HMD admits Nokia 7 Plus sent personal data to China

HMD is in hot water as a result of a report from the Norwegian site NRKbeta, which revealed that the HMD's Nokia 7 Plus was sending users' personal information to a server in China. HMD responded to the report by stating, "Our device activation client destined for another country was mistakenly included in the Nokia 7 Plus one-batch software package."

NRKbeta's investigation revealed that the Nokia 7 Plus was sending the IMEI, the MAC ID and the ICCID of the SIM card, all of which are unique hardware identifiers or SIM cards can be used to follow a person. There was also approximate location information because the device sent the ID of the nearest cell tower. The article in NRKbeta is in Norwegian, but through Google Translate, the site claims that this data was sent each time the phone was turned on and that it had been sending it for several months.

HMD admits that this data ended up on "a third party server" but claims that the data "have never been processed". The company identifies the information sent as "activation data" and then indicates that "no one could have been identified on the basis of this data". HMD's assertion here is a bit odd, since the purpose of "activation data" is to identify a person so that they can be billed for cellular access.

NRKbeta indicates that the Chinese server in question was http://zzhc.vnet.cn, which apparently belongs to China Telecom, a public company. China has been a center of major interest for HMD, and the country often obtains the company's Nokia phones before the rest of the world. HMD said that its activation data had been successful in China due to sending the "country variant" erroneous to an activation application.

According to NRKBeta, HMD has already stated: "This error has already been identified and corrected in February 2019" and "all affected devices have received this fix and almost all devices already have it installed." Presumably, this means that all owners of Nokia 7 Plus using Android's "March 2019" security patches should have the update.

Just fixing the problem will probably not be the end of this situation. There is a good chance that this is a violation of the European General Data Protection Regulation (GDRP), which limits the export of user data outside the EU. As HMD is based in Finland, its data protection mediator plans to investigate this incident. HMD stated that it "took the safety and confidentiality of its consumers seriously" and that it would cooperate with any investigation.