Microsoft responded to a request from the U.S. House of Representatives to give details how Windows Phone 7-based mobile phones store user location data.
The Congressional investigation likely was urged by latest news about Apple’s and Google’s practices. It has been suggested that Apple iOS- and Google Android-based mobile devices store user location data, potentially providing a means for users to be tracked. Microsoft responded on Monday to seven questions issued by a House committee investigating location data storage issues (PDF).
In order to track users, specific device identifier data associated with the phone need to be transmitted. According to its letter, Microsoft does have such a system set up, but it is discontinuing that practice of storing device identifier data. Andy Lees, leader of Microsoft’s Mobile Communications Business, indicated that such practices will end starting with the next Windows Phone 7 update.
“Given the declining efficacy of device identifiers, Microsoft recently discontinued its storage and use of device identifiers,” Lees states on page 5 of the letter. “Further, as part of its next scheduled update to existing Windows Phone 7 devices, updated devices will no longer send device identifiers to the location service and new phones arriving this fall will not send device identifiers to the location service.”
The next programmed Windows Phone 7 update depends on the user’s device and service provider. Lees may be referring to the “Mango” update expected in the fall. Some Windows Phone 7 users still may not have received the first update, called “NoDo,” which Microsoft started in late March.
Microsoft previously denied being in the same craft with Apple and Google on allowing users to be tracked by location. That may or may not be so, but the letter at least outlines a different approach going forward.
Microsoft claims in the letter that its Windows Phone 7 operating system does not track the user’s exact location. Rather, it tracks the phone’s proximity to Wi-Fi hotspots or cell towers if the user opts in for location tracking. Windows Phone 7 devices also use the Global Positioning System (GPS) satellite tracking system if a Wi-Fi hotspot or cell tower isn’t in the vicinity. GPS is used as a last option because tapping that data can cause a drain on the phone’s battery.
Location Data Storage
Microsoft stores data on Windows Phone 7 devices in three instances, according to the letter. The first instance involves the “Find My Phone” feature, which indicates the last location of the device, as refreshed every six hours or so. That aspect is designed to help users when they have lost their phones.
A second instance of location data storage concerns Wi-Fi and Cell tower data. Microsoft saves snippets of information from its database on the user’s phone for faster access. However, Microsoft’s letter claims “no other applications or phone functions have access to this data.” It also states that the data are “set to expire after 10 days.” This information indicates the user’s proximity to Wi-Fi right to use points and cell towers in a five- to six-square kilometer area.
A third instance of data storage occurs when Microsoft stores data to “improve our database of available WiFi access points and cell towers.” That information is sent back to Microsoft via an encrypted HTTPS connection.
While Congress may be moving to protect the privacy of users in demanding this information from Microsoft and other mobile operating system providers, the U.S. Department of Justice seems to be taking a different view. A Senate hearing on Tuesday included comments from Jason Weinstein, the Department of Justice’s deputy assistant attorney general for the Criminal Division. According to a CNET article, Weinstein complained, “when this information is not stored, it may be impossible for law enforcement to collect essential evidence.”
The U.S. government long has had wiretapping technology requirements in place for U.S. telecom carriers under the Communications Assistance for Law Enforcement Act (CALEA). CALEA ensures that telecom technologies and Internet service provider technologies can be tapped by law enforcement agencies. However, the extent to which location data may apply under CALEA might be an area for authorized argument. For instance, location data might be considered to fall under the data services category, rather than traditional telecom voice traffic or voice-over-IP traffic communications.
The Federal Trade Commission has also been floating a do-not-track suggestion for online behavior (PDF), which is aimed at protecting consumer privacy. The FTC’s online concept is similar to the “do not call” opt-out process for dealing with telemarketers. Microsoft has deployed its own version of this concept with a “tracking protection” feature in Internet Explorer 9. It blocks third-party advertiser access to user clickstream data on a Web site, although it does not block Web site access to that data.