Claims in a lawsuit against Microsoft over Windows Phone location management have been proven true.
Microsoft has been accused of tracking Windows Phone locations without explicit end user consent. A lawsuit was filed in a Seattle federal court earlier this month, backed by analysis from a well known security researcher. Windows Phone 7 allegedly sends user location info to Microsoft’s inference.location.live.net even if a user says “no” when prompted by the mobile operating system’s camera application.
Microsoft denied the claims earlier this month and insisted that the company is investigating the accusations. “Microsoft is investigating the claims raised in the complaint,” explained a Microsoft spokesperson in a statement issued shortly after the lawsuit. “We take consumer privacy issues very seriously. Our objective was — and remains — to provide consumers with control over whether and how data used to determine the location of their devices are used, and we designed the Windows Phone operating system with this in mind.”
Rafael Rivera, famous for his work on jailbreaking Windows Phone 7, has investigated the claims thoroughly. After initially labelling the claims “skimpy”, Rivera has tested the camera application in Windows Phone 7 to determine whether Microsoft sends device location information to its servers without explicit user confirmation. Rivera explains that packets are sent to agps.location.live.net and several to Microsoft’s Location Inference service hosted at inference.location.live.net. Items transmitted include (but aren’t limited to):
- OS Version
- Device Information
- Wireless access points around the device including MAC addresses and power levels
- Various GUID-based identifiers
The response to the packets includes pin-point location information before a user hits the accept button to allow Windows Phone 7 to communicate its location. Rivera explains Microsoft is likely caching the location ready for the user to accept the location services functionality. “The question is whether the Microsoft servers in question are in fact collecting data about the phone or simply returning this information with no storage abilities,” says Rivera. Either way, the behaviour runs against what Microsoft has promised of its Windows Phone 7 functionality:
- Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information
- Microsoft only collects information to help determine a phone’s approximate location if (a) the user has allowed an application to access and use location data, and (b) that application actually requests the location data.
WinRumors has reached out to Microsoft for comment on the latest revelations. The company was unable to supply a statement at the time of writing.