A lawsuit claims Microsoft is building out a location-based database by collecting geo-location data from its Windows Phone 7 phones, even when the user declined to share location data.
A lawsuit filed in Washington state accused Microsoft of tracking
Windows Phone users without their consent even after users have opted out of
Microsoft is allegedly developing a targeted location-based
advertisement system and is using Windows Phone users to collect the
information about the locations of cell towers and wireless networks, said plaintiff
Rebecca Cousineau in court documents filed with United States District Court in
Seattle Aug. 31. The complaint claimed Microsoft chose to collect the
information from photographs taken by users with phones running Windows Phone 7
without user consent.
Microsoft apparently performs the data collection through
the camera application on Windows Phone devices, the lawsuit said. Microsoft
asks the user for permission to use location-based data the first time the
camera application is launched, but allegedly ignores the user's response.
"Microsoft brazenly continues
to collect users' location information, regardless of whether or not the
individual chooses 'cancel' so as to not allow such information to be
tracked," the complaint said
The lawsuit is based on recent
research by Samy Kamkar, who found that Windows Phone 7's default camera app
periodically transmits information collected from WiFi networks and cell towers
to a host system owned by Microsoft. Even if the user opted out of sharing
geo-location data, information such as the longitude and latitude of the cell
tower, the phone's unique identifiers and the applications installed on the
device, are being transmitted, Kamkar said.
Kamkar is best known for
creating the MySpace worm and the "evercookie," a specialized
tracking cookie that can't be deleted. He tested the app on Samsung Omnia 7
phones running Windows Phone 7.0.70004 and 7.0.7392.
Microsoft is investigating the
complaints raised in the lawsuit but denied that it stored unique identifiers
with anything saved in the location database. The identifiers under debate are
the ApplicationID, which is associated with an app installed on the device,
ClientGuid and DeviceID, two unique identifiers for the device and TrackingID,
which identifies each packet sent from the phone.
Apple faced a similar class action
suit this spring after security researchers presented a paper that described a
"feature" in the iPhone that secretly saved the movements and
locations of iPhone users
by saving cell tower locations and wireless networks.
Apple said the feature was intended
to assemble a map of cell phone tower locations to improve user connectivity.
The goal was not to track user movements, according to Apple, which contended
it was due to a bug that the historic information wasn't being deleted
rolled out a patch shortly after to "fix" the bug and to also encrypt
the file so that it wouldn't be so readily accessible.
The lawsuit accuses Microsoft of
violating federal laws and of submitting false testimony to Congress about its
activities. The testimony refers to a letter Microsoft sent to Congress in May,
shortly after Apple's supposed location-tracking came to light. "Microsoft
does not collect information to determine the approximate location of a device
unless a user has expressly allowed an application to collect location
information," the company told federal lawmakers.
Cousineau asked Microsoft to pay
$1,000 per violation of the applicable federal laws. The penalties would be due
to herself and others if the lawsuit becomes a class-action suit.