Microsoft sent a letter this week in reply to an inquiry from the U.S. House of Representatives about Windows Phones and how the company tracks and stores user location data.
In order to track users, exact device identifier data associated with the phone need to be transmitted. Microsoft does have such a system set up, but it is discontinuing its current practice of storing device identifier data with the next Windows Phone 7 update, according to. Andy Lees, president of Microsoft’s Mobile Communications Business.
“Given the declining utility of device identifiers, Microsoft recently discontinued its storage and use of device identifiers,” Lees states on page 5 of the letter. “Further, as part of its next planned update to existing Windows Phone 7 devices, updated devices will no longer send device identifiers to the location service and new phones arriving this fall will not send device identifiers to the location service.”
The next planned Windows Phone 7 update depends on the user’s device and service provider. Lees may be referring to the “Mango” update expected in the fall. Some Windows Phone 7 users still have not received the first revise, called “NoDo,” which Microsoft launched in late March.
The Congressional inquiry was spurred by news of Apple and Goggle’s practices. According to news reports, Apple iOS- and Google Android-based mobile devices store user location data, potentially providing a means for users to be tracked. Microsoft responded on Monday to seven questions issued by a House committee investigating location data storage issues (PDF).
Microsoft before denied being in the same boat with Apple and Google on allowing users to be tracked by location. That may or may not be so, but the letter at least outlines a different approach going forward.
Microsoft claims in the letter that its Windows Phone 7 operating system does not follow the users exact location. Rather, it tracks the phone’s proximity to Wi-Fi hotspots or cell towers if the user opts in for location tracking. Windows Phone 7 devices also use the Global Positioning System (GPS) satellite tracking system if a Wi-Fi hotspot or cell tower isn’t in the vicinity. GPS is used as a last option since tapping that data can cause a drain on the phone’s battery.
Users have to opt into location tracking, which can be used for a mixture of services, such as finding the closest movie theater to see a particular film. Microsoft describes how tracking works, and how users can turn it on or off, at this page. The company describes its solitude policy for Windows Phone 7 here. Microsoft claims it cannot track individuals without the device identifiers, and it is discontinuing storing that information.
Location Data Storage
Microsoft stores data on Windows Phone 7 devices in three instances, according to the letter. The first case involves the “Find My Phone” feature, which indicates the last location of the device, as refreshed every six hours or so. That attribute is designed to help users when they have lost their phones.
A second instance of location data storage concerns Wi-Fi and Cell tower data. Microsoft saves snippets of information from its database on the user’s phone for faster access. However, Microsoft’s letter claims, “no other applications or phone functions have access to this data.” It also states that the data are “set to expire after 10 days.” This information indicates the user’s proximity to Wi-Fi access points and cell towers in a five- to six-square kilometer area.
A third instance of data storage occurs when Microsoft stores data to “get better our database of available WiFi access points and cell towers.” That information is sent back to Microsoft via an encrypted HTTPS connection.
While Congress may be moving to protect the privacy of users in requesting this information from Microsoft and other mobile operating system providers, the U.S. Department of Justice seems to be taking a different view. A Senate hearing on Tuesday included comments from Jason Weinstein, the Department of Justice’s deputy assistant attorney general for the Criminal Division. According to a CNET article, Weinstein complained, “when this information is not stored, it may be impossible for law enforcement to collect essential evidence.”
The U.S. government long has had wiretapping technology necessities in place for U.S. telecom carriers under the Communications Assistance for Law Enforcement Act (CALEA). CALEA ensures that telecom technologies and Internet service provider technologies can be tapped by law enforcement agencies. However, the extent to which location data may apply under CALEA might be an area for legal argument. For instance, location data might be considered to fall under the data services category, rather than traditional telecom voice traffic or voice-over-IP traffic communications.
The Federal Trade Commission has also been floating a do-not-track proposal for online behavior (PDF), which is aimed at protecting consumer privacy. The FTC’s online concept is similar to the “do not call” opt-out process for dealing with telemarketers. Microsoft has deployed its own version of this concept with a “tracking protection” feature in Internet Explorer 9. It blocks third-party advertiser access to user click stream data on a Web site, although it does not block Web site access to that data.