How does a phone maker 'mistakenly' collect user data and ship it off to a server in China?

Nokia 7 Plus

Recently, the Nokia 7 Plus — the best phone from the new HMD-owned Nokia by far — was found to be sending private data from a Norwegian user's phone to a remote server in China. It seems that every time the phone was turned on, unencrypted data containing Henrik Austad's location, the SIM card number, and the phone's serial number went flying through the tubes to a Chinese server. HMD Global says this was an "error in the packing process of software" and that it has been fixed.

This may be the most recent case of such a "mistake," but it's not the only one. Most notably, OnePlus was found to be doing the same thing in a beta build, and also fixed things pronto. We're glad the companies involved provide quick fixes, but how in the hell does this sort of "mistake" happen?

China has laws, too

For starters, collecting and sending the data isn't a mistake. The software was written this way on purpose and the data being collected and sent to China is supposed to be collected and sent to China. Just saying "it's a mistake" makes it sound like a software engineer somewhere screwed up while writing the code.

If you want to sell phones in China, you have to build tracking software into them.

Where the screw-up really happened is when the software was built for markets outside of China. The Chinese government requires users of mobile devices to provide this information every time they are being used. When you light up your screen, the Chinese version of Big Brother wants to know where you are and it does so by tracking the hardware by location. The debate about how horrible and overbearing this sort of law is aside, the people who wrote the OS for phones like the Nokia 7 Plus were required to do this and it sounds like they have done a good job.

If a company were to try and sell a phone that doesn't comply with these laws, it would face the wrath of the Chinese government. So would the software engineers who didn't include the "feature". It's no wonder it's done for phones made and sold in China.

Norway is not China

Henrik Austad doesn't live in China. He wasn't visiting China when he noticed this, and most likely the phone in question hasn't been back to China since it was assembled. There is no reason for this data to be collected at all, let alone sent off to the Chinese government. So why did it happen?

Maybe the Q.C. department at HMD did this one on a Friday.

When the Chinese-made Nokia 7 Plus was built for other markets, it required a bit of software modification. Support for Chinese-specific network tech like TDMA can be removed, Mandarin is no longer the default language, and certain apps are removed or changed for a more Western point of view. Part of this process is to remove some of the code the Chinese government requires in order to fulfill its communication and transportation laws, like reporting who and where you are every time you unlock your phone.

I'm not going to pretend I know how difficult it is to find this in the code or how difficult it is to remove it. It very well could be weeks' worth of work; it also could be as easy as Control+F and the delete key. I have no idea because I've never seen the source code for a Chinese phone and probably don't ever want to see it. But I do know one thing: shipping a phone to be sold in Norway with this code still enabled is inexcusable.

"Mistakes" do happen. Sometimes more often than they should.

I'm not going to say HMD Global is at fault for anything other than overlooking something that should have never been overlooked. I'm also not going to have any ill will towards the (probably overworked and underpaid) developer(s) who missed it and said everything was good to go or the quality control department that didn't check things well enough before it was shipped. Sh&t Happens, and as long as it doesn't happen again, we should chalk it up as a stupid "mistake".

"Stuff" happens. Hopefully, it only happens once.

But if things like backdoors and secret data transmissions happen more than once — I'm looking at you, BLU — these companies need to be branded with a scarlet letter and shunned. I'd still buy a Nokia-branded or OnePlus phone, because things were handled correctly and quickly once the problems were found. I just think it's important that we all understand what happened and don't think it somehow resembles things like Huawei and ZTE's troubles with the U.S. government.

Carry on, HMD, but try and do better next time, OK?

Jerry Hildenbrand
Senior Editor — Google Ecosystem