Windows Phone 7.5 no longer accesses location data without authorization

By Tom Warren, on 28th Sep 11 12:34 am with 41 Comments

Windows Phone 7 camera location notification

Microsoft’s Windows Phone 7.5 “Mango” update has introduced an important privacy change to the operating system.

Microsoft has been accused of tracking Windows Phone locations without explicit end user consent. A lawsuit was filed in a Seattle federal court earlier this month, backed by analysis from a well known security researcher. Windows Phone 7 allegedly sends user location info to Microsoft’s inference.location.live.net even if a user says “no” when prompted by the mobile operating system’s camera application.

Microsoft denied the claims earlier this week and insisted that the company was investigating the accusations. “Microsoft is investigating the claims raised in the complaint,” explained a Microsoft spokesperson in a statement issued shortly after the lawsuit. “We take consumer privacy issues very seriously. Our objective was — and remains — to provide consumers with control over whether and how data used to determine the location of their devices are used, and we designed the Windows Phone operating system with this in mind.”

It now appears that Microsoft has made a change to the way the camera application accesses location data in Windows Phone 7.5. Rafael Rivera, famous for his work on jailbreaking Windows Phone 7, originally revealed that packets of data were sent to Microsoft’s location services before a user selected an accept button in Windows Phone 7 to communicate its location. Rivera has now completed the same tests on Windows Phone 7.5 and he claims that Microsoft no longer sends location data prior to being granted permission to do so. “The behavior I’m now seeing is perfectly aligned with Microsoft’s letter to the U.S. House of Representatives,” said Rivera in a blog post on Wednesday. Microsoft’s Windows Phone 7.5 operating system now correctly adheres to the company’s promised location functionality:

  • Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information
  • Microsoft only collects information to help determine a phone’s approximate location if (a) the user has allowed an application to access and use location data, and (b) that application actually requests the location data.

Microsoft is still the subject of the ongoing lawsuit despite the changes in Windows Phone 7.5.

  • Guest

    Which really doesn’t tell us whether it was a design change or a bug fix.

    • Anonymous

      Does it really matter?

    • Guest

      Yes, both from a trust/credibility perspective and in light of the pending lawsuit.

    • Anonymous

      Mango was completed a really long time ago, far before the lawsuit.  if anything it would have been a bug fix, developers can’t modify a code while a different version is being tested by carriers, and manufacturers.

    • Anonymous

      your trust if anything should increase. Their credibility should if anything be bolstered. Look there was a grey area, why wait, just go ahead and do what’s right. What’s there not to like or trust?

    • Anonymous

      Based on what Microsoft has said about their privacy intentions in the past (added to the fact that Mango was RTM back in August, before the lawsuit) I would say that this was just a bug, and one that Microsoft took the initiative to fix before the lawsuit

    • Anonymous

      I wouldn’t call it a bug, because the concept of “collection” is not a simple one to prove. Rivera was able to prove that the phone transmits the data even if user’s consent was not obtained explicitly. Whether the info is actually received, acknowledged or stored while that bit is set to false is something no one will ever know.

    • Anonymous

      The bit is not set to “false” in this case though. The bit is “unset” (the user has not stated their preference yet) and if the user had turned off the location services in the phone settings upfront then the location is never transmitted.

      So even if the data were collected and stored at the server, it would be too generalized in the context of the phone app, since the user has the power to answer no to this question (making it non-specific to photos, after they entered the app and taken pictures, and totally consistent with the expectations of the phone setting). Transmission stops once the user has stated their preference specifically for the phone app. Plus the fact that this was improved in Mango (before the lawsuit) and becomes obvious that this is a bug. =)

  • Anonymous

    Why does Microsoft need to receive location info at all? If I’m taking a photo, I want that info in my photo’s meta data. MS does not need to know where I am, nor that I took a photo. It’s none of their business. The only time MS should receive location data from me is when I’m specifically asking for location based results in a search of some sort.

    • Anonymous

      http://en.wikipedia.org/wiki/Assisted_GPS

      “…An Assisted GPS system can address these problems by using data available from a network.”

      Goodbye troll.

    • Anonymous

      What does that have to do with MS receiving location data? Whether I use GPS, A-GPS, or triangulation, MS does not need to receive location data for photos.

      Leave your stupid insults for your family and friends at recess.

    • Anonymous

      GDal, you’re being a bit too aggressive but, if you’ve ever held a WP device  you’d know that it has integration with various online services and social networks such as facebook and Windows Live. The information could be useful in aiding check in type features for example. You cannot dictate how a company implements a certain technology. In any case they closed the door permanently for anyone to be able to go raise a “shadow” of a doubt. So chill out.

    • Anonymous

      Aggressive? How does asking questions equal aggression? Stop being so overly sensitive. It’s just a question. It’s just text. It can’t hurt anybody.

      It’s amazing how far we’ve come. Conversation and debate used to be signs of intelligence. Now they seem to be signs of anger. How long will it be before the mere suggestion that someone said something wrong will be enough to sue them for hurting someone’s feelings? Schools already can’t correct stupidity. And now asking questions is “being aggressive”. Yeesh!

      Check-in type activities are fine, and that falls within my original thoughts. Not a search, but user requested service. But no data needs to be sent when taking a photo. Received, yes, but not sent.

      And yes you can dictate how a company implements a certain technology, if it is found that that technology violates certain expectations of privacy, expense, or safety.

    • Anonymous

      Calling a troll a troll is a stupid insult? I’ve seen your posts here.

      If you don’t understand why (or how) location is included in photos, you are even more stupid than I thought.

    • Anonymous

      Amazing that you can actually think… Spell either.

      How does your example of A-GPS add anything to the conversation? A-GPS information can be gained without sending location data to a central server. All it has to acquire is locations of various known devices, and the phone can do the triangulation. The final calculated location does not need to be sent back.

    • Anonymous

      GDal, I don’t see anything here that proves that what you call “final location information” is computed by the phone and sent back to the server. Besides, triangulation algorithm that incorporates cell (and wifi) tower information and others should run in the cloud to make it more scalable and powerful. 

    • Anonymous

      Go back to the original iPhone. It had no GPS, so it relied on tower info and info from SkyHook (?). Even without data access, it could, and did, calculate an approximate location. It wasn’t the greatest accuracy, but good enough. No need to access a central server for calculations as the phone did it all.

      Why on earth would a simple triangulation calculation need to be done in the cloud? You can’t improve an algebraic formula, especially not one as simple as triangulation. It would be a waste of cloud resources. Once the phone has tower locations and signal strengths to approximate distance, the phone is more than capable of calculating its position. Computing a simple bouncing ball takes more computing power.

      The fact that the location data is retrieved by the phone and sent to any of a myriad of services should be readily deducible. It’s common sense. Only the phone has the data required to pinpoint its location. For that info to be usable on another server, it has to be sent.

    • Anonymous

      “Go back to the original iPhone. It had no GPS so relied on tower info and info from SkyHook (?). Even without data access, it could, and did, calculate an approximate location. It wan’t the greatest accuracy, but good enough. No need to access a central server for calculations as the phone did it all.”

      Huh? No data access? iphone did have one. Without it, how did it work with Skyhook???

      Straight from Skyhook website:

      “A mobile device with Skyhook’s Core Engine collects raw data from each of the location sources. The Skyhook client then sends this data to the Location Server and a single location estimate is returned.”

      If you can’t see why the server needs to be involved for practical and accuracy reasons, sorry I can’t help you anymore.

    • Anonymous

      When it didn’t have data access (lost signal or no Edge service), it still gave approximate locations accurate enough for photos and maps held in cache.

    • Anonymous

      So it used cached base station information for those times. So what your point? We should hook up our phone to PC to download cell and wifi database all the time, and remove the real-time cloud server from the picture? Good night.

    • Anonymous

      I see this conversation is going nowhere. Since when does a device with data or wifi capability need to use a PC to download A-GPS data?

    • Patsrch

      “Why on earth would a simple triangulation calculation need to be done in the cloud?”
      It isn’t the triangulation that needs to be done on the cloud. The phone needs the GPS co-ords of the towers/wifi APs that are around it to do the triangulation. So how does it get this? It sends the IDs of the towers (and possibly signal strengths) it can see to MS/Apple/Google, where a database lookup is done and their GPS co-ords, along with other nearby towers is returned. The phone can then compute its position based on the signal strength it’s receiving from these towers. So, sending the ID of towers that it’s seeing is equivalent to sending its location.

    • Anonymous

      Agreed completely. I did mention that (in less detail) in another post.

    • Guest

      GDal do you even have a Windows Phone? Because I’m guessing the answer is no.

    • Anonymous

      You’re right, I don’t. The question doesn’t only apply to MS though, It applies to Apple and RIM, and Google, etc. None of them should be getting location data except for specific requests.

    • Guest

      So sue them instead of whining about it to us.

    • Anonymous

      Its for Windows Live

    • Anonymous

      For that I can understand, but again, only if i need to check in or such… But I’d accept it as I do with Facebook.

    • Anonymous

      It not you they are worries about. The common practice now is for people to geo-tag photos. So in order to try and provide the bet performance for you they cache your location to tag your photo with. It has not been shown that this information stored or used to locate you after you restrict the location information. It was simply provided in case YOU wanted to make use of it.

    • Anonymous

      The issue was never that the phone could deduce its position. GPS devices do this without any data transmission whatsoever. They are simply receivers. There’s no need to cache this info before storing it in photos, hence, there’s no reason to transmit that info anywhere.

    • Trollhunter

      Troll!

  • Anonymous

    Just more proof that you can’t trust MSFT anymore. Buy an Apple.

    • Anonymous

      Watchu talkin bout Willis!?
      CNN: Report: iPhones secretly track their users’ locations
      http://articles.cnn.com/2011-04-20/tech/iphone.tracking_1_iphone-users-apple-devices-location-data?_s=PM:TECH

    • Anonymous

      I’m guessing he’s just being sarcastic. He’s weird though.

    • Guest

      Weird? He beyond weird. He’s certifiable. In fact I would be surprised if he’s institutionalized.

    • Guest

      Sybil, i thought we agreed you were going to take your MPD meds from now on?

    • http://twitter.com/OldCongress Gamer

      You are just silly, there was a glitch in NoDo.
      Mango was RTM’ed before the lawsuit was opened, so it will just be voided.

    • Anonymous

      Are you trying to say that Apple is completely free of reasons for mistrust?? At least with Microsoft in this case they made the change that the minority was clamoring for.

    • Trollhunter

      troll

  • Anonymous

    Now that is jsut the way it is supposed to be dude. Seriously.
    privacy-web.pro.tc

  • Flying Madden

    i am pretty sure the fix has been pretty easy, a simple flag check.