Slashdot Mirror


Lumia Phones Leaking Private Data To Microsoft

New submitter Albietta writes "Two independent sources inside Nokia have confirmed that Nokia Lumia phones send private information to Nokia and Microsoft servers around the world. Location data, SMS messages and browser identification are uploaded. The Nokia leadership has known about the privacy violation since 2011 when the Lumia phones were introduced. In spring 2013, after suspicions of leaks and during the negotiations for selling off the mobile phone branch to Microsoft, the Finnish state communications department sent an inquiry to Nokia regarding leaking of private data, asking Nokia to assure that users' private data is not leaked. Nokia did not want to (or could not) provide an assurance due to the delicate business negotiations. After two more inquiries with narrower demands, Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws. Microsoft is apparently also following Lumia user accounts. On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage."

10 of 110 comments

  1. That doesn't sound like a "leak". by Anonymous Coward · · Score: 5, Insightful

    That looks like it is deliberate.

    Had it only gone to Nokia's servers then it could have been an accident - not removing certain debugging code, for instance, used for tracing.

    But sending to Microsoft servers as well as Nokia servers... that is more like a deliberate action.

    1. Re:That doesn't sound like a "leak". by WaffleMonster · · Score: 3, Interesting

      I wonder whether it's FUD around the option (probably defaulted to opt-in) to participate in Microsoft's "feedback" program.

      I don't think there is anything that is overblown.

      If you associate your Windows phone with an account (required to load software from the only source permissible, the Windows app store), the phone also periodically, and on demand of Microsoft, uploads your location to a Microsoft server, and there is **NOTHING** you can do about it and no way you can turn it off short of wiping the device and never associating an account, which means not using the app store, paying a hefty premium to use what is then essentially a "feature phone".

      Microsoft's WP does not respect your privacy by default and there is no lever you can pull that changes this.

  2. Wow... by Farmer+Pete · · Score: 5, Insightful

    Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws.

    How much non-3rd party software does a Nokia phone ship with? I mean, if you aren't including the OS on the phone as Nokia's responsibility, then what exactly are they responsible for?

    1. Re:Wow... by hydrofix · · Score: 4, Informative

      I mean, if you aren't including the OS on the phone as Nokia's responsibility, then what exactly are they responsible for?

      This is indeed an absolutely ridiculous and priceless statement.

      To understand why they gave such a statement, we must know some background. The whole debacle started in 2012 when the Finnish government's IT department had a meeting with Nokia, where Nokia's management assured them that Nokia's Lumia phones had superior security and user privacy to both iPhone and Androids. Consequently, the government bought several Lumia phones for top officials who engage in sensitive communication, like the Prime Minister. Thanks to Snowden leaks, the government in 2013 then received contrary information: that Lumia phones were just as hackable as other smartphones through the inclusion of the Microsoft operating system.

      Consequently, the Finnish Communications Regulatory Authority (FICORA) made an officially actionable inquiry to Nokia regarding whether the devices they sold indeed revealed the user's confidential communications, location information and other private information without the user's authorization. The authority warned that if the corporation had knowledge that the phone was leaking such data, and did not answer truthfully, it could be held liable under the criminal law for false statement in official proceedings and failing to report a serious offence.

      The company then replied that they were unable to officially give such an assurance (i.e. they probably knew that the device was leaking private data). Then, FICORA made another official inquiry, asking for even a smaller set of privacy assurances. Nokia was again unable to give an official assurance of privacy of its devices, so in August 2013 officials from FICORA and Nokia had an informal meeting where they tried to find common ground: what kind of privacy assurances Nokia could actually give about its devices. Turns out, Nokia could only go as far as to assure that it had not installed any additional spying modules – and only to those devices that it was selling in Finland, anyway.

      So they delimited the official assurance that Nokia should give to only concern the hardware and software it had itself made and was selling in Finland, excluding actions of their subcontractors and business partners (like Microsoft). Well, Nokia was able to give such an assurance, even if it is obviously of no value to consumers. But the company had something to show for FICORA: at least Nokia itself takes Finnish and EU privacy regulations seriously, even if it is in partnerships with other corporations for which it cannot make equal assurances.

  3. CP hysteria by tepples · · Score: 5, Informative

    On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage.

    This says more about the hysteria in certain industrialized markets where all nudity is considered sexual for the purposes of zero tolerance regulations against production of alleged child porn. See also prosecutions of parents who photograph their children in the bathtub.

  4. "Leaking" by FuzzNugget · · Score: 4, Insightful

    A sieve doesn't leak, it does what it's designed to do.

  5. I call it a bull by Anonymous Coward · · Score: 4, Informative

    I recall that it was stated in clear language that SMSes will be uploaded if I choose some option during initial setup for my Lumia.

    And if they mean SkyDrive OneDrive account as "Lumia user account", then I wouldn't be surprised that Microsoft screens uploaded (public?) pictures. Similar to how Google screens YouTube videos.

    1. Re:I call it a bull by cbhacking · · Score: 3, Informative

      Specifically, the option for SMS backup (it can be set up after initial boot, of course). Obviously, this requires sending your SMS. Now, they can (and should) be encrypted, but it still must send them. If they're inside an SSL tunnel (and nobody goofed their cert validation, the way Apple has apparently been doing...) then they should be secure in transit, at least.

      --
      There's no place I could be, since I've found Serenity...

  6. In other news by jones_supa · · Score: 3, Interesting

    There's also a side story in this scoop which involves Nokia allegedly handing over user data to Finnish police without a warrant.

    YLE Uutiset - Police chief to look into Nokia phone spying claims

  7. Hang on a minute by RMH101 · · Score: 4, Informative

    This looks like a mountain being made out of a molehill. From TFA: "Lumia phones do not ensure the user’s privacy – at least no better than the phones of other big manufacturers"
    When you use a WP8 device, you are signed in using a Microsoft Account. Features like SMS backup, location services such as "Find My Phone" etc need to send data back to MS in order to work. In fact when you first sign into a phone this is made explicitly clear, as it is during the install of any apps on the phone that require, say, location based services. So whilst the implication of this article appears to be that there's something shady and underhand going on, until someone shows me a Wireshark trace that shows it, I'm calling BS.