Windows Phone proven to access location data without authorisation

By Tom Warren, on 23rd Sep 11 10:05 pm with 64 Comments

Windows Phone 7 camera location notification

Claims in a lawsuit against Microsoft over Windows Phone location management have been proven true.

Microsoft has been accused of tracking Windows Phone locations without explicit end user consent. A lawsuit was filed in a Seattle federal court earlier this month, backed by analysis from a well known security researcher. Windows Phone 7 allegedly sends user location info to Microsoft’s inference.location.live.net even if a user says “no” when prompted by the mobile operating system’s camera application.

Microsoft denied the claims earlier this month and insisted that the company is investigating the accusations. “Microsoft is investigating the claims raised in the complaint,” explained a Microsoft spokesperson in a statement issued shortly after the lawsuit. “We take consumer privacy issues very seriously. Our objective was — and remains — to provide consumers with control over whether and how data used to determine the location of their devices are used, and we designed the Windows Phone operating system with this in mind.”

Rafael Rivera, famous for his work on jailbreaking Windows Phone 7, has investigated the claims thoroughly. After initially labelling the claims “skimpy”, Rivera has tested the camera application in Windows Phone 7 to determine whether Microsoft sends device location information to its servers without explicit user confirmation. Rivera explains that packets are sent to agps.location.live.net and several to Microsoft’s Location Inference service hosted at inference.location.live.net. Items transmitted include (but aren’t limited to):

OS Version
Device Information
Wireless access points around the device including MAC addresses and power levels
Various GUID-based identifiers

The response to the packets includes pin-point location information before a user hits the accept button to allow Windows Phone 7 to communicate its location. Rivera explains Microsoft is likely caching the location ready for the user to accept the location services functionality. “The question is whether the Microsoft servers in question are in fact collecting data about the phone or simply returning this information with no storage abilities,” says Rivera. Either way, the behaviour runs against what Microsoft has promised of its Windows Phone 7 functionality:

Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information

Microsoft only collects information to help determine a phone’s approximate location if (a) the user has allowed an application to access and use location data, and (b) that application actually requests the location data.

WinRumors has reached out to Microsoft for comment on the latest revelations. The company was unable to supply a statement at the time of writing.

Anonymous

So if you say no to the query, it only saves the data once? Doesn’t bother me.
Unfortunately, I’m sure the “fanboys” will see otherwise.

http://www.winrumors.com Tom W

It looks like it yes. I think the problem here is that MSFT has gone on record saying that the phone does not do this under any circumstances without explicit authorisation from end users. Clearly that’s not the case so they have some explaining to do.
Guest

Which is strange because you’d think MS would have made absolutely sure how it worked before making a public statement. However, IIRC, they did say they were still looking into it. So they may have an out if it’s a bug – which I’m almost positive it just became if it wasn’t already
Anonymous

Even though many of us here speculate it is a bug, if it weren’t it will be now!
Anonymous

Another point of clarification I’d like to know is was the phone explicitly setup to “disable” location services before the camera app’s “initial” permission request?

If all location services were turned off the Camera App should have never even asked for permission in the first place.
NorwegianDude

Have they? I believe they’ve only said they don’t “collect” the information. I.e. STORE it.

Anonymous

well this is funny because they really had to look deep into it to find this out…
who actually pointed out the location issue with the iphone? was it the same company?

as far as i know the location problem with the iphone was known since ios 4.0 and fixed on 4.3+, so i don’t think this is a great issue for windows phone users

http://bit.ly/qKnhpt
thesecondsfade

Dude you can’t have your cake and eat it to. You’d be screaming if the functionality wasn’t there like you are because the functionality is there. The camera app is a part of the OS. If you tell the OS explicitly that it can track your location, it implicitly has the authorization to do so from all parts of the OS.. Individual apps need individual auth… MSFT needs one.

http://www.facebook.com/people/Pedro-Roque/100000194503830 Pedro Roque

Well, I have my camera app setup to use location. Sometime I take photos and later forget where I took them. and GPS metadata is handy in that situation.

But I would-n like that an app would collect data after I told it not to use it. In this case, I don-t know if Rafael repeated the test after configuring the app.
Guest

Yeah, but as you said the second part hasn’t been shown. For now what has been shown, at least in one case, seems to refute MS’s assertion that nothing is collected unless you explicitly approve it for the OS and the app. But I don’t think anybody is going to be too upset if that data isn’t stored unless you waive the app privacy request.

http://www.facebook.com/people/Pedro-Roque/100000194503830 Pedro Roque

Actually, the only thing Rafael proves, and he said so himself, is that the camera app seems to send location data do MS servers. Only MS knows if that information is recorded or not.

I would like to see the results for this same test after configuring the camera to not use location data.

Anonymous

MS, quick! Format your hard drives!
Guest

If it’s prefetching location data before you answer yes to the camera app dialog, that would seem to violate what MS said.
http://www.winrumors.com Tom W

And that’s not a problem? That runs dead against their policies and exactly why a lawsuit has been brought against them. The point here is that this is happening during a state when the camera app should be configured not to use location data by default, of course it won’t happen once you have explicitly told the app not to use location data!
http://www.facebook.com/people/Pedro-Roque/100000194503830 Pedro Roque

The guy has the phone settings with location turned on. For all I know, that could just be the phone trying to triangulate a position. In absence of GPS signal that’s what the phone will do. The only way to prevent the phone to send data to MS servers is to disable location on the phone.
http://www.winrumors.com Tom W

I think you’re missing the point here. The phone is setup from fresh. MSFT says it doesn’t transmit data without a users authorisation (see bottom of my post for policies). The camera app prompts you to authorise itself against the location services of the device and sends your device information and location data to Microsoft’s servers BEFORE you say yes or no. Rafael doesn’t have these location settings “turned on”, he simply has them at the normal default way that prompts you to turn them on per app.
http://www.facebook.com/people/Pedro-Roque/100000194503830 Pedro Roque

When the location setting is on, the OS can and will use WIFI and cell triangulation to complement the GPS info. This is a well known fact and every OS does it.

If the location could only be obtained via GPS, then this data flow to MS servers would be the equivalent of a smoking gun. But it isn’t. We just don-t know what is going on here. Is the OS sending location data, or receiving? If it is receiving data, does it passes it on to the camera app? We just don’t know.
Anonymous

Exactly. I suspect there is a reasoning behind this or just a simple bug. I suggest we all give MS a chance to respond. By that I mean give them some time to look into it and respond properly. I couldn’t believe my eyes when Mary Jo of Zdnet this week blasted MS for not responding to linux fanboys’ accusation after just one day.
http://www.facebook.com/people/Pedro-Roque/100000194503830 Pedro Roque

Yes, that wasn’t one of Mary Jo brightest moments! I expected that from some a-hole like sjvn, not her.
Guest

I dunno. Her reporting lately is getting pretty silly. Case in point today’s: “Another
day, another departure from Microsoft’s cloud management team”

Gee, so like they put someone new in charge of S&T because they weren’t happy with the direction and now some senior people are leaving? Duh.
Anonymous

I agree, I’ve had it with all of the Microsoft bashing while Google abuses it’s “monopoly” and Apple has just as big of a Monopoly with their iPad/iPod’s as Microsoft did when they got in trouble for using Windows to push “Safari”… wait, I mean Internet Explorer. It’s Apple who is pushing Safari (a terrible, slow and insecure browser) but they’re “cool” and Google isn’t Microsoft so… yeah, the bashers are coming out of the wood works.

What I wouldn’t give to shut them all up. Why can’t they just do some decent journalism?
Clamdigger63

I have to agree. When I go to zdnet I know that everyday there is going to be something from Mary-Jo taking a pot shot at Microsoft. Nowadays I just can’t stand the women.
http://twitter.com/TheSeph The Seph

Doesn’t the case assert that Windows Phone sends Location data even *after* the user has disabled location services? What does Rafael’s findings have to do with this case in particular?
Anonymous

Why not report it as a bug before filing a lawsuit? It’s pretty clear at this point that it’s only the initial connection that’s an issue – which sounds like a bug. Microsoft is clearly in the wrong according to their own rules but if it’s not malicious or purposeful why make such a big public deal out of it unless you want to “cash in” on your finding?
Guest

Cash is the obvious answer. But to me something stinks here. What are the odds that of the few people who have bought this platform so far, one is this paranoid and decides to launch a major lawsuit?

My guess is that the lawsuit came first and then they found some stooge to act as the “buyer”. And while it may have been just the normal trial lawyers seeing a deep pocketed company as a juicy target, in this particular case I’m wondering if there’s not some backroom connection to competitors. Not a tinfoil hat conspiracy guy normally, but something here just seems odd.
Grs_dev

In what EULA did you read that the phone and or the camera specifically by default ships with a setting placing it in non-communicative mode?

This lawsuit is simply a “pay me and I’ll shut up” one. There is no way either party intends to disclose any of their evidence. I am surprised you’re giving it so much merit!

Anonymous

Sounds like a bug.

http://www.winrumors.com Tom W

Agreed. If it’s not a bug then it seems strange that they wouldn’t have known they were caching this data.
Guest

Could it be something layered on the OS? This is HTC after all.
http://www.winrumors.com Tom W

Windows Phone OEMs aren’t allowed to “layer on the OS”. Rafael’s test is against a Samsung device too. This is core OS functionality unfortunately.
Anonymous

That’s what I believe. I mean, to make it clear, from the explanation it sounds to me like the “initial” request has already sent the data but then after you say no it never does so again. Is that how he is explaining it? If that’s the case I would assume it was a “purposeful” bug so that after you click “Yes” the location information transfer has already happened and the phone doesn’t appear to “lag” because of it.

So, TL;DR: It only sends location info on the FIRST request and it does so BEFORE the user has a chance to opt out. Is that correct? (if so I think the lawsuit is pretty GD nitpicky)

Anonymous

I don’t know the difference between authorisation and authorization, since I thought it was always with Z.

But it sucks it happens, not like I will die because my phone does that. or I would be on news for filling a lawsuit against Microsoft…

I mean, it must be a bug! it seems like a bug. BUT its not like someone will die for that. and then I think… couldn’t this guy just tell Microsoft about the bug, instead being a jerk and filling a lawsuit?

but its suppose to be only once before it asks… its not always like this guy pretend it to seem.
so lets wait for this bug to be fixed, before people start dying from vomiting blood… oh wait, no, nothing of that will happen…

Guest

“I don’t know the difference between authorisation and authorization, since I thought it was always with Z.”

One’s the correct way that most of the English-speaking world uses and the other is American.
Clamdigger63

You should see the crap I get here in Canada when I spell words like authorization with a s. Nowadays I throw in a couple of extra z’s it seems to keep them happy.
Anonymous

America has 300 some million people. We ARE “most of the english-speaking world”.
http://twitter.com/OldCongress Gamer

He wants money, typical people.

Anonymous

So what? If you have nothing to hide, there’s no problem. )))

Guest

Yes, thank you Eric Schmidt.

Guest

“Clearly that’s not the case so they have some explaining to do.”

Your making an assumption there that Rafael’s test is representative of the whole. It probably is because he’s pretty thorough, but still, it’s an assumption as this point.
Anonymous

1. Rafael does not clearly say what the camera settings were before taking the picture. It’s possible the default camera setting is “location on.” Maybe MS should have defaulted it to “off.” Now what happens after you decline the location service in the app and then take another picture? Does it still sent data? How about other apps? He should have gone a bit further to answer these questions before splashing a “MS lied!” article.

2. Tom: “Windows Phone proven to record location data without authorisation”
Um, I don’t think it “proves” the phone “records” location data. Phone was just shown to exchange some location data with the server. As Rafael alluded in his post, it is quite possible the camera app just caches some information in the background to speed up the processing and then throw it away if the user chooses not to include the location data for camera.

3. Even when it’s on, MS says their location service does not store any information that could be used to identify you or your phone. So it’s really no big deal as far as my privacy is concerned. The experiement does not disprove this.

http://www.facebook.com/people/Pedro-Roque/100000194503830 Pedro Roque

Every bloggers throws a click bate now and then. Tom rarely does it. You should see some ZD Net guys!
Anonymous

I’m predicting “Breaking News: M$ spies on you and your children!” for their headline to this story.
http://www.winrumors.com Tom W

Appreciate your points but I refer back to Microsoft’s policies on location data in WP7:

Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information
Microsoft only collects information to help determine a phone’s approximate location if (a) the user has allowed an application to access and use location data, and (b) that application actually requests the location data.The default is not “on” for location. Apps have to be authorized by end users. This scenario isn’t. Simple.
Guest

But that just goes to WWPX’s point. Perhaps the phone in fact sends the info, just as a signature of who the data is coming from.. or whatever. But it is the server the one that processes, yet dismisses the information.

Take a phone call, every phone call says where it’s coming from. If my phone has caller ID, I can see and store your information. But if my phone (the receiving device) is set to dismiss such information, I would get a call but the phone would not store or use the information.
http://twitter.com/TheSeph The Seph

All phones communicate anonymous location data to improve carrier and location-based services.   It’s in all of the privacy policies. Read the iOS and Windows Phone privacy policies… not to be confused with the Microsoft Online Privacy and Apple Privacy policies.

There’s a huge difference between allowing an app to have access to your location via Location Services and the device communicating its anonymous Location details to servers that analyze location data.  The data can be used for remote services (in cases that you’ve enabled the phone for Find My Phone feature), location services improvements, et al.

GUESS WHAT?   The carriers know where you are!!!   If you’re communicating on a network that you do not own, then they know where you are!    Microsoft, Apple, and carriers use the location data to determine how strong your signal is so they could improve their services.
http://twitter.com/OldCongress Gamer

You know, this guy churning out a lawsuit over this shit just wants $$.
I’m more than willing to provide MS with those data to improve their service against Gewgle that collects it annoymously even in http://google.com

http://twitter.com/laserfloyd Lewis McCrary

A bug? Not working as intended? Dunno!
Alique Williams

Hey Tom Warren. I like you man. You’re a cool guy.
Dhaoracle

This is crazy since there have only been about 3 attempts to gather information aorta far. Yet there are no surveys coming from multiple users to see if this is widespread instead of making a big deal about a little bit of information that is irrelevant to locating the user. Could be a bug..
NorwegianDude

I really don’t understand what all the fuss is about. Most Western governments can retrieve tracking information from your device already, simply by requesting by supoena a track-record of your locations from your mobile operator.

Any phone using the GSM standard connects to as many cell towers in its proximity as need be, to constantly switch to the one providing the strongest signal. The cell towers record this “touch-and-go” behavior. By comparing which towers are aware of a certain phone (by its IMEI, its “global identifier”, if you will), you can position the phone at a certain time and date going back as long as the cell provider keeps its records.

The behavior demonstrated here doesn’t prove Microsoft “collects” the information the phone sends. As is stated in the article, it might as well be “pre-loading” the data then discarding it, alternatively never storing it, based on the users response.

This kind of behavior is also what makes it possible for the OS provider to provide an approximate location for your phone WITHOUT your GPS being turned on (used for instance in Bing Maps), based on which wireless networks are in your phone’s vicinity.
http://www.callumpy.co.uk Callumpy

Is this Rafael Rivera just trying to make some quick cash? Turn off you data connection… sorted.

Guest

That’s not the way RR rolls.

Samt_05

Looks like some anonymous information is sent but not stored or collected by Microsoft servers, so this case doesn’t stand up.
BigChiefSmokem

It’ probably a mistake but you gotta keep em honest, thanks Rafael!
Anonymous

Really Donatello? A security researcher discovered this? HAHAHA what kind of security researcher doesn’t know what A-GPS is? Everyone is a fuckin expert now. What a complete joke. This isn’t Microsoft collecting your data. The data being sent over the network ,including the nearest wireless access points is compared in a database to give you a more precise location. Practically every phone in the last 5 years does this,without your consent. You can’t disable it. Nobody made a stink about it, but now everyone and their mother has a blog, and they are experts.
http://twitter.com/elizabethrendon Elizabeth Rendon

I have been using Windows phone 7 for quite a while and when I purchased the windows phone 7 (HTC HD7) it did asked me if I wanted to turn on access location. It gave me a choice to turn it on or off. This is just a deep pocket lawyer. What an as****le.
Anonymous

The policy does not say transmit, it says collect. Collect would suggest it’s stored and we have no reason to believe it is.

So I can’t see any wrong doing unless Microsoft then store and use that data. Location sometimes takes time to triangulate, I’d imagine this is purely to stop the user waiting rather than a bug.

http://www.winrumors.com Tom W

Collecting is the same as transmitting. You can collect data without storing it. I can collect litter from the street but ultimately I might not store it. I’m still in possession of it at some point.
Grs_dev

Tom I will again agree to disagree. For example, I can’t collect a coin without storing it in my coin box hence, collecting and coming in contact with are 2 different things.

Software developers and architects these days rely heavily on caching. Especially in scenarios where latency is an issue (regardless of whether it’s a real or preceived issue). It is important to not discriminate against a product that could be using a technique to improve user exprience by assuming or jumping to a conclusion that it might be behaving in an undesireable manner simply because the mechanism on the surface appears similar to ones used by others for less ethical purposes.

Martijn

Big chance the location together with the wifi data is used to expand Microsofts database to improve the location service without actually tracking the device where the data comes from.
Anonymous

Oh for pete’s sake, are we still on this? There are scads of applications that ask about access to the location services, not just the camera. Not the least of which is the one that helps you track down your phone if you leave it somewhere inadvertantly. Look in the app store where it lists all the services each app may request access to. Location comes up quit often. The camera using your location to tag a shot is significantly different than sending your location of to MS for whatever reason. Maybe that is what is doing it, but I would guess it is one of the dozen other opt in location service apps. In any case, if you are so concerned about your location turn the srvice off, it’s in the settings. Or go into the settings for the apps and turn it off individually. Then don’t complain if IE and Google maps, etc, don’t know where the heck you are. If your privacy is so freakin important, what are you doing with one of the most socially integrated OSs there is anyway?
Anonymous

Tom,

I generally love your work on Winrumors; however, with that said, I have to admit lately you’ve made me wonder with some articles and specifically with your choice of headlines.

So the headline implies that Microsoft is indeed collecting location data without end user authorization, which any informed user after reading the actual post would understand that you’re in no way saying that. My concern is that the average reader out there most likely wouldn’t get the facts out of the article.

Basically the article states that trials have proven that Microsoft resolves the device’s location among other information that are associated with that piece of geographical information. Whether the data is stored anywhere permanently (i.e.: collected) is not clear. Furthermore, it’s dangerous to jump to conclusions and speculate when there is legal debate going on.

I hope you clarify the statement and most importantly the headline.

http://www.winrumors.com Tom W

The headline is accurate. If you read the article it reflects that too. MSFT is collecting location data without the end user authorizing this. Microsoft might not be storing that data but it’s still against the claims it made to the U.S. goverment, stating: “Microsoft does not collect information to determine the approximate
location of a device unless a user has expressly allowed an application
to collect location information”. Microsoft is still “collecting” it, it’s whether it stores it too.
Grs_dev

I hope this is just a difference on semantics here. I read the article multiple times. You even stated that there is no evidence that cements whether they’re actually “collecting” the data. Yes the ecosystem may be accessing the data; however, if it’s transient data then the term collect becomes inadequate as it implies practices the consumers have come to associate with iphones and androids. There is a strong possibility the data could be getting primed in this situation to make the performance appear instantaneous. If the data is not available past that prompt on the server then the “collection” part becomes very shaky. There is no way to know whether the server side logic persists the data once the end user responds negatively to the prompt.

The bottom line, the article at a glance and from 10,000 ft appears to lump Microsoft and WP with the other 2 competitors who were explicitly collecting and tracking data. If we’re going to agree to disagree on what the term collect truly could mean in this context, at least clarify that there has been no evidence indicating that Microsoft Windows Phone behaves in the same manner either the Android OS or the iOS have been proven and documented to collect and track location data.