Microsoft Database Tracks Laptops and Smart Phones

Monday, August 01, 2011



Microsoft has been building a database that tracks the location history information for laptops, smartphones and possibly other mobile devices, according to a report from Cnet.

The data collected and stored for retrieval includes device MAC addresses and the corresponding street addresses, which could be used to identify individual users in what amounts to clandestine tracking of customer movements on a moment to moment basis.

The database is located in the Microsoft Live network which is notorious for having known security vulnerabilities which can make the tracking data potentially available to anyone.

In fact, staff at Cnet were able to retrieve very specific device tracking information from the Microsoft database.

According to Cnet's Declan McCullagh:

Here's how it works: iPhone and Android devices automatically change their Wi-Fi MAC address when acting as an access point. Android devices appear to choose a MAC address beginning with 02:1A.

Google's database doesn't include the MAC address 02:1A:11:F2:12:FF. But Microsoft's does, and reports that it is located in the Embassy of Montenegro on New Hampshire Avenue in Washington, D.C.

Worse yet, there does not seem to be any way to opt-out of having your data collected, stored, or retrieved - a nightmare scenario for anyone concerned about privacy issues.

An official statement from Microsoft obtained by Cnet states:

Reid Kuhn, a program manger with Microsoft's Windows Phone Engineering Team, sent CNET this statement: "To provide location-based services, Microsoft collects publicly broadcast cell tower IDs and MAC addresses of Wi-Fi access points via both user devices and managed driving. If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location. Once we determine that a device is not in a fixed location, we remove it from our list of active MAC addresses."

The news of the database runs counter to some assertions Microsoft made last spring when news-feeds were awash with reports of surreptitious tracking of mobile device users by several leading device manufacturers.

Last April, Microsoft released a Q&A style statement regarding the company's practice of collecting geolocation tracking information from mobile devices. The statement confirms that Microsoft collects and store location data, but insists the information is not device specific and does not compromise user privacy.

Apple similarly released a statement regarding the uproar over revelations that the iOS operating system maintains a geolocation tracking file that records location information of devices running the operating system.

Apple's statement employed some semantic play that attempts to both confirm and deny suspicions about the data collection, and attributed the controversy to technical glitches in the iOS operating system and the company's lack of open communication on the issue.

In contrast, the Microsoft statement was more technically thorough, and did not attribute the data collection to any flaws in the operating system software, and made no attempt to apologize for the practice.

Unlike Apple, Microsoft insisted that users can prevent the collection of the location data by disabling the Location Services feature. Apple is expected to update the iOS to allow users the same option.

Apple, as it turns out, had filed for a patent in September of 2009 titled "Location Histories for Location Aware Devices" with the intent to develop services based around the company's ability to locate and track mobile devices running the iOS operating system.

The Microsoft tracking database revelations demonstrate that both companies - as well as Google and probably many others - have been less than forthright regarding the collection, transmission and storage of sensitive data about their customers.


Possibly Related Articles:
Microsoft Privacy Databases Mobile Devices geo-location Smart Phone Monitoring Surveillance Tracking
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.