Microsoft downplays concerns about private data collection


As far as collecting users' location data is concerned, Apple's iOS and Google's Android are not alone: Microsoft's Windows Phone 7 does it too.

Microsoft said its Location Services for Windows Phone can be accessed when one allows an application or game to access the Windows Phone 7 device's location.

"To provide location services, Microsoft assembles and maintains a database that records the location of certain mobile cell towers and Wi-Fi access points. These data points are used to calculate and provide an approximate location of the user's device by comparing the Wi-Fi access points and cell towers that a user's device can detect to the location database, which contains correlations of known Wi-Fi access points and cell towers to observed latitudes and longitudes," it said in a help and how-to page.

Windows Phone 7 runs on smartphones from brands including Dell, HTC, LG, Nokia, and Samsung.

Microsoft said that the benefits of Location Services include finding local movie times, weather, or directions to the nearest coffee shop.

User consent required

However, Microsoft also stressed that the feature will not be activated without the user's consent.

"We believe you should always have choice and control over access and use of your device's location. Before any application can gain access to information regarding a user's location, you must allow the application to access your device's location," it said.

It added that applications that use the user's location are required to provide the ability to turn off that application's access to the user's location.

The user also can always turn off access for all applications by turning off location services, it said.

Microsoft versus Apple and Google

An article on CNET said that Microsoft's method of not saving location histories directly on the device is different from Apple's practice of recording the locations of visible cell towers on a "consolidated.db" file in iPhone and iPad devices running iOS 4 and up.

It's also different from Google's approach of recording the last few dozen locations on Android phones.

Microsoft said that it also gathers information in many cities, towns, and geographical regions using mobile teams who drive vehicles equipped with mobile phones that contain software which collects Wi-Fi information broadcast by Wi-Fi access points.

They then transmit this information directly to Microsoft's location database.

"By using the GPS available on the mobile phone that is used to collect Wi-Fi access point information, Microsoft also observes the actual latitude and longitude when the vehicle observes the Wi-Fi access point information. This allows the location database to associate particular Wi-Fi access points with a particular location," it said.

Microsoft is planning to conduct managed driving in major cities and metropolitan areas in conjunction with Streetside image collection during fall 2010 and during 2011.

Only public broadcasts monitored

Microsoft insisted that it does not collect any "payload data" such as information sent over private, non-protected wireless networks when observing Wi-Fi access points.

"Microsoft engineered and tested the software to make sure that it only observes the information publicly broadcast by Wi-Fi access points to identify access points to devices. The software does not collect any packets transmitted over encrypted or non-encrypted networks and does not attempt to connect to any open networks. This means that any private data you have transmitted over your Wi-Fi network (for example, email or other data you may have sent) is not detectable by the location service software," it said.

It said that it also does not collect emails and passwords transmitted over open Wi-Fi networks, and does not attempt to connect to any open networks.

Microsoft stressed that it does not track every user who contributes location information from their mobile device to Microsoft's location services.

"When users contribute location information from their mobile devices to Microsoft's location services, we collect a randomly generated ID to identify a particular device, which is retained for a limited period. We use this identifier to help distinguish location requests, identify errors and improve the accuracy of location services. We don't use it to identify or contact individual device users," it said.

It also said it does not share its location services with mobile operators.

Questions in need of answers

The CNET article said Windows Phone currently claims about a six-percent market share, but cited IDC data that it may capture about 21 percent by 2015 thanks to Microsoft's partnership with Nokia.

It also noted that a privacy concern is that location databases can be a gold mine for police or civil litigants.

CNET said it had posed some questions to Microsoft that have yet to be answered as of Tuesday evening:

  • When did Microsoft start collecting location data from mobile devices?
  • Does Microsoft collect cell tower data?
  • How frequently do devices running Windows Phone 7 transmit the data to Microsoft? Every 15 minutes? Hourly? Daily?
  • How is that done? Is it an HTTP POST request to a Microsoft.com server, like Google?
  • Is the connection encrypted? If so, using what method?
  • What information, exactly, is transmitted?
  • You say the information collected includes a "randomly generated unique device ID." Is that device ID ever changed? If it is changed, how often does it change?
  • What does Microsoft use the database of Wi-Fi access points for? Because you collect "direction and speed" if GPS is available, is it used for traffic data?
  • You say the WiFi access points are surveyed when "the user has allowed a particular application to access location services and the application requests location information." If WiFi is turned on, location services have been activated, but no apps are ever run, will location data ever be transmitted to Microsoft?
  • You say the randomly generated ID is "retained for a limited period." How long is that? Is the ID then deleted or only partially anonymized?
  • Given a street address or pair of GPS coordinates, is Microsoft able to produce the location logs associated with that generated ID, if legally required to do so?
  • Given a generated ID, is Microsoft able to produce the complete location logs associated with it, if legally required to do so?
  • Given a MAC address of an access point, is Microsoft able to produce the generated IDs and location data associated with it, if legally required to do so?
  • How many law enforcement requests or forms of compulsory process have you received for access to any portion of this database?
  • If Microsoft knows that a Hotmail user is connecting from a home network IP address every evening, it would be trivial to link that with a Windows phone's device ID that also connects via that IP address. Does Microsoft do that?
  • Is any information about current or previously-visited locations stored on a Windows Phone 7 device?
  • Is Microsoft planning to change any of its policies regarding location data storage and transmission?
— TJD, GMA News