Microsoft curbs Wi-Fi location database

The company restricts access to a Live.com geolocation tool linking Wi-Fi devices with locations after a CNET article draws attention to privacy concerns.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read
caption: Microsoft's Live.com database showed an HTC mobile device moving across Columbus, Ohio, last week.
Microsoft's Live.com database showed an HTC mobile device moving across Columbus, Ohio, last week. Screen snapshot by Declan McCullagh/CNET

Microsoft has ceased publishing the estimated locations of millions of laptops, cell phones, and other devices with Wi-Fi connections around the world after a CNET article on Friday highlighted privacy concerns.

The decision to rework Live.com's geolocation service comes following scrutiny of the way Microsoft made available its database assembled by both Windows Phone 7 phones and what the company calls "managed driving" by Street View-like vehicles that record Wi-Fi signals accessible from public roads. Every Wi-Fi device has a unique ID, sometimes called a MAC address, that cannot normally be changed.

Live.com's database, which published the precise geographical locations of Wi-Fi devices, was working normally last Friday. By Saturday morning, Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory who had analyzed the Live.com service, noticed that access had been restricted.

caption: Stanford researcher Elie Bursztein had suggested that Microsoft should curb access to its database.
Stanford researcher Elie Bursztein had suggested that Microsoft should curb access to its database.

That follows a similar move by Google, which curbed access to its location database days after a June 15 CNET article appeared. Skyhook Wireless, which provides similar location services, already used a limited form of geolocation to protect privacy.

The two companies' moves to limit access to their databases come as concerns about location privacy have grown. Apple came under fire in April for recording logs of approximate location data on iPhones, and it eventually released a fix. That controversy sparked a series of disclosures about other companies' location privacy practices, questions and complaints from congressmen, a pair of U.S. Senate hearings, and the now-inevitable lawsuits seeking class action status.

Reid Kuhn, a Microsoft program manager on the Windows Phone engineering team, confirmed the change in a statement sent to CNET today:

This change adds improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted. While it was not possible to use the service to track a roaming mobile phone or laptop using its MAC address prior to this change, Microsoft is keenly aware of the sensitivity around all privacy issues, especially those surrounding geolocation...

Microsoft's commitment to privacy means that not only will we seek to build privacy into products, but we'll also engage with key stakeholders in government, industry, academia, and public-interest groups to develop more effective privacy and data protection measures. We will continue to update our service with improvements that benefit the consumer in both positioning accuracy as well as individual privacy.

But Kuhn's statement doesn't appear to be true. One example: CNET tracked an HTC mobile device with the Wi-Fi MAC Address of 7C:61:93:33:44:65 moving from a home on Meadowlawn Drive in Columbus, Ohio, last Tuesday to an address on East Mithoff Street last Wednesday.

A Microsoft representative did not have an immediate response.

Microsoft has declined repeated requests from CNET to respond to a list of questions, including whether the database includes only Wi-Fi devices acting as access points, or whether client devices using the networks have been swept in as well--something that Google did using Street View. A May blog post touts "Transparency About Microsoft's Practices," but it doesn't provide details.

If Microsoft collects and publishes only the Wi-Fi addresses of access points, the privacy concerns are lessened. But hundreds of millions of phones and computers are used as access points--tethering is one example, and the feature is built into OS X--meaning that their locations could be monitored.

It's true that Wi-Fi addresses, or MAC addresses, aren't typically transmitted over the Internet. But anyone within Wi-Fi range can record yours, and it's easy to narrow down which addresses correspond to which manufacturer.

Someone, such as a suspicious spouse, who can navigate to the About screen on an iPhone or a laptop's configuration menu can obtain it in a few seconds as well. And hobbyist hacker Samy Kamkar created a proof-of-concept code last year that uses what's known as a cross-site scripting attack to grab the location of Wi-Fi routers that can be seen from an unsuspecting visitor's computer.

Microsoft's database extends beyond U.S. locations. A CNET test last week showed that Live.com returned locations linked to street addresses in Leon, Spain; Westminster, London; a suburb of Tokyo, Japan; and Cologne, Germany.

Update, 9:20 a.m. PT Tuesday: Microsoft has abandoned its claim that its Wi-Fi database could not be used to track someone. Program manager Reid Kuhn's initial statement to CNET yesterday said: "It was not possible to use the service to track a roaming mobile phone or laptop using its MAC address prior to this change." After this article demonstrated how a device's movements could be tracked, Microsoft revised Kuhn's statement to delete that language.

Starting in April, CNET posed that aforementioned series of questions to Microsoft that have gone unanswered. Here's an abbreviated list:

- Do you collect the MAC addresses of client devices or just access points? (The identification of an AP is reported in the BSSID field of the WiFi header.)
- Do you collect the MAC address of mobile devices including laptops that are acting as APs?
- What privacy policy governs this?
- What mechanism do you provide to let people opt-out if they don't want Microsoft to track the location of their device?
- Have you received any civil subpoenas, requests from law enforcement, or any other form of compulsory process for access to geolocation data based on MAC address?
- Do you make this location database publicly accessible via an API or other mechanism?

- How many entries are in this database?
- How frequently is it updated?
- How many entries are client MAC addresses?
- Why do you not take steps similar to Google and Skyhook to restrict access to it?
- Does Microsoft currently collect or has it ever collected client MAC addresses through any mechanism, including Windows Phone 7 crowdsourcing or "managed driving?"

- When did Microsoft start collecting location data from mobile devices?
- How frequently do devices running Windows Phone 7 transmit the data to Microsoft? Every 15 minutes? Hourly? Daily?
- Is the connection encrypted? If so, using what method?
- What information, exactly, is transmitted?
- You say the information collected includes a "randomly generated unique device ID." Is that device ID ever changed? If it is changed, how often does it change?
- You say the randomly generated ID is "retained for a limited period." How long is that? Is the ID then deleted or only partially anonymized?
- Given a street address or pair of GPS coordinates, is Microsoft able to produce the location logs associated with that generated ID, if legally required to do so?
- Given a generated ID, is Microsoft able to produce the complete location logs associated with it, if legally required to do so?
- Given a MAC address of an access point, is Microsoft able to produce the generated IDs and location data associated with it, if legally required to do so?
- How many law enforcement requests or forms of compulsory process have you received for access to any portion of this database?
- If Microsoft knows that a Hotmail user is connecting from a home network IP address every evening, it would be trivial to link that with an Windows phone's device ID that also connects via that IP address. Does Microsoft do that?