
Lumia Phones Leaking Private Data To Microsoft

Posted by samzenpus
from the like-a-sieve dept.
New submitter Albietta writes "Two independent sources inside Nokia have confirmed that Nokia Lumia phones send private information to Nokia and Microsoft servers around the world. Location data, SMS-messages and browser identification is uploaded. The Nokia leadership has known about the privacy violation since 2011 when the Lumia phones were introduced. In spring 2013, after suspicions of leaks and during the negotiations for selling off the mobile phone branch to Microsoft, the Finnish state communications department sent an inquiry to Nokia regarding leaking of private data, asking Nokia to assure that users' private data is not leaked. Nokia did not want to (or could not) provide an assurance due to the delicate business negotiations. After two more inquiries with narrower demands, Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws. Microsoft is apparently also following Lumia user accounts. On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage."
  • Considering how this information is sent, it may be trivial for the NSA to capture such information by definition.

    Way to go, Microsoft.

    • Re: (Score:2, Insightful)

      Why bother with tedious 'capture' when Microsoft has it all nicely aggregated on their servers for you?

      This is why Glorious Free Enterprise will always beat the commies at dystopian surveillance: Commies engaged in surveillance for political repression, and had to fund it from the proceeds of their other-than-efficient economies. Here in the Free World, the surveillance pays for itself, thanks to demand from advertisers and analytics weasels, and the clandestine services can get a copy for almost no addi
      • The difference is that in capitalism, the spying is done because they want to know what kind of clothes and other goodies they should make to get you to want to give them money.

        In communism, the spying is done because they want to know whether or not they need to make you mysteriously disappear without a trace one day on the off chance that you might be or might become a political opponent that they would *gasp* have to compete with.

        • Eh. Communism has a reliable track record of authoritarianism; but absolutely nothing precludes the combination of capitalism and authoritarianism (indeed, our Cold War buddy list provides more than a few examples). There is some structural tension, because the existence of highly concentrated state power makes regulatory capture a dangerously attractive strategy; but this doesn't seem to be insoluble in practice.
          • Communism invariably ends up authoritarian if it isn't already, either that or it just falls apart. Every. Single. Time. Marx was predicting that communes would start authoritarian and move on to democracy, but that has NEVER been the case. Even in communes that are run by elected members and don't have an official government end up resorting to a command structure (see the Icarians in Nauvoo, IL, whose system gradually required more and more strict controls until finally a command system had to be in place

    • They killed my Poppy!

      Microsoft doesn't like nudists. Move along, move along.

  • by Anonymous Coward on Monday February 24, 2014 @08:50AM (#46322595)

    That looks like it is deliberate.

    Had it only gone to Nokia's servers then it could have been an accident - not removing certain debugging code, for instance, used for tracing.

    But sending to Microsoft servers as well as Nokia servers... that is more like a deliberate action.

    • by SQLGuru (980662)

      I wonder whether it's FUD around the option (probably defaulted to opt-in) to participate in Microsoft's "feedback" program. Google and iOS have the same type of feature. It's basically how traffic data is captured for the various maps. There are other "user experience" data points that are captured, too.

      • by WaffleMonster (969671) on Monday February 24, 2014 @11:39AM (#46324089)

        I wonder whether it's FUD around the option (probably defaulted to opt-in) to participate in Microsoft's "feedback" program.

        I don't think there is anything that is overblown.

        If you associate your Windows phone with an account (Required to load software from the only source permissible the windows app store) the phone also periodically and on demand of Microsoft uploads your location to a Microsoft server and there is **NOTHING** you can do about it and no way you can turn it off short of wiping the device and never associating an account which means not using the app store paying a hefty premium to use what is then essentially a "feature phone"

        Microsoft's WP does not respect your privacy by default and there is no lever you can pull that changes this.

        • I wonder whether it's FUD around the option (probably defaulted to opt-in) to participate in Microsoft's "feedback" program.

          I don't think there is anything that is overblown.

          If you associate your Windows phone with an account (Required to load software from the only source permissible the windows app store) the phone also periodically and on demand of Microsoft uploads your location to a Microsoft server and there is **NOTHING** you can do about it and no way you can turn it off short of wiping the device and never associating an account which means not using the app store paying a hefty premium to use what is then essentially a "feature phone"

          Microsoft's WP does not respect your privacy by default and there is no lever you can pull that changes this.

          And how is that different from iOS or Android? Don't they do exactly the same if not worse? Also, you can turn off location services in Windows Phone.
          At least they don't seem to be spying on which physical stores you visit unlike Google is. http://digiday.com/platforms/g... [digiday.com]

          • And how is that different from iOS or Android?

            Sorry I don't know anything about iOS. Google is optional on Android, you can load applications on your device without google play and even use a number of alternate stores.

            Turning off "location services" does not resolve the problem.

            At least they don't seem to be spying on which physical stores you visit

            At least .... at least Microsoft is not run by Hitler.. so there is that...

            • by cbhacking (979169)

              Turning off "location services" does not resolve the problem.

              Source, please? I very much doubt this is true. There are a number of options which will cause your location to be sent to MS (for example, the Find My Phone feature, or the "Send information about WiFi networks near me to Microsoft to improve location services" feature) but each one of them explicitly calls out that they will send your location. Turning off Location Services is supposed to completely disable the GPS and WiFi-hotspot-based locatio

              • Source, please? I very much doubt this is true. There are a number of options which will cause your location to be sent to MS (for example, the Find My Phone feature, or the "Send information

                I know because I've seen it in action myself. If it is not using the GPS it is uploading tower data to get a rough position for the find my phone option.

                about WiFi networks near me to Microsoft to improve location services" feature) but each one of them explicitly calls out that they will send your location. Turning off Location Services is supposed to completely disable the GPS and WiFi-hotspot-based location features as well (hypothetically the latter could be re-implemented in other code, but I've seen no sign of this).

                How do you use your device's GPS for a local mapping application without also participating in Microsoft's crowdsourcing? It seems to be all or nothing which is unacceptable.

                Oh, and for the record, sideloading is possible on WP as well as on Android. It's definitely more restrictive (you need a PC) but it's possible.

                You need to developer unlock your device to sideload... this requires a Microsoft account and a developer account.. which means find my phone is then not optional.

                • If it is not using the GPS it is uploading tower data to get a rough position for the find my phone option.

                  So you want Microsoft to be able to find your phone without being able to know where your phone is.

                  How do you use your device's GPS for a local mapping application without also participating in Microsoft's crowdsourcing? It seems to be all or nothing which is unacceptable.

                  Perhaps it is, but AFAIK both iOS and Android do the same thing. Google even killed Skyhook and is facing a lawsuit in order to get hold of location data.
                  http://www.theverge.com/2011/0... [theverge.com]
                  Why is such a stink raised over Microsoft doing it?

                  You need to developer unlock your device to sideload... this requires a Microsoft account and a developer account.. which means find my phone is then not optional.

                  That doesn't make any sense. You can turn off find my phone even if you have a MS and dev account and dev unlock your device.

                  • So you want Microsoft to be able to find your phone without being able to know where your phone is.

                    The issue is users are denied the option of preventing their phone's location from being periodically uploaded to Microsoft. I don't want Microsoft, anyone at Microsoft, or anyone who may compel Microsoft to produce the information to track me.

                    Perhaps it is, but AFAIK both iOS and Android do the same thing. Google even killed Skyhook and is facing a lawsuit in order to get hold of location data. Why is such a stink raised over Microsoft doing it?

                    Hello officer, why such a stink over robbing the blind man's collection of wind chimes? My neighbors did it too!

                    That doesn't make any sense. You can turn off find my phone even if you have a MS and dev account and dev unlock your device.

                    There is no way to turn off the find my phone option on the device. This is part of the problem the way the UI is constructed people think they can turn it off wh

                    • The issue you're talking about might be a bug...
                      http://forums.wpcentral.com/no... [wpcentral.com]

                      But...

                      Hello officer, why such a stink over robbing the blind man's collection of wind chimes? My neighbors did it too!

                      That analogy would make more sense if one of your neighbors stole wind chimes from 60 people in plain sight with hundreds of witnesses that would testify, and another one did the same from 37, but you stole from 3 people, and the police come after only you with a SWAT team while the others watch the raid while lounging on their front lawn. Your OP in this thread sounds exactly like that given the marketshare numbers.

                    • That analogy would make more sense if

                      There is no defense for asserting "but they did it too" .. two wrongs don't make a right. Stop digging.

                    • So if the thief that was arrested was of a different skin color(analogous to how Slashdot treats MS compared to Google/Apple) would you still say the same thing? If someone is criticizing how 3% of the market does things, it sure helps to understand what the other 97% is doing differently to put things in perspective.

                    • So if the thief that was arrested was of a different skin color(analogous to how Slashdot treats MS compared to Google/Apple) would you still say the same thing? If someone is criticizing how 3% of the market does things, it sure helps to understand what the other 97% is doing differently to put things in perspective.

                      I'm not a fanboy for any vendor. I only care about what is best for users. I was referring to Microsoft specifically ( AKA topic of conversation). It is unnecessary for me to conduct a survey of what all everyone else is doing when commenting on the actions of a specific vendor. What others may or may not be doing is irrelevant to the fact that Microsoft is in the wrong for doing it. The color and or shape of their corporate logo is as irrelevant as "but they did it too".

    • by mjwx (966435)

      That looks like it is deliberate.

      Had it only gone to Nokia's servers then it could have been an accident - not removing certain debugging code, for instance, used for tracing.

      But sending to Microsoft servers as well as Nokia servers... that is more like a deliberate action.

      And hidden somewhere in the T&C you agreed to when you turned the phone on is a line that says something like:
      "by accepting this agreement you agree to join the Microsoft Customer Service Experience(TM) feedback program and agree to transmit data to Microsoft which may be shared with select Microsoft Partners".

      And if you think Apple's not doing the exact same thing, I have a bridge to sell you.

      Google cops a lot of crap for admitting that it's collecting some data, but unlike Apple and Microsoft,

  • Wow... (Score:5, Insightful)

    by Farmer Pete (1350093) on Monday February 24, 2014 @08:53AM (#46322607)

    Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws.

    How much non-3rd party software does a Nokia phone ship with? I mean, if you aren't including the OS on the phone as Nokia's responsibility, then what exactly are they responsible for?

    • by vyvepe (809573)
      Hardware and firmware? They probably wanted to tell: "Our phones do not snoop at the hardware and firmware level. Anything at the higher levels is not our business."
    • by cbhacking (979169)

      Drivers and services that they added to the OS.
      Nokia-authored apps that come pre-installed (such as their custom camera "lens" that gives more control over the camera behavior than the stock camera app).
      Nokia-authored apps downloaded from the store (including updates to pre-installed apps).

      In total, actually, not much - WP8, unlike Android, discourages OEMs from tinkering too much - but it would only take very little. A single thread in a driver or service could do this all day long, easily...

      • Without any assurances from Microsoft, it seems like one couldn't even guarantee the security of the Nokia apps and drivers running on Windows Mobile.
    • Re:Wow... (Score:5, Informative)

      by hydrofix (1253498) on Monday February 24, 2014 @09:54AM (#46323129)

      I mean, if you aren't including the OS on the phone as Nokia's responsibility, then what exactly are they responsible for?

      This is indeed an absolutely ridiculous and priceless statement.

      To understand why they gave such a statement, we must know some background. The whole debacle started in 2012 when the Finnish government's IT department had a meeting with Nokia, where Nokia's management assured them that Nokia's Lumia phones had superior security and user privacy to both iPhone and Androids. Consequently, the government bought several Lumia phones for top officials who engage in sensitive communication, like the Prime Minister. Thanks to Snowden leaks, the government in 2013 then received contrary information: that Lumia phones were just as hackable as other smartphones through the inclusion of the Microsoft operating system.

      Consequently, the Finnish Communications Regulatory Authority (FICORA) made an officially actionable inquiry to Nokia regarding whether the devices they sold indeed revealed the user's confidential communications, location information and other private information without the user's authorization. The authority warned that if the corporation had knowledge that the phone was leaking such data, and did not answer truthfully, it could be held liable under the criminal law for false statement in official proceedings and failing to report a serious offence.

      The company then replied, that they were unable to officially give such an assurance (i.e. they probably knew that the device was leaking private data). Then, FICORA made another official inquiry, asking for even a smaller set of privacy assurances. Nokia was again unable to give an official assurance of privacy of its devices, so in August 2013 officials from FICORA and Nokia had an informal meeting where they tried to find common ground: what kind of privacy assurances Nokia could actually give about its devices. Turns out, Nokia could only go as far as to assure that it had not installed any additional spying modules – and only to those devices that it was selling in Finland, anyway.

      So they delimited the official assurance that Nokia should give to only concern the hardware and software it had itself made and was selling in Finland, excluding actions of their subcontractors and business partners (like Microsoft). Well, Nokia was able to give such an assurance, even if it is obviously of no value to consumers. But the company had something to show for FICORA: at least Nokia itself takes Finnish and EU privacy regulations seriously, even if it is in partnerships with other corporations for which it can not make equal assurances.

  • mm .. a "smart" phone without the operating system is basically ... nothing.
    • by Anonymous Coward

      It'd be a bootloader which could install an OS of choice from the sd card.

      I'd actually buy one of those.

    • by cbhacking (979169)

      They mean excluding code written by companies that aren't Nokia (for example, most of the OS and some of the built-in apps on each Lumia are Microsoft code, they also come with Angry Birds pre-installed, and that's Rovio code... you get the idea). Nokia's contributions will mostly be some drivers, some services that run in the background (apps aren't generally allowed to do so), some "settings" apps to control those drivers and services, some "normal" apps to add features that aren't built into the OS (for

      • by yacc143 (975862)

        Well, they produce the mobiles, so I guess that they should have included some items in the contract for the software they've licensed that MS will comply with local laws.

  • by Anonymous Coward

    Any comments from the closed source crowd? Any comment from the MicroShaft execs? Exactly, now you know why I stopped using Windows 10 years ago.

  • CP hysteria (Score:5, Informative)

    by tepples (727027) <<tepples> <at> <gmail.com>> on Monday February 24, 2014 @08:57AM (#46322633) Homepage Journal

    On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage.

    This says more about the hysteria in certain industrialized markets where all nudity is considered sexual for the purposes of zero tolerance regulations against production of alleged child porn. See also prosecutions of parents who photograph their children in the bathtub [jonathanturley.org].

    • by cbhacking (979169)

      Yyyep. Don't store your pictures in the cloud, folks. There's automated scanning (not just of Sky/OneDrive, but of others as well) that looks for anything it thinks is nudity, and flags it for human review. If said human decides it's nudity, or even if it could be considered erotic / is too risqué, they can and often will shut down your account. This has happened before. I admit I've never heard of it happening to related accounts owned by other companies (i.e. Microsoft killing somebody's Nokia accoun

    • by OzPeter (195038)

      This says more about the hysteria in certain industrialized markets where all nudity is considered sexual

      Last week there was a "beat up" story on the local news as to how there is this church and worshippers who have services in the nude. The teasers didn't bother to mention that this church was in the middle of a nudist club.

  • "Leaking" (Score:5, Insightful)

    by FuzzNugget (2840687) on Monday February 24, 2014 @08:59AM (#46322649)
    A sieve doesn't leak, it does what it's designed to do
  • Seems a little light on actual proof there, even the source doesn't have a source for the magical "Lumia account closed as the user is a paedo" comment

  • I call it a bull (Score:4, Informative)

    by Anonymous Coward on Monday February 24, 2014 @09:02AM (#46322675)

    I recall that it was stated in clear language that SMSes will be uploaded if I choose some option during initial setup for my Lumia.

    And if they mean skydrive onedrive account as "Lumia user account", then I wouldn't be surprised that Microsoft screens uploaded (public?) pictures. Similar like Google screens youtube videos.

  • It has become quite obvious following the news that corporations are spitting on laws and won't stop committing crimes that increase their profits, until some actual individuals in charge are jailed for significant time.

    Puny fines, often not even exceeding the extra profits made from the crime, won't stop anything. They are just like a gamble CEOs are ready to take - if they are not caught, their personal bonus increases with the extra profit. If they are caught, the company or some insurance will cover t

  • "...a parent's Lumia account was closed without warning when they uploaded pictures from their phone displaying their kids playing naked..."

    I think you know it's for the children.

    • by M1FCJ (586251)

      And I'm sure no one is hoarding the naked selfies... At least, I can be sure, mine...

  • In other news (Score:4, Interesting)

    by jones_supa (887896) on Monday February 24, 2014 @09:39AM (#46322973)

    There's also a side story in this scoop which involves Nokia allegedly handing over user data to Finnish police without a warrant.

    YLE Uutiset - Police chief to look into Nokia phone spying claims [yle.fi]

  • Hang on a minute (Score:5, Informative)

    by RMH101 (636144) on Monday February 24, 2014 @10:07AM (#46323259)
    This looks like a mountain being made out of a molehill. From TFA: "Lumia phones do not ensure the user’s privacy – at least no better than the phones of other big manufacturers"
    When you use a WP8 device, you are signed in using a Microsoft Account. Features like SMS backup, location services such as "Find My Phone" etc need to send data back to MS in order to work. In fact when you first sign into a phone this is made explicitly clear, as it is during the install of any apps on the phone that require, say, location based services. So whilst the implication of this article appears to be that there's something shady and underhand going on, until someone shows me a wireshark trace that shows it, I'm calling BS.
    • I'm calling BS.

      More secure than texting BS...

    • by MrNemesis (587188)

      As an aside, and speaking as a luddite who still uses a Nokia E6 because it's got an amazing QWERTY keyboard, does windows phone mandate signing up for account, or is it optional?

      It seems that both the iphone and android are both nearly useless without signing up for an account (although you can have an android ROM without the gapps loaded, it will apparently severely restrict what you can run on your phone) and I'm of the opinion that any device that requires an account in order to function essentially has

      • by RMH101 (636144)
        It's mandatory to have a Microsoft account with Windows Phone, much like it's mandatory to have a Gmail account for Android and an Apple ID for iOS. You don't have to use the services though, and WP8 is pretty good at explicitly telling you what data it would like and giving you the option of opting out.
        • by Anonymous Coward

          Strictly speaking, you DON'T have to have a Gmail account for any Android phone, only the ones with stock ROMs. An AOSP ROM (like Cyanogenmod) can be used without a Google account; one can get apps from the Amazon App Store or Aptoide, or even F-Droid if you want to stay as close to open source as possible.

          But yes, Windows Phone devices are pretty much useless without a Microsoft account, as that is the only straightforward way to get apps onto the phone. You can always sign up as a WP developer and sideloa

          • by swillden (191260)

            Strictly speaking, you DON'T have to have a Gmail account for any Android phone, only the ones with stock ROMs.

            This is, perhaps, a bit pedantic, but you don't need a Gmail account even then. You need a Google account, but you can set up a Google account using any e-mail address. In general this is a distinction without a difference, since the only difference is Google is handling the e-mail, and you can always create a Gmail account that you don't use for e-mail.

        • by cbhacking (979169)

          Strictly speaking, the Microsoft account is optional (you can choose "not at this time" when it asks you to sign in, and just never get around to actually doing so). You won't be able to access many of the phone's features until you sign in, but the basics (calls/messaging/voicemail/web browsing/taking pictures/accessing WiFi/running built-in apps like calculator/etc.) will work fine. You may even be able to add email accounts that will sync to the phone (I never tried) before setting it up.

          The big problem

  • Snowden reveals that NSA reveals user opinions on corporations to said corporation
    in great piece of Irony that taxpayers are paying to be spied on for corporations that
    want to use the NSA as their private orwellian invasion of privacy.

    Great irony there, getting the sheeple to pay to be spied on, bravo !!!

    Orwell, Quigley, and Huxley were prophets...

  • If the 'leak' is true, I doubt it's intentional and they will correct. I have this phone and I've opted to have them back up my stuff, including SMSs, etc.
  • by WaffleMonster (969671) on Monday February 24, 2014 @12:07PM (#46324387)

    1. Find my phone option can't be opted out of there is no way to not have the device send location to Microsoft and still be able to use the device in even a remotely meaningful way.

    2. It is not possible to not be complicit in Microsoft's skyhook WiFi location mapping system.

    3. When your device connects to a WiFi network it sends unique device identifiers in the clear over the network there is no way to stop it.

    4. Wireless security 100% completely utterly insecure by design due to total failure of device to validate certificate chain.

    5. Impossible for mortals to perform basic functions available as standard features on decades old "feature phones" such as contact synchronization without having to upload all of your contact information to Microsoft. My contacts are none of Microsoft's goddamn business.

    Windows phone 8 is designed to violate your privacy at every turn while locking you into their curated app store.

    • by Anomalyst (742352)

      Windows phone 8 is designed to violate your privacy at every turn while locking you into their curated app store.

      How well is their cancer cure rated?
      Can I still work on the C-123 I bought at a Military surplus auction and stay healthy?

  • They are tracking and data rape devices, with a phone built in... kind of like a clock in the stomach of a statue of Buddha.

  • TFA reads like a gossip column. I see no evidence to back up any of the claims, in fact the claims themselves seem to be pretty woolly. There's no mention of what's being uploaded and why, could it be a backup option? Local search results, etc? As a Lumia user I would love to read an article by a techie with some experimental results. In fact if this is true I'm surprised that no one's done these tests already, it surely would have got out there by now.

  • Did you know that when you buy an app in the Google Play Store, Google sends the neighborhood where you live to the app developers? That is why I prefer the Lumia phones with Windows, because Microsoft respects your privacy.

    Also, Microsoft only wants to know your location so that they can protect you. If something were to happen to you they would send an SMS to people you trust (they would get their numbers from your SMS history) and they would send an ambulance to your location (that's the only reason the
