Microsoft tweaks location services in response to privacy fears

By Tom Warren, on 1st Aug 11 7:39 pm with 3 Comments

Microsoft's location map

Microsoft announced on Monday a change to its geographic location positioning service.

The change was implemented on July 30 and addresses an issue highlighted by security researcher Elie Bursztein. CNET ran a story last week concerning Microsoft’s location database and highlighted an obvious privacy flaw. Microsoft has been collecting the locations of millions of laptops, cell phones and other Wi-Fi enabled devices worldwide. The database of locations was freely available on the web without any tight security or restrictions.

“Microsoft released a change to its geographic location positioning service on July 30, 2011, which addresses an issue highlighted in Elie Bursztein’s blog on July 29, 2011,” confirmed Reid Kuhn, a Partner Group Program Manager on the Windows Phone engineering team at Microsoft. “This change adds improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted.”

Bursztein’s research revealed that users could retrace where a computer has been using its MAC address to query Microsoft’s location database. “To my surprise, Microsoft’s API did not enforce any query restrictions,” said Bursztein. “You can get the location for a single MAC address and do as many queries as you want.” Bursztein contacted Microsoft and confirmed on Sunday that the flaw is now fixed. ”I had a phone call with some people from Microsoft  yesterday (yes on a Saturday) and they told me they fixed the problem. The demo code does not work anymore.”

Microsoft confirmed its contact with Bursztein in a blog post on Monday. “Microsoft’s privacy and security team has been in contact with Elie and we will continue the ongoing dialog with experts in the privacy field to improve our service offerings.  We thank Elie and his team for working with us on this issue,” said Microsoft’s Reid Kuhn. Microsoft previously open sourced its Bing Streetside Wi-Fi data collection software. The code is used to collect data from cell towers, Wi-Fi access points and GPS to build a positioning database for Windows Phone, Bing and other Microsoft products and services. Microsoft started to collect mapping data in early April for its European Bing Maps Streetside imagery.

Image Credit: Declan McCullagh/CNET

  • Anonymous

    This is how it should be done. Done blame others, just fix the problem.

    • Tim Mariner

      Agreed.  If you’re serious about security, you don’t sweep security problems under the rug or claim they have been “overblown”, you fix them and move on.

  • Dude

    Kudos to Microsoft