Nokia's official response on the case of user data violations
A few days, a report by Norweigan NRK revealed that certain Nokia 7 Plus units were phoning home to China with sensitive user data that could allow real-time tracking. Nokia, or HMD Global, depending on how you look at it, has issued a press released demystifying the entire episode.
"We have looked deeply into the case at hand and can confirm that no personally identifiable information has been shared with any third party," the statement said. "We have analysed the case at hand and have found that our device activation client meant for our China variant was mistakenly included in the software package of a single batch of Nokia 7 Plus phones. "
"Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed, and no person could have been identified based on this data. To be clear, no personally identifiable information has been shared with any third party."
"This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it."
The company's excuse does sound solid. The data was a match with the format used for device registration by China Telecoms, the owners of the servers to which the data was being sent. That said, this is sloppy of HMD Global. It's also amusing that the company claims the leak to be "alleged".
The old Nokia brand was known for its rock-solid quality but new Nokia devices have experienced hardware issues—The Nokia 7 Plus's Novatek display has well-documented problems—and things on the software end aren't perfect either.
Get it together, HMD Global.
What you need to know about your privacy and the alleged “data breach” on Nokia 7 Plus phones
22 March 2019
HMD Global takes the privacy and security of its consumers seriously. With the recent news regarding the Nokia 7 Plus, it’s important that you hear about what happened from us and learn more about how we collect and store data.
We have looked deeply into the case at hand and can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for our China variant was mistakenly included in the software package of a single batch of Nokia 7 Plus phones. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed, and no person could have been identified based on this data. To be clear, no personally identifiable information has been shared with any third party. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it. If you want to check if your Nokia 7 Plus has received the security fix, we have included step-by-step instructions below.
There is also some speculation about other Nokia phones sharing similar data with third-party servers. We can confirm that this is incorrect speculation and no Nokia phones are impacted. All device data of Nokia Phones other than the China variant is stored at HMD Global’s servers in Singapore provided by Amazon Web Services. HMD Global takes the security and privacy of its consumers seriously and complies with all applicable privacy laws. Data collected from our devices is stored safely in accordance with applicable laws. The device data collection is further explained on our web pages . We encourage our consumers to familiarize themselves with this information and our Privacy Policy that further explains the data collection. HMD Global takes the privacy and security of its consumers seriously.
However, before you go, please take a look at our infographic and Q&A below for more information on how we collect and store data, plus step-by-step instructions to check if your Nokia 7 Plus has received the security fix.
Demystifying data collection
Additional information
Why do we collect data from the devices?
We collect data from devices for two primary reasons:
- Activating device warranty: When the device is taken into use for the first time, it sends data to our servers. This data helps us activate warranty on the device.
- Improve user satisfaction: In case you choose to participate in the User Experience Program, we collect device satisfaction feedback and diagnostics data from your Nokia phone. This helps us to enhance our products and services based on your feedback.
How do we manage privacy within HMD Global?
- Our software developers are continuously trained to master local privacy requirements such as the GDPR or China Cyber Security Law requirements. This applies also to the software developers from partners working together with us.
- We take privacy extremely seriously and follow ‘privacy as a design’ process. This means that all changes and updates to data collection are always approved by a privacy expert.
- On top of that, we conduct regular third party audits for our data collection and management processes.
- We also have strict policies in place related to technical architecture, data and access management.
Where is my device data stored if I have purchased the device for example from Europe, US or India?
- Your data is stored in Singapore. Singapore, as you may already know, follows very strict privacy laws.
Where is my device data stored if I have purchased the device from China?
- In order to comply with China Cyber Security law, we are obligated to store data originating from China in China. This means that only those devices that are sold in China will send data to our servers in China.
How can I check if my Nokia 7 Plus has received the security fix?
If you want to confirm your device is up to date, follow these steps:
- Go to Settings > System > About Phone > Scroll down to “Build Number”
- If your phone shows “00WW_3_39B_SP03” or “00WW_3_22C_SP05” as the “Build number”, you have already installed the fix on your Nokia 7 Plus.
- If your phone is not showing either of the above, don’t worry, you can always request the latest approved build by following these steps:
- Go to “Settings” > “System” > “Advanced” > “System Update” > “Check for Update”.
- A Wi-Fi connection is preferred, but if not possible, you can select “Resume” to use your cellular data connection. Please be advised that using a cellular connection may incur a data charge. Check with your operator if any concerns.