Steve Kovach, Business Insider
Pandya uncovered how Nokia was having all of its handset users' supposedly secure data diverted to its own servers, decrypted, then re-encrypted and sent on to its intended destination server. It did this through preinstalled software that automatically rerouted all traffic to Nokia servers.
The action, Pandya rightly pointed out, potentially gave eyes at the company an opportunity to look at classified information.
Caught in the act, the company quickly rerouted encrypted data to other servers — but the damage had been done.
From an Information Security Magazine post just today:
Nobody suggests that Nokia has abused this information; but it is a clear issue of trust. The whole purpose of https encrypted traffic is so that the user can have confidence that his message cannot be eavesdropped en route. “It is a big deal,” says Rick Falkvinge (the founder of the Swedish Pirate Party), “because banks rely on having a secure connection all the way to you. As do corporate networks. As do news outlets’ protection of sources.
While no one is suggesting that Nokia spied on data, the potential exposure of proprietary corporate information, secret sources, possibly even state secrets without users' permission is a huge deal in the information security world.
Nokia's statement to TechWeek UK:
“The proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.”
Last August, privacy advocates were concerned as Nokia developed the ability to track users' future movements, up to 24 hours in advance, with a margin of error of about 10 feet. Nokia claimed that process was also for the benefit of users.