Microsoft’s Live Location API: Is it a “massive privacy hole”?

microsoft_610x327 News A CNET post today by Declan McCullagh (reposted at CBS News Tech with a more incendiary title) reveals that Microsoft, through its Live Location API, apparently allows searching by MAC address for locations of devices.  McCullagh, in collaboration with Stanford security researcher Elie Bursztein, used the Live Location API to identify locations of MAC addresses, after Google shut off access to a similar API allowing the same thing.

Now the implications and actual implementations of how this all works are a bit murky.  Microsoft has made clear that it only collects location information for devices such as Windows Phones (with no MAC addresses collected), however, as McCullagh points out, “millions” of devices such as Android and iPhones are able to act as access points, something Microsoft does collect information on.  In the Windows Phone Privacy Statement section on Location Services, Microsoft explains what they do and don’t do:

For example, if you have Wi-Fi enabled on your phone, the Media Access Control (MAC) addresses and signal strength of Wi-Fi access points available to your phone will be collected by Microsoft’s location service. If you are connected to a cellular network, identifiers of the cell towers available to your phone will be collected. If GPS is available, the latitude, longitude, speed, and direction of the phone provided by the GPS may be collected. Again, Microsoft collects this information only if you allow a website or application to access your phone’s location.
Based on the information received, the location service will determine your phone’s approximate location and provide it to the requesting website or application. The location service provides the latitude, longitude, speed, direction, and altitude of your phone. It does not provide information about available cell towers or Wi-Fi access points or any phone identifiers.

That is, the location service does not provide info about access points *to your phone* or an app using the location service.  However these access point MAC addresses are available through the Live Location API, as Bursztein explains in a blog post, where he helpfully provides a working example of being able to access location data from a MAC address if it’s held within the Live Location data.

In a Microsoft on the Issues post in May, prompted by somewhat of an uproar over the revelation that Google was collecting MAC addresses as part of its Street View program, Andy Lees seems to address some of the concerns about a combined device/access point:

Collecting Information About Landmarks, Not About Users. Microsoft’s collection of location data is focused squarely on finding landmarks that help determine a phone’s location more quickly and effectively. In our case, the landmarks we use are nearby Wi-Fi access points and cell towers. The information we collect and store helps us determine where those landmarks are, not where device users are located. In fact, we’ve recently taken specific steps to eliminate the use and storage of unique device identifiers by our location service when collecting information about these landmarks. Without a unique identifier or some other significant change to our operating system or practices, we cannot track an individual device.

(italics ours)

We asked Microsoft for comment, and were provided a statement by Reid Kuhn, Partner Group Program Manager, Windows Phone Engineering Team, Microsoft:

“To provide location-based services, Microsoft collects publicly broadcast Cell Tower IDs and MAC addresses of Wi-Fi access points via both user devices and managed driving.  If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location. Once we determine that a device is not in a fixed location we remove it from our list of active MAC addresses.”

Collecting and making available a list of permanent access points, of course, could be quite useful in a number of legitimate ways, and Microsoft does appear to be taking steps to eliminate the “mobile access point” issue that McCullagh is concerned about.

In his blog post, Bursztein points out that even though MS does not enforce query restrictions etc., “it seems that this is not an issue for them”, and from what we’re hearing and from some reaction on posts by Neowin etc., the whole thing is a bit of a tempest in a teapot.  We’ll update with any further clarification or policy changes as (or if) they occur.