The Finnish government is on the verge of starting an official investigation into HMD Global's Android smartphones over allegations they breached the European Union's General Data Protection Regulation by sending certain identifiable information to China, Ombudsman Reijo Aarnio said earlier today.
The 63-year-old official intends to conduct an in-depth probe into the matter, and the public announcement that the investigation has started is not a mere possibility but an expected formality at this point. The development relates to a Thursday report from NRK, a Norwegian government-owned public broadcaster that identified an issue with the Nokia 7 Plus, claiming the Android handset in question has been sending a wide variety of data types to Chinese servers.
What's more, the information relayed by the device was unencrypted, so it wasn't just going to the jurisdiction of a historic opponent of the West and its allies but was also largely unprotected along the way: anyone who intercepted it one way or another was able to access the entirety of its contents without too much extra effort.
NRK was originally alerted to those suspicious activities by one of its viewers, who noticed them under unspecified circumstances. The broadcaster assembled a team that looked into the matter further, confirmed the source's findings, and confronted HMD over the matter. The Finnish company that licenses the Nokia Mobile brand from the Espoo-based corporation said no personally identifiable information from the user in question was shared with any outside entity. What's still unclear is who owns the Chinese server in question, seeing how HMD declined to answer that question when asked directly.
It did, however, imply that the observed behavior was irregular and no user data whatsoever, identifiable or otherwise, should have ever been sent to China. The comment gives weight to the original report's claims that the discovered packet transmissions were not prompted by any third-party app but by HMD's implementation of Android, which itself is essentially just stock Android 9 Pie. The software packaging process used for distributing the most recent Android security patch to the device was affected by an error that was blamed for the entire ordeal. HMD claims the misstep only affects an individual batch of devices, hence probably keeping the number of potentially compromised users in the low triple digits, though, again, the Finnish company insists no one was compromised as no sensitive information leaked in any shape or form.
HMD says it already identified and addressed the issue with a subsequent over-the-air patch in February but failed to clarify why the problem wasn't publicly disclosed, in accordance with the industry's best-recommended cybersecurity practices. Over the last month, almost every device affected by the issue installed HMD's fix, according to the company.
The entire affair bears some resemblance to a high-profile incident American phone maker BLU got itself involved in some two years back, except that there are no indications that HMD ever engaged in any malicious activity. The company's link to China is twofold: it manufactures and assembles most of its Android devices in the Far Eastern country, which is also where its major manufacturing partner and investor FIH Mobile originates, being a subsidiary of tech giant Foxconn.
The Nokia 7 Plus remains one of HMD's most popular Android smartphones, even more than a year after its release. The value-oriented mid-ranger has been running Android 9 Pie since early fall and is one of the best-supported handsets on the market in terms of monthly security patches, which arrive every four to five weeks almost without fail, hence keeping the device as safe and secure as the very latest models appearing on the store shelves.