A developer has revealed evidence that Windows Phone devices collect and transmit user location data before users have given the phones permission to do so. The news follows claims Microsoft made to the United States House of Representatives stating that it does not collect or transmit any location data until a Windows Phone user opts in. Windows Phone devices clearly ask for permission regarding the collection of location data — the user must click “allow” in a pop-up dialog box seeking authorization for the camera app to collect positioning data — but it appears as though the OS doesn’t bother to wait for users to opt in before it begins transmitting location information. Read on for more.
Windows Phone developer Rafael Rivera had been skeptical about claims that Microsoft was collecting location data without permission, and he took it upon himself to investigate. Using a retail device that had been restored to factory settings, Rivera went through the setup process while monitoring data sent to and from the phone. The developer was surprised by his findings.
“According to Kamkar, launching the Camera application was enough to see the culprit behavior, so I tried it,” the developer wrote on his blog, referring to a report written by security researcher Samy Kamkar that Rivera had previously contradicted. “After launching the app., Fiddler captured location data being sent to and from Microsoft servers, just as Kamkar’s report suggested. Uh oh!”
Rivera reports that “pin-point accurate positioning information” was collected by his Windows Phone before he gave it permission to gather such data. The culprit, it seems, is the Camera application, though the developer notes that the cause it largely irrelevant — this behavior is a direct contradiction to statements Microsoft made in a letter to the U.S. House of Representatives (emphasis added by Rivera):
[1. User Choice and Control.] Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information. Users that have allowed an application to access location data always have the option to access to location at an application level or they can disable location collection altogether for all applications by disabling the location service feature on their phone.
[2. Observing Location Only When the User Needs It.] Microsoft only collects information to help determine a phone’s approximate location if (a) the user has allowed an application to access and use location data, and (b) that application actually requests the location data. If an application does not request location, Microsoft will not collect location data.
Microsoft declined to comment on Rivera’s findings. Instead a company spokesperson provided BGR with the following statement via email:
Microsoft is investigating the claims raised in the complaint. We take consumer privacy issues very seriously. Our objective was — and remains — to provide consumers with control over whether and how data used to determine the location of their devices are used, and we designed the Windows Phone operating system with this in mind.
Because we do not store unique identifiers with any data transmitted to our location service database by the Windows Phone camera or any other application, the data captured and stored on our location database cannot be correlated to a specific device or user. Any transmission of location data by the Windows Phone camera would not enable Microsoft to identify an individual or “track” his or her movements.