HMD moves Nokia phone user data storage to Finland

HMD Global, the maker of Nokia-branded smartphones, announced that it is moving the storage of user data to Google Cloud servers located in Finland, to ease concerns about data security.

The phone maker announced the move in the context of its new partnership with CGI, a consulting firm that specialises in data collection and analytics, and Google Cloud, which will provide HMD Global with its machine learning technologies. The new models, Nokia 4.2, Nokia 3.2 and the Nokia 2.2, will be the first ones to have the user data stored in the Google Cloud servers in Hamina, southern Finland. Older models that will be eligible for upgrading to Android Q will move the storage to Finland at the upgrade, expected to take place from late 2019 to early 2020. HMD Global commits to two years’ OS upgrades and three years’ security upgrades to its products.

HMD Global claims the move will support its target to be the first Android OEM to bring OS updates to its users, and to improve its compliance with European security measures and legislation, including GDPR. “We want to remain open and transparent about how we collect and store device activation data and want to ensure people understand why and how it improves their phone experience,” said Juho Sarvikas, HMD Global’s Chief Product Officer. “This change aims to further reinforce our promise to our fans for a pure, secure and up to date Android, with an emphasis on security and privacy through our data servers in Finland.”

Sarvikas denied to the Finnish news outlet Ilta-Sanomat that the move was a direct response to privacy concerns triggered by the controversy earlier this year when Nokia-branded phones sold in Norway were sending activation data to servers in China. At that time HMD Global told Telecoms.com that user data of phones purchased outside of China is stored in AWS servers in Singapore, which, the company said, “follows very strict privacy laws.” However, according to GDPR, to take user data outside of the EU, the company would have had to obtain explicit consent from its EU-based users.

Sarvikas claimed that the latest decision to move storage to Finland has been a year in the making and is part of the company’s overall cloud service vendor swap from Amazon to Google. “Staying true to our Finnish heritage, we’ve decided to partner with CGI and Google Cloud platform for our growing data storage needs and increasing investment in our European home,” Sarvikas added in the press release.

Francisco Jeronimo, Associate VP at IDC, saw this as a positive action by HMD Global, calling it on Twitter a good move “to address concerns about data privacy”.

UK consumers are resigned to poor data security, research finds

New EY research into the UK’s digital households found that over four in ten consumers believed their data would never be fully secure, despite recent regulatory changes including GDPR.

The consulting firm EY has published the security section of its annual survey of UK households about their digital lives. The good news is that the majority of consumers are aware of the new data protection regulations. Close to seven out of ten consumers know GDPR and “what this means for how their data is stored, managed and used”. The bad news is that confidence in the effectiveness of the legal measures is low. Only 43% of consumers “believe that the changes resulting from GDPR will significantly improve the security of their personal data”. Worse still, an almost equal number of consumers (41%) have almost given up, thinking it “impossible to keep their personal data secure when using the internet or internet-enabled devices”.

When it comes to who to trust to keep personal data secure, broadband providers and utility companies came out on top, winning the trust of 28% and 21% of the households surveyed respectively. At the other end, mobile app developers and social networks fared the worst, being trusted by only 2% and 3% of all households. Mobile operators and pay-TV providers also came closer to the bottom of the table than to the top.

EY digital household trust in data security 2019

EY thinks at least three lessons can be learned from the findings:

  1. Businesses should put trust at the heart of all customer interactions;
  2. Businesses should communicate about security with purpose, clarity, and consistency;
  3. Businesses should ensure that their innovation agenda is built on an ethical data management system.

This report is part of the overall “Decoding the digital home” project and is based on a survey of 2,500 UK households.

Amazon China staff were reportedly selling-on user data

Amazon is conducting an internal investigation into allegations that its staff in China received bribes from merchants for user data.

According to a report by the Wall Street Journal, staff of the online retailing giant’s China operation received between $80 and more than $2,000 to pass internal user and sales data to brokers, who would then re-sell it to merchants who do business on the Amazon platform. According to the WSJ report, it was not only Amazon’s internal sales metrics and users’ email addresses that were sold; additional services were also on offer. The staff would help the buyers to delete negative reviews and to re-open banned Amazon accounts.

It is said the malpractice was particularly rampant in Amazon’s office in Shenzhen, the city bordering Hong Kong. It is not the first time China’s online retailers have suffered from a data security compromise. Back in 2016 over 20 million of Alibaba’s users had their data hacked. Nor is this the first time that Amazon has found itself at the centre of data leaking controversies, but earlier cases were related to its cloud service AWS. So it is astonishing that in the present case, data was not breached by hacking but through blatant criminal transactions. It is not clear how many users have had their data sold.

Amazon released a statement saying “We have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behaviour, we will take swift action against them, including terminating their selling accounts, deleting reviews, withholding funds, and taking legal action.”

Amazon set up its business in China in 2004 after acquiring a competing online bookshop, Joyo, for $75 million. It was rebranded Amazon China in 2011.

The security of Polar users’ data could be compromised, in a big way

The Finnish fitness device and software maker Polar has found itself at the centre of a data leaking scandal, which it is feared could jeopardise the security of personnel on sensitive missions.

In a country where personal space and privacy are highly respected, Finland can be rather transparent too. Every year at the beginning of November, the tax office grants public access to data on how much income and capital gains everyone made in the previous year, as well as how much tax has been paid.

The country also produced Polar, the company that invented the portable heart beat reader. More recently its professional heart beat monitor system was credited with being largely behind the scientific training at Leicester City Football Club, which went on to win the Premier League in 2016.

But it is safe to say Polar has taken transparency too far. After months of investigation, the Dutch independent media De Correspondent, in conjunction with the British “citizen journalism” website Bellingcat, and the Finnish investigative journalist Hanna Nikkanen on Long Play (in Finnish), published the findings on how anyone with a Polar account was able to see all the details of anyone else who publicly shared their workout sessions on Polar’s user interface app Flow.

Data extracted include the names, as well as time-stamped GPS data of all the workouts uploaded since 2014. When zoomed out, the aggregated data would generate a clustered view of the user’s activity pattern on the map. This could lead to a rather accurate estimate of the user’s home base, where most exercises started and ended, including places in sensitive locations, e.g. military bases in Iraq or Afghanistan. With some additional cross-search on social networks, the user’s professional affiliation, including those of the military and secret service, could be made available.

By the time they published their reports, the journalists had managed to gather personal and professional details of more than 6,000 Polar users, including those working for the NSA of the US, Britain’s GCHQ and MI6, Russia’s GRU and SVR RF, France’s DGSE, the Finnish military, as well as the Dutch MIVD.

The journalists notified the Dutch and Finnish authorities as well as reaching out to Polar before they published the findings. The app was disabled remotely on official phones issued to its employees by the Dutch and Finnish Defence Ministries, and warnings were sent out to private device users. However, Polar did not formally take down the feature until yesterday (9 July), more than two weeks after being contacted by the journalists and after a forlorn attempt to defend itself by claiming that the company had not leaked the users’ data.

Finland’s Data Protection Ombudsman is looking into the matter. Because its failure to safeguard user data has affected users in other EU countries, the possibility that the case could be brought under the new GDPR cannot be ruled out.

Polar was not the first fitness app to score own goals. As a matter of fact, it was the high-profile case of Strava leaking training data in military bases, which made headlines at the beginning of the year, that prompted the independent journalists to look into the vulnerability of other apps, including Polar. What makes the Polar case stand out is the ease with which users’ private data could be extracted, and the slow reaction from the company.

The ramifications of the case could be profound. The journalists have found that similar data could also be extracted from other fitness apps like Endomondo, Runkeeper and Garmin, albeit with a bit more skill. This could result in authorities banning all similar apps from use by employees in sensitive functions, just to be on the safe side. The Finnish military had already banned the sharing of location data on social networks even before the Strava case, but the rank and file servicemen and the reservists largely ignored the order, according to Long Play.

In her testimony to Congress, the newly appointed Director of the CIA, Gina Haspel, declared she has no social network accounts. This could move from a voluntary decision to a mandatory order for employees on sensitive missions. Profiles on social networks like LinkedIn and Facebook have made it straightforward for the journalists to join the dots and put together the Polar users’ personal and family details, functions, and locations.

In our latest annual survey published at the end of last year, nearly 95% of the network operators described security as being either critical (69%) or important (25%) to their company’s overall technology and business. Clearly other service providers including device makers and app developers should also enhance their awareness and subject their products to more rigorous security tests.