How does a phone maker 'mistakenly' collect user data and ship it off to a server in China?

Nokia 7 Plus

Recently, the Nokia 7 Plus — the best phone from the new HMD-owned Nokia by far — was found to be sending private data from a Norwegian user's phone to a remote server in China. It seems that every time the phone was turned on, unencrypted data containing Henrik Austad's location, the SIM card number, and the phone's serial number went flying through the tubes to a Chinese server. HMD Global says this was an "error in the packing process of software" and that it has been fixed.

This may be the most recent case of such a "mistake" but it's not the only one. Most notably, OnePlus was found to be doing the same thing in a beta build, and also fixed things pronto. We're glad the companies involved provide quick fixes, but how in the hell does this sort of "mistake" happen?

China has laws, too

For starters, collecting and sending the data isn't a mistake. The software was written this way on purpose and the data being collected and sent to China is supposed to be collected and sent to China. Just saying "it's a mistake" makes it sound like a software engineer somewhere screwed up while writing the code.

If you want to sell phones in China, you have to build tracking software into them.

Where the screw-up really happened is when the software was built for markets outside of China. The Chinese government requires users of mobile devices to provide this information every time they are being used. When you light up your screen, the Chinese version of Big Brother wants to know where you are and it does so by tracking the hardware by location. The debate about how horrible and overbearing this sort of law is aside, the people who wrote the OS for phones like the Nokia 7 Plus were required to do this and it sounds like they have done a good job.

If a company were to try and sell a phone that doesn't comply with these laws, it would face the wrath of the Chinese government. So would the software engineers who didn't include the "feature". It's no wonder why it's done for phones made and sold in China.

Norway is not China

Henrik Austad doesn't live in China. He wasn't visiting China when he noticed this, and most likely the phone in question hasn't been back to China since it was assembled. There is no reason for this data to be collected at all, let alone sent off to the Chinese government. So why did it happen?

Maybe the Q.C. department at HMD did this one on a Friday.

When the Chinese-made Nokia 7 Plus was built for other markets, it required a bit of software modification. Support for Chinese-specific network tech like TDMA can be removed, Mandarin is no longer the default language, and certain apps are removed or changed for a more Western point of view. Part of this process is to remove some of the code the Chinese government requires in order to fulfill its communication and transportation laws, like reporting who and where you are every time you unlock your phone.

I'm not going to pretend I know how difficult it is to find this in the code or how difficult it is to remove it. It very well could be weeks' worth of work; it also could be as easy as Control+F and the delete key. I have no idea because I've never seen the source code for a Chinese phone and probably don't ever want to see it. But I do know one thing: shipping a phone to be sold in Norway with this code still enabled is inexcusable.

"Mistakes" do happen. Sometimes more often than they should.

I'm not going to say HMD Global is at fault for anything other than overlooking something that should have never been overlooked. I'm also not going to have any ill will towards the (probably overworked and underpaid) developer(s) who missed it and said everything was good to go or the quality control department that didn't check things well enough before it was shipped. Sh&t Happens, and as long as it doesn't happen again, we should chalk it up as a stupid "mistake".

"Stuff" happens. Hopefully, it only happens once.

But if things like backdoors and secret data transmissions happen more than once — I'm looking at you, BLU — these companies need to be branded with a scarlet letter and shunned. I'd still buy a Nokia-branded or OnePlus phone, because things were handled correctly and quickly once the problems were found. I just think it's important that we all understand what happened and don't think it somehow resembles things like Huawei and ZTE's troubles with the U.S. government.

Carry on, HMD, but try and do better next time, OK?

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

32 Comments
  • Playing dumb doesn't get you to first base, Nokia! Oh, how did this happen.
  • The next question should be, was it really a mistake?
  • That was answered in the article, and yes, it was a mistake for it to be happening in Norway, but it's on purpose in China.
  • It is not a mistake.
  • What would Nokia gain if your ridiculous conspiracy was correct?
  • They never answer that. Lol
  • Well Nokia had a short run. Too bad.
  • They don't and hopefully this will take some steam out of the Huawei suit against the US.
  • Why? No one has found any evidence of Huawei sending data to China or having any backdoor. On the other hand, Edward Snowden has told us plenty of the NSA spying on everyone on Earth. For me though, I can care less about all of this. What are they, the NSA or the Chinese, are going to use my info? At least Google uses my info to send me ads.
  • Do you really think that the Chinese do not put spyware in their products?
  • dude, everybody does, clear?
  • Guess u don't mind being spied on by the enemy.
  • I don't deny it, but also I can confirm that my phone also has Spyware from Facebook (unable to uninstall bloatware/Spyware from a Yankee company) and it is so annoying that even when it is disabled, it enables itself again. What is worse, Yankee Spyware or Chinese, I think you will say Chinese because of racist reasons but for me both are the same.
  • There is evidence. Search: African union / Huawei / Hacking. Enjoy. Don't search "enjoy", I meant enjoy reading the articles. Well, not "enjoy", I doubt you would, I doubt anyone would, why would they? Anyway, be ambivalent reading the articles.
  • Instead of building the Chinese firmware and then shaving it off for western markets, why didn't they just make the simpler firmware first and then add the Chinese market specific codes on top?
  • That's how it should have been done...
  • That's not how the Chinese market works. Chinese market phones have backdoors in the BIOS which means they are completely different to overseas phones. Also, you don't add anything when you manufacture electronics. It's all made in batches and the chips are preinstalled in full from the beginning. Nokia already said a few phones were mixed up in production and ended up in Europe. That's all that happened, it's not a conspiracy. The phones were programmed to send data to China Telecom. Probably because that's the carrier for them... It's not that bizarre everyone. Also, to the writer, they don't "ship information" like it's a pallet of CD's. The phones are all programmed to automatically do things hence why the several leaked phones had this issue.
  • Yep. Chinese variants in Europe. Same thing if I go on Ebay and buy the Chinese variant of the Nokia Whatever.1
    Sure it works fine but it will function just like every other Chinese variant is programmed to do.
  • Sometimes phones are built for China only and the world gets annoyed and ask for a US or global version. So that can happen.
    Furthermore I don't live in the USA nor do I live in China so NSA, CIA, FBI or whatever 3 letter government agency along with the Chinese or FSB spying on me is unacceptable. Government spying on private citizens is just wrong. Don't condemn HMD or ZTE, ONEPLUS or others for something Google is proud of doing. Us spying, China spying is wrong. SPYING is wrong.
  • You guys have no idea what phones sold for the China market look like! All Android Phones sold for the China market don't allow any Google App Store installed. Nor any Google service frameworks because ALL google servers are blocked. So, the firmware is really half the functionality of the international version. You won't mistake it. The same phone for international market needs to have all the Google stuff included and certified by Google to Play Store. Yes, you can buy a Chinese market phone for cheap on eBay but be prepared to install all the missing stuff yourself. Some brands offer a package for easy installation. Others not so easy.
  • This stuff has been happening for years. Sucks but it happens. It is only noticeable now because media/5G/conspiracies/Consumer awareness/etc/etc/etc have the whole world looking for someone to slip. Was everyone and their brother wiresharking HTC back in 2010 or prior to then to sniff out stuff like this?
  • HTC is Taiwan not PR of C
  • Will never buy a Chinese phone
  • So that means no iPhone, Samsung Galaxy, LG, HTC, Nokia, Alcatel, Motorola, etc devices for you. They are ALL made in China.
  • You missed his point and sound like an idiot doing so.
  • Made in China not programmed in China
  • Oh, can answer this one. They outsourced their phone making to a company named HMD. It's like how Apple doesn't really make their phones either. Foxconn does. Anyhow, when you turn on an Android phone right now, it tries to automatically provision your sim card. They accidentally used the same Chinese provisioning server for both their global and Chinese roms. But yeah, I guess it's more fun to act like Donald Trump and pretend they are spies or something.
  • This is rather easy to explain although not nice to hear: HMD doesn't control the software. They get that "pure" Android crap from Google at their Shenzhen R&D centre, and then send it to Chinese company Evenwell to finish off. Then it returns to Shenzhen and it's deployed to HMD phones. The software is made in China, controlled by Chinese employees and put in phones assembled in China by a Chinese company. HMD might have their headquarters in Finland and be a European company on paper. But make no mistake: they're de facto a Chinese company. And when you have a self-centred Chief Product Officer whose clear main goal at his job is to suck-up to Google enough that they offer him a job, you have a recipe for disaster. Amidst all of this mess the only thing I'd like to see is a reaction from Nokia.
    After all it's their brand that's being misused and diminished by HMD. And if all the crappy phones weren't doing enough damage, a privacy scandal with the Finnish authorities investigating sure will.
  • The firmware doesn't work that way. Once the hardware, phone device, is ready, then they flash, install/upload, it with the market specific firmware.
    Each country specific firmware has a name that you may recognize and as an end user, you might be able to see and read its name on your settings. In Samsung Galaxy S8, for instance, it's Setting>About phone>Software Information.
    It's a Quality Department "mistake" because they're supposed to check and monitor each phone's firmware per its market.
    One more thing, no one trims or shaves a Chinese code/firmware so it'd "fit" a western market. This is hilarious. Manufacturers get an "empty" firmware device/phone then it'd be directed to go to the assigned production line to be flashed with the right firmware. If a "mistake" happened or decided to move phones from one market to a different market then the manufacturer could wipe out the IC or the BIOS so they can install or flash a different firmware. Each process, wiping out or flashing, could take seconds or just a few minutes in the worst case scenario.
    I'm a quality engineer who's working in assembling electronic boards and have an IT background.
  • Who cares anymore? We all sold everything about us years ago.
  • That^^ If the Chinese government wants to follow where I am at any point, they are going to be bored beyond belief.
  • HMD's quality control department is almost non-existent. This is concluded if you go to Nokia's forum and read the numerous issues about Nokia 7 plus's display unit. Unexpected freezing, grounding issue, full brightness at night, etc.
    The Nokia 7 plus's display is supplied from the Chinese manufacturer Goodix together with its firmware and it seems that the Chinese manufacturer doesn't give a **** in fixing any of these problems in its firmware or, and this is even worse, HMD never asked Goodix to fix any of these problems that its clients have massively reported in its forums. If the latter is correct then I agree with the one that said that HMD is actually a Chinese company because this kind of behavior is typical of Chinese firms and foreign to Western culture.