Two years ago, trust in the data security of Nokia smartphones was still strong.
On Monday, 5 March 2012, a meeting was organised at the Nokia headquarters in which Nokia advertised the data security of its smartphones to authorities deciding on government IT procurements.
Soon after the event, large amounts of Nokia’s Lumia phones were bought for the Finnish government: ministers, MPs and authorities. Prime Minister Jyrki Katainen (National Coalition) also uses Lumia.
At the same time, the data leak began. In the centre of it are Nokia’s Lumia phones and their Windows Phone operating system.
Contrary to what Nokia implied two years ago, Lumia phones do not ensure the user’s privacy – at least no better than the phones of other big manufacturers. Lumia’s operating system transmits the user’s private information to Microsoft in the United States. According to numerous data security companies, Microsoft, for its part, cooperates with the United States Security Agency (NSA).
HS test: Lumia contacted the United States
Helsingin Sanomat wanted to test what Nokia’s Lumia phone and its Microsoft Windows Phone operating system are in contact with without the knowledge of the user. The test was organised together with network technology experts.
The Lumia phone was placed on the table next to the computer. The phone was on.
Number sequences and character strings, which mean nothing to the average person, began to swarm on the computer screen. Data communication information comes directly from the network when the phone is connected to the base station. A base station is a device to which the phone is connected at all times by air.
Thus, even if the user does not even touch the phone, its operating system “talks” to the mobile network.
When the phone is used, the data communication, calls and text messages are initially directed to the base station by air, and from there around the world through optical fiber cables.
As a user types a Finnish web address, for example, into Lumia’s web browser, he or she probably believes that the phone contacts this address directly.
In the test by Helsingin Sanomat, it became clear that this does not always happen.
According to information received from the base station, the phone continuously “talks” with many servers located abroad, unbeknownst to the user. The user does not see any of this.
The majority of the data travels in an encrypted connection, which is a kind of a well-protected pipe. One cannot peek inside the pipe other than by breaking the encryption, which would be illegal.
Technically, it is possible that a user’s confidential information is transmitted inside the closed pipe. That is how many bits travel in an encrypted connection.
Without breaking the encryption, it is clear from the base station data which different IP addresses the operating system is connected to. An IP address is a number sequence, which identifies all computers connected to the Internet.
In the test, it became clear that if the Nokia phone is using settings suggested by the operating system, the phone circulates the browser’s data transfer through Microsoft’s proxy server located in the United States. Only after that can the phone get connected to a Finnish web address. In other words, Microsoft can, when it wants to, monitor what pages the Finnish user visited.
Data is transmitted abroad also by Nokia’s map and navigation services, which utilise assisted satellite navigation. At that time, in addition to the satellite navigation, the phone utilises location data received from the mobile phone network. According to Nokia, a phone can be connected to its owner with the help of this data.
Lumia phones can also save photos and text messages to Microsoft’s cloud service.
An exception is the encrypted connection between the phone and bank: it does not circle via the United States.
In regards to the average user, the situation is difficult.
If one wants to restrict the transfer of one’s data usage information abroad, one must disable from the phone all backups and many different useful features and services.
Consequently, phone use may slow down. This results from the fact that the phone is no longer connected to proxy servers, which speed up web browser actions.
Even this is not necessarily enough. In the Helsingin Sanomat test, it became clear that even though one would close from the phone settings the data transfer of all of the features installed into it during the production phase, the operating system still “talks” to foreign servers without the knowledge of the user.
The kind of data transferred by the phone regardless of changing the settings was not found out in the test.
Only a complete break up of data communication prevents the operating system from communicating abroad. Then, Lumia is not a smartphone anymore that is connected to the Internet.
According to the test, it is thus technically possible that the Lumia phones used by the government transmit confidential data abroad.
Nokia admits that information can be transmitted abroad
1. Is the data security regarding the government’s Lumia phones in good shape?
2. To what extent do the Lumia phones transmit confidential information abroad if the user has accepted that the phone uses location data, backups and proxy servers?
The majority of the applications and Internet services are offered from outside of Finland.
Data transfers related to phone use are described in the Windows Phone and Nokia privacy policies and the privacy policies of the applications used in the phone.”
Also at that time, Nokia makes sure that the personal information protection level is adequate, for example, by agreeing on matters related to the confidentiality and processing of personal information in a manner required by legislation.
4. How specifically does Nokia know what information is transmitted by the phone through the encrypted connection to Microsoft?
Nokia and Windows Phone privacy policies describe data transfers related to phone use.
Using encryption to protect data communication between the device and server is recommended by the authorities.”
5. Why has Nokia supplied the Finnish Police with phone location data?
The localisation technology used by the phone is executed in such a way that location data identifying an individual user is not saved in our devices and servers. The application or feature used in the phone can save the location data in the device or the servers.”
According to information received from two inside sources of Helsingin Sanomat independent of each other, Nokia’s top management has known since spring 2011 that Lumia’s operating system transmits a great deal of information about the phone’s user to Microsoft. The company, however, has kept quiet about it, because the matter is embarrassing.
In connection with the case, also another completely separate problem related to Nokia has become clear to Helsingin Sanomat. In Finland, Police has asked many times for mobile phone location data directly from the Nokia headquarters in Keilaniemi, even in those kinds of cases in which no crime has occurred yet. According to law, the Police would need a district court decision to acquire information.
Finnish authorities began to suspect the security of Nokia’s smartphones last summer.
In June 2013, Edward Snowden, former employee of the United States National Security Agency (NSA), told that the NSA receives confidential data usage information from devices and services from, for example, Google, Facebook, Apple and Microsoft.
The authorities were startled. If Microsoft operates in cooperation with the NSA, is it able to access the data usage information of Nokia smartphones? What if the Lumia phones transmit information about, for example, the Finnish Prime Minister’s communication to the Microsoft servers in the United States?
“When we found out about the allegations, we were in contact with the Finnish Security Intelligence Service and the Finnish Communications Regulatory Authority,” says Juhapekka Ristola, Director-General of the Communications Policy Department at Finland’s Ministry of Transport and Communications.
The Finnish Security Intelligence Service does not say whether it took action or not. The Finnish Communications Regulatory Authority did; its job is to oversee message protection and the security of devices used by the government.
On 14 June 2013, the Finnish Communications Regulatory Authority sent a request for clarification to Nokia, Nokia Solutions and Networks and three other companies. The authority asked for an assurance from the companies that their device users’ “confidential communication, location information or other private information will not be revealed to outsiders without the user’s consent”. The authority was concenrned, especially because so many in the government use Lumia phones.
Helsingin Sanomat acquired a copy of the request for clarification by the Finnish Communications Regulatory Authority. In the request, the Finnish Communications Regulatory Authority states that giving out false information can be a matter of giving false testimony to authorities. Additionally, since state secrets can be revealed through the companies’ devices and software, it could also be a matter of leaving a serious crime unreported, unless the authorities are told of the lack of privacy protection.
Nokia was in trouble. The company had to tell the Finnish Communications Regulatory Authority the truth, but it had to be very careful not to cause harm to its most important collaborator: Microsoft. During summer 2013, sales negotiations of Nokia’s mobile phone business were in the final stretch.
In early 2001, Nokia had switched to Microsoft’s Windows Phone software for its smartphones operating system. Two inside sources independent of each other tell Helsingin Sanomat that Nokia’s top management knew from the beginning that the operating system transmitted a great deal of data usage information to Microsoft.
In 2011, however, this was seen as a necessary evil. The same thing is done by Google’s and Apple’s operating systems.
“What was banned in Europe was allowed in the United States. If the company has significant business activities in the United States, it must cooperate with the security agency. The alternative is withdrawing from the US market, which would prove to be very expensive,” says an inside source well aware of the matter.
In the United States, companies must operate according to the laws of the country, and anti-terrorism laws give the NSA an opportunity to access the data usage information of phones.
At the same time, the US smartphone market is the most important in the world. There, consumers pay more for their phones than in other market areas. To do well with smartphones, manufacturers must do well in the United States.
In the United States, data usage information from Google, Apple and Microsoft software is saved in large data warehouses, which the NSA can legally access. The phone’s operating system knows where the user is located, what kinds of webpages he or she visits, which photographs have been taken, who the user talks and sends messages to.
The matter is of concern also to German Chancellor Angela Merkel.
She suggested a week ago that Europe should develop its own web services, so that the NSA would not be able to access the private information of Europeans.
Of course, the United States is not the only one prying for information. Finnish ministers traveling to the Sochi Olympics were advised to leave their phones and tablets home because of data security.
Nokia was unable to provide the assurance the Finnish Communications Regulatory Authority was hoping for regarding the privacy protection of its phones.
In July 2013, the Finnish Communications Regulatory Authority watered down its original request and made a new, more direct request to Nokia. Nokia still could not respond. For this reason, at the end of August, a discussion was organised at the Finnish Communications Regulatory Authority in which it was considered, together with the Nokia people, what kind of an assurance the company could give.
The Finnish Communications Regulatory Authority was ready to give concessions to Nokia, so it could show it had fulfilled its responsibilities. The authority assures that it continues to clarify the data security of Nokia devices and those made by other manufacturers.
In the third request by the Finnish Communications Regulatory Authority, the assurance was limited to concern devices and software sold to Finns. Procedures by subcontractors and collaborators were restricted outside of the request. In other words, Nokia did not have to give an assurance on behalf of Microsoft. Nokia thus washed its hands problems of Microsoft’s operating system’s problems.
Finally, Nokia gave the requested assurance to the Finnish Communications Regulatory Authority in October. It was written very carefully.
“Nokia is not aware that those kinds of functionalities or components, which enable the revealing of the user’s private information to outsiders without the knowledge of the user, would have intentionally been installed into its products sold in Finland.” The response has been signed by Ilkka Rahnasto, Nokia’s Vice President of Legal and Intellectual Property.
With all of this in mind, what does the average user of the phone know?
If the user accepts the settings suggested by the phone, the operating system transmits the user’s confidential information to Nokia and Microsoft serves located in the United States and in other countries. Data transmitted to the United States include, for example, phone location, text messages, contact information and web browser usage information. The “Locate your phone” feature even saves location information regularly.
When Helsingin Sanomat asked Nokia about what kind of data is transmitted forward by the phone, the response was complicated. According to Nokia, the phone can transmit information about where its user is located.
Nokia emphasises that the user can, if he or she so desires, prevent the phone from communicating with foreign servers. This, however, requires that the user knows how this is done through the phone settings. Even this is not necessarily enough. Even though one would disable the data transfer of the phone’s features, the operating system is still in contact with foreign countries.
It is a matter of principle: who has the right to access private information. The practice is a different matter: it is impossible to say if the NSA is interested in monitoring, for example, the Finnish Prime Minister’s communication.
According to Finland’s constitution, the privacy of a letter, phone call and other confidential message is inviolable. In the United States, the NSA acts according to local laws. If the NSA would pry into the communication of any Finn in the United States based on anti-terrorism laws, it would not be a crime. If the NSA would do the same thing in Finland, it would be a crime.
Also another privacy protection problem related to Nokia but unrelated to the Lumia operating system arose in connection with Helsingin Sanomat’s report.
According to information received from a reliable source of Helsingin Sanomat, the Police have asked Nokia for phone location information for years – much before the Lumia phones. Nokia has often agreed to the requests, because it wants to maintain good relations with the Police.
The Police make these requests to Nokia to acquire information on people for a possible preliminary investigation. Thus, it is not always a matter of people who are even suspected of a crime.
“Preventing crimes is adequate justification, in other words nothing concrete has had to happen. A mere suspicion by the Police that something might happen in the future is enough,” says a source well informed of the matter. The source does not have their own interest at stake in telling the information.
The National Bureau of Investigation and the Finnish Security Intelligence Service ask for data also to respond to requests for assistance from foreign authorities. Cooperation is part of the official duties of the Police. Intelligence, for its part, is based on a tradeoff: to acquire information from abroad, the Police must offer something in exchange, for example, information on phone users.
When requesting information from Nokia, the Police have appealed to a section of the Police Act, according to which they have the right to receive information from companies and communities. The right, however, does not concern confidential communication data, such as phone location data. To acquire this, the Police must have the decision of the district court.
According to Tero Kurenmaa, deputy chief of the National Bureau of Investigation, he is not aware that under-the-table requests were made to Nokia for phone location data.
“We acquire mobile phone location data from teleoperators with a telecommunications surveillance permit granted by the court,” Kurenmaa says.
According to the Helsingin Sanomat source, no documents exist of the location information requested without a court decision.
How serious is this matter all in all?
The fact that user data flows from Nokia’s phones to Microsoft in the United States certainly, in theory, threatens the privacy of the Finnish government and all Finnish users of Lumia phones. Indeed, it is good for Finns to realise that Nokia phones are no more secure than Apple phones or Google’s Android phones.
So far, there is only little evidence of how the data is used, if it is used. Photos taken by a mobile phone are, however, monitored: for example, in the case of one user, Microsoft closed the user’s entire account without warning because the person had in the summer taken photos of his or her children playing naked on the shore of the cottage. Microsoft, apparently, had classified the user as a pedophile.
Another matter is to what extent has the Nokia management covered up the problems of its phones. At least Nokia has not actively informed users that the phones may leak information to the United States.
Still, Nokia has not given false information to the Finnish Communications Regulatory Authority because the authority was satisfied with the kind of assurance that Nokia was prepared to give.
According to Reijo Aarnio, Data Protection Ombudsman, and Sakari Melander, Docent in Criminal Law at the University of Helsinki, the most serious thing is that the Police have asked for phone data directly from Nokia without legal permission.
“If the Police has asked Nokia for phone location information or other confidential communication data, the Police may have even exceeded their powers,” says Aarnio.
“If the Police have acquired location information without the permission of the district court, it may be a matter of illegal interference with basic rights. It would be a very serious matter, because legal protection in telecommunications surveillance is essentially based on the fact that its use requires he permission of the court,” says Melander.
Petri Sajari – HS
Meri Rantama – HT
@ HELSINGIN SANOMAT
Images: Klaus Welp/HS