Microsoft stops tracking specific Windows Phones
Microsoft has stopped identifying specific Windows Phone handsets when it collects location data from them, and will soon stop any unique device identifiers at all being sent to its location services, the company said on Monday.
In a blog post, Windows Phone chief Andy Lees said the data Microsoft collected from the smartphones was for identifying local "landmarks" — nearby Wi-Fi access points and cellular base stations — that in turn make it easier to ascertain Windows Phones' locations. "We've recently taken specific steps to eliminate the use and storage of unique device identifiers by our location service when collecting information about these landmarks," he said.
"Without a unique identifier or some other significant change to our operating system or practices, we cannot track an individual device," Lees added.
In a letter (PDF download) responding to questions from the US House of Representatives, also sent on Monday, he expanded further: "Given the declining utility of device identifiers, Microsoft recently discontinued its storage and use of device identifiers. Further, as part of its next scheduled update to existing Windows Phone 7 devices, updated devices will no longer send device identifiers to the location service and new phones arriving this fall will not send device identifiers to the location service."
Microsoft's riposte to those who accuse it of tracking its mobile users strongly echoes that of Apple to the same issue. The iPhone company, too, has said it was only scraping location information from its handsets in order to build a database of Wi-Fi access points. However, if a consistent record of these locations is stored, this does in effect amount to the same thing as tracking the handset's user.
Apple was also storing a large amount of this information on iPhones and the computers with which they synced — something that the company has fixed in a recent iOS update. According to Lees's letter to Congress, Microsoft has also been storing part of the location database on users' handsets, but does not transfer that information to synchronised PCs unless the user creates an encrypted back-up while updating their phone.
"We do this so that we can quickly respond to a user-authorised application request for location," Lees wrote. "It is impractical to store the entire database locally on the phone, but small portions of the database that show nearby Wi-Fi access points and cell towers can resolve requests for location more quickly because the request would not need to be made to our cloud-based database.
"This information on the phone is protected so that only the location service can access it. No other applications or phone functions have access to this data and this data is not transferred to a user's personal computer when a user tethers or connects their device."
Windows Phones do transmit some data back to Microsoft's servers, Lees admitted, citing one example as a user firing up a local-movie-times application but Microsoft's database having outdated or too little information about local Wi-Fi access points and mobile masts.
"In those cases, Microsoft uses GPS to help provide location to the requesting application and also will look for the Wi-Fi access points and cell towers that the device can detect from that location," he wrote. "The information about nearby Wi-Fi access points and cell towers along with the corresponding GPS coordinates are temporarily stored on the device and are sent encrypted over HTTPS the next time the device either makes another request for location, or the user connects to Wi-Fi."
In these circumstances, the information is not stored in a file on the phone, Lees said. None of the location information that is stored on the phone is made available to applications, other features of the phone or third parties, he added.
Responding to a question from Congress about the length of time for which information is stored on the phones, Lees said this "depends on the unique circumstances of the device and the actions of the user". Heavy users' information will be frequently updated, he said, while less-frequent users "may have data persist for a greater period of time, but at the same time, the data would be staler".
The last known location of the phone, needed for the Find My Phone browser-based service, is refreshed every six hours, Lees said. "Snippets" of the database of Wi-Fi access points and cell towers are set to expire either when "a request is made from the phone to that snippet data" after a 10-day expiration period, or when the local storage limit for the data is exceeded, "at which point all expired snippets are removed from the phone".