Lumia Phones Leaking Private Data To Microsoft
New submitter Albietta writes "Two independent sources inside Nokia have confirmed that Nokia Lumia phones send private information to Nokia and Microsoft servers around the world. Location data, SMS messages and browser identification are uploaded. The Nokia leadership has known about the privacy violation since 2011 when the Lumia phones were introduced. In spring 2013, after suspicions of leaks and during the negotiations for selling off the mobile phone branch to Microsoft, the Finnish state communications department sent an inquiry to Nokia regarding leaking of private data, asking Nokia to assure that users' private data is not leaked. Nokia did not want to (or could not) provide an assurance due to the delicate business negotiations. After two more inquiries with narrower demands, Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws. Microsoft is apparently also following Lumia user accounts. On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage."
More "Microsoft helps the NSA" (Score:1, Troll)
Considering how this information is sent, it may be trivial for the NSA to capture such information by definition.
Way to go, Microsoft.
Re: (Score:2, Insightful)
This is why Glorious Free Enterprise will always beat the commies at dystopian surveillance: Commies engaged in surveillance for political repression, and had to fund it from the proceeds of their other-than-efficient economies. Here in the Free World, the surveillance pays for itself, thanks to demand from advertisers and analytics weasels, and the clandestine services can get a copy for almost no addi
Re: (Score:2)
The difference is that in capitalism, the spying is done because they want to know what kind of clothes and other goodies they should make to get you to want to give them money.
In communism, the spying is done because they want to know whether or not they need to make you mysteriously disappear without a trace one day on the off chance that you might be or might become a political opponent that they would *gasp* have to compete with.
Re: (Score:2)
Communism invariably ends up authoritarian if it isn't already, either that or it just falls apart. Every. Single. Time. Marx was predicting that communes would start authoritarian and move on to democracy, but that has NEVER been the case. Even in communes that are run by elected members and don't have an official government end up resorting to a command structure (see the Icarians in Nauvoo, IL, whose system gradually required more and more strict controls until finally a command system had to be in place
Re: (Score:2)
They killed my Poppy!
Microsoft doesn't like nudists. Move along, move along.
That doesn't sound like a "leak". (Score:5, Insightful)
That looks like it is deliberate.
Had it only gone to Nokia's servers then it could have been an accident - not removing certain debugging code, for instance, used for tracing.
But sending to Microsoft servers as well as Nokia servers... that is more like a deliberate action.
Re: (Score:1)
I have a Lumia 925. I read all the warnings and things I had to click "Allow" or "OK" on when setting up the phone. I also just went and read the article. To summarize, it boils down to "the phone is uploading and transmitting exactly what I agreed to when I clicked 'Allow' when setting up the phone."
It uploads my text messages... obviously, because I turned on text message backup.
It uploads my pictures... well yes, I turned on backup/auto-upload of my pictures to OneSkyDriveWalkCrawl.
It uploads my locat
Re: (Score:2)
Did it also say that someone would be friendly enough to sit there reading your messages and looking at your pictures of your own kids naked?
Re: (Score:1)
I generally assume anything I allow on a network will be read or looked at by someone. I'd imagine all photos uploaded to most online services are scanned/flagged by some automated process looking for kiddie porn, and then anything flagged is reviewed by a human, and true violators reported to LE.
Is it an invasion of privacy? Fair question. It's probably somewhere in the EULA for OneSky, I didn't read the whole thing though so I'm not sure. Was it obnoxious and extreme to kill someone's account because
Re: (Score:2)
I wonder whether it's FUD around the option (probably defaulted to opt-in) to participate in Microsoft's "feedback" program. Google and iOS have the same type of feature. It's basically how traffic data is captured for the various maps. There are other "user experience" data points that are captured, too.
Re:That doesn't sound like a "leak". (Score:4, Interesting)
I wonder whether it's FUD around the option (probably defaulted to opt-in) to participate in Microsoft's "feedback" program.
I don't think there is anything that is overblown.
If you associate your Windows phone with an account (required to load software from the only source permissible, the Windows app store), the phone also periodically, and on demand of Microsoft, uploads your location to a Microsoft server, and there is **NOTHING** you can do about it and no way you can turn it off short of wiping the device and never associating an account, which means not using the app store, paying a hefty premium to use what is then essentially a "feature phone".
Microsoft's WP does not respect your privacy by default and there is no lever you can pull that changes this.
Re: (Score:2)
I wonder whether it's FUD around the option (probably defaulted to opt-in) to participate in Microsoft's "feedback" program.
I don't think there is anything that is overblown.
If you associate your Windows phone with an account (required to load software from the only source permissible, the Windows app store), the phone also periodically, and on demand of Microsoft, uploads your location to a Microsoft server, and there is **NOTHING** you can do about it and no way you can turn it off short of wiping the device and never associating an account, which means not using the app store, paying a hefty premium to use what is then essentially a "feature phone".
Microsoft's WP does not respect your privacy by default and there is no lever you can pull that changes this.
And how is that different from iOS or Android? Don't they do exactly the same if not worse? Also, you can turn off location services in Windows Phone.
At least they don't seem to be spying on which physical stores you visit, unlike Google. http://digiday.com/platforms/g... [digiday.com]
Re: (Score:2)
And how is that different from iOS or Android?
Sorry I don't know anything about iOS. Google is optional on Android, you can load applications on your device without google play and even use a number of alternate stores.
Turning off "location services" does not resolve the problem.
At least they don't seem to be spying on which physical stores you visit
At least .... at least Microsoft is not run by Hitler.. so there is that...
Re: (Score:2)
Source, please? I very much doubt this is true. There are a number of options which will cause your location to be sent to MS (for example, the Find My Phone feature, or the "Send information about WiFi networks near me to Microsoft to improve location services" feature) but each one of them explicitly calls out that they will send your location. Turning off Location Services is supposed to completely disable the GPS and WiFi-hotspot-based locatio
Re: (Score:2)
Source, please? I very much doubt this is true. There are a number of options which will cause your location to be sent to MS (for example, the Find My Phone feature, or the "Send information
I know because I've seen it in action myself. If it is not using the GPS it is uploading tower data to get a rough position for the find my phone option.
about WiFi networks near me to Microsoft to improve location services" feature) but each one of them explicitly calls out that they will send your location. Turning off Location Services is supposed to completely disable the GPS and WiFi-hotspot-based location features as well (hypothetically the latter could be re-implemented in other code, but I've seen no sign of this).
How do you use your device's GPS for a local mapping application without also participating in Microsoft's crowdsourcing? It seems to be all or nothing, which is unacceptable.
Oh, and for the record, sideloading is possible on WP as well as on Android. It's definitely more restrictive (you need a PC) but it's possible.
You need to developer unlock your device to sideload... this requires a Microsoft account and a developer account.. which means find my phone is then not optional.
Re: (Score:2)
If it is not using the GPS it is uploading tower data to get a rough position for the find my phone option.
So you want Microsoft to be able to find your phone without being able to know where your phone is.
How do you use your device's GPS for a local mapping application without also participating in Microsoft's crowdsourcing? It seems to be all or nothing, which is unacceptable.
Perhaps it is, but AFAIK both iOS and Android do the same thing. Google even killed Skyhook and is facing a lawsuit in order to get hold of location data.
http://www.theverge.com/2011/0... [theverge.com]
Why is such a stink raised over Microsoft doing it?
You need to developer unlock your device to sideload... this requires a Microsoft account and a developer account.. which means find my phone is then not optional.
That doesn't make any sense. You can turn off find my phone even if you have a MS and dev account and dev unlock your device.
Re: (Score:2)
So you want Microsoft to be able to find your phone without being able to know where your phone is.
The issue is users are denied the option of preventing their phone's location from being periodically uploaded to Microsoft. I don't want Microsoft, anyone at Microsoft or anyone who may compel Microsoft to produce the information to track me.
Perhaps it is, but AFAIK both iOS and Android do the same thing. Google even killed Skyhook and is facing a lawsuit in order to get hold of location data. Why is such a stink raised over Microsoft doing it?
Hello officer, why such a stink over robbing the blind man's collection of wind chimes? My neighbors did it too!
That doesn't make any sense. You can turn off find my phone even if you have a MS and dev account and dev unlock your device.
There is no way to turn off the find my phone option on the device. This is part of the problem the way the UI is constructed people think they can turn it off wh
Re: (Score:2)
The issue you're talking about might be a bug...
http://forums.wpcentral.com/no... [wpcentral.com]
But...
Hello officer, why such a stink over robbing the blind man's collection of wind chimes? My neighbors did it too!
That analogy would make more sense if one of your neighbors stole wind chimes from 60 people in plain sight with hundreds of witnesses that would testify, and another one did the same from 37, but you stole from 3 people, and the police come after only you with a SWAT team while the others watch the raid while lounging on their front lawn. Your OP in this thread sounds exactly like that given the marketshare numbers.
Re: (Score:2)
That analogy would make more sense if
There is no defense for asserting "but they did it too" .. two wrongs don't make a right. Stop digging.
Re: (Score:2)
So if the thief that was arrested was of a different skin color(analogous to how Slashdot treats MS compared to Google/Apple) would you still say the same thing? If someone is criticizing how 3% of the market does things, it sure helps to understand what the other 97% is doing differently to put things in perspective.
Re: (Score:2)
So if the thief that was arrested was of a different skin color(analogous to how Slashdot treats MS compared to Google/Apple) would you still say the same thing? If someone is criticizing how 3% of the market does things, it sure helps to understand what the other 97% is doing differently to put things in perspective.
I'm not a fanboy for any vendor. I only care about what is best for users. I was referring to Microsoft specifically ( AKA topic of conversation). It is unnecessary for me to conduct a survey of what all everyone else is doing when commenting on the actions of a specific vendor. What others may or may not be doing is irrelevant to the fact that Microsoft is in the wrong for doing it. The color and or shape of their corporate logo is as irrelevant as "but they did it too".
Re: (Score:2)
That looks like it is deliberate.
Had it only gone to Nokia's servers then it could have been an accident - not removing certain debugging code, for instance, used for tracing.
But sending to Microsoft servers as well as Nokia servers... that is more like a deliberate action.
And hidden somewhere in the T&C you agreed to when you turned the phone on is a line that says something like:
"by accepting this agreement you agree to join the Microsoft Customer Service Experience(TM) feedback program and agree to transmit data to Microsoft which may be shared with select Microsoft Partners".
And if you think Apple's not doing the exact same thing, I have a bridge to sell you.
Google cops a lot of crap for admitting that it's collecting some data, but unlike Apple and Microsoft,
Wow... (Score:5, Insightful)
Nokia assured that the phone, excluding third-party software such as the operating system, did not violate Finnish privacy laws.
How much non-3rd party software does a Nokia phone ship with? I mean, if you aren't including the OS on the phone as Nokia's responsibility, then what exactly are they responsible for?
Re: (Score:2)
Drivers and services that they added to the OS.
Nokia-authored apps that come pre-installed (such as their custom camera "lens" that gives more control over the camera behavior than the stock camera app).
Nokia-authored apps downloaded from the store (including updates to pre-installed apps).
In total, actually, not much - WP8, unlike Android, discourages OEMs from tinkering too much - but it would only take very little. A single thread in a driver or service could do this all day long, easily...
Re:Wow... (Score:5, Informative)
I mean, if you aren't including the OS on the phone as Nokia's responsibility, then what exactly are they responsible for?
This is indeed an absolutely ridiculous and priceless statement.
To understand why they gave such a statement, we must know some background. The whole debacle started in 2012 when the Finnish government's IT department had a meeting with Nokia, where Nokia's management assured them that Nokia's Lumia phones had superior security and user privacy to both iPhone and Androids. Consequently, the government bought several Lumia phones for top officials who engage in sensitive communication, like the Prime Minister. Thanks to Snowden leaks, the government in 2013 then received contrary information: that Lumia phones were just as hackable as other smartphones through the inclusion of the Microsoft operating system.
Consequently, the Finnish Communications Regulatory Authority (FICORA) made an officially actionable inquiry to Nokia regarding whether the devices they sold indeed revealed the user's confidential communications, location information and other private information without the user's authorization. The authority warned that if the corporation had knowledge that the phone was leaking such data, and did not answer truthfully, it could be held liable under the criminal law for false statement in official proceedings and failing to report a serious offence.
The company then replied that they were unable to officially give such an assurance (i.e. they probably knew that the device was leaking private data). Then, FICORA made another official inquiry, asking for an even smaller set of privacy assurances. Nokia was again unable to give an official assurance of privacy of its devices, so in August 2013 officials from FICORA and Nokia had an informal meeting where they tried to find common ground: what kind of privacy assurances Nokia could actually give about its devices. Turns out, Nokia could only go as far as to assure that it had not installed any additional spying modules – and only to those devices that it was selling in Finland, anyway.
So they delimited the official assurance that Nokia should give to only concern the hardware and software it had itself made and was selling in Finland, excluding actions of their subcontractors and business partners (like Microsoft). Well, Nokia was able to give such an assurance, even if it is obviously of no value to consumers. But the company had something to show for FICORA: at least Nokia itself takes Finnish and EU privacy regulations seriously, even if it is in partnerships with other corporations for which it can not make equal assurances.
Excluding third-party software, as the O.S. (Score:1)
Re: (Score:1)
It'd be a bootloader which could install an OS of choice from the sd card.
I'd actually buy one of those.
Re: (Score:3)
http://www.gta04.org/ [gta04.org] or http://neo900.org/ [neo900.org]
Re: (Score:2)
They mean excluding code written by companies that aren't Nokia (for example, most of the OS and some of the built-in apps on each Lumia are Microsoft code, they also come with Angry Birds pre-installed, and that's Rovio code... you get the idea). Nokia's contributions will mostly be some drivers, some services that run in the background (apps aren't generally allowed to do so), some "settings" apps to control those drivers and services, some "normal" apps to add features that aren't built into the OS (for
Re: (Score:2)
Well, they produce the mobiles, so I guess that they should have included some items in the contract for the software they've licensed that MS will comply with local laws.
So does this make Microsoft MicroScrooGoogled now? (Score:1, Insightful)
Any comments from the closed source crowd? Any comment from the MicroShaft execs? Exactly, now you know why I stopped using Windows 10 years ago.
CP hysteria (Score:5, Informative)
On one occasion a parent's Lumia account was closed without warning when they uploaded pictures from the phone displaying their kids playing naked on the beach at their summer cottage.
This says more about the hysteria in certain industrialized markets where all nudity is considered sexual for the purposes of zero tolerance regulations against production of alleged child porn. See also prosecutions of parents who photograph their children in the bathtub [jonathanturley.org].
Re: (Score:3)
Yyyep. Don't store your pictures in the cloud, folks. There's automated scanning (not just of Sky/OneDrive, but of others as well) that looks for anything it thinks is nudity, and flags it for human review. If said human decides it's nudity, or even if it could be considered erotic / is too risqué, they can and often will shut down your account. This has happened before. I admit I've never heard of it happening to related accounts owned by other companies (i.e. Microsoft killing somebody's Nokia accoun
Re: (Score:3)
This says more about the hysteria in certain industrialized markets where all nudity is considered sexual
Last week there was a "beat up" story on the local news as to how there is this church and worshippers who have services in the nude. The teasers didn't bother to mention that this church was in the middle of a nudist club.
"Leaking" (Score:5, Insightful)
Sources? (Score:2)
Seems a little light on actual proof there, even the source doesn't have a source for the magical "Lumia account closed as the user is a paedo" comment
I call it a bull (Score:4, Informative)
I recall that it was stated in clear language that SMSes will be uploaded if I choose some option during initial setup for my Lumia.
And if they mean the SkyDrive/OneDrive account as "Lumia user account", then I wouldn't be surprised that Microsoft screens uploaded (public?) pictures. Similar to how Google screens YouTube videos.
Re:I call it a bull (Score:4, Informative)
Specifically, the option for SMS backup (it can be set up after initial boot, of course). Obviously, this requires sending your SMS. Now, they can (and should) be encrypted, but it still must send them. If they're inside an SSL tunnel (and nobody goofed their cert validation, the way Apple has apparently been doing...) then they should be secure in transit, at least.
Corporate crimes won't stop until CEOs are jailed (Score:1)
It has become quite obvious following the news that corporations are spitting on laws and won't stop committing crimes that increase their profits, until some actual individuals in charge are jailed for significant time.
Puny fines, often not even exceeding the extra profits made from the crime, won't stop anything. They are just like a gamble CEOs are ready to take - if they are not caught, their personal bonus increases with the extra profit. If they are caught, the company or some insurance will cover t
Compulsory Caveat (Score:2)
I think you know it's for the children.
Re: (Score:1)
And I'm sure no one is hoarding the naked selfies... At least, I can be sure, mine...
Re: (Score:2)
Can we all just fucking accept that companies get rich at your cost and there is no large company that does not do shit they should not do!
Never, they care when nobody buys their shit. It is the user's responsibility to rein in corporations when they get too greedy by forcing change.
All of these technology companies are banking on not enough people caring.. while it is increasingly clear there actually is a non-trivial chorus of people who actually give a shit.
Re: (Score:3)
I think you miss what they mean when they say people. See, when the NSA spies on nameless faceless Americans, that is surveillance. It's not victimizing people. However, when they spy on someone like Angela Merkel, that is an outrage, because she is a real person with a face and a name....she is someone who matters.
Corporations are people like Angela Merkel is a person. They are real, they matter. They are not you, some nameless faceless peon; barely fit to eat the scraps a real person drops from their table
Re: (Score:2)
Commie Finns? There is a fine line between funny and stupid and you plopped down way over on the stupid side.
Re: (Score:2)
Something a lot of Americans don't know: there's a ton of bad blood between Finland and Russia, to the point that they sided with Germany during WW2...they wanted help keeping the Russians out.
Re: (Score:2)
Yes. I saw that on the History Channel. Finland put up a hell of a fight.
In other news (Score:4, Interesting)
There's also a side story in this scoop which involves Nokia allegedly handing over user data to Finnish police without a warrant.
YLE Uutiset - Police chief to look into Nokia phone spying claims [yle.fi]
Hang on a minute (Score:5, Informative)
When you use a WP8 device, you are signed in using a Microsoft Account. Features like SMS backup, location services such as "Find My Phone" etc. need to send data back to MS in order to work. In fact when you first sign into a phone this is made explicitly clear, as it is during the install of any apps on the phone that require, say, location-based services. So whilst the implication of this article appears to be that there's something shady and underhand going on, until someone shows me a Wireshark trace that shows it, I'm calling BS.
Re: (Score:3)
I'm calling BS.
More secure than texting BS...
Re: (Score:2)
As an aside, and speaking as a luddite who still uses a Nokia E6 because it's got an amazing QWERTY keyboard, does Windows Phone mandate signing up for an account, or is it optional?
It seems that both the iphone and android are both nearly useless without signing up for an account (although you can have an android ROM without the gapps loaded, it will apparently severely restrict what you can run on your phone) and I'm of the opinion that any device that requires an account in order to function essentially has
Re: (Score:1)
Strictly speaking, you DON'T have to have a Gmail account for any Android phone, only the ones with stock ROMs. An AOSP ROM (like Cyanogenmod) can be used without a Google account; one can get apps from the Amazon App Store or Aptoide, or even F-Droid if you want to stay as close to open source as possible.
But yes, Windows Phone devices are pretty much useless without a Microsoft account, as that is the only straightforward way to get apps onto the phone. You can always sign up as a WP developer and sideloa
Re: (Score:2)
Strictly speaking, you DON'T have to have a Gmail account for any Android phone, only the ones with stock ROMs.
This is, perhaps, a bit pedantic, but you don't need a Gmail account even then. You need a Google account, but you can set up a Google account using any e-mail address. In general this is a distinction without a difference, since the only difference is Google is handling the e-mail, and you can always create a Gmail account that you don't use for e-mail.
Re: (Score:2)
Strictly speaking, the Microsoft account is optional (you can choose "not at this time" when it asks you to sign in, and just never get around to actually doing so). You won't be able to access many of the phone's features until you sign in, but the basics (calls/messaging/voicemail/web browsing/taking pictures/accessing WiFi/running built-in apps like calculator/etc.) will work fine. You may even be able to add email accounts that will sync to the phone (I never tried) before setting it up.
The big problem
Re: Hang on a minute (Score:2)
In other news.... (Score:2)
Snowden reveals that NSA reveals user opinions on corporations to said corporation
in great piece of Irony that taxpayers are paying to be spied on for corporations that
want to use the NSA as their private orwellian invasion of privacy.
Great irony there, getting the sheeple to pay to be spied on, bravo !!!
Orwell, Quigley, and Huxley were prophets...
Lumia - not intentional (Score:2)
Re: (Score:1)
One of the 4 horsemen of the infocalypse...
Four Horsemen of the Infocalypse: terrorists, pedophiles, drug dealers, and money launderers.
And that's how they take away your rights.
List of WP8 security and privacy fails (Score:3)
1. Find my phone option can't be opted out of; there is no way to not have the device send location to Microsoft and still be able to use the device in even a remotely meaningful way.
2. It is not possible to not be complicit in Microsoft's skyhook WiFi location mapping system.
3. When your device connects to a WiFi network it sends unique device identifiers in the clear over the network; there is no way to stop it.
4. Wireless security 100% completely utterly insecure by design due to total failure of device to validate certificate chain.
5. Impossible for mortals to perform basic functions available as standard features on decades old "feature phones" such as contact synchronization without having to upload all of your contact information to Microsoft. My contacts are none of Microsoft's goddamn business.
Windows phone 8 is designed to violate your privacy at every turn while locking you into their curated app store.
Re: (Score:2)
Windows phone 8 is designed to violate your privacy at every turn while locking you into their curated app store.
How well is their cancer cure rated?
Can I still work on the C-123 I bought at a Military surplus auction and stay healthy?
Why do you keep calling them phones? (Score:1)
They are tracking and data rape devices, with a phone built in... kind of like a clock in the stomach of a statue of Buddha.
Light on evidence, heavy on conjecture (Score:1)
TFA reads like a gossip column. I see no evidence to back up any of the claims, in fact the claims themselves seem to be pretty woolly. There's no mention of what's being uploaded and why, could it be a backup option? Local search results, etc? As a Lumia user I would love to read an article by a techie with some experimental results. In fact if this is true I'm surprised that no one's done these tests already, it surely would have got out there by now.
Re: (Score:2)
I assume you're talking about Android... on WP8, third-party apps are not allowed to request write access to the SD card, or *any* access to SMS. (OEM apps, considered "second-party", are allowed to request SMS access which is useful for things like SMS blockers). Third-party developers can't even compile apps with those capabilities requested unless they modify their VS configuration files, can't install those apps to their phone unless they hacked the phone a bit, and if they try submitting those apps to
Re: (Score:2)
Well, yes, I can imagine Finnish piracy laws don't do much to protect consumer privacy. It's a bit like trying to use murder legislation to prosecute someone for stealing a loaf of bread.
Scroogled! (Score:1)
Did you know that when you buy an app in the Google Play Store, Google sends the neighborhood where you live to the app developers? That is why I prefer the Lumia phones with Windows, because Microsoft respects your privacy.
Also, Microsoft only wants to know your location so that they can protect you. If something were to happen to you they would send an SMS to people you trust (they would get their numbers from your SMS history) and they would send an ambulance to your location (that's the only reason the