Nokia admits there may still be some Alcatel Lucent skeletons in the closet

Finnish kit vendor Nokia has filed its annual report with the SEC and in it flagged up some legacy issues from Alcatel Lucent that may still be a problem.

In the lengthy ‘risk factors’ section, Nokia indicates that, even years after it completed the acquisition of Alcatel Lucent, it’s still digging up stuff that may present some kind of threat to the company. Here’s the relevant passage in full.

“During the course of the ongoing integration process, we have been made aware of certain practices relating to compliance issues at the former Alcatel Lucent business that have raised concerns. We have initiated an internal investigation and voluntarily reported the matter to the relevant regulatory authorities, with whom we are cooperating with a view to resolving the matter. The resolution of this matter could result in potential criminal or civil penalties, including the possibility of monetary fines, which could have a material adverse effect on our business, brand, reputation or financial position.”

Asked for further comment on the matter, Nokia just stressed that “although this investigation is in a relatively early stage, out of an abundance of caution and in the spirit of transparency, Nokia has contacted the relevant regulatory authorities regarding this review.” There’s no reason not to take that statement at face value at this stage, but while the extent of the material effect this could have on Nokia remains uncapped, it will surely remain a significant concern.

Iran is also addressed in the risks section, with Nokia noting the dilemma that, while Europe is relaxing its sanctions against the country, the US is moving in the other direction and ramping them up. “As a European company it will be quite challenging to reconcile the opposing foreign policy regimes of the US and the EU,” it laments.

Since the US has shown an unlimited capacity for vindictiveness towards companies that do business with Iran, Nokia has sensibly decided not to do any more business there for the time being. “Although we evaluate our business activities on an ongoing basis, we currently do not intend to accept any new business in Iran in 2019 and intend to only complete existing contractual obligations in Iran in compliance with applicable economic sanctions and other trade-related laws,” said the filing.

Lastly the risks section also mentions HMD Global, which licenses the Nokia brand to put on its smartphones. It doesn’t make reference to any specific case but notes “Nokia has limitations in its ability to influence HMD Global in its business and other operations, exposing us to potential adverse effects from the use of the Nokia brand by HMD Global or other adverse development encountered by HMD Global that become attributable to Nokia through association and HMD Global being a licensee of the Nokia brand.” How timely.

Nokia-branded phones sent personal data from Norway to China

Norwegian media is reporting that private data of Nokia 7 Plus users may have been sent to a server in China for months. Finland’s data protection ombudsman will investigate and may escalate the case to the EU.

Henrik Austad, a Nokia 7 Plus user in Norway, alerted the Norwegian public media group NRK in February when he noticed that every time he powered on his phone it would ping a server in China and batches of data would be sent. The data included the phone’s IMEI numbers, SIM card numbers, the cell ID of the base station the phone is connected to, and its network address (the MAC address), and it was sent unencrypted. An investigation by NRK discovered that the recipient of the data is a domain (“http://zzhc.vnet.cn”) belonging to China Telecom.

[Image: Nokia 7 Plus pinging China server]

Because HMD Global, the company behind the Nokia-branded phones that was set up by former Nokia executives and has licensed the Nokia brand, is a Finland-registered company, the news was quickly brought to the attention of Reijo Aarnio, Finland’s data protection ombudsman. “We started the investigation after receiving the news from the Norwegian Broadcasting Company (NRK) and I also consulted our IT experts. The findings showed this looks rather bad,” Aarnio said.

When talking to the Finnish state broadcaster YLE and the country’s biggest broadsheet newspaper Helsingin Sanomat (HS), the ombudsman also raised a couple of serious concerns, on which he said he would seek clarification from HMD Global early next week:

  • Are the users aware that their personal data are being transferred to China?
  • On what legal ground, if any, are personal data transferred outside of the EU?
  • Have corrective actions been taken to prevent similar cases from happening again?

Earlier, when writing to NRK, Aarnio said his first thought was this could be a breach of GDPR, and, if true, the case would be brought in front of the European Union. (Although Norway is not an EU member state, Iceland, Liechtenstein, and Norway, the three EEA countries which are not part of the EU, agreed to accept GDPR two months after it came into effect in the EU.)

Replying to Telecoms.com’s enquiry, HMD Global, through its PR agency, sent this statement:

We can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed and no person could have been identified based on this data. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it.

Collecting one-time device activation data when the phone is taken first time into use is an industry practice and allows manufacturers to activate phone warranty. HMD Global takes the security and privacy of its consumers seriously.

Jarkko Saarimäki, Director of Finland’s National Cyber Security Centre (Kyberturvallisuuskeskus), which offered to support the ombudsman if needed, raised another point while talking to YLE: “In cases of this kind, the company should report the case to the Office of the Data Protection Ombudsman (tietosuojavaltuutetun toimisto) and inform the customers of the data security risk.” It looks like what HMD Global has done is exactly the opposite: it quietly fixed the issue with a software update.

What exactly happened remains unclear, but the investigation from NRK may shed some light. Further research into the data transfer took NRK investigators to GitHub, where they discovered a set of code that would generate data transmission similar to that on the Nokia 7 Plus in question, and to the same destination. This code resides in a subfolder called “China Telecom”. On the same level there are also subfolders for China Mobile, China Unicom as well as other folders for different purposes. Henrik Lied, the NRK journalist who first reported the case, shared with Telecoms.com this subfolder structure that he captured on GitHub:

[Image: GitHub snapshot]

Closer analyses of the code in question on GitHub by Telecoms.com seem to have given us a bit more insight. This is what we assume has happened: HMD Global or its ODM partner sourced the code from a developer by the GitHub username of “bcyj” to transfer user data when a phone on the China Telecom network is started. But, by mistake, HMD Global has loaded this set of code on a number of Nokia 7 Plus meant for Norway (“our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus”). When it realised the mistake, by whatever means, HMD Global released a software update to overwrite this code.

Incidentally, it looks like the code was originally written for a Chinese OEM, LeEco (which is largely defunct now), whose product, e.g. the Le Max 2, was running on the Snapdragon 820 platform with the MSM8996 modem. The modem was later incorporated in the mid-tier platform Snapdragon 660 which powers the Nokia 7 Plus.

There are still quite a few questions HMD Global’s statement does not answer.

  • How many users have been affected? And in what countries? The award-winning Nokia 7 Plus is one of the more popular models from HMD Global, and it is highly unlikely a batch of products were specifically made for the Norwegian market with its limited size. Could the same products have been shipped to other Northern European markets too?
  • Is China Telecom the only operator in China that requires phones on its network to be equipped with software that regularly sends personal data? We do not find similar programmes under the China Mobile or China Unicom subfolders on the same GitHub location.
  • Is HMD Global the only culprit? Or are other OEMs’ products on the China Telecom network and on the same Qualcomm modem also running the same script every time the phone is powered on, but they have not made the same mistake of mixing up regional variants as HMD Global did?
  • On what ground could HMD Global claim that the recipients of the data, or any other parties who have access to the data (as it is sent unencrypted), will not be able to identify the individuals (“no person could have been identified based on this data”)? To defend itself, in its statement to NRK, HMD Global referred to the Patrick Breyer vs Bundesrepublik Deutschland case, in which the Court of Justice of the European Union (CJEU) ruled that whether a certain type of data would qualify as “personal data” should generally need to be assessed based on a “subjective / relative approach”. In the present case HMD Global seems to be arguing that the recipients of the data sent from the phones are not able to establish the identities of the users. It may have a point, as China Telecom (or other entities in China that receive the data) does not have the identity information of the users. However, this is a weak defence. The CJEU sided with the German Federal Court of Justice because the point of dispute was dynamic IP only, and the court deemed “that dynamic IP addresses collected by an online media service provider only constitute personal data if the possibility to combine the address with data necessary to identify the user of a website held by a third party (i.e. user’s internet service provider) constitutes a mean “likely reasonably to be used to identify” the individual”, as was summarised by the legal experts Fabian Niemann and Lennart Schüßler. In the HMD Global case, however, a full set of private data were transmitted, not to mention transmitted unencrypted.
  • On what evidence did HMD Global claim that the data transmitted has not been processed or shared with third parties?

To be fair to HMD Global, this is not the first, and by no means the biggest data leaking incident by communication products. For example the IT and communication system at the African Union headquarters, supplied and installed by Huawei, was sending data every night from Addis Ababa to Shanghai for over four years before it was uncovered by accident. Huawei’s founder later claimed that the data leaking “had nothing to do with Huawei”, though it was not clear whether he was denying that Huawei was aware of it or claiming Huawei was not playing an active role in it.

Nokia phone saviour HMD hits unicorn status

HMD Global, the home of the re-booted Nokia devices, has raised $100 million from multiple investors to become the 24th company in 2018 to hit the $1 billion unicorn valuation status.

The round of investment was led by Geneva-based Ginko Ventures with participation from DMJ Asia Investment Opportunity and Wonderful Stars, with the funds to be used to scale business operations and fund the company’s growth in its second year. Initial plans will focus on growing its portfolio of Nokia devices and expanding channel reach in strategic markets. When HMD initially entered the segment it promised to spend $500 million to market the Nokia brand; this cash injection will certainly help.

“We are thrilled to have these investors join us in our journey to script the next chapter of Nokia phones,” said Florian Seiche, CEO of HMD Global.

“It is our ambition to deliver great smartphones that delight our fans while staying true to our Finnish roots and the hallmarks that the Nokia brand has always been known for. We aim to be among the top smartphone players globally and our success to date gives us the confidence to further continue on a growth path in 2018 and beyond.”

Over the first 12 months of operations, the team shipped 70 million Nokia-branded phones with activations coming from 170 markets. The devices are now sold at 250,000 retail outlets worldwide, posting total revenues of €1.8 billion during the first year, with an operational loss of €65 million. While the devices are generally targeted at the cash-conscious, who could forget the wave of nostalgia which captured the attention during 2017’s edition of Mobile World Congress?

Perhaps it was a perfect indication of how the smartphone market has stalled, but a 16-year-old rebooted device enthralled the halls of the Fira, only to be followed up at this year’s event with a re-release of the banana phone. For HMD it was a perfect storm of mundane features, over-pricing and nostalgia. Since re-launching the Nokia 3310 during 2017, the Finnish start-up has introduced 16 new devices and signed partnerships with the likes of Google and Zeiss.

“We are proud to contribute to the next phase of Nokia phones and the successful raising of this investment round,” said Jean-Francois Baril, Ginko Ventures Managing Director. “Personally, as someone who has long been associated with the Nokia brand, this journey is very exciting. From its roots in Finland, HMD Global has chosen an agile strategy that leverages global relationships and collaborations to achieve its phenomenal growth.”

Although some might have viewed the initial relaunch of the 3310 as a gimmicky ploy to capture column inches, you cannot argue with its success. As a re-entrant to the European market, HMD has managed to capture roughly 3.5% of shipments across 2018 Q1, taking it to fifth in the market share rankings. The success here has been leaning on operator relationships, which the team seem to want to double down on with this additional investment. It might be a bit soon to expect profitability at the firm, as it is still a footnote in the greater smartphone story, but progress in re-establishing the Nokia devices brand is certainly being made.

The real test will come before too long as the nostalgia bug dies off. Some trendy characters might still be excited by the idea, but when it gets in the way of feeding the digital habit, the sentiment will disappear rapidly. HMD will now have to show it can balance quirkiness with relevance and innovation; in short, it has to be more than a dated brand.