The data leak was discovered by a Norwegian citizen, Henrik Austad, who wanted to find out what his phone sends over the Internet. He found that his phone sent an unencrypted data burst every time the phone was switched on. This data package included the phone's location, SIM card number and the phone's serial number, among other details.
The data was sent unencrypted over the Internet to a server located in China, operated by Chinese government-owned ISP China Telecom.
Nokia itself doesn't manufacture phones nowadays, but instead has licensed its brand to another Finnish company called HMD Global. HMD Global says that the claims are true, but were caused by a bug in a specific production batch - and that the issue has since been fixed in later production phones. HMD Global also says that the information leak didn't include anything that could be associated with a specific person or that would allow tracking of a specific person.
As HMD Global is based in Finland (as is Nokia, whose license they are using), the Finnish Office of the Data Protection Ombudsman has announced that it will start an official investigation into this matter. The European Union's GDPR data protection directive states clearly that while data can be pretty much freely transferred within the European Union, with the user's consent, the transfer of data to outside of the European Union is a different matter. In such a case, there needs to be a legal rationale behind the data transfer and the user should know about it.
Nokia-branded phones are manufactured by a Chinese tech giant, Foxconn.
The story was originally leaked by NRKBeta (article in Norwegian).
Written by: Petteri Pyyny @ 21 Mar 2019 9:24