Microsoft collects phone location data without permission, says researcher

Samy Kamkar, hired by class action law firm, says he's found an example of a Windows Phone 7 app transmitting latitude and longitude even if the user says "no."

Declan McCullagh Former Senior Writer

A security researcher says that Microsoft's Windows Phone 7 software can transmit your location without your explicit permission.

An analysis by Samy Kamkar says that the Camera application sends the device's location--complete with latitude and longitude, a unique ID, and nearby Wi-Fi access points--to Microsoft even when the user has not given the app permission to do so. Here are more details on how it works.

"The Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed it," Kamkar wrote in an analysis made public yesterday as part of a lawsuit filed against Microsoft. Lawyers for the suit, who are seeking class action status, hired him to perform the testing.

Excerpt from analysis by Samy Kamkar, which he says shows the Camera app transmitting the phone's latitude and longitude to Microsoft servers.

Microsoft declined to comment to CNET.

Kamkar, who once landed in legal hot water for creating a worm that garnered him a million friends on MySpace overnight in 2005, has recently focused on geolocation privacy issues, including creating a Web site that allowed people to look up the unique ID of their computer or Wi-Fi access point and see its location. Google disabled that service after a CNET article in June drew attention to privacy concerns.

The privacy issue that Kamkar identified may not be huge: for one thing, there's no evidence even a single customer was harmed as a result. Second, turning off location services completely (through the phone's global settings option) should disable any transmission of geolocation data to Microsoft. Like Google, Apple, and Skyhook Wireless, Microsoft is assembling a crowdsourced database using what customers' phones can see.

On the other hand, if he's right, Microsoft would be violating its own privacy pledges to customers.

A Microsoft Web page says the company "surveys available Wi-Fi access points" only when "the user has allowed a particular application to access location services and the application requests location information." Microsoft has made similar statements to Congress.

Kamkar says the Camera application transmits location data to Microsoft's inference.location.live.net even if the user chooses to say "no" when prompted.

Concern this year over geolocation privacy began in April, when researchers showed that iPhones and iPads surreptitiously record their owner's approximate location and store the data on the device. Apple responded by calling it a "bug" and promising a fix. (See related articles.)

The Seattle-based law firm Tousley Brain Stephens, which boasts of having "a national reputation for achieving exceptional results" in class action lawsuits, filed the case against Microsoft yesterday in federal district court in Washington state.

Their complaint, which cites an August 1 CNET article, says "Microsoft surreptitiously forces even unwilling users into its non-stop geo-tracking program in the interest of developing its digital marketing grid." (There's no evidence, however, that Microsoft is using its geolocation database for marketing. These databases are typically used to speed up location fixes with Wi-Fi when cellular connectivity is poor.)

The class action lawyers claim that Microsoft violated a federal law called the Stored Communications Act, the Electronic Communications Privacy Act, and the Washington Consumer Protection Act.