Do Microsoft’s WP7 Location-Tracking Explanations Make Sense?
About a month ago, another smartphone-tracking-your-location story broke, this time looking at Microsoft and the behavior of Windows Phone 7. The accusation made was that the phone’s camera app was reporting your location to Microsoft, even when you had not authorized the phone to do so. Even Congress got involved, with Microsoft testifying before the House as to the nature of its location-gathering practices. WP7 whiz Rafael Rivera sought to see exactly what’s going on, and if Microsoft’s answers held up.
Rivera, much like we did when examining the phone’s requests for permission, started from a freshly-reset device. He took one very important additional step, sending all the phone’s data over WiFi through a proxy server where he could analyze the traffic.
Sure enough, no matter what you do in regards to granting Microsoft access to your location data, simply running the camera app pings a couple of the company’s servers and computes your location with the help of Assisted GPS.
It’s clear that Microsoft can get access to your location data even without your permission, but does that conflict with what it’s said in regards to this issue? We were told by Microsoft that, “because we do not store unique identifiers with any data transmitted to our location service database by the Windows Phone camera or any other application, the data captured and stored on our location database cannot be correlated to a specific device or user.”
That explanation does make sense with the observed behavior, in that there’s no indication that the communications are more than a one-time look-up, or that Microsoft is storing any of that data long-term. In its testimony to Congress, the company often repeated the the phrase “collect information”. It seems to be harping on the point that just because its phones are surreptitiously reporting location-identifying data to Microsoft, that doesn’t mean that the company is acting on that information in any way, which apparently makes it feel absolved of any wrongdoing.
The problem is that all of this is up to your interpretation of words like “store” and “collect” that could mean short-term just as easily as long-term (is copying data from a buffer to another location in RAM “storing” it?), and don’t address intent. Microsoft may be on legally-solid ground, but wouldn’t it be so much easier to have your phones just flat-out not contact your servers for help with location-sensing unless users expressly authorize them to do so?