Sometimes covering tech news requires sitting back a few days and letting something play out. While often it may not be necessary to delay coverage, when it came to the story this week about certain Nokia 7 Plus models ‘sending data to China’ we decided to let the information flow out before jumping on the Fear, Uncertainty and Doubt coverage train.
Now the news has had time to settle, HMD Global has had time to investigate. While there are still a few unanswered questions, the issues certainly aren’t as alarming as it was originally reported by some outlets. As best as we can tell, and taking HMD Global on their word a little (which at this stage we are happy to do), the whole issue centers around an ‘Activation app’ that comes with Nokia phones.
The normal function of the app outside of China, where HMD have a big presence, is that at activation the device will communicate with a server in Singapore (an AWS server under HMD Global control). However, in China, variants communicate with a different server located in China. According to HMD Global, a batch of international Nokia 7 Plus devices was incorrectly connected to the Chinese server instead of the AWS instance.
For affected devices dialing China, it seems they were sending the device IMEI, MAC ID, and the SIM ICCID along with the local tower data, all logged against the time and date. What’s worse, is that this data was apparently sent every time the phone was powered on or the screen was unlocked or activated. Again, this behavior seems to be restricted to devices intended to ship in China so not all Nokia phones are sending this data all day every day.
So, in short, the answer posed in the headline is no – your Australian Nokia devices are extremely unlikely to be affected.
HMD has already released a patch for the issue which was included in the March 2019 OTA security update. According to HMD, only a select batch of Nokia 7 Plus devices were affected and all of them are eligible to download this patch. Their internal records show that ‘almost all’ affected devices have installed the patch. We’ve reached out to HMD Global in Australia and asked for comment if any of the affected batches could have been sent to Australia. We’ll let you know if we hear back.
If you’ve got a Nokia 7 Plus and are worried the solution is easy, check if you have the latest update, if not spam that update button and all will be well. To update a Nokia 7 Plus go to Settings -> System -> Advanced -> System Update -> Check for Update. If you want to be double sure check the build number, go to Settings -> System -> About Phone -> Scroll down to “Build Number”, if it shows “00WW339BSP03” or “00WW322CSP05” you’ve got the updated version. NOTE: Having the latest version DOES NOT mean your devices was originally affected.
The real story for us is the growing body of evidence surrounding Chinese surveillance of its people. None of this is overly surprising, but it’s comforting to think that it’s normal to have all of the information logged so regularly in China. The other interesting aspect of this is the potential implications of the European General Data Protection Regulation (GDPR) for HMD Global.
It’s very possible that this activity contravenes that regulation, and even if unintentional, HMD Global is likely to face investigation and possible fines in relation to the breach.
This story isn’t over yet folks.