What you need to know about your privacy and the alleged “data breach” on Nokia 7 Plus phones

madbilly

@edo, thanks for joining in the discussion. I know that HMD consider the data to not be "personally identifiable", but that does not mean it is not subject to the GDPR, nor does it mean that HMD are correct that it is not personally identifiable.

As far as I understand, the information which was mistakenly sent by some 7+ phones to China is described in this article by NRK:https://nrkbeta.no/2019/03/21/norske-telefoner-sendte-personopplysninger-til-kina/:

• IMEI (two if applicable) - this uniquely identifies the phone
  
• SIM Cell ID - the mobile network cell within which the phone is at the time of registration, i.e. rough location of the phone (and since it's for registration when the phone is first turned on, it's almost certainly the rough location of somebody's home as that's where most of us open our parcels)
  
• IMSI - uniquely identifies the subscriber, i.e the person who owns the contract for the SIM card, almost certainly the person who owns the phone and probably the person who lives in the location above
• ICC ID - uniquely identifies the SIM card
• MAC address - another way of uniquely identifying the phone
  

In that article on NRK they publish HMD's response to them where HMD cites the case Breyer vs Germany to suggest that this means none of the above is personally identifiable. This is misleading (and I think incorrect) because that case only concerned a dynamic IP address which is only one piece of information and is a piece of information which can change, therefore can only be used to identify someone if there is a history of which computers are allocated which IP addresses.

The case of the 7+ data leak is very different from the Breyer vs Germany case. 1) IMEI, IMSI, ICC and MAC address all uniquely identify a person/organisation or the phone, and 2) Sim cell identifies a rough location, 3) This is a collection of data, which when aggregated together tells us that the identified person is using the identified phone in the identified location. To me, and I believe also to any DPA, this would be sufficient to be considered to be personally identifiable. Even if they agree that it is not directly personally identifiable, it is certainly indirectly personally identifiable. HMD's own privacy policy suggests that this is considered to be personal data: https://www.nokia.com/phones/en_int/privacyportal

What information do we collect?

We collect your personal data and other information when you make a purchase, use or register into our products and services, take part in campaigns or research, or otherwise interact with us. This includes following categories:

Product and service activations. HMD products and services may require electronic activation, where your device and application type, as well as unique device, application, network and subscription identifiers are sent to HMD.

For your reading pleasure, here are links to and quotes from relevant pages of the Information Commissioner's Office in the UK; I expect this is very similar to the guidance given in Finland or any other European country:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/#pd5

https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf

What does the GDPR say?

Personal data is defined in the GDPR as:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

This means personal data has to be information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.   

It's certainly not anonymised, but even if it was considered pseudomyised the GDPR says that it must still be considered to be personal data.

However, pseudonymisation is effectively only a security measure. It does not change the status of the data as personal data. Recital 26 makes it clear that pseudonymised personal data remains personal data and within the scope of the GDPR.

“…Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…”

Rather than discuss about it here, I would prefer that HMD's webpage on the subject and all the reassurances address these points.

Long post; thanks for reading

PS - please also address @gonespeed and @DNPL's questions about HK, Macau and Taiwan.

edo

Thanks for the long post @madbilly ! As stated earlier the data was never processed. Only phones sold in China communicate with Chinese servers, no TW, HK etc.. Find all info in the web post and always make sure your phone is updated as we promptly corrected the mistake already in February. https://www.nokia.com/phones/en_int/privacy-info 

madbilly

@edo thanks for reading to the end!

Thanks for the confirmation about phones sold in HK, Macau and Taiwan.

As for the point about personally identifiable data... I don't think it matters if the data was processed or not. However, given you read to the end I believe you understand my concerns - which are that HMD correctly understands the gravity of the situation and how any DPA may categorise the leaked data. We owners of Nokia phones are not DPAs, the definitions aren't necessarily important to us, we each have to make our own decision about how we feel about the data which was leaked.

DNPL

madbilly said:

Also, I think that FIH Mobile is a Taiwanese company traded on the HK stock exchange isn't it? At least I think that it's parent company, Foxconn, is from Taiwan (Hon Hai Precision Industry).

To answer the question, yes, as a Taiwanese I am ashamed to admit that the notorious Foxconn is indeed from Taiwan. The reason why I raised concern over this matter was that the head of the group, despite the shift in the recent years in political stance, had a terrible record of being pro-authoritarianism and pro-Beijing. 

Also, thanks for bringing my question to the Edo's attention

@edo

Thank you for clarifying on the model variants in different regions. HMD Global must understand the geopolitical tension between People's Republic of China and its neighboring political entities, and how such potential violation against Privacy Policy by mistake could mean imprisonment or even worse. Security measures must be taken to ensure no such thing would ever happen again. 

TommiS

As I wrote in another topic, personally i have not been too worried about this case. But i understand that this could be serious problem especially when Nokia phones are advertised for business use.

I would like to know if anyone at HMD has any information about how long it will take to Finnish Office of the Data Protection Ombudsman to investigate this case? I know it's not propably possible to predict the timeframe but i think people would feel much better after seeing the results.

I don't know how other people feel and trust this investigation but personally i'am waiting the results and make my own conclusions after that.

madbilly

Good point @TommiS, I don't know how long these things normally take. Is there any info you can find online?

TommiS

@madbilly I have not found anything specific. All the articles say the same.."The investigation has started..."

But when they mentioned that they probably need to contact data protection authorities of the member states of the european union, it must take time. Months ? And that's what I'am afraid of. People don't even think about it anymore when they release the results. But they will definately remember it in the worst way no matter what are the results 😕

madbilly

Really? They have to contact all other EU DPAs? Maybe they need to know if another DPA is already investigating, which might be the case.

I agree that the reputation damage is now, it won't necessarily be fixed even if the DPA don't find a problem.

singhnsk

@madbilly As far as I know, it is all the same firmware in the HK and TW markets. Some phones have had a special SKUID for Taiwan and these might offer a slightly variable software experience there. Other than that, it is Android One and should be the same. The phones do seem to have some settings enabled/disabled via location. For example the notch hide setting in Nokia 8.1. Same software package, same SKUID, but most likely checked via location/IP/SIM card and blocked the setting in the European markets.

singhnsk

@edo I do not want to be doubtful, but to fulfill my own curiosity, I wanna know about how this can happen. Because if I am not wrong, all phones are flashed with the same software release from the factory. For example, the B2N-213B firmware shipped on a lot of phones from the factory. So, how can it affect some phones and not others. Similarly for the OTA updates, they are usually the same across regions.

madbilly

@singhnsk thank you for the insight into software variants and how some features might be locally controlled. Your question to @edo is also a good one. I had presumed that this error was actually originally in an OTA update, not in the original factory firmware, but your question has made me rethink this. Maybe FIH had minor version variants of firmware which are not visible to the public, and it was only one of these minor versions which was affected. Is that possible? Or would you spot the different somewhere in the Android system info/settings?

singhnsk

@madbilly Well, I can be wrong. We have seen that they do maintain separate builds, but to me they all seem like regional restrictions and delays and in the end all devices receive the same software. However, in case of 7 Plus, there have been 2 branches of the software after the Pie update and up until now. As you'd know some regions received Pie earlier, they also received 1 MR earlier than the regions which received Pie later. This did cause 2 different software branches being maintained for a few months. So, it is likely that one of this release carried that buggy app which sent the data to China. If that happened, then HMD is right that only limited number of phones were affected.

With the march update, all Nokia 7 Plus (globally) have arrived at the same build. Maybe at this point the differences in different branches have been unified. The use of the powersaving.g3 evenwell app has been reduced significantly. Also very surprisingly, all devices which are developed under the sdm660 platform (6.1, 6.1 Plus, 7 Plus & 7.1) have received the same March build - 3_51F. It seems like they are in the effort to unite the software on these devices so that developing for one and doing bug fixes makes the thingy ready for all the other devices on the sdm_660 platform (while not really using that SOC). A similar pattern is seen on the CN builds for these devices. All have reached the same build number which has never happened before. This can significantly cut down the expenses to maintain this big bunch of phones. The X71 might come and jump into the same boat.

I do not have the capacity to test in which software version this bug happened and in which it got fixed. But if HMD quotes that all devices with such a bug have been updated, then it does seem like it was a part of the OTA at some point and those devices have received their future updates too. I do not know and cannot test it. So, this is just my assumption. I do not make any claims against HMD. 

madbilly

@singhnsk great explanation, thanks. I was not aware of the branching and merging that happened with the 7+ but I think something similar happened with the 8 as well, as at some point 4_88 existed whilst my phone was on 4_84, but now I'm on 4_88 and 4_84 is no longer receiving updates. Also good observation on the 660 based devices, I also hope this means maintenance will be streamlined and bugs can be fixed quicker.

Cheers

hoc

After going thru the official HMD circular noting the background etc. concerning the 'data compromise' event in recent news, as a Nokia 7plus user (as well as some other Nokia models as well) myself, i'm reasonably convinced there's NO point or real need to 'read too much' into every line & end up of over-reacting & engaging in all manner of practically questionable unproductive speculations, which ultimately don't yield much real practical points in return, other than creating unnecessary anxiety in one's mind...surely there must be many other better things to be bothered by in one's daily lives which better requires one's attention ?! 

Having said the above, however, 1 thing which came to my mind which so far i haven't noted being mentioned is what happens IF someone visits China & decides to buy the China variant models & brings them back say to Europe or somewhere else outside China to use ? Now, if the sets were activated while still in China then the data of course is sent to China servers, that being the required practice for China variant sets. But, if the person buys the China variant sets (kept in original sealed box i.e. not pre-opened & activated) & sells them to other people who knowingly don't mind buying a China variant set (maybe cheaper etc.) outside China (something which i understand officially are NOT encouraged practice ?!) then these people must then be aware that since they own a China variant device, as per HMD standard required practice, their such devices (of course) will have to send the activation data back to China servers as 'default understood' practice which they cannot be surprised by as such, because say if they are located in Finland or anywhere else outside China for that matter, they are NOT expected to be buying a China variant device which, as is understood to be ONLY intended for China market !

These people are thus in possession of something which is not meant for their region yet they know how to 'make noise' that their data is sent to somewhere they don't expect..they should instead ensure they only buy the global variant for their region in order to stay 'compliant' with whatever local regulations etc. in the 1st place !!!!

BTW, even global variant sets (i.e. devices intended for sale outside China markets which would mean sets officially approved for sale in many other countries globally like USA, Europe, India, Malaysia, Singapore etc.) in ALL these cases their data are known to be sent to HMD servers in Singapore instead of China. So ultimately, data are still being sent (reasons already stated in the official HMD circular) just that it doesn't go to China for non-China market intended sets !      

singhnsk

That's completely agreeable @hoc. If somebody buys a Chinese variant in a global market which still runs on the Chinese software (and not converted to global as it should be), then the data will obviously reach China and there's nothing that they can dispute against. The privacy policy and warranty policy for China will be applicable. I guess the whole fuss in this one was about data going to China and not to Singapore. It has been sorted, so we can finally cover this topic in a coffin 😁

Ben77

Why don't nokia built it's own servers in India . Please consider it as an request . 

DibyaXP

Let me unlock bootloader , I will personally send all my location , my name , my girlfriend nsmn and what not . I promise I will use FedEx or DHL to send my data 
@madbilly do you agree with me ?
Any one from China does FedEx work in china?

madbilly

Hi @DibyaXP, I agree with you that I'd like more official bootloader unlock methods from HMD; I do not agree that it's worth sending all that info to them for it! Anyway, to be equivalent to the 7+ leak you would need to write it all on a postcard because that 7+ leak was unencrypted IIRC.

user1555084245092

<b></b>dear <b>laura,
</b><b>I know it is not the right thread to raise this concern..but please excuse me..
</b><b>
</b>I've got a brand new nokia 8.1 today and just booted the device. And inserted my dual sim cards. As soon as I make a phone call , <b>the screen goes blank and it's blackout, </b>but I still see the call is connected at the background..but display is not on..please could you please let me know the process to surrender the device and get the refund please...