Hacker News new | past | comments | ask | show | jobs | submit login
Nokia phones sent identifiable data to Chinese server (translate.google.com)
407 points by henriklied 61 days ago | hide | past | web | favorite | 176 comments



I knew of that 9 months ago, but nobody was interested so I dropped it.

https://news.ycombinator.com/item?id=17329825


I wonder how often this kind of comments fall through the cracks like this. Happened to me too with something privacy related about one of the big Corps that then was noticed by everyone else a few weeks later...

I agree with others, better open a "Tell HN" in this cases.


Happens with a lot of posts, if they don't reach a critical mass of upvotes early on. In this case probably nobody could verify, if the claims were correct.


There is a new feature on HN these days to fix this: If a post get upvotes later, it will often be given a second chance to ‘try to shine’ to the front page.

With this comment I think it was to hard for people to understand in the first place.


It's not if a post gets upvotes later, but rather if a moderator or a small number of story reviewers notice that it was a good post that didn't get attention. We've been doing it for quite a while now https://news.ycombinator.com/item?id=11662380. The long term plan is still to open this up to all users, not just a few, but we still haven't figured out a good way to do that.


Maybe we should add a new topline category, "threat reports"?


I actually like that option, it would allow us to filter and extract the info as well. I could see a nice little app on my phone where i could setup alerts based on the systems / apps i choose, and getting a notification if one of them where tagged. A little bit like Have I been pawned, but with software and hardware threats.


This seems outside of HN remit, but definitely worth being a site of its own with an RSS feed. I feel this should be curated not based on community voting.


US-CERT is already a thing. But we all hang out here. I think this community has a special collection of talents that could foster positive relationships with the larger society.


Somewhat related subreddit https://www.reddit.com/r/netsec


I've found that sometimes a "why was this downvoted" response to an irrationally downvoted question can turn it from grayed out to black again.

Herd mentality for sure.


Your title wasn't really great honestly, unfortunately this community is often based first impressions.


Or more bluntly: click bait wins. Now you don’t get away with taboola style headlines here, they have to be more sophisticated, but they need to grab interest.


In this case, it's not click bait that is winning.

> Nokia phones sent identifiable data to Chinese server

isn't click bait, but simply much more clear and to the point than

> Ask HN: HMD Global (Nokia) is acting shady Any recourse?


I got most of my karma through «clickbait» stuff. If you manage to post something like the Apple annual report, you can get a million free points basically. You just gotta be quick.


Clear headlines that put the most salient information in the headline are not clickbait. The headline on this post is not clickbait.


Click bait is an unfortunate reality but I think it's possible to create decent titles that are not just misleading. Personally I think this OP might even be a bit too much, but milankragujevic's was plain confusing.


thank you for the previous post, really. it's frustrating to be ignored when you are right.

a lot of this industry (in particular web and mobile technologies) survives thanks to systematic privacy violations. it's nice to keep the eyes wide open.


The ask hacker news section isn't really a good avenue for discussion unless it's a general topic like:What's a good framework? or Give me an easy idea to make money.

Best thing to do would have been to contact tech sites with the info. Like The register would definitely do an article about it.


> The ask hacker news section isn't really a good avenue for discussion

I think "Tell HN:" is for such cases, but it's just not as popular.


I think you didn't know that data was being sent. From what I read, you just had suspicions, which is a big difference.


I have a work device that is a Nokia 8. I see the evenwell apps too.

Were you able to forcefully uninstall these via adb?


Wow, this is interesting. I’ve sent you an email.


Ouch. One of those times when it sucks to be right, I guess...


What model? 5,6,7? Or you think all?


I have a Nokia 3 and a Nokia 7.0 Plus, both had a bunch of com.evenwell.* packages installed.

I think all HMD devices have those packages.


Would love to speak to you about this. Can you send me an email? henrik.lied [at] nrk.no


Send you a mail from a newly created mail account.


How do I generate a list like this?


Login to android shell using adb


More specifically:

  adb shell pm list packages
You can sort it alphabetically by piping it through the "sort" command, like this:

  adb shell "pm list packages | sort"


It's also really hard to read your writing when what should be an entire paragraph is one sentence.


Please don't assume this is a one-time event, or that it is specific to this brand or even to Chinese manufacturers. Nokia could actually be in the best half on that aspect, just got unlucky.

Most of such info leaks are hidden. I've already witnessed several OEM firmwares sending informations to many different parties. Too often, this is done through http, with payload encrypted. But it's always symmetrical encryption, and the encryption key can be computed from the fields in clear in the request. Such techniques are enough to stay under the radar of classic MITM, and require hard reverse engineering work to detect. I've noticed such behaviours on major Chinese OEMs, and white-label brands.

I never did actual reverse engineering on more western-ish brands, but the little I've seen doesn't look good. On Samsung Galaxy S9+ simply listing apps that can install apps silently (which is the master of all permissions, because this gives the right to give apps any permission), raises an advertisement company in Israel and a Telco in Singapore.

If you're worried about this situation (I do), I recommend you start lobbying about mandatory bootloader unlock, and easier OS replacement on smartphones. In this area, Nokia is amongst the worse, since AFAIK they still haven't authorized any bootloader unlock. Personally my work in this ecosystem is to make the Phh-Treble ROM, which is most likely the Android ROM with the largest hardware support (even though it requires the phone to be natively running Android 8 at least), and it is opensource.


> On Samsung Galaxy S9+ simply listing apps that can install apps silently (which is the master of all permissions

Wait... what? Why is there such a permission in the first place?


> Why is there such a permission in the first place?

Google Play and F-droid require it in order to update apps automatically.

Essentially, you give one app a permission to install other apps. Whether it notifies you or not, it's up to the app.


As mentioned, there are updates, but then you could have an upgrade-specific permission (there isn't one).

But even when simply installing, check the workflow that the play store currently have: When you click "install" in the play store, you don't really want interactions far in the future about it. So the apps' permissions are asked right away. Without this silent install permission, you would have a pop-up at the end of the download (which can be between few seconds after clicking "install" to several hours if you're unlucky and downloading a big app), asking you to confirm the installation.


Oh. Now I see why my phone randomly installs Amazon Prime Music or Prime Video. I have Kindle installed and recently installed audible - after installing audible, I noticed I got Prime Video (haven't been a subscriber for a while).


> raises an advertisement company in Israel

Out of curiosity, what "advertisement" company would that be?


Digital Turbine


This has to be fixed by HMD and I hope for an official investigation as most other manufacturers are probably doing the same.

In the meantime, I recommend the following:

1. Remove any unnecessary packages through ADB (https://www.xda-developers.com/uninstall-carrier-oem-bloatwa...)

2. Use Shelter (https://f-droid.org/en/packages/net.typeblog.shelter/)

3. Use a VPN-Firewall such as NetGuard (https://f-droid.org/en/packages/eu.faircode.netguard/) or NoRoot Firewall (https://play.google.com/store/apps/details?id=app.greyshirts...).


This should be fixed at an even higher level, and have Google force manufacturers to not add or alter the base OS for any data-gathering reasons in Android One and deny them from using the Android One brand if they do, or people will lose faith about the Android One program.


That, my friend, would be abusing their monopoly position.

Google hoovers up all the data and tells their partners they can't do this too? The antitrust regulators would have a field day.


According to the statement HMD Global gave to NRK, they have already rolled out a software update to fix this issue. Of course there is almost guaranteed to be other spyware on the phone serving the curiosity of the same and different masters, like Google.


Google should revoke their use of the AndroidOne trademark over these shenanigans.


Thank you for linking Shelter, I had no idea that was possible and that easy software for it existed!


You suggest installing userspace apps to control system software that might run in a privileged context. NoRoot Firewall, for example, doesn't control iptables, it just pretends to be a VPN server and privileged software, I assume, can bypass it.


Yes, I'm fully aware of this. There's also the problem of having a closed source baseband processor in pretty much every device.

But bypassing these mechanisms is a decision they had to make. If they're just lazy or incompetent, these userspace apps should be sufficient as a mitigation.

Check this out for a more sophisticated way: https://privacyinternational.org/node/2732


According to the explanation about permissions within NoRoot Firewall itself, any app with the 'Internet' permission can create connections to bypass the VPN. This is how NoRoot Firewall itself works (else the filtered traffic would never escape the app/vpn).


It's shameful of Google (but totally expected) that they don't supervise the Android One program AT ALL. All of the Android One mobiles appear on the top list of their Android One microsite and I'm sure most of them contain malware built-in.

https://www.android.com/one/

Having said this, I never expected Nokia to be doing that, too. Both Nokia and HMD are Finnish, do they really need to outsource the creation of the ROM?!


Yeah, Android One is a bit of a joke really. I got a Nokia 7 Plus on the promise that it would have fast updates, be bug free, and not contain any OEM modifications. None of those have really been true. Admittedly, updates are still a bit faster than the likes of Samsung and other big OEMs, but the process has shown that it's not as simple as Google rolling out the updates.

OEMs still make changes to it, and it still seems dependent on carriers pushing through the changes - despite buying a SIM free phone, I waited 2 months longer for updates, which seemed to be the case with everyone on the same network in the UK.

It's far from bug free, with a few updates in the last few months introducing new bugs. Again, it shows that this isn't an update coming directly from Google, it is at least in some part developed and tweaked by OEMs. In this particular case, the process showed that HMD/Nokia is severely lacking in development and QA expertise, as there have been ongoing issues for months with no fix.

They also introduced their own battery optimisation software a few months ago, which massively changed how the phone handled multitasking and background applications (effectively, it killed them all). And then this news that they're sending unencrypted identifiable information to a third party? These things shouldn't be possible if Android One did what it claimed.

I avoid OEMs like Samsung because of all the bloat and junk that they add on top of Android, but Android One is clearly not a solution to that. I would still prefer it in theory in the alternatives, but I'll do more research next time - if a company doesn't have a proven track record, then Android One isn't going to solve that.

One minor point - Nokia the company isn't involved in the Nokia Android phones. HMD is just a small company that licenses the brand. Admittedly, a small company that was founded by ex-Nokia folk and based across the road from Nokia's HQ, but it's evidently not a company with Nokia's resources or much of their expertise.


One really big bugbears I have with HMD and the firmware updates is absolutely unusable WiFi after they released the January/February security updates for this year.

After installing the security updates, WiFi only works once after a reboot, the moment you disable it, you have to either sludge forward with modem speeds on 2.4GHz-band or none at all if you are on 5GHz-band. Since these problems manifested after installing the security updates, it's slowly starting to point towards a driver/firmware issue instead of a hardware problem as some have speculated.

Some fixes for this are "phantom SIM", resetting WiFi settings or booting into safe mode. Only common thing with these "fixes" is the reboot; so far it is the only thing that will fix the WiFi but turn it off once and you're boned. Similar issues are noticeable with the WiFi AP: first try after boot works just fine, next one you have to try to force 2.4GHz-band on the AP along with 5GHz, causing the AP to "soft reboot". After this, you are very likely in need of a reboot as the AP will no show up.

After this breach of privacy and data security, along with the WiFi issues, I'm slowly starting to lean towards filing a complaint to either HMD or the local customer protection agency here.

Worst of all, the support forum topics I've checked somewhat regularly on have no official replies from HMD or Nokia, only second-hand information from people who have been in touch with support.


This really stings. I purposefully chose a Nokia for exactly these reasons - Android One and European.


HMD is Finnish, but AFAIK they have zero own software development in Finland. Not sure whether it is public knowledge where they buy the SW from. Of course the Google part is known, but I assume the application reported here is not from Google.


Yeah. HMD is just license holding company with nothing but lots of managers as employees. All of their software development is outsourced to Finnish and foreign companies.

I know some of those people (in Finland) who worked in these outsourcing companies, but they just worked on the more high level components like Android apps etc. Not with bootloaders or OS images.


The firmware for my 7 Plus is littered with packages named "com.evenwell.*", including the very aggressive powersaving "feature".


You're right. My Android One Nokia 7.1 comes with at least 64 evenwell/HMDGlobal apps, albeit behind the scenes. There's no docs on any of them as far as I can tell so you can only guess from the name what they do.

https://pastebin.com/LehzyCMU

That said I've not noticed anything obviously suspicious when I use a firewall to monitor it. I only did it as a test so I might have missed something. Also I'm in the UK, if that makes a difference.


I've got a Nokia 8 (also bought in the UK) with the Evenwell system apps as well, and I haven't noticed any unusual domains in my Pi-hole logs at home.

I wonder if it's only specific country builds that display this behaviour?


These apps can freely choose to only use the cellular modem for communication and thus communication may not show up in your firewall / proxy. In addition to this, your carrier can't distinguish legitimate traffic generated by you from malicious traffic generated by these applications.


How can I check it? I bought Xiaomi Mi A2 recently and I didn't find any non-Google software, it looks pretty authentic.

Here's pm list: https://pastebin.com/HjQED9fr (I installed few applications myself)


You have the problematic application: com.qualcomm.qti.autoregistration, also some stuff from Goodix that I'm not sure if you installed yourself...


> You have the problematic application: com.qualcomm.qti.autoregistration

Could you explain why this is problematic?


"security researcher Dirk Wetter reported that the culprit could be an APK package named “com.qualcomm.qti.autoregistration.apk.”"

https://www.androidauthority.com/nokia-7-plus-user-info-9679...


FWIW, I have a recently purchased Nokia 7.1 which is part of the Android One scheme (running Android Pie). This was through a legit high-stret UK retailer so not grey-import or anything.

I installed NoRoot Firewall as suggested in another comment here. So far NoRoot Firewall has not detected any activity from anything unusual running in the background (either idle, screen-on, or charging).

What was weird though was that if I open the Nokia camera app, it tries to talk to edge-star-shv-01-lhr-facebook.com, edge-star-mini-shv-01-sof1.facebook.com & edge-star-shv-01-sof1.facebook.com. I believe this is due to the facebook live-broadcasting feature built into the Nokia camera app, although I have not got it logged in so not sure why it is phoning home just when I open the app.


So 24 hours later and still nothing odd going on according to NoRoot Firewall on a UK retail Nokia 7.1.

I'll keep running foir a few more days (I cant use my usual VPN at the same time as NoRoot Firewall so dont want to run indefinitely) and udpate if anything else happens.


Very nice of the Chinese military to choose a .cn domain so even the Norwegians can see what is going on ...


It is obviously a bug / lazy programmer / broken project management. A phone with most of it components bought from China and in one of the many configurations just copied from the supplier's examples there was an URL which was supposed to be changed but didn't.

In other words - a non-story or at most a story about quality issues at the reborn Nokia.

But luckily the URL pointed to China ... so we can make the story about that ... with a big red communist flag, talk about mass surveilliance, human rights, future invasions and so on ...

I don't really think this is because of racism; I mostly just think it is because we are idiots that prefer big hyperboles rather than simple explanations of non-issues.


Huh? It's more than just that; the Android build comes littered with software from an unscrupulous source, even on phones that are supposed to be close to a clean version of Android.


Why do you assume they (the presumely Chinese provider of the component) are unscrupulous?

To me it is obvious that it is Nokia that is sloppy and having quality issues.


Why do you assume it's simply laziness? Regardless, it's not good.


Why is there a Chinese flag in the article and not a Finnish flag?

Because it gives more attention.

The real story here is that the venerable brand of Nokia now is being used to sell sub-quality phones.


Because the service and server in question are in China? Look I understand being skeptical of the narrative, but that's where the data was going.

Nokia isn't being shielded in the article.


[flagged]


Comments like this are a bannable offense on HN. Three ways actually: nationalistic flamewar, personal attack, and insinuation of astroturfing. Please don't do any of these here again.

https://news.ycombinator.com/newsguidelines.html


I agree with your assessment that this was likely unintentional, although it doesn't seem like they forgot to change the URL, but rather that the whole component should have been disabled. https://news.ycombinator.com/item?id=19451772

On the off chance that you're a native Chinese speaker, are you able to figure out what the purpose of device self-registration is? My Chinese is unfortunately not good enough to easily find information on it.


I don't speak Chinese. And you are right; it looks like something specific to China Telecom that should be completely removed.


It is kind of ironic for me to think my perception of Android as same as Windows as major malware distributor despite it is based on Linux. Android is now fast becoming Windows XP of mobile.


My Android phone came with a weather app preinstalled. The app cannot be uninstalled, is full of translation errors and some links redirect to Chinese websites. Who knows what data my phone constantly sends there?

Adding to that the fact that I don't receive system updates anymore, I have absolutely no trust in my phone. My next phone will be an iPhone, for the lack of better alternative.


Yeah, I recently switched from iPhone to Samsung Galaxy S10.

I don't have a previous experience so my reasoning was "well it's Samsung, at worst they'll have some shitty branded apps and some cruft". But I don't have an idea what these dozens of preinstalled apps running on my phone doing. Almost none of them can be uninstalled and only a handful can be disabled.

It is kind of scary to use a banking app on this thing. Never felt this way on an iPhone. I wanted to see the Android side after years of iPhone use, apparently it is still shit.


This is exactly why I am back on iPhone. I have had enough of unremovable shitware. I also value the simplicity of getting basic things done such as Bluetooth pairing. Stuff seems easier. The only thing slightly worse on iPhone is google 2fa, because it needs to use the gmail app.


> google 2fa, because it needs to use the gmail app you mean the Google app, right? Not the GMail one.


Not the original poster, but yes you're right


I use k9 mail and open keychain on android. What would be the equivalent on iPhone?


> It is kind of scary to use a banking app on this thing.

My wife, who is not a tech person at all, flatly refuses to run any banking or financial apps on her Android phone. She knows just enough about the technology to know that most Android devices are cesspools of spyware and malware, even her Galaxy phone. She doesn't like iPhones though, so I doubt she will ever go over to that side even for security's sake.


Please have her order a Librem 5 for banking etc!


No thank you, I lost faith in Purism after they continually misled their customers about the Librem 15 laptop.

https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem...


To be fair, they did get Coreboot working after about 2 years from the time of that post but it's still not ideal, compared to a older Libreboot based system, performance not withstanding.


They did, but they never once apologized or admitted they misled customers about the laptop launching with Coreboot working and ME removed (in fact their initial promise was that they somehow got Intel to make a ME-free chipset "just for them" which was a flat out lie).

Lie to me and I'm done with you, especially over something as important as privacy and freedom. It may now be closer to what they originally promised, but I no longer trust them.


That's fair, and even "I" as a "partial supporter" think they need to tune down the marketing machine a bit.

It's a shame because they're really the only company doing what their doing (a fighting a chance at open source (as possible) and secure hardware)


Ever try the phones from Google with pretty much nothing pre-installed? It is a much better experience, but yes Android is still proper shit in some ways. In others it has come so far. I never have to restart my phone like I had to for my Galaxy S1 every day.


I got a nokia because it's as close to pure android without a super expensive google phone and here we are...


I used to have Nokia Windows Phones and they were excellent...I wonder if this was still going on back then?


> I never have to restart my phone like I had to for my Galaxy S1 every day.

Give it time. The slow-downs/reboots happen to every Android device over time.


I have a s8 I'm not using out of creep factor. Switched to a phone that supports lineageOS.


Oneplus preinstalled weather app doesn't work at all without access to my contacts and to device storage (media). I'm also more and more thinking about switching to Apple, and paying premium for no hardware advantage, only due to fact that Apple collects and sells less information about me. Not because it will change anything substantially but on principle.


... and it is probably going to be even worse with BSD/MIT/Apache-licensed eventual Android replacement in development called Fuchsia. More modifications by vendors and manufacturers, more preinstalled malware and bloatware, less customizations allowed. :)


At least it's easy to take control of a PC and modify what you want including completely install a clean OS... not so easy with Android.


I did some research on zzhc.vnet.cn and what its purpose might be. Zzhc is probably an abbreviation of 自注册, meaning self-registration. There is plenty of documentation (in Chinese) on how to implement it (e.g. [1]), but so far I haven't been able to figure out what it's actually good for.

You can find implementations by Qualcomm and Mediatek on GitHub, the Mediatek one even comes with a minimal README [2]. That seems to indicate that it's gated by a feature flag "MTK_CT4GREG_APP" and is only supposed to be active when explicitly selected while the phone is in developer mode. That makes it likely that sending the data was only due to a misconfiguration.

Considering the long list of manufacturers starting at page 10 of [1], it's also possible that others are leaking data in the same way.

[1] https://wenku.baidu.com/view/c2eaa9fc5022aaea998f0f7f.html

[2] https://github.com/griffins-testing-ground/android_vendor_mt...


More articles about "补贴", from same user, https://www.jianshu.com/u/3bff037f7a8b .

I assume the android implementation was done in China, then many requirements are related with "补贴", it is just part of them to submit some data to zzhc.vnet.cn. But didn't get deleted when they are making EU variants.


Thanks for the links. Actually, I had seen one of those articles before, but didn't understand it well enough.

My understanding now is that some 4G deployments are subsidized, and to correctly compute the amounts to be paid, China Telecom needs to collect more data than is usually available, so they came up with the idea of sending the data to zzhc.vnet.cn.

Still pretty hacky, but it kind of makes sense from a perspective of doing the minimum necessary to fulfill the requirements.


In this thread on V2EX (the closest thing to Chinese HN), someone says that registration is intended for phones sold with a China Telecom contract: https://www.v2ex.com/t/547150#r_7062149

Though that doesn't explain why CT wants that data.


https://www.jianshu.com/p/6d257f83ecf8

江苏某项目采用CAT1模块做模块补贴,补贴中自注册失败,后经排查发现如下在补贴自注册中的几个共性问题:1、终端客户采购模块与模块厂家到广研送检模块和软件版本不一致;2、补贴受理中,如果是定向的,需要增加自注册的IP地址zzhc.vnet.cn IP:42.99.2.15;3、补贴受理时需开通4G功能。


ALL Android phones users should go NOW and instal NoRoot Firewall. This will catch anything running over the OS (but I feel it wouldn't catch any rootkit). What information is missing in the article is "which app is leaking the data"? On all rooted android phones you can advise on uninstall xyz and be done with it. Then you can take screenshots and make a nice post in your blog. Unfortunately I don't own a Nokia 7 to do this myself.


Edit: just notice that autocorrect changed my: "adb pm uninstall XYZ"


This is pretty damning. The fact that HMD don't come clean and admit they were required to load this software in order to sell to the Chinese market is a little odd. Maybe the Chinese require companies not to admit the backdoors they place.


I think and assume part of the process, some Nokia Phones which were only meant to sold in China, or Software that were only meant to be installed in China's version of Nokia got muddled up into International version.

If you have been following the Nokia's Android phone, you will know they have always been launching new phones in China first before making slight update or shipping exactly the same one to International Market. So it could happen this is part of the logistics and Supply Chain mistep. I am giving Nokia the benefits of doubt here. Since HMD do have many original Nokia employees, it could be an oversight.


So much for "Android One"....


Shouldn't this be something that the NSA looks into and prevents?

The NSA works with US companies to secure their systems from espionage.

Shouldn't the NSA be analyzing consumer electronics to make sure they don't spy on US citizens, some of which will have sensitive information or trade secrets on their phones?


NSA is the world-wide espionage agency. They welcome these leaks. That's why security bugs found in Windows are first sent to NSA and later eventually to Microsoft to fix. Read more about Snowden's leaks, read stallman.org.


They do warn the public, but people on this site say the warnings aren't real, and that it's just the government trying to hurt Chinese businesses. Look at any of the threads about Huawei, it's mostly full of people saying that the warnings from western intelligence agencies are lies as part of a trade war.


It seems that some companies do not like to be "secured" by NSA, according to the article [1]

[1] https://www.wired.com/2013/10/nsa-hacked-yahoo-google-cables...


'Do as I say, not as I do'?

Aren't those companies tryig to get all the information they can about us?

Perhaps they don't want to be "secured" because it costs money to do so.


This is more FBI's lane of work.


One more reason to get a Purism phone I guess...


If it was the Chinese who were trying to spy, it'd be pretty dumb to use a .cn URL isn't it?

Seems to support the US paranoia about Chinese gear and if proven as known evil, doesn't help huawei's 5g aspirations...


The Chinese don't have to be covert about their tracking activities. It's part of their society, and everyone (at least outside of China) is aware of it, and nobody inside of China is allowed to talk about it.


People inside China are very aware of it; most just don't care that much. They (willingly, if not happily) trade what westerners might consider pillars of freedom for widespread prosperity.

When you consider the progress China has made over the last 50 years from the perspective of a typical Chinese citizen, you can see why they make that bargain.


I hear this often, but it kinda implies they prospered because they had this obnoxious rules, i fail to see if this is actually true. Wouldn't they still be better without this tyranical bullshit?


I don't mean to imply that modern-day China exists because the state is organized the way that it is, only that it does exist this way and that leaves little incentive for Chinese citizens (within the current climate) to upset the apple cart.


They would, but that requires a fight against a party apparatus of 1+ million people, that controls the police, secret services and the army. And that in 1989 did what it did in Tiananmen and wouldn't be afraid to do it again, I'm pretty sure.

So success would be far from guaranteed.

If I'd be Chinese I'd probably do the same trade they did.

After prosperity, keeping the lid on as hard as it is now is much, much harder. And if changes don't come easily and naturally, I guess you can emigrate.


So then maybe they aren't so "happy" to make the trade, but afraid for their status and lives if they don't obey?


Happy, probably not. Content? Most likely.

And what makes most people happy is having a rich personal life, rather than achieving their political goals, I've found.


Bread and circuses stave off revolution.


From a viewpoint of a person that was able to move from the poor dirty village to the city, get a well-paid job at the factory and get a mortgage for an apartment in a 40-floor building, the government is doing everything right. Also this person has probably to work all over the clock to repay the mortgage so he has not much time to think about politics.


Imagine there were no strict rules.

There would now be political rallies, protests, different factions of people wanting different things, etc.

That distracts from economic progress.

It's fairly clear to me that in many cases freedom of speech and similar rights leads to less stability and less economic growth.


Taiwan has prospered just fine without pervasive digital surveillance.


Chiang Kai-Shek and Deng Xiaoping were different leaders who left different legacies; who knows what might've happened if Deng had been 15 years younger?

(I'm specifically noting those two because their deaths were epochal events in the modern political history of both countries.)


>People inside China are very aware of it; most just don't care that much.

The OP said they don't talk about it. Doesn't mean they don't care about it much. It is simply they don't have any means, tools or action they could do to change it.


> they don't have any means, tools or action they could do to change it.

This isn't true at all. China is one of the only places in the developed world where the populace legitimately could topple the government, simply by sheer mass.

Why do you think the party works so diligently to quell dissent and organization while going to extreme lengths to prop up the economy? It would be nearly impossible to hold on to power if the people turned, but nobody is interested in that while they (or their children) can live in a nice apartment and take a holiday in Europe once in a while.


Just as a thought experiment... would Chinese people be okay with say an American company that openly spies on them in virtue of a "cool" product that they would not have had otherwise?

I'm just trying to understand this attitude towards acceptance of losing privacy...

Or is just given up after years of losing to their government?


I guess that when you are saying that nobody is allowed to talk about it, you are talking about politics because I would have broken the law so many times otherwise.

I have been living there for a while and Chinese people can talk about it as freely as elsewhere and most of the people I know are very aware of it.

The opinions about tracking/surveillance are not the same than in the west though and it is much more accepted here. In my social circle, a large majority of Chinese people would prefer security over privacy or just don't really care.

Hard to believe for a westerner like me, but people are happy about it so far.


Masking domain name is ineffective security by obscurity. It's trivial to trace where it goes anyways.


It's likely to go unnoticed anyway, and it provides for plausible excuses.


Side note: I didn't notice the page was translated from another language until after I finished reading it and noticed the title bar. Machine translation between European languages has really come a long way.


Oh wow me neither. Just one word (ombudsman) stood out to me, but I thought it could exist in English. It does in my native language so I did understand it :p

That's a nice translation!


It does exist in English.


It's a bug. The URL was corrected to mil.no/etjenesten in the software update mentioned in the article.


If this is a joke, it's a nice joke.

Ah... the times we live in.


Bingo :)


What is the joke here?


Spying is ok, just data should end up in "Norwegian Intelligence Service" not China.


Maybe it was a prank, bro?

What about the data that already leaked?


Whoa! I had a cheap Nokia dumb phone a year ago that sent a daily SMS to a number in China. Could never figure out what was in it, and support was no help.


"Nokia" phones, while it's really R&D and manufactured Foxconn phones sold by reseller HMD which just slap Nokia sticker on them


To be fair. They are nicely made Foxconn phones.


Guess Nokia devices are only the tip of iceberg. Apple works better: https://www.theverge.com/2018/9/7/17832106/apple-utility-app...

Personally for me Google is an opposite of privacy.



Statement from HMD Global We have analyzed the case and can confirm that there has been an error in the packing process of software in a single batch of a telephone model, which by mistake attempted to send activation data to a foreign server. The data was never processed and no personal information was shared with third parties or authorities.

This has now been fixed and almost any device affected by this error has now installed the update. HMD Global takes the safety and privacy of our customers seriously.


If that's an official statement, it should probably come with a link to a corresponding press release.

Random hacker news comments aren't the most trustworthy.


"takes the safety and privacy of our customers seriously" - so far every company said that.


That’s some pretty bad QC on Nokia’s part. It’s not like it’s clever even with some takeover of the lte chip, it’s just up there in your face running on the application later.


I purchased a Xiaomi phone 4 years ago and some of the Xiaomi apps (cleaner, antivirus, and link accounts) were sending personal info to China as well. These suspicious apps were impossible to remove.


i just bought the 7 plus a few weeks ago, anyone has a tip on what could I do now?


If your are located in the EU file a DGSVO complained. In fact since HMD is based in Finland you can do this probably anyway.


*GDPR. DSGVO is the German name.


How can I check if my phone is emitting these packets?


Install NoRoot Firewall as HenryBemis mentioned, it's on the Play store. The app tells you what IP addresses apps are trying to communicate with in a fairly neat and simple way.

I've just installed it on my 6.1 Plus. Nothing sus yet but it's only been 5 minutes.


I did install it too on my 6.1 and found the System app trying to connect to several cloudfront IPs, cant find any kind of extra info, did you find the same?


We need surveillance more on people and they actions! It's shame that android store let very suspicious apps uploaded!


If the GDPR is any good, this should cost HMD a lot of money.


I think it is also worth investigating whether phones secretly send any data to Western companies. Chinese authorities cannot do anything to you unless you come to China, but USA authorities have the power to extradite people from most countries. Sending data to US companies is much more dangerous than sending them to China. This can literally get you into jail.

For example, many apps, especially messenger and social network apps secretly or openly export contact lists from devices. Not only this is highly unethical, it might be a violation under GDPR because the information in the contact list is personal information and you must obtain the permission of that person for transferring the data abroad, not only the permission of the phone owner.

Almost every mobile app collects IMEI, a hardware identifier that allows governments and mobile companies to track the precise location of your phone. While such data are highly sensitive, they collect it without any second thought. Even a simple keyboard app was collecting all the data it could grab [2].

I can remember how Google was collecting WiFi data, without permission from access point owners. It was also collecting the traffic sent over WiFi [1].

It seems like the companies in every country have similar interests for users' data.

Also, I have a noname Chinese phone and when I examined its traffic with Wireshark, it was attempting to send data with IMEI to Chinese servers (luckily I had no SIM card inserted so it couldn't get a phone number). It was sending data to Google servers as well, but sadly they were encrypted with SSL and even installing a self-signed root certificate on the device didn't help to decode the contents.

So I think there should be better regulation of data collection. The general rule ("not a single byte" rule) should be that no data can be sent anywhere without explicit user's consent (not a phrase somewhere in the EULA). Also I think the manufacturers should put large warnings on the boxes, like the ones on the cigarette packs, like "This device sends all your private data to country X", "This IoT device will spy on you 24 hours a day", "This device uses a cloud in country Y", etc. So that the consumers better know who will spy on them.

[1] https://www.wired.com/2012/05/google-wifi-fcc-investigation/

[2] https://www.zdnet.com/article/popular-virtual-keyboard-leaks...


Nokia is just a name on the phone. The trademark licensee is HMD Global while engineering and manufacturing has been outsourced to Foxconn, a Chinese company.


Foxconn is a Taiwanese company

Edit: I am not disputing the "One China Principle". The fact remains that Taiwan is self-governed.


[flagged]


No, China claims it is, but it’s not.


"China" claims it is part of the People's Republic, which it is indeed not.

But both sides agree that it is China.

Like Korea includes both North and South even if there are two states.


In practice, that's a useless tidbit. Would you rather be the average South Korean or the average North Korean? Their lives are completely different, those are different states for a reason.


That's not useless at all, that's very important and that's the point.

Ask Chinese, ask Koreans. Also ask Germans or Vietnamese.

You could also ask Foxcomm's founder.


Ok, let's clarify in the context of our topic: why would Foxconn's founder send data to the RPC government? Just because the Taiwanese are primarily ethnic Han?


I think Republic of China would at this point prefer to be referred to as Taiwan rather than China. This way they can also distance themselves from all the human rights abuses happening in Xi Jinping's China, you know concentration camps, medical genocide (organ harvesting), mass surveillance and whatnot.


Regardless of the politics, Taiwan and China have different governments and Taiwanese companies are unlikely to be forced by the Taiwanese government to put Chinese spyware on phones that they manufacture.


Which makes it a Chinese company, yes...


Regardless of border politics, Taiwan has its own government


regardless of government, taiwan is an island full of Chinese people, speaking practice every aspect of (traditional-ish) Chinese.


People's race has nothing to do with their alignment with other governments.


Yes, it's called the Republic of China...


Allegedly hacked entire OPM database, Marriot and other orgs. This allows them to potentially blackmail key personnel they want to control. Imagine what they can accomplish with the deployment of Huawei 5G.


This is bullshit. what's the connection? This is an Android based flaw. What could Huawei 5G infrastructure do that couldn't yet be achieved through their highly prevalent 4G infrastructure? Are we worried they're gonna spy us faster and with lower latency?


All this 5G panic is ridiculous. If our protocols were properly end to end encrypted then it doesn't matter who makes the router.

The real reason is that 5G is not secure by design, just like 4G and 3G and GSM before. But the NSA wants to have the keys only for themselves.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: