The Nokia 7 Plus has forwarded private data of some of its users to the Chinese state-owned company China Telecom. This has been confirmed by manufacturer HMD Global. The Finnish Data Protection Ombudsman is investigating whether HMD has violated the GDPR.
Norwegian public broadcaster NRK writes that a reader observed the data forwarding while monitoring network traffic with Wireshark. The data ended up on zzhc.vnet.cn, a server owned by China Telecom. Every time the phone was ‘turned on’, the software sent the SIM card and IMEI numbers, along with the cell tower to which the phone was connected, unencrypted to a server in China. It is unknown whether this problem also occurred in the Benelux.
The culprit turned out to be a service from chipmaker Qualcomm running in the background: com.qualcomm.qti.autoregistration.apk. That is presumably software to automatically register a phone on networks of China Telecom or other providers.
The German Dirk Wetter already wrote about the problem on Twitter in January. He writes that the Qualcomm apk appeared on his phone in December. Later he writes that the February update removed the apk and that his phone no longer sends any information.
Finnish Ombudsman Reijo Aarnio tells Reuters that he is examining whether personal data has been leaked and whether there was a legal basis for this. In an initial response, he says that it could at least be a violation of the GDPR.
HMD Global, manufacturer of the Nokia phones, confirms to NRK that a ‘part’ of the Nokia 7 Plus phones sent data to the server in China. According to the Finnish company, the ‘activation data’ was never processed and no personal information was shared with third parties or authorities. At the end of February, the company released a software update to fix the flaw. The company claims that “most” customers have installed the update.