Microsoft has ceased publishing the estimated locations of millions of laptops, mobile phones and other devices with Wi-Fi connections around the world, after an article on Friday from ZDNet Australia's sister site CNET highlighted privacy concerns.
The decision to rework Live.com's geolocation service comes after scrutiny of the way that Microsoft made available its database, assembled by both Windows Phone 7 phones and what the company calls "managed driving" by Street View-like vehicles that record Wi-Fi signals accessible from public roads. Every Wi-Fi device has a unique ID, sometimes called a MAC address, that cannot normally be changed.
Live.com's database, which published the precise geographical locations of Wi-Fi devices, was working normally last Friday. By Saturday morning, Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory, who had analysed the Live.com service, noticed that access had been restricted.
That follows a similar move by Google, which curbed access to its location database days after an article appeared on 15 June. Skyhook Wireless, which provides similar location services, already used a limited form of geolocation to protect privacy.
The two companies' moves to limit access to their databases come as concerns about location privacy have grown. Apple came under fire in April for recording logs of approximate location data on iPhones, and eventually released a fix. That controversy sparked a series of disclosures about other companies' location-privacy practices, questions and complaints from congressmen, a pair of US Senate hearings and the now-inevitable lawsuits seeking class action status.
Reid Kuhn, a Microsoft program manager on the Windows Phone engineering team, confirmed the change in a statement overnight:
This change adds improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted. While it was not possible to use the service to track a roaming mobile phone or laptop using its MAC address prior to this change, Microsoft is keenly aware of the sensitivity around all privacy issues, especially those surrounding geolocation ...
Microsoft's commitment to privacy means that not only will we seek to build privacy into products, but we'll also engage with key stakeholders in government, industry, academia and public interest groups to develop more effective privacy and data protection measures. We will continue to update our service with improvements that benefit the consumer in both positioning accuracy, as well as individual privacy.
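To make the "improved filtering" in the statement concrete, here is an added Python sketch. It is not Microsoft's code and not the filter Live.com actually deployed; it only shows the shape of the validation described: a request naming a single MAC address gets no inferred position, and a request naming several access points is answered only when the database places those APs close together. The `AP_DB` table, its coordinates, and the `MIN_APS` and `MAX_SPREAD_M` thresholds are constructed assumptions for this example.

```python
from __future__ import annotations

import math
import re

# Constructed sample database (coordinates invented for this example): BSSID -> (lat, lon).
AP_DB = {
    "00:11:22:33:44:01": (37.4220, -122.0840),
    "00:11:22:33:44:02": (37.4223, -122.0837),
    "00:11:22:33:44:03": (37.4218, -122.0843),
    "00:11:22:33:44:09": (51.5007, -0.1246),  # far from the other three
}

MIN_APS = 3           # assumed policy: a request must name at least this many known APs
MAX_SPREAD_M = 500.0  # assumed policy: known APs in one request must lie within this radius


def normalise_mac(mac: str) -> str | None:
    """Accept common MAC spellings (colons, dashes, none) and return AA:BB:CC:DD:EE:FF or None."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def distance_m(p: tuple[float, float], q: tuple[float, float]) -> float:
    """Great-circle distance in metres between two (lat, lon) points (haversine formula)."""
    r = 6_371_000.0
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def locate(observed: list[str]) -> dict:
    """Infer a position from a list of observed BSSIDs, or refuse the request.

    Returns {"status": ..., "position": (lat, lon) | None} with status one of
    "refused_too_few", "refused_inconsistent" or "ok".
    """
    # Deduplicate after normalising, so repeating one MAC does not count as several.
    macs = {m for m in (normalise_mac(x) for x in observed) if m}
    known = [AP_DB[m] for m in macs if m in AP_DB]

    # A single (or unknown) MAC never yields an inferred position.
    if len(known) < MIN_APS:
        return {"status": "refused_too_few", "position": None}

    # The APs must be mutually close; a scan cannot see APs hundreds of kilometres apart.
    for i, p in enumerate(known):
        for q in known[i + 1:]:
            if distance_m(p, q) > MAX_SPREAD_M:
                return {"status": "refused_inconsistent", "position": None}

    lat = sum(p[0] for p in known) / len(known)
    lon = sum(p[1] for p in known) / len(known)
    return {"status": "ok", "position": (round(lat, 6), round(lon, 6))}


if __name__ == "__main__":
    print(locate(["00:11:22:33:44:01"]))
    print(locate(["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]))
    print(locate(["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:09"]))
```

The spread check is the part that does the real work: a minimum-count rule on its own can be satisfied by padding a request with any known MACs, whereas requiring the named APs to be plausibly visible from one spot ties the answer to a genuine scan. Either way, the filter only limits what the lookup service will answer; it does not change what the database holds.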
But Kuhn's statement doesn't appear to be true. One example: CNET tracked an HTC mobile device with the Wi-Fi MAC address 7C:61:93:33:44:65 moving from a home on Meadowlawn Drive in Columbus, Ohio, last week to an address on East Mithoff Street.
A Microsoft representative did not have an immediate response.
Microsoft has declined repeated requests to respond to a list of questions, including whether the database includes only Wi-Fi devices acting as access points, or whether client devices using the networks have been swept in as well, something that Google did using Street View. A May blog post touts "Transparency About Microsoft's Practices", but doesn't provide details.
If Microsoft collects and publishes only the Wi-Fi addresses of access points, the privacy concerns are lessened. But hundreds of millions of phones and computers are used as access points — tethering is one example, and the feature is built into OS X — meaning that their locations could be monitored.
It's true that Wi-Fi addresses, or MAC addresses, aren't typically transmitted over the internet. But anyone within Wi-Fi range can record yours, and it's easy to narrow down which addresses correspond to which manufacturers.
Someone, such as a suspicious spouse, who can navigate to the About screen on an iPhone or a laptop's configuration menu can obtain it in a few seconds, as well. Hobbyist hacker Samy Kamkar created proof-of-concept code last year that uses what's known as a cross-site scripting attack to grab the location of Wi-Fi routers that can be seen from an unsuspecting visitor's computer.
Microsoft's database extends beyond US locations. A CNET test last week showed that Live.com returned locations linked to street addresses in Leon, Spain; Westminster, London; a suburb of Tokyo, Japan; and Cologne, Germany.
Starting in April, CNET posed the aforementioned series of questions to Microsoft, which have gone unanswered. Here's an abbreviated list:
- Do you collect the MAC addresses of client devices or just access points? (The identification of an AP is reported in the BSSID field of the Wi-Fi header.)
- Do you collect the MAC address of mobile devices, including laptops that are acting as APs?
- What mechanism do you provide to let people opt out if they don't want Microsoft to track the location of their device?
- Have you received any civil subpoenas, requests from law enforcement or any other form of compulsory process for access to geolocation data based on MAC address?
- Do you make this location database publicly accessible via an API or other mechanism?
- How many entries are in this database?
- How frequently is it updated?
- How many entries are client MAC addresses?
- Why do you not take steps similar to Google and Skyhook to restrict access to it?
- Does Microsoft currently collect, or has it ever collected, client MAC addresses through any mechanism, including Windows Phone 7 crowdsourcing or "managed driving"?
- When did Microsoft start collecting location data from mobile devices?
- How frequently do devices running Windows Phone 7 transmit the data to Microsoft? Every 15 minutes? Hourly? Daily?
- Is the connection encrypted? If so, using what method?
- What information, exactly, is transmitted?
- You say the information collected includes a "randomly generated unique device ID". Is that device ID ever changed? If it is changed, how often does it change?
- You say the randomly generated ID is "retained for a limited period". How long is that? Is the ID then deleted or only partially anonymised?
- Given a street address or pair of GPS coordinates, is Microsoft able to produce the location logs associated with that generated ID, if legally required to do so?
- Given a generated ID, is Microsoft able to produce the complete location logs associated with it, if legally required to do so?
- Given a MAC address of an access point, is Microsoft able to produce the generated IDs and location data associated with it, if legally required to do so?
- How many law enforcement requests or forms of compulsory process have you received for access to any portion of this database?
- If Microsoft knows that a Hotmail user is connecting from a home network IP address every evening, it would be trivial to link that with a Windows phone's device ID that also connects via that IP address. Does Microsoft do that?