Nokia plays the ethics card

Finnish kit vendor Nokia is celebrating being named one of the world’s most ethical companies, but what does that even mean?

The accolade has been bestowed on Nokia, for the fourth time, by a company called Ethisphere. As the name implies, ethics are its thing and it has been the self-appointed arbiter of corporate wholesomeness for some time. This year Ethisphere (tagline: Good. Smart. Business. Profit.) decided 132 companies were nice and ethical. The list reads like a who’s who of corporate America, with 101 of the ‘winners’ coming from that country.

“It is a great honour to be recognized once again as one of the world’s most ethical companies,” said Nokia CEO Rajeev Suri. “Our reputation is built on more than 150 years of trustworthiness and ethical business practices. This award is due to the hard work and commitment of the entire Nokia team, who ensure we put our values of trust, integrity, and social and environmental responsibility into everything we do.”

“Nokia is one of just three telecom companies to make the list, highlighting how much the company is doing to enhance ethical business practices in the sector”, said Ethisphere’s CEO, Timothy Erblich. “Congratulations to everyone at Nokia for earning this recognition.”

Being such a paragon of ethics, it’s safe to assume the methodology involved in awarding these accolades is totally transparent, right? Well, here’s what the press release has to say: “Grounded in Ethisphere’s proprietary Ethics Quotient®, the World’s Most Ethical Companies assessment process includes more than 200 questions on culture, environmental and social practices, ethics and compliance activities, governance, diversity and initiatives to support a strong value chain.

“The process serves as an operating framework to capture and codify the leading practices of organizations across industries and around the globe. Best practices and insights from the 2020 honorees will be released in a report and webcast in March and April of this year. All companies that participate in the assessment process receive an Analytical Scorecard providing them a holistic assessment of where their programs stand against the demanding standards of leading companies.”

So it seems only companies that involve themselves with Ethisphere’s proprietary Ethics Quotient (registered trade mark) even qualify for assessment. Ethisphere is a for-profit company as far as we can tell, so it’s presumably not compiling this list entirely as a philanthropic gesture. A quick sniff around its website reveals that it costs at least $3,000 to participate in Ethisphere’s proprietary Ethics Quotient, the underlying methodology for which we couldn’t find a link to.

It’s no secret that compliance and corporate responsibility are big business and that companies devote considerable resource to managing their reputations. Nokia is hardly alone in this respect, but it’s hard to know how seriously to take this specific accreditation, awarded as it is by an organisation that bases at least part of its business model on charging companies for the privilege. Whatever happened to ‘virtue is its own reward’?

Ericsson gets a $150 million bargain on its corruption fine from the US

Swedish kit vendor Ericsson got a $150 million early Christmas present from US authorities after its fine for violating corruption laws was finally revealed.

The consequence of being found guilty of using back-handers to grease the wheels of commerce in Djibouti, China, Vietnam, Indonesia and Kuwait as recently as Q1 2017 is a fine of SEK1.06 billion. But since Ericsson had already accounted for a fine of SEK 11.5 billion, that means it now has 150 million bucks more than it expected to. It can now spend that bonus wedge on Christmas presents which, of course, it will account for in a transparent and correct manner.

To be fair to Ericsson, this is probably common business practice in some or all of those countries, but the trick is not to get caught, isn’t it? Both the US Department of Justice and the Securities and Exchange Commission have had a piece of this action and seem to have split the winnings equally, so Christmas should be fun there too.

The DoJ is trousering 520,650,432 in return for promising to drop all charges if Ericsson keeps its hands clean for the next three years. Presumably, if Ericsson does comply and the charges are dropped, the DoJ won’t pay back the half a bil in spite of Ericsson no longer being legally guilty of doing anything wrong. That makes the whole thing smell like state extortion, but what do we know?

Meanwhile the SEC prefers to round its takings to the nearest 10k and is pocketing $539,920,000, which hilariously includes $81,540k in interest. This fine seems to be for the same activities so it’s not clear why Ericsson has to pay it twice. Maybe the fine was always going to be around a bil and the DoJ and SEC couldn’t agree on jurisdiction, so decided to split it down the middle.

“The DoJ proceeding is a criminal enforcement action and the SEC proceeding is a civil enforcement action,” explains the Ericsson announcement. “The agencies resolve their investigation independently of one another using their own discretion and applying different standards of proof.  As a result, the DoJ and SEC have come to different conclusions based on the same facts.”

“I am upset by these past failings,” said Ericsson CEO Börje Ekholm. “Reaching a resolution with the US authorities allows us to close this legacy chapter. We can now move forward and build a stronger company. The settlement with the SEC and DOJ shows that we have not always met our standards in doing business the right way. This episode shows the importance of fact-based decision making and a culture that supports speaking up and confronting issues. We have worked tirelessly to implement a robust compliance program. This work will never stop.”

“Through slush funds, bribes, gifts, and graft, Ericsson conducted telecom business with the guiding principle that ‘money talks.’” said U.S. Attorney Geoffrey Berman. “Today’s guilty plea and surrender of over a billion dollars in combined penalties should communicate clearly to all corporate actors that doing business this way will not be tolerated.”

“Implementing strong compliance systems and internal controls are basic principles that international companies must follow to steer clear of illegal activity,” said Don Fort, Chief of IRS Criminal Investigation.  “Ericsson’s shortcomings in these areas made it easier for its executives and employees to pay bribes and falsify its books and records.  We will continue to pursue cases such as these in order to preserve a global commerce system free of corruption.”

So the IRS got a piece of the action too – nice. Here are the specific pieces of naughtiness Ericsson admitted to committing to the DoJ, the charges for which, don’t forget, will probably be dismissed in three years’ time.

Between 2010 and 2014, Ericsson, via a subsidiary, made approximately $2.1 million in bribe payments to high-ranking government officials in Djibouti in order to obtain a contract with the state-owned telecommunications company valued at approximately €20.3 million to modernize the mobile networks system in Djibouti.  In order to effectuate the scheme, an Ericsson subsidiary entered into a sham contract with a consulting company and approved fake invoices to conceal the bribe payments.  Ericsson employees also completed a draft due diligence report that failed to disclose the spousal relationship between the owner of the consulting company and one of the high-ranking government officials.

In China, between 2000 and 2016, Ericsson subsidiaries caused tens of millions of dollars to be paid to various agents, consultants and service providers, a portion of which was used to fund a travel expense account in China that covered gifts, travel and entertainment for foreign officials, including customers from state-owned telecommunications companies.  Ericsson used the travel expense account to win business with Chinese state-owned customers.  In addition, between 2013 and 2016, Ericsson subsidiaries made payments of approximately $31.5 million to third party service providers pursuant to sham contracts for services that were never performed.  The purpose of these payments was to allow Ericsson’s subsidiaries in China to continue to use and pay third party agents in China in contravention of Ericsson’s policies and procedures.  Ericsson knowingly mischaracterized these payments and improperly recorded them in its books and records.

In Vietnam, between 2012 and 2015, Ericsson subsidiaries made approximately $4.8 million in payments to a consulting company in order to create off-the-books slush funds, associated with Ericsson’s customers in Vietnam, that were used to make payments to third parties who would not be able to pass Ericsson’s due diligence processes.  Ericsson knowingly mischaracterized these payments and improperly recorded them in Ericsson’s books and records.  Similarly, in Indonesia, between 2012 and 2015, an Ericsson subsidiary made approximately $45 million in payments to a consulting company in order to create off-the-books slush funds, and concealed the payments on Ericsson’s books and records.

In Kuwait, between 2011 and 2013, an Ericsson subsidiary promised a payment of approximately $450,000 to a consulting company at the request of a sales agent, and then entered into a sham contract with the consulting company and approved a fake invoice for services that were never performed in order to conceal the payment.  The sales agent provided an Ericsson employee with inside information about a tender for the modernization of a state-owned telecommunications company’s radio access network in Kuwait.  An Ericsson subsidiary was awarded the contract valued at approximately $182 million; Ericsson subsequently made the $450,000 payment to the consulting company and improperly recorded it in its books.

There was clearly a fair amount of dodgy stuff going on in the above cases, but none of it is especially shocking. Under-the-table payments are an endemic issue everywhere in the business world and the trick is to launder them such that they look legit. Ericsson clearly failed to do this and that’s really what it’s being punished for.

But nobody seems to be questioning the US’s jurisdiction in prosecuting this matter. None of the back-handers were paid in the US or even seemed to involve US companies, so why is the US policing this matter? Maybe the answer lies in the fines, none of which will apparently find their way to the countries supposedly corrupted by all this. Even with a $150 million discount, the US authorities are now the ultimate beneficiaries of Ericsson’s naughtiness.

Nokia admits there may still be some Alcatel Lucent skeletons in the closet

Finnish kit vendor Nokia has filed its annual report with the SEC and in it flagged up some legacy issues from Alcatel Lucent that may still be a problem.

In the lengthy ‘risk factors’ section, Nokia indicates that, even years after it completed the acquisition of Alcatel Lucent, it’s still digging up stuff that may present some kind of threat to the company. Here’s the relevant passage in full.

“During the course of the ongoing integration process, we have been made aware of certain practices relating to compliance issues at the former Alcatel Lucent business that have raised concerns. We have initiated an internal investigation and voluntarily reported the matter to the relevant regulatory authorities, with whom we are cooperating with a view to resolving the matter. The resolution of this matter could result in potential criminal or civil penalties, including the possibility of monetary fines, which could have a material adverse effect on our business, brand, reputation or financial position.”

Asked for further comment on the matter Nokia just stressed that “although this investigation is in a relatively early stage, out of an abundance of caution and in the spirit of transparency, Nokia has contacted the relevant regulatory authorities regarding this review.” There’s no reason not to take that statement at face value at this stage, but while the extent of the material effect this could have on Nokia remains uncapped it will surely remain a significant concern.

Iran is also addressed in the risks section, with Nokia noting the dilemma that, while Europe is relaxing its sanctions against the country, the US is moving in the other direction and ramping them up. “As a European company it will be quite challenging to reconcile the opposing foreign policy regimes of the US and the EU,” it laments.

Since the US has shown an unlimited capacity for vindictiveness towards companies that do business with Iran, Nokia has sensibly decided not to do any more business there for the time being. “Although we evaluate our business activities on an ongoing basis, we currently do not intend to accept any new business in Iran in 2019 and intend to only complete existing contractual obligations in Iran in compliance with applicable economic sanctions and other trade-related laws,” said the filing.

Lastly the risks section also mentions HMD Global, which licenses the Nokia brand to put on its smartphones. It doesn’t make reference to any specific case but notes “Nokia has limitations in its ability to influence HMD Global in its business and other operations, exposing us to potential adverse effects from the use of the Nokia brand by HMD Global or other adverse development encountered by HMD Global that become attributable to Nokia through association and HMD Global being a licensee of the Nokia brand.” How timely.

Huawei employee arrested in Poland on spying allegations

Huawei’s sales director in Poland, who previously served in the Chinese diplomatic corps, has been arrested by the Polish authorities on spying allegations. Huawei immediately terminated his employment.

More details have been disclosed related to the arrest of Wang Weijing, who also goes by the name Stanislaw Wang. After serving as attaché at the Chinese general consulate in Gdansk, Wang joined Huawei’s Poland office in 2011, first as its PR director then as its sales director responsible for selling to the Polish public sector. Wang was detained on 8 January, on allegations of spying, as was first reported by the Polish public broadcaster TVP.

According to TVP, an Orange employee arrested on the same allegations, identified as Piotr D, had worked at the country’s Internal Security Agency (ISA, or “Agencja Bezpieczeństwa Wewnętrznego (ABW)” in Polish), which carried out the arrests. While at ISA one of his responsibilities was issuing security certificates for equipment used by Poland’s public-sector offices. He left the agency earlier after being accused of corruption but was not formally charged.

The offices of Huawei and Orange were both searched following the arrests, though a spokesperson for ISA told Reuters that the allegations against Wang were related to individual actions, not directly linked to Huawei. This is also the line Huawei adopted when it promptly severed the employment relationship with Wang, citing that “in accordance with the terms and conditions of Huawei’s labour contract, we have made this decision because the incident has brought Huawei into disrepute.”

Orange said it did not know if the investigation into Piotr D. was linked to his professional work but would continue to cooperate with the authorities.

Despite the troubles it has run into in markets like the US, New Zealand, Japan, and the UK, Huawei’s business in Eastern Europe has been largely unperturbed. However, the latest twist in Poland and the earlier arrest of Meng Wanzhou, Huawei’s CFO, in Canada might put this position under pressure. On Saturday 12 January, Joachim Brudzinski, Poland’s interior minister, called for an EU-NATO joint position with regard to banning Huawei from these markets when speaking on a Polish commercial radio station. “There are concerns about Huawei within NATO as well. It would make most sense to have a joint stance, among EU member states and NATO members,” said Brudzinski.

Then on Sunday 13 January, Karol Okonski, a government official responsible for cyber security, told Reuters that Poland could consider forbidding the public sector from using Huawei products while probing the legal measures to limit Huawei’s access to the private sector. “We do not have the legal means to force private companies or citizens to stop using any IT company’s products. It cannot be ruled out that we will consider legislative changes that would allow such a move,” Okonski said.

Huawei has always denied that it poses security threats, or that it spies on behalf of the Chinese government. In a statement it sent out to media after its CFO’s arrest and sent again after the arrests in Poland, Huawei stressed that it “complies with all applicable laws and regulations in the countries where it operates, and we require every employee to abide by the laws and regulations in the countries where they are based.”

Incidentally, the South China Morning Post reported earlier that, shortly before her arrest in Canada, Meng Wanzhou and Ren Zhengfei, the founder of Huawei and Meng’s father, hosted a town hall meeting for Huawei employees. According to a transcript distributed to Huawei staff and seen by SCMP, both executives discussed compliance extensively. Cases were divided into “red” and “yellow” lines. By red line, Meng meant the rules where there is “no bargaining and must be strictly complied with”, while by yellow line she referred to cases where strict compliance is not operationally feasible, and the company can build in the costs of flouting the rules as “sunk costs.” She cited labour risks as an example.

“Of course, beyond the yellow and red lines, there may still be another scenario, and that is where the external rules are clear-cut and there’s no contention, but the company is totally unable to comply with in actual operations. In such cases, after a reasonable decision-making process, one may accept the risk of temporary non-compliance,” as quoted by SCMP.

Ren also urged his staff to consider both cost and benefit in compliance cases, especially related to laws of the US and EU. SCMP quoted him challenging those present when answering a question: “We must not bind ourselves up just because the US is attacking us. If our hands and feet are bound, then we will not be able to continue producing, then what’s the point of compliance?”

Privacy International points GDPR finger at Facebook

An investigation from privacy advocacy group Privacy International on the flow of personal information has questioned whether Facebook and its advertisers are violating Europe’s GDPR.

To date there have not been any major challenges using the data privacy regulation. There have of course been numerous violations of user privacy, but as these incidents occurred prior to the implementation of GDPR, the old version of the rules and punishments were used. This investigation from Privacy International could prove to be a landmark.

The investigation itself questions whether Facebook and the app developers which use its platform for data collection and user identification are acting responsibly and legally. Using the Facebook Software Development Kit (SDK), data is automatically sent back to the social media giant, irrespective of whether consent has been collected, or even if the user has a Facebook account.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” Privacy International states on its website.

“App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called ‘mitmproxy’, an interactive HTTPS proxy, Privacy International has analysed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

After testing dozens of different apps, Privacy International claims 61% automatically transfer data to Facebook the moment a user opens the app, while others routinely send Facebook data that is incredibly detailed. Some of these users may be logged out of the platform or might not even have a Facebook account in the first place. Developers tested include travel comparison app Kayak, job search company Indeed and crowd-sourced search service Yelp.

Looking at the Kayak example, not only was information transferred back to Facebook once the app was opened and closed, but also during each stage of the search process. In the example Privacy International gives, the user selected a flight from London Gatwick to Tokyo between December 2 and 5, Narita Airport was then selected, before another search was conducted searching for hotels for two adults in the city. All of this information was sent to Facebook without prompt, despite Kayak claiming, ‘don’t worry, we’ll never share anything without your permission’, when the user signs in.

Alone this information is useful, but not incredibly so. However, when you consider the huge number of apps which will be sending information back to Facebook, an incredibly detailed picture of the user can be built. Using the other apps tested in this investigation, Facebook could also learn or make assumptions about the user’s religion (Muslim Pro), music interests (Shazam), salary and disposable income (Indeed Job Search) and interest in physical activities (MyFitnessPal). All of this information could be used to feed incredibly personalised advertisements to the user.

The big question which remains is whether this could be perceived as a violation of GDPR. Facebook has stated it released an update to the SDK which allowed developers to suspend the automatic data transfers, though this was only for version 4.34 and later. With the Opt-out section (the Google advertising ID) automatically turned off, some might suggest the user is being led as opposed to asked.

Another factor which could work against Facebook is the collection of data on users who do not have Facebook accounts; this is much more suspect. As per GDPR, a company has to have a specific and justified reason to collect personal information. It does appear Facebook is collecting information on users despite having no purpose or valid reason to do so.

With fines for violating GDPR up to 3% of annual turnover, the stakes are very high. This could prove to be one of the first tests of the rules, designed to protect the privacy of the general public, and few will be surprised Facebook is a central character in the story. With the social media giant seemingly antagonising many governments around the world, we suspect there will be a queue forming to have a swing with the sharp GDPR stick.

Facebook and Google accused of GDPR ‘forced consent’

It turns out that imposing extra layers of bureaucracy on companies can bring about unintended consequences, who knew?

Among the inevitable deluge of emails sent by companies desperate to be seen to be doing the bare minimum in compliance with the General Data Protection Regulation (GDPR) that came into effect in Europe today, have been those requesting blanket opt-ins. They usually feature handy one-click buttons that most people presumably use just to be able to put this trying week behind them. The underlying threat is that users either agree to everything or get kicked off the service.

Campaigning group noyb.eu (none of your business), headed by prominent data privacy complainer Max Schrems, is not happy with how Facebook and Google have gone about interacting with their users on this matter. So it has filed complaints against the two and also Facebook subsidiaries Instagram and WhatsApp, in four different countries to make sure it’s nice and pan-European.

“The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR),” says the complaint. “Consequently access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017.”

Using language apparently taken from the pages of 50 Shades of Grey, companies seem to be imposing forced consent on their users in order to achieve basic compliance with the GDPR regulations. But if this complaint has merit, which it seems to, then these tech giants might end up getting a thorough spanking from the European Commission.