HMD is in hot water following a report from Norwegian site NRKbeta, which found that HMD’s Nokia 7 Plus was sending users’ personal information to a server in China. HMD responded to the report, admitting, “Our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus.”
NRKbeta’s investigation found the Nokia 7 Plus was sending the IMEI, MAC ID, and the SIM ICCID, all of which are unique hardware or SIM card identifiers that could be used to track an individual. There was also rough location information, as the device sent the ID of the nearest cell tower. NRKbeta’s article is in Norwegian, but through Google Translate the site claims this data was sent every time the phone was switched on and that the phone was sending this data for several months.
HMD admits this data ended up on “a third-party server” but claims the data “was never processed.” The company identifies the information sent as “activation data” and then says that “no person could have been identified based on this data.” HMD’s claim here is a bit strange, considering the entire point of “activation data” is to identify someone so they can be billed for cellular access.
NRKbeta says Chinese server in question was http://zzhc.vnet.cn, which apparently belongs to the state-owned China Telecom. China has been a major focus for HMD, and the country often gets the company’s Nokia phones before the rest of the world. HMD says its activation data ended up in China due to shipping the wrong “country variant” of an activation app.
According to NRKBeta, HMD has already said, “This error has already been identified and fixed in February 2019” and that “all affected devices have received this fix and nearly all devices have already installed it.” Presumably that means any Nokia 7 Plus owners running the “March 2019” Android security patches should have the update.
Just fixing the issue probably won’t be the end of this situation, though. There’s a good chance this was a violation of Europe’s General Data Protection Regulation (GDRP), which limits the exporting of user data outside of the EU. HMD is based in Finland, so Finland’s Data Protection Ombudsman is considering investigating the incident. HMD said it “takes the security and privacy of its consumers seriously” and that it will cooperate with any investigation.