Nokia-branded phones sent personal data from Norway to China

Norwegian media is reporting that private data of Nokia 7 Plus users may have been sent to a server in China for months. Finland’s data protection ombudsman will investigate and may escalate the case to the EU.

Henrik Austad, a Nokia 7 Plus user in Norway, alerted the Norwegian public media group NRK in February when he noticed that every time he powered on his phone it would ping a server in China and batches of data would be sent. The data included the phone’s IMEI numbers, SIM card numbers, the cell ID of the base station the phone was connected to, and its network address (the MAC address), and it was sent unencrypted. Investigation by NRK discovered that the recipient of the data is a domain (“http://zzhc.vnet.cn”) belonging to China Telecom.

Nokia 7 Plus pinging China server
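As an added example (not code from the article, NRK or HMD Global), here is a small scanner a network defender could run over outbound HTTP proxy logs to spot the pattern described above: plaintext requests carrying IMEI, ICCID, cell-ID and MAC values to an unexpected host. The whitespace-separated log format and the sample lines are constructed for the example; the zzhc.vnet.cn host is the one named in the article, the other hosts are placeholders.

```python
"""Flag outbound HTTP requests that carry device/subscriber identifiers in the clear."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in an assumed proxy format:
# "<timestamp> <client-ip> <method> <url> <body-or-dash>"
SAMPLE_LOG = """\
2019-02-03T07:12:01Z 10.0.0.23 POST http://zzhc.vnet.cn/report imei=356938035643809&iccid=8946071402334567890&cellid=0x1a2b3c&mac=02:00:00:aa:bb:cc
2019-02-03T07:12:05Z 10.0.0.23 GET https://update.example.invalid/check?v=1 -
2019-02-03T07:13:10Z 10.0.0.42 POST http://metrics.example.invalid/ping device=nokia7plus&imei=123456789012345
"""

IMEI_RE = re.compile(r"^\d{15}$")                 # 15 digits, Luhn-checked below
ICCID_RE = re.compile(r"^89\d{16,18}$")           # SIM serial: MII 89 + 16-18 digits
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
CELL_KEYS = {"cellid", "cell_id", "cid", "lac", "tac"}  # assumed parameter names


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by IMEI numbers; weeds out random 15-digit values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    timestamp: str
    client: str
    host: str
    plaintext: bool            # True when the request went over http://
    identifiers: dict = field(default_factory=dict)

    @property
    def severity(self) -> str:
        # Identifiers over plaintext HTTP are readable by anyone on the path.
        return "high" if self.plaintext else "medium"


def extract_identifiers(params: dict) -> dict:
    """Classify request parameters that look like hardware or subscriber identifiers."""
    found = {}
    for key, values in params.items():
        k = key.lower()
        for v in values:
            if IMEI_RE.match(v):
                found["imei"] = {"value": v, "luhn_valid": luhn_valid(v)}
            elif ICCID_RE.match(v):
                found["iccid"] = {"value": v}
            elif MAC_RE.match(v):
                found["mac"] = {"value": v}
            elif k in CELL_KEYS:
                found["cell"] = {"key": k, "value": v}
    return found


def scan_log(text: str) -> list:
    """Return one Finding per request whose query string or body carries identifiers."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, body = line.split(maxsplit=4)
        parts = urlsplit(url)
        params = parse_qs(parts.query, keep_blank_values=True)
        if body != "-":
            params.update(parse_qs(body, keep_blank_values=True))
        ids = extract_identifiers(params)
        if ids:
            findings.append(Finding(ts, client, parts.hostname, parts.scheme == "http", ids))
    return findings


def plaintext_hosts(findings: list) -> list:
    """Distinct destinations that received identifiers unencrypted, for triage or blocking."""
    return sorted({f.host for f in findings if f.plaintext})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.severity, f.timestamp, f.client, "->", f.host, sorted(f.identifiers))
    print("plaintext destinations:", plaintext_hosts(scan_log(SAMPLE_LOG)))
```

The second sample line (HTTPS, no identifiers) produces no finding; the third shows why the Luhn check matters, since its IMEI-shaped value fails the checksum and can be triaged as a lower-confidence hit.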

HMD Global, the company behind the Nokia-branded phones, was set up by former Nokia executives, has licensed the Nokia brand, and is registered in Finland. The news was therefore quickly brought to the attention of Reijo Aarnio, Finland’s data protection ombudsman. “We started the investigation after receiving the news from the Norwegian Broadcasting Company (NRK) and I also consulted our IT experts. The findings showed this looks rather bad,” Aarnio said.

When talking to the Finnish state broadcaster YLE and the country’s biggest broadsheet newspaper Helsingin Sanomat (HS), the ombudsman also raised several serious concerns on which he said he would seek clarification from HMD Global early next week:

  • Are the users aware that their personal data are being transferred to China?
  • On what legal ground, if any, are personal data transferred outside of the EU?
  • Have corrective actions been taken to prevent similar cases from happening again?

Earlier, writing to NRK, Aarnio said his first thought was that this could be a breach of GDPR and, if true, the case would be brought before the European Union. (Although Norway is not an EU member state, Iceland, Liechtenstein and Norway, the three EEA countries which are not part of the EU, agreed to adopt GDPR two months after it came into effect in the EU.)

Replying to Telecoms.com’s enquiry, HMD Global, through its PR agency, sent this statement:

We can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed and no person could have been identified based on this data. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it.

Collecting one-time device activation data when the phone is taken into use for the first time is an industry practice and allows manufacturers to activate phone warranty. HMD Global takes the security and privacy of its consumers seriously.

Jarkko Saarimäki, Director of Finland’s National Cyber Security Centre (Kyberturvallisuuskeskus), which offered to support the ombudsman if needed, raised another point while talking to YLE: “In cases of this kind, the company should report the case to the Office of the Data Protection Ombudsman (tietosuojavaltuutetun toimisto) and inform the customers of the data security risk.” It looks as if what HMD Global has done is exactly the opposite: it quietly fixed the issue with a software update.

What exactly happened remains unclear, but the NRK investigation may shed some light. Further research into the data transfer took NRK investigators to GitHub, where they discovered code that would generate data transmissions similar to those from the Nokia 7 Plus in question, and to the same destination. This code resides in a subfolder called “China Telecom”. At the same level there are also subfolders for China Mobile and China Unicom, as well as other folders for different purposes. Henrik Lied, the NRK journalist who first reported the case, shared with Telecoms.com this subfolder structure that he captured on GitHub:

GitHub snapshot

Closer analysis of the code in question on GitHub by Telecoms.com gives a bit more insight. This is what we assume has happened: HMD Global or its ODM partner sourced the code from a developer with the GitHub username “bcyj” to transfer user data when a phone on the China Telecom network is started. But, by mistake, HMD Global loaded this code onto a number of Nokia 7 Plus units meant for Norway (“our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus”). When it realised the mistake, by whatever means, HMD Global released a software update to overwrite this code.

Incidentally, it looks as if the code was originally written for the Chinese OEM LeEco (which is largely defunct now), whose products, e.g. the Le Max 2, ran on the Snapdragon 820 platform with the MSM8996 modem. The modem was later incorporated in the mid-tier Snapdragon 660 platform which powers the Nokia 7 Plus.

There are still quite a few questions HMD Global’s statement does not answer.

  • How many users have been affected? And in which countries? The award-winning Nokia 7 Plus is one of the more popular models from HMD Global, and it is highly unlikely that a batch of products was made specifically for the Norwegian market, given its limited size. Could the same products have been shipped to other Northern European markets too?
  • Is China Telecom the only operator in China that requires phones on its network to be equipped with software that regularly sends personal data? We do not find similar programmes under the China Mobile or China Unicom subfolders at the same GitHub location.
  • Is HMD Global the only culprit? Or are other OEMs’ products on the China Telecom network, using the same Qualcomm modem, also running the same script every time the phone is powered on, but without having made the same mistake of mixing up regional variants as HMD Global did?
  • On what ground could HMD Global claim that the recipients of the data, or any other parties who have access to it (since it is sent unencrypted), will not be able to identify the individuals (“no person could have been identified based on this data”)? To defend itself, in its statement to NRK, HMD Global referred to the Patrick Breyer vs Bundesrepublik Deutschland case, in which the Court of Justice of the European Union (CJEU) ruled that whether a certain type of data qualifies as “personal data” should generally be assessed based on a “subjective / relative approach”. In the present case HMD Global seems to be arguing that the recipients of the data sent from the phones are not able to establish the identities of the users. It may have a point, as China Telecom (or other entities in China that receive the data) does not hold the identity information of the users. However, this is a weak defence. The CJEU sided with the German Federal Court of Justice because the point of dispute was dynamic IP addresses only, and the court deemed “that dynamic IP addresses collected by an online media service provider only constitute personal data if the possibility to combine the address with data necessary to identify the user of a website held by a third party (i.e. user’s internet service provider) constitutes a mean “likely reasonably to be used to identify” the individual”, as summarised by the legal experts Fabian Niemann and Lennart Schüßler. In the HMD Global case, however, a full set of private data was transmitted, not to mention transmitted unencrypted.
  • On what evidence did HMD Global claim that the data transmitted has not been processed or shared with third parties?

To be fair to HMD Global, this is not the first, and by no means the biggest, data-leaking incident involving communications products. For example, the IT and communication system at the African Union headquarters, supplied and installed by Huawei, was sending data every night from Addis Ababa to Shanghai for over four years before it was uncovered by accident. Huawei’s founder later claimed that the data leaking “had nothing to do with Huawei”, though it was not clear whether he was denying that Huawei was aware of it or claiming Huawei was not playing an active role in it.

Germany pushes back against US Huawei threats

It has tried scaring her, convincing her with niceties, the diplomatic approach and finally threats, but the US cannot seem to break the will of German Chancellor Angela Merkel over Huawei.

Speaking at the Global Solutions Summit this week, Merkel continued to defy the desires and demands of the US over China and its telco champion Huawei. Germany is not only standing resolute against the political propaganda; this message seems to be more of a push back against the White House.

“There are two things I don’t believe in,” Merkel said during the interview. “First, to discuss these very sensitive security questions publicly, and second, to exclude a company simply because it’s from a certain country.”

This has been the ongoing message from Germany, and it seems the US threat of intelligence exclusion has fallen on deaf ears. Germany wants proof of nefarious activities, and it will not make a knee-jerk reaction to punish a company (or a country for that matter) when the drivers are political and economic.

While there is of course a threat of espionage from the Chinese Government, this ongoing narrative is one chapter in the wider US/China trade saga. Threats should of course be assessed and mitigated in a reasonable fashion, but you must consider all branches of the storyline. And Germany isn’t buying into US chest beating.

In terms of what has actually been said, there are five key takeaways:

  • Sensitive security issues should not be discussed on the public stage
  • Punishing a single company is not the right way to ensure security
  • Targeting China due to its economic success is unfair
  • Security requirements should be across the ecosystem to mitigate risk
  • The same security requirements should be escalated to a European level

Each of these points, made by Merkel this week and by various German government agencies for months, is completely fair, reasonable and pragmatic. But fair, reasonable and pragmatic does not help the US.

Why is Germany resisting?

The simple answer is that it doesn’t make sense to ban Huawei.

Firstly, from a competition perspective the telco industry is not flush with vendors, especially ones which can offer the same scale as Huawei. Removing Huawei, and Chinese vendors across the board, reduces the number of vendors available for telcos to choose from. This weakens the negotiating position of the telcos and, theoretically, slows down the deployment march.

Secondly, a Huawei ban would impact some European nations more than others, and Germany is one of them. Huawei has deep relationships with German operators, with equipment embedded in 4G networks. Banning Huawei would potentially result in kit having to be ripped out and replaced, slowing down progress, while backward compatibility would also become more difficult, again slowing down progress.

With the world increasingly being defined by wireless, Europe’s largest economy cannot afford to slip too far behind in the 5G race. According to data from Opensignal, Germany has been falling behind numerous European nations when it comes to average 4G speeds.

While it might not have a massive impact on what we associate with connectivity today, primarily consumer smartphone applications and entertainment, with 5G promising a revolution in the way connectivity influences enterprise and the economy, this could become much more of an issue in Germany.

In short, Germany cannot afford to stomach the consequences of banning Huawei.

The turning tide of momentum

The anti-China rhetoric from the US has been consistent and loud over the last couple of months, though it does not seem to be gathering the same support as during the initial propaganda assault.

After Australia, Taiwan, South Korea, Japan and New Zealand seemingly turned against Huawei and China, the ear-whispering has not been as successful in Europe. The European continent has been a successful arena for Huawei in recent years, and such is the dependence of telco infrastructure on the vendor, it is unsurprising these nations are resisting the call to ban Huawei.

While individual states have been pushing back against US ambitions, this leaves their governments in slightly precarious positions. Such is the power and influence of the US economy that individual European nations will be in a frustrating negotiating position when defying US requests. However, escalating to a European level changes the dynamics.

This is perhaps why Merkel is keen to escalate this discussion to European Commission level. The power of the collective against US ambitions is an excellent way to mitigate risk on an individual level. Sovereign nation states often begrudgingly hand over power to the Brussels bureaucrats, but in this instance, it might prove to be a very pragmatic idea.

The European Commission was reportedly looking into new rules which would effectively ban member states from purchasing equipment from Chinese companies (although China would not be mentioned specifically), but we can’t see this carrying through. Brussels would face a huge amount of backlash when seemingly contradicting the wishes of the majority of its member states.

That said, should the US be able to produce concrete evidence of Chinese espionage and collusion with Huawei, attitudes could shift incredibly quickly.

What does this mean for Huawei?

This is neither good nor bad; it’s pretty much maintaining the status quo.

Being banned in the US won’t really impact the prospects of the business, as it never really cracked this market, while it will continue to maintain its healthy position in Asia. Europe is a key battleground though.

Europe is in a difficult position. It needs to tread carefully to ensure it can still use equipment from the vendor. European governments will not want to ban Huawei and this continued resistance is a good sign for Huawei. Germany and the UK, two influential voices across the bloc, are both preparing frameworks to allow Huawei’s business to continue, and should such ambitions be escalated to the European Commission, these trends would likely continue.

Due to ongoing security concerns, some of which are not fairy tales despite a lack of evidence, and telcos’ desire to introduce more diversity into the supply chain, Huawei is unlikely to dominate the 5G world in the same way it did 4G. This is far from a secure position, as politics has a way of U-turning occasionally, but the anti-Huawei brigade is starting to run out of puff.

US warns UK on efforts to cage Huawei

The UK Government feels it is capable of mitigating any risk associated with Huawei 5G equipment, but the US is not so sure.

According to the Financial Times, a US delegation has reached out to the UK Government warning its means of testing and monitoring Huawei equipment will not protect it against any curious eyes from the Chinese Government. How this warning is received could dictate the US/UK relationship over the coming months.

The UK, and generally Europe on the whole, has taken a much more pragmatic approach in dealing with the potential threat of Chinese espionage. While the US was quick to banish any Chinese equipment from critical infrastructure, European governments are implementing new regulations and conditions to heighten security requirements, theoretically mitigating risk while also allowing telcos the luxury of increased choice.

This might sound like a perfectly logical way to manage a potentially nefarious situation, but the US is not happy. Perhaps this is evidence of the eroding influence which the US has on the world and a shift in the geo-political landscape. Once upon a time, US politicians might have been able to whisper in the ears of the European political elite and achieve their aims, but this does not seem to be the case anymore.

US officials fear that because 5G networks will be software-oriented, any equipment embedded in communications networks could be altered at a later date, creating virtual backdoors at will. Theoretically, this is a genuine risk; however, nefarious individuals at any juncture of the supply chain, in any country, for any vendor, could also create the same vulnerability.

Although the National Cyber Security Centre is yet to respond to the comments from the US, CEO Ciaran Martin played down fears during a conference speech last week.

“Huawei’s presence is subject to detailed, formal oversight, led by the NCSC. Because of our 15 years of dealings with the company and 10 years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company. We also have strict controls for how Huawei is deployed. It is not in any sensitive networks — including those of the government. Its kit is part of a balanced supply chain with other suppliers.”

While the US has been visiting various countries around the world in an attempt to convince governments to ban Chinese companies, successes are becoming less frequent. European governments in particular have seemingly been very resistant to the idea, with the US reportedly threatening Germany with consequences; should the Germans allow Huawei into their networks, German intelligence agencies would not be granted access to US intelligence databases.

This plea to the UK Government seems to be setting up a similar timeline; should the UK not react in the same manner, the US might well start thumping its chest and stamping its feet, threatening a similar exclusion.

What is worth noting is that while the US is preaching the benefits of a total ban on Huawei and other similar Chinese vendors, it has not done so itself. Chinese companies are barred from providing products and services in most critical and sensitive areas, but the White House has not gone as far as a complete ban. Perhaps the worry is over repercussions from the Chinese, though it does not seem to care whether China punishes its allies.

European Parliament expresses ‘deep concerns’ about Chinese 5G kit threat

The European Parliament has adopted a resolution calling for the European Commission to do something about China.

The resolution cropped up as the Parliament was also adopting the EU Cybersecurity Act, which will create the first EU-wide cybersecurity certification scheme once it has finished its meandering journey through the EU’s byzantine bureaucracy. It seems to be some kind of ‘kite mark’ that will certify a piece of kit has met the EU’s cybersecurity standards, and seems to view 5G

“MEPs express deep concern about recent allegations that 5G equipment may have embedded backdoors that would allow Chinese manufacturers and authorities to have unauthorised access to private and personal data and telecommunications in the EU,” said the announcement.

“They are also concerned that third-country equipment vendors might present a security risk for the EU, due to the laws of their country of origin obliging all enterprises to cooperate with the state in safeguarding a very broad definition of national security also outside their own country. In particular, the Chinese state security laws have triggered reactions in various countries, ranging from security assessments to outright bans.”

This comes hot on the heels of reports that the US has been laying some serious pressure on Germany to play ball when it comes to China – i.e. ban Huawei from 5G. On top of all this the European Commission has also proposed ten further actions around the bloc’s ongoing relationship with China, which you can see below.

Action 1: The EU will strengthen the EU’s cooperation with China to meet common responsibilities across all three pillars of the United Nations, Human Rights, Peace and Security, and Development.

Action 2: In order to fight climate change more effectively, the EU calls on China to peak its emissions before 2030, in line with the goals of the Paris Agreement.

Action 3: The EU will deepen engagement on peace and security, building on the positive cooperation on the Joint Comprehensive Plan of Action for Iran.

Action 4: To preserve its interest in stability, sustainable economic development and good governance in partner countries, the EU will apply more robustly the existing bilateral agreements and financial instruments, and work with China to follow the same principles through the implementation of the EU Strategy on Connecting Europe and Asia.

Action 5: In order to achieve a more balanced and reciprocal economic relationship, the EU calls on China to deliver on existing joint EU-China commitments. This includes reforming the World Trade Organisation, in particular on subsidies and forced technology transfers, and concluding bilateral agreements on investment by 2020, on geographical indications swiftly, and on aviation safety in the coming weeks.

Action 6: To promote reciprocity and open up procurement opportunities in China, the European Parliament and the Council should adopt the International Procurement Instrument before the end of 2019.

Action 7: To ensure that not only price but also high levels of labour and environmental standards are taken into account, the Commission will publish guidance by mid-2019 on the participation of foreign bidders and goods in the EU procurement market. The Commission, together with Member States, will conduct an overview of the implementation of the current framework to identify gaps before the end of 2019.

Action 8: To fully address the distortive effects of foreign state ownership and state financing in the internal market, the Commission will identify before the end of 2019 how to fill existing gaps in EU law.

Action 9: To safeguard against potential serious security implications for critical digital infrastructure, a common EU approach to the security of 5G networks is needed. To kickstart this, the European Commission will issue a Recommendation following the European Council.

Action 10: To detect and raise awareness of security risks posed by foreign investment in critical assets, technologies and infrastructure, Member States should ensure the swift, full and effective implementation of the Regulation on screening of foreign direct investment.

US mulls bill for minimum IoT security requirements

A cross-party delegation of US politicians has introduced a bill which aims to create minimum security standards for any IoT devices used by government agencies and departments.

Led by Democratic Congresswoman Robin Kelly and Republican Congressman Will Hurd, the bill has gained notable support already. While this is a perfectly logical step forward to ensure the integrity and resilience of government systems, the fact the politicians seem to be taking an impartial approach, not targeting a single company or country, is much more encouraging.

“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure,” said Kelly. “Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices. It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”

“Internet of Things devices will improve and enhance nearly every aspect of our society, economy and our day-to-day lives,” said Hurd. “This is ground-breaking work and IoT devices must be built with security in mind, not as an afterthought. This bipartisan legislation will make Internet of Things devices more secure and help prevent future attacks on critical technology infrastructure.”

When discussing digital security, a mention of Huawei or China is never far away, but this seems to be an effort to mitigate risk on a much grander scale. Yes, the US does have ideological enemies it should be wary of, but it is critical politicians realise there are risks everywhere throughout the digital ecosystem.

It is easy to point the finger at China and the Chinese government when discussing cybersecurity threats, though this is lazy and dangerous. Having too much of a narrow focus on one area only increases the risk of exposure elsewhere. Such are the complexities of today’s supply chain, with companies and components spanning different geographies and sizes, the risk of vulnerability is everywhere. It is also very important to realise cybercriminals can be anywhere; when there is an opportunity to make money, some will not care who they are targeting. Domestic cybercriminals can be just as much of a threat as international ones.

This impartial approach, applying security standards to IoT devices regardless of origin, is a much more sensible way to ensure the integrity of networks and safeguard sensitive data.

Of course, this is not necessarily a new idea. Many security experts around the world have been calling for a standardised approach to IoT security, suggesting certification processes with minimum standards. Such a concept has already been shown to work with other products, such as batteries, so establishing a baseline for security should not be considered a particularly revolutionary idea.

What is also worth noting is that while this is a good idea and will improve protections, it is by no means a given that the bill will pass into law. A similar bill was launched in 2017, though it was quashed.

F5 makes agile move with $670 million NGINX acquisition

App security outfit F5 is buying open-source application platform specialist NGINX to augment its multi-cloud offering.

F5 is hardly the first to notice the importance of the cloud in the evolution of the entire tech industry, nor is it unique in realising that open-source is a great way of making a multi-cloud environment work. But for a company of its size (revenues of $563 million in 2018) this certainly qualifies as putting your money where your mouth is.

“F5’s acquisition of NGINX strengthens our growth trajectory by accelerating our software and multi-cloud transformation,” said François Locoh-Donou, CEO of F5. “By bringing F5’s world-class application security and rich application services portfolio for improving performance, availability, and management together with NGINX’s leading software application delivery and API management solutions, unparalleled credibility and brand recognition in the DevOps community, and massive open source user base, we bridge the divide between NetOps and DevOps with consistent application services across an enterprise’s multi-cloud environment.”

“NGINX and F5 share the same mission and vision,” said Gus Robertson, CEO of NGINX. “We both believe applications are at the heart of driving digital transformation. And we both believe that an end-to-end application infrastructure – one that spans from code to customer – is needed to deliver apps across a multi-cloud environment. I’m excited to continue this journey by adding the power of NGINX’s open source innovation to F5’s ADC leadership and enterprise reach. F5 gains depth with solutions designed for DevOps, while NGINX gains breadth with access to tens of thousands of customers and partners.”

Open source and DevOps are often referred to in the same breath as part of a broader narrative around ‘agility’. One of the main benefits of the move to the cloud is the far greater choice, efficiency and flexibility it promises, but without a culture geared towards exploiting those opportunities they’re likely to be wasted. With this acquisition F5 is positioning itself as a partner for telcos heading in an agile direction.

Here’s a diagram outlining the rationale of the move.

F5+NGINX

Germany outlines its 5G security requirements

Short and to the point, did we expect anything from the German 5G security requirements other than meet our standards and you can operate in our country?

“We regularly adapt the applicable security requirements to the current security situation and the state of the art,” said Jochen Homann, President of Bundesnetzagentur. “The security requirements apply to all network operators and service providers and they are technology-neutral, covering all networks, not just individual standards such as 5G.”

What is worth noting is that while 5G and international security concerns might be the catalyst to these requirements, they will be applied across all networks and communications infrastructure moving forward, as well as all vendors.

The announcement from Bundesnetzagentur, the German regulator, will come as a blow to the aggressive geo-political ambitions of the US. It seems the anti-Huawei propaganda is running low on fuel, and such is the weight of Germany’s influence across Europe, Chinese executives might be letting out a sigh of relief.

Although the new security requirements are only a concept for the moment, Bundesnetzagentur plans to release a draft of the rules for feedback over the next couple of weeks.

The requirements are quite broad-ranging, though there are enough clauses to ensure Germany is the master of its own fate. For example, critical components can only be used in communications infrastructure if they carry a certification recognised by the Federal Office for Information Security (BSI). Employees who install or manage this equipment will also have to be certified by German authorities.

There also seems to be a move towards the UK’s approach to monitoring and managing risk. As part of the new requirements, network traffic must be regularly and continuously monitored for abnormalities, while security-relevant network and system components must undergo regular and continuous security checks. This is a more forensic approach to network management, which allows companies like Huawei to operate in the country while the risk is managed.

Another interesting aspect to be included in the new rules addresses ‘monocultures’. Although this is a term which is usually used in agriculture, Bundesnetzagentur is essentially ensuring there is depth in the supply chain. Redundancy must be built into the networks through using multiple vendors for different segments and aspects of operations.

While this might create more work for telcos, vendors and regulators, we feel this is a more proportionate response to the risk of nefarious external parties. Simply banning one company, or companies from a single country, will not work, such are the complexities of the digital ecosystem. Vulnerabilities are everywhere, and the most pragmatic approach is to accept that 100% secure will never exist. It’s all about managing the risk most appropriately, and Germany seems to be taking a very sensible approach.

In the UK, the industry is eagerly awaiting the results of the Government’s supply chain review, which will potentially dictate how telcos interact with the vendor ecosystem. Rumours have emerged suggesting no single vendor can own more than 50% of a certain area, but we hope the result is somewhat similar to the German approach here. This seems to be the attitude of Vodafone also.

Speaking at a briefing in London, Vodafone UK CTO Scott Petty highlighted the team has been working with the National Cyber Security Centre (NCSC) to identify the levels of risk associated with each segment of the network (Radio, Transmission, Core), and building a diverse supply chain to mitigate risk where appropriate.

This approach has led to Chinese companies being excluded from certain areas, though on the radio side, where the risk has been deemed to be very low, Huawei supplies 32% of equipment. This approach allows best-in-breed kit to be considered, and considering the sheer volume of cell towers around the UK, even if some equipment is compromised, the impact would be incredibly minor. Resilience has been built in through volume, data encryption and security gateways.

Interestingly enough, Germany is taking another very sensible approach to managing risk: the assumption that everyone is nefarious. All components and equipment will have to be certified, not just those products from countries which are deemed underhanded by paranoid opinion. Every vendor’s supply chain is becoming increasingly complex, suggesting vulnerabilities could appear anywhere. This impartial approach to suspicion will certainly place Germany in a sound position.

A considered approach to security

While certain countries have taken a knee-jerk reaction to security requirements, pinning the blame of an insecure digital ecosystem on one country or a very limited number of countries, Germany is taking a much more considered approach.

Having such a laser-like focus on security, scrutinising single elements of the ecosystem, is incredibly dangerous. Cyber-criminals are incredibly intelligent, managing sophisticated networks through the dark web. If the risk of exposure becomes too high through a single route, another will be sought. Taking a blanket approach to security, as Germany is doing, minimises risk throughout the supply chain.

We suspect the Chinese government is not completely innocent in light of all the accusations, but we also believe they are not alone. Many of the fingers are being pointed in one direction, but Germany is not falling into that trap.

Security discussion needs to be bigger than Huawei – Vodafone UK CTO

Huawei is an obvious risk when you are assessing the vendor landscape, but to ensure supply chain resilience and integrity, focusing too narrowly on one company poses a bigger risk, according to Vodafone.

It might be easy to point the finger at China, but according to Vodafone UK CTO Scott Petty, this is a dangerous position to take. Despite a lack of evidence to suggest backdoors are being built into Huawei products, the world is determined to find one, but in reality, there isn’t a single company in the vendor ecosystem which can justifiably state they are 100% secure. This is the world we are living in; risk is everywhere.

“The discussion about Huawei is all managing the risk appropriately,” Petty said at a briefing in Central London.

Risk is a big topic at Vodafone UK right now, and this is clear when you look at how the vendor ecosystem is being managed.

On the radio side of the network, of the 18,000 base stations Vodafone has around the country, Huawei equipment accounts for 32% of them, Nokia 12% and Ericsson the remainder. Interestingly enough, Nokia equipment is being phased out in favour of Ericsson. Transmission is split between Juniper, Cisco and Ciena, while Cisco is responsible for the core. With this blend of vendors, and appropriate security gateways between each layer of the network, Petty feels Vodafone is managing the risk very appropriately.

And while some might suggest having this much exposure to Huawei might be a negative, Petty argues radio is such low risk it shouldn’t dictate play. You have to take into consideration the risk/benefit equation.

When assessing risk, Vodafone (working with the National Cyber Security Centre) considers two possible scenarios. Firstly, what is the risk of a nefarious actor leaching data from the network, and secondly, taking down the network. On the radio side of things, the exposure is very low.

Firstly, Vodafone has 18,000 base stations throughout the UK. Should one of these base stations be compromised, only the traffic going through that base station would be at risk. This will be a fraction of the total: devices will be handed off to other base stations as people move around, while the clear majority of internet traffic is encrypted nowadays. The likelihood of a nefarious actor trying to bleed valuable insight in this manner is low.

Secondly, even if one of these base stations is taken down by the external wrong-doer, this is only one of 18,000 base stations. To have a material impact on Vodafone’s network, hundreds or even thousands would have to be impacted simultaneously. This is not inconceivable, but highly unlikely. As Petty mentioned, it's all about evaluating and minimising risk.

This is where the discussion becomes incredibly complicated. Huawei is one of the leading names (if not the leader) in the radio segment; ignoring such a vendor is a difficult decision to make as a technologist, as you always want to use best in class.

For transmission, another area Huawei would be considered a leading name, the risk has been identified as medium. You would still need a lot of compute power to crack the encryption software, but Vodafone have decided to steer clear of Chinese vendors here.

Finally, onto the core, the most important part of the network. Petty pointed to O2’s issues last year, where a suspect Ericsson node effectively killed the entire network for a day, to demonstrate the importance of this component. Cisco is the vendor here, but this leads us onto the dangers of such a narrow focus on security.

When looking for signs of a telco vendor assisting a government for intelligence activities, there is arguably only one piece of concrete evidence to support such claims. Edward Snowden produced this evidence, proving Cisco was aiding the NSA for its own spying agenda. This is the reason we suspect the US is so convinced China is spying on the rest of the world; the US government is doing the same thing and therefore knows it is technologically possible.

We are of course not accusing Cisco of aiding the US government in this manner at this moment, but such is the sophistication and technological capabilities of those on the dark web, no company should consider themselves 100% secure. They have their own supply chains which could be vulnerable at some point. The complexities of this ecosystem mean nothing is 100% secure, therefore it comes down to risk assessment, and also the mitigation of risk through layers of security, gateways and encryption.

For Petty, the establishment of Huawei’s European cyber-security centre is a step in the right direction, though he would want the European Union to play an active role in its operations and for the net to be cast wider, considering all vendors. As mentioned before, too much of a narrow focus on one area heightens the risk in others.

However, the talk of a Huawei ban would be a disaster for everyone involved.

“We don’t think a complete Huawei ban would be a proportionate response,” said Helen Lamprell, Vodafone UK’s General Counsel & External Affairs Director.

If risk is appropriately managed and mitigated, business can continue as usual. Policy decision makers have to realise there is no such thing as 100% secure. A broad-sweeping ban on Huawei would be disastrous not only for Vodafone UK, but everyone in the connected economy.

Firstly, you have to think of the cost of removing all Huawei equipment. This would cost hundreds of millions and take a considerable amount of time. This would delay the introduction of 5G and fundamentally undermine the business case for ROI. It could set 5G back years in the UK, not only for Vodafone but the whole industry.

The supply chain review is currently working its way through the red maze of UK government, and while the certainty needs to arrive sooner rather than later, getting the review right is better than speed.

The message from Vodafone this morning was relatively clear and simple; the Huawei risk can be managed, but an outright ban would be disastrous.

Zuckerberg’s vision for Facebook: as privacy-focused as WhatsApp

The Facebook founder laid out his plan for the next steps in how Facebook will evolve, with a focus on privacy and data security, and promised more openness and transparency in the transition.

In a long post published on Facebook, Mark Zuckerberg first recognised that going forward, users may prefer more private communication than socialising publicly. He used the analogy of town squares vs. living rooms. To facilitate this, he aims to use the technologies of WhatsApp as the foundation to build the Facebook ecosystem.

Zuckerberg laid out principles for the next steps, including:

  • Private interactions: this is largely related to users’ control over who they communicate with, safeguarded by measures like group size control and limiting public stories being shared;
  • End-to-end encryption: this is about encrypting messages going through Facebook’s platforms. An interesting point here is that Zuckerberg admitted that Facebook’s security systems can read the content of users’ messages sent over Messenger. WhatsApp is already implementing end-to-end encryption and is not storing encryption keys, which makes it literally impossible for it to share the content of communication between individuals with any third parties, including the authorities. Zuckerberg recalled the case of Facebook’s VP for Latin America being jailed in Brazil to illustrate his point;
  • Reducing permanence: this is mainly about giving users the choice to decide how long they would like their content (messages, photos, videos, etc.) to be stored, to ensure that what they said many years ago would not come back to haunt them;
  • Safety: Facebook will keep the data safe against malicious attacks;
  • Interoperability: Facebook aims to make its platforms interoperable, and may extend this to be interoperable with SMS too;
  • Secure data storage: one of the most important points here is that Zuckerberg vowed not to save user data in countries which “have a track record of violating human rights like privacy or freedom of expression”.

To do all these right, Zuckerberg promised, Facebook is committed to “consulting with experts, advocates, industry partners, and governments — including law enforcement and regulators”.

None of these principles are new or surprising, and they are an understandable reaction to recent history, in which Facebook has been battered by scandals of both data leaking and the misuse of private data for monetisation purposes. However, there are a couple of questions that are not answered:

  1. What changes does Facebook need to make to its business model? In other words, when Facebook limits its own ability to penetrate user data, it weakens its value for targeted advertisers. How will it convince the investors this is the right step to take, and how will it compensate for the loss?
  2. Is Facebook finally giving up its plan to re-enter markets like China? Zuckerberg has huffed and puffed over the recent years without bringing down the Great Wall. While his peers at Apple have happily handed over the keys to iCloud and Google has been working hard, secretly or not so secretly, to re-enter China, how will the capital market react to Facebook’s public statement that “there’s an important difference between providing a service in a country and storing people’s data there”?