Lumia Phones Leaking Private Data To Microsoft

New submitter Albietta writes "Two independent sources inside Nokia have confirmed that Nokia Lumia phones send private information to Nokia and Microsoft servers around the world. Location data, SMS-messages and browser identification is uploaded. The Nokia leadership has known about the privacy violation since 2011 when the Lumia phones were introduced. In spring 2013, after suspicions of leaks and during the negotiations for selling off the mobile phone branch to Microsoft, the Finnish state communications department sent an inquiry to Nokia regarding leaking of private data, asking Nokia to assure that users' private data is not leaked. Nokia did not want to (or could not) provide an assurance due to the delicate business negotiations. After two more inquiries with narrower demands, Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws. Microsoft is apparently also following Lumia user accounts. On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage."

CP hysteria

[tepples]

On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage.

This says more about the hysteria in certain industrialized markets where all nudity is considered sexual for the purposes of zero tolerance regulations against production of alleged child porn. See also prosecutions of parents who photograph their children in the bathtub.

I call it a bull

I recall that it was stated in clear language that SMSes will be uploaded if I choose some option during initial setup for my Lumia.

And if they mean skydrive onedrive account as "Lumia user account", then I wouldn't be surprised that Microsoft screens uploaded (public?) pictures. Similar like Google screens youtube videos.

Re:I call it a bull

[cbhacking]

Specifically, the option for SMS backup (it can be set up after initial boot, of course). Obviously, this requires sending your SMS. Now, they can (and should) be encrypted, but it still must send them. If they're inside an SSL tunnel (and nobody goofed their cert validation, the way Apple has apparently been doing...) then they should be secure in transit, at least.

Re:Wow...

[hydrofix]

I mean, if you aren't including the OS on the phone as Nokia's responsibility, than what exactly are they responsible for?

This is indeed absolutely ridiculous and priceless statement.

To understand why they gave such a statement, we must know some background. The whole debacle started in 2012 when the Finnish government's IT department had a meeting with Nokia, where Nokia's management assured them that Nokia's Lumia phones had superior security and user privacy to both iPhone and Androids. Consequently, the government bought several Lumia phones for top officials who engage in sensitive communication, like the Prime Minister. Thanks to Snowden leaks, the government in 2013 then received contrary information: that Lumia phones were just as hackable as other smartphones through the inclusion of the Microsoft operating system.

Consequently, the Finnish Communications Regulatory Authority (FICORA) made an officially actionable inquiry to Nokia regarding whether the devices they sold indeed revealed the user's confidential communications, location information and other private information without the user's authorization. The authority warned that if the corporation had knowledge that the phone was leaking such data, and did not answer truthfully, it could be held liable under the criminal law for false statement in official proceedings and failing to report a serious offence.

The company then replied, that they were unable to officially give such an assurance (i.e. they probably knew that the device was leaking private data). Then, FICORA made another official inquiry, asking for even a smaller set of privacy assurances. Nokia was again unable to give an official assurance of privacy of its devices, so in August 2013 officials from FICORA and Nokia had an informal meeting where they tried to find common ground: what kind of privacy assurances Nokia could actually give about its devices. Turns out, Nokia could only go as far as to assure that it had not installed any additional spying modules – and only to those devices that it was selling in Finland, anyway.

So they delimited the official assurance that Nokia should give to only concern the hardware and software it had itself made and was selling in Finland, excluding actions of their subcontractors and business partners (like Microsoft). Well, Nokia was able to give such an assurance, even if it is obviously of no value to consumers. But the company had something to show for FICORA: at least Nokia itself takes Finnish and EU privacy regulations seriously, even if it is in partnerships with other corporations for which it can not make equal assurances.

Hang on a minute

[RMH101]

This looks like a mountain being made out of a molehill. From TFA: "Lumia phones do not ensure the user’s privacy – at least no better than the phones of other big manufacturers"
When you use a WP8 device, you are signed in using a Microsoft Account. Features like SMS backup, location services such as "Find My Phone" etc need to send data back to MS in order to work. In fact when you first sign into a phone this is made explicitly clear, as it is during the install of any apps on the phone that require, say, location based services. So whilst the implication of this article appears to be that there's something shady and underhand going on, until someone shows me a wireshark trace that shows it, I'm calling BS.