News

Microsoft Details Windows Phone 7's Tracking Methods to Congress

• By Kurt Mackie
• May 11, 2011

In response to a Congressional investigation into device manufacturers' location data storage policies, Microsoft issued a letter explaining how Windows Phone 7-based mobile phones store users' location data.

The investigation was likely prompted by the recent controversies over Apple's and Google's data storage practices. Specifically, it has been suggested that Apple iOS- and Google Android-based mobile devices store user location data, potentially allowing those devices' users to be tracked.

In a letter dated Monday (PDF), Microsoft responded to seven questions issued by a U.S. House of Representatives committee investigating the issue.

In order to track users, specific device identifier data associated with the phone need to be transmitted. According to its letter, Microsoft does have such a system set up, but it is discontinuing that practice of storing device identifier data. Andy Lees, president of Microsoft's Mobile Communications Business, indicated that such practices will end starting with the next Windows Phone 7 update.

"Given the declining utility of device identifiers, Microsoft recently discontinued its storage and use of device identifiers," Lees states on page 5 of the letter. "Further, as part of its next scheduled update to existing Windows Phone 7 devices, updated devices will no longer send device identifiers to the location service and new phones arriving this fall will not send device identifiers to the location service."

The next scheduled Windows Phone 7 update depends on the user's device and service provider. Lees may be referring to the "Mango" update expected in the fall. However, some Windows Phone 7 users still may not have received the first update, called "NoDo," which Microsoft launched in late March.

Microsoft previously denied being in the same boat with Apple and Google on allowing users to be tracked by location. That may or may not be so, but the letter at least outlines a different approach going forward.

Microsoft claims in the letter that its Windows Phone 7 operating system does not track the user's exact location. Rather, it tracks the phone's proximity to Wi-Fi hotspots or cell towers if the user opts in for location tracking. Windows Phone 7 devices also use the Global Positioning System (GPS) satellite tracking system if a Wi-Fi hotspot or cell tower isn't in the vicinity. GPS is used as a last option because tapping that data can cause a drain on the phone's battery.

Users have to opt into location tracking, which can be used for various services, such as finding the closest movie theater to see a particular film. Microsoft describes how tracking works, and how users can turn it on or off, at this page. The company describes its privacy policy for Windows Phone 7 here. Microsoft claims it cannot track individuals without the device identifiers, and it is discontinuing storing that information.

Location Data Storage
Microsoft stores data on Windows Phone 7 devices in three instances, according to the letter. The first instance involves the "Find My Phone" feature, which indicates the last location of the device, as refreshed every six hours or so. That feature is designed to help users when they have lost their phones.

A second instance of location data storage concerns Wi-Fi and cell tower data. Microsoft saves snippets of information from its database on the user's phone for faster access. However, Microsoft's letter claims "no other applications or phone functions have access to this data." It also states that the data are "set to expire after 10 days." This information indicates the user's proximity to Wi-Fi access points and cell towers in a five- to six-square kilometer area.

A third instance of data storage occurs when Microsoft stores data to "improve our database of available WiFi access points and cell towers." That information is sent back to Microsoft via an encrypted HTTPS connection.

Mixed Messages
While Congress may be moving to protect the privacy of users in requesting this information from Microsoft and other mobile operating system providers, the U.S. Department of Justice (DoJ) seems to be taking a different view. A Senate hearing on Tuesday included comments from Jason Weinstein, the DoJ's deputy assistant attorney general for the Criminal Division. According to a CNET article, Weinstein complained that "when this information is not stored, it may be impossible for law enforcement to collect essential evidence."

The U.S. government has long had wiretapping technology requirements in place for U.S. telecom carriers under the Communications Assistance for Law Enforcement Act (CALEA). CALEA ensures that telecom technologies and Internet service provider technologies can be tapped by law enforcement agencies. However, the extent to which location data may apply under CALEA might be an area for legal argument. For instance, location data might be considered to fall under the data services category, rather than traditional telecom voice traffic or voice-over-IP traffic communications.

The Federal Trade Commission (FTC) has also been floating a do-not-track proposal for online behavior (PDF), which is aimed at protecting consumer privacy. The FTC's online concept is similar to the "do not call" opt-out process for dealing with telemarketers. Microsoft has deployed its own version of this concept with a "tracking protection" feature in Internet Explorer 9. It blocks third-party advertiser access to user clickstream data on a Web site, although it does not block Web site access to that data.