September 1st, 2011
Microsoft collects phone location data without permission, says researcher
A security researcher says that Microsoft’s Windows Phone 7 software can transmit your location without your explicit permission.
An analysis by Samy Kamkar says that the Camera application sends the device’s location--complete with latitude and longitude, a unique ID, and nearby Wi-Fi access points--to Microsoft even when the user has not given the app permission to do so. Here are more details on how it works.
“The Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed it,” Kamkar wrote in an analysis made public yesterday as part of a lawsuit filed against Microsoft. Lawyers for the suit, who are seeking class action status, hired him to perform the testing.
Microsoft declined to comment to CNET.
Kamkar, who once landed in legal hot water for creating a worm that garnered him a million friends on MySpace overnight in 2005, has recently focused on geolocation privacy issues, including creating a Web site that allowed people to look up the unique ID of their computer or Wi-Fi access point and see its location. Google disabled that service after a CNET article in June drew attention to privacy concerns.
The privacy issue that Kamkar identified may not be huge: for one thing, there’s no evidence even a single customer was harmed as a result. Second, turning off location services completely (through the phone’s global settings option) should disable any transmission of geolocation data to Microsoft. Like Google, Apple, and Skyhook Wireless, Microsoft is assembling a crowdsourced database using what customers’ phones can see.