April 28, 2011
Like Apple and Google, Microsoft collects records of the physical locations of customers who use its mobile operating system.
Windows Phone 7, supported by manufacturers including Dell, HTC, LG, Nokia, and Samsung, transmits to Microsoft a miniature data dump including a unique device ID, details about nearby Wi-Fi networks, and the phone’s GPS-derived exact latitude and longitude.
A Microsoft representative was not immediately able to answer questions that CNET posed this afternoon, including how long the location histories are stored and how frequently the phone’s coordinates are transmitted over the Internet. Windows Phone currently claims about a 6 percent market share but, according to IDC, will capture about 21 percent by 2015 thanks to Microsoft’s partnership with Nokia.
Microsoft does say, however, that location histories are not saved directly on the device. That’s different from Apple’s practice of recording the locations of visible cell towers on iPhone and iPad devices, which can result in more than a year’s worth of data being quietly logged. Google’s approach, by contrast, records only the last few dozen locations on Android phones.
The privacy practices of mobile software companies have come under extensive scrutiny after a researcher at a conference last week in Santa Clara, Calif., described in detail how the iPhone’s location logging works. A CNET report, however, showed that law enforcement and forensics analysts had been aware of and relied on the undocumented feature since at least last year.
Sen. Al Franken (D-Minn.) today asked Google and Apple to appear at a Senate hearing scheduled for May 10, and Illinois Attorney General Lisa Madigan has asked for a meeting. A lawsuit seeking class action status was filed today in Tampa, Fla.
According to a Web page in the “Help and How-To” section of the Windows Phone site, Microsoft has assembled a database with the “location of certain mobile cell towers and Wi-Fi access points” so a mobile device can determine its location more quickly, and with less battery drain, than if only GPS was used. Relying exclusively on GPS would have a negative “impact on mobile phone users by increasing data charges and draining the battery,” the company says.
To make applications like maps work, of course, it’s necessary for a smartphone or tablet to transmit its GPS coordinates to a remote server–and, in exchange, receive nearby restaurant reviews, or driving directions, and so on.
Privacy concerns begin to arise when a unique device ID is transmitted, which allows a company to track a customer’s whereabouts over an extended period of time. Randomizing the device ID frequently would alleviate some concerns. (Microsoft says that in the case of Windows Phone 7, location information is transmitted to its servers only if Wi-Fi and location services are turned on. It also points out it offers a global switch to turn off all location-based services.)
“The user is identifiable if you have a series of events” that can be linked together, says Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C.
Microsoft says its operating system transmits the MAC address of the Wi-Fi access point (but not the name), signal strength, a randomly generated unique device ID retained for an unspecified limited period of time, and, if GPS is turned on, the precise location and direction and speed of travel. That happens when the “application or user makes a request for location information,” the company says.
One privacy concern is that location databases can be a gold mine for police or civil litigants: requesting cell phone location information from wireless carriers has become a staple of criminal investigations, often without search warrants being sought. It’s not clear how often legal requests for these records have been sent to Microsoft, which said it could not immediately answer that question, or whether its lawyers require a search warrant signed by a judge.
Even though police are tapping into the locations of mobile phones thousands of times a year by contacting AT&T, Verizon Wireless, and other mobile carriers, the legal ground rules remain unclear, and federal privacy laws written a generation ago are ambiguous at best. The Obama Justice Department has claimed that no warrant is required for historical location information, a claim opposed by a coalition of companies including Google and Microsoft but not Apple. (CNET was the first to report on warrantless cell tracking in 2005.)
Apple acknowledged (PDF) to Congress last year that “cell tower and Wi-Fi access point information” is “intermittently” collected and “transmitted to Apple” every 12 hours, but has declined to elaborate. Google has confirmed that it collects location information from Android devices, but downplayed concerns about privacy by saying the information is not “traceable to a specific user.” It has yet to respond to questions from last Friday.