Slashdot Mirror


Lumia Phones Leaking Private Data To Microsoft

New submitter Albietta writes "Two independent sources inside Nokia have confirmed that Nokia Lumia phones send private information to Nokia and Microsoft servers around the world. Location data, SMS messages and browser identification are uploaded. The Nokia leadership has known about the privacy violation since 2011 when the Lumia phones were introduced. In spring 2013, after suspicions of leaks and during the negotiations for selling off the mobile phone branch to Microsoft, the Finnish state communications department sent an inquiry to Nokia regarding leaking of private data, asking Nokia to assure that users' private data is not leaked. Nokia did not want to (or could not) provide an assurance due to the delicate business negotiations. After two more inquiries with narrower demands, Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws. Microsoft is apparently also following Lumia user accounts. On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage."

18 of 110 comments

  1. That doesn't sound like a "leak". by Anonymous Coward · · Score: 5, Insightful

    That looks like it is deliberate.

    Had it only gone to Nokia's servers then it could have been an accident - not removing certain debugging code, for instance, used for tracing.

    But sending to Microsoft servers as well as Nokia servers... that is more like a deliberate action.

    1. Re:That doesn't sound like a "leak". by WaffleMonster · · Score: 3, Interesting

      I wonder whether it's FUD around the option (probably defaulted to opt-in) to participate in Microsoft's "feedback" program.

      I don't think there is anything that is overblown.

      If you associate your Windows phone with an account (required to load software from the only source permissible, the Windows app store), the phone also periodically and on demand of Microsoft uploads your location to a Microsoft server, and there is **NOTHING** you can do about it and no way you can turn it off short of wiping the device and never associating an account, which means not using the app store and paying a hefty premium to use what is then essentially a "feature phone".

      Microsoft's WP does not respect your privacy by default and there is no lever you can pull that changes this.

  2. Wow... by Farmer+Pete · · Score: 5, Insightful

    Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws.

    How much non-3rd party software does a Nokia phone ship with? I mean, if you aren't including the OS on the phone as Nokia's responsibility, then what exactly are they responsible for?

    1. Re:Wow... by vyvepe · · Score: 2

      Hardware and firmware? They probably wanted to say: "Our phones do not snoop at the hardware and firmware level. Anything at the higher levels is not our business."

    2. Re:Wow... by hydrofix · · Score: 4, Informative

      I mean, if you aren't including the OS on the phone as Nokia's responsibility, then what exactly are they responsible for?

      This is indeed an absolutely ridiculous and priceless statement.

      To understand why they gave such a statement, we must know some background. The whole debacle started in 2012 when the Finnish government's IT department had a meeting with Nokia, where Nokia's management assured them that Nokia's Lumia phones had superior security and user privacy to both iPhone and Androids. Consequently, the government bought several Lumia phones for top officials who engage in sensitive communication, like the Prime Minister. Thanks to Snowden leaks, the government in 2013 then received contrary information: that Lumia phones were just as hackable as other smartphones through the inclusion of the Microsoft operating system.

      Consequently, the Finnish Communications Regulatory Authority (FICORA) made an officially actionable inquiry to Nokia regarding whether the devices they sold indeed revealed the user's confidential communications, location information and other private information without the user's authorization. The authority warned that if the corporation had knowledge that the phone was leaking such data, and did not answer truthfully, it could be held liable under the criminal law for false statement in official proceedings and failing to report a serious offence.

      The company then replied that they were unable to officially give such an assurance (i.e. they probably knew that the device was leaking private data). Then, FICORA made another official inquiry, asking for even a smaller set of privacy assurances. Nokia was again unable to give an official assurance of privacy of its devices, so in August 2013 officials from FICORA and Nokia had an informal meeting where they tried to find common ground: what kind of privacy assurances Nokia could actually give about its devices. Turns out, Nokia could only go as far as to assure that it had not installed any additional spying modules – and only to those devices that it was selling in Finland, anyway.

      So they delimited the official assurance that Nokia should give to only concern the hardware and software it had itself made and was selling in Finland, excluding actions of their subcontractors and business partners (like Microsoft). Well, Nokia was able to give such an assurance, even if it is obviously of no value to consumers. But the company had something to show for FICORA: at least Nokia itself takes Finnish and EU privacy regulations seriously, even if it is in partnerships with other corporations for which it cannot make equal assurances.

  3. CP hysteria by tepples · · Score: 5, Informative

    On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage.

    This says more about the hysteria in certain industrialized markets where all nudity is considered sexual for the purposes of zero tolerance regulations against production of alleged child porn. See also prosecutions of parents who photograph their children in the bathtub.

    1. Re:CP hysteria by cbhacking · · Score: 2

      Yyyep. Don't store your pictures in the cloud, folks. There's automated scanning (not just of Sky/OneDrive, but of others as well) that looks for anything it thinks is nudity, and flags it for human review. If said human decides it's nudity, or even if it could be considered erotic / is too risqué, they can and often will shut down your account. This has happened before. I admit I've never heard of it happening to related accounts owned by other companies (i.e. Microsoft killing somebody's Nokia account as well as their Microsoft account) but it's possible, I suppose. Or maybe Nokia flagged the images themselves. Or maybe the article author is confused and meant the Nokia user's Microsoft account is the one that got blocked (WP supports automatic picture uploads to what it still calls SkyDrive).

      And yes, the whole thing is bloody ludicrous. I don't even think it's a CP issue, really.. just general prudishness and puritanism turned up to 11.

      --
      There's no place I could be, since I've found Serenity...

    2. Re:CP hysteria by OzPeter · · Score: 2

      This says more about the hysteria in certain industrialized markets where all nudity is considered sexual

      Last week there was a "beat up" story on the local news as to how there is this church and worshippers who have services in the nude. The teasers didn't bother to mention that this church was in the middle of a nudist club.

      --
      I am Slashdot. Are you Slashdot as well?

  4. "Leaking" by FuzzNugget · · Score: 4, Insightful

    A sieve doesn't leak, it does what it's designed to do

  5. Sources? by adycarter · · Score: 2

    Seems a little light on actual proof there, even the source doesn't have a source for the magical "Lumia account closed as the user is a paedo" comment

    --
    Witty Comment Here

  6. I call it a bull by Anonymous Coward · · Score: 4, Informative

    I recall that it was stated in clear language that SMSes will be uploaded if I choose some option during initial setup for my Lumia.

    And if they mean the SkyDrive/OneDrive account as "Lumia user account", then I wouldn't be surprised that Microsoft screens uploaded (public?) pictures. Similar to how Google screens YouTube videos.

    1. Re:I call it a bull by cbhacking · · Score: 3, Informative

      Specifically, the option for SMS backup (it can be set up after initial boot, of course). Obviously, this requires sending your SMS. Now, they can (and should) be encrypted, but it still must send them. If they're inside an SSL tunnel (and nobody goofed their cert validation, the way Apple has apparently been doing...) then they should be secure in transit, at least.

      --
      There's no place I could be, since I've found Serenity...

  7. Re:Excluding third-party software, as the O.S. by ChristW · · Score: 2
    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  8. Re:EQUALITY by TheCarp · · Score: 2

    I think you miss what they mean when they say people. See, when the NSA spies on nameless faceless Americans, that is surveillance. It's not victimizing people. However, when they spy on someone like Angela Merkel, that is an outrage, because she is a real person with a face and a name... she is someone who matters.

    Corporations are people like Angela Merkel is a person. They are real, they matter. They are not you, some nameless faceless peon, barely fit to eat the scraps a real person drops from their table.

    --
    "I opened my eyes, and everything went dark again"

  9. In other news by jones_supa · · Score: 3, Interesting

    There's also a side story in this scoop which involves Nokia allegedly handing over user data to Finnish police without a warrant.

    YLE Uutiset - Police chief to look into Nokia phone spying claims

  10. Hang on a minute by RMH101 · · Score: 4, Informative

    This looks like a mountain being made out of a molehill. From TFA: "Lumia phones do not ensure the user’s privacy – at least no better than the phones of other big manufacturers"

    When you use a WP8 device, you are signed in using a Microsoft Account. Features like SMS backup, location services such as "Find My Phone" etc. need to send data back to MS in order to work. In fact when you first sign into a phone this is made explicitly clear, as it is during the install of any apps on the phone that require, say, location-based services. So whilst the implication of this article appears to be that there's something shady and underhand going on, until someone shows me a Wireshark trace that shows it, I'm calling BS.

    1. Re:Hang on a minute by Farmer+Tim · · Score: 2

      I'm calling BS.

      More secure than texting BS...

      --
      Blank until /. makes another boneheaded UI decision.

  11. List of WP8 security and privacy fails by WaffleMonster · · Score: 2

    1. The Find My Phone option can't be opted out of; there is no way to not have the device send location to Microsoft and still be able to use the device in even a remotely meaningful way.

    2. It is not possible to not be complicit in Microsoft's skyhook WiFi location mapping system.

    3. When your device connects to a WiFi network it sends unique device identifiers in the clear over the network; there is no way to stop it.

    4. Wireless security 100% completely utterly insecure by design due to total failure of device to validate certificate chain.

    5. Impossible for mortals to perform basic functions available as standard features on decades old "feature phones" such as contact synchronization without having to upload all of your contact information to Microsoft. My contacts are none of Microsoft's goddamn business.

    Windows Phone 8 is designed to violate your privacy at every turn while locking you into their curated app store.