Lawsuit charges Microsoft with location spying with Windows Phone 7
For once, Microsoft may not be offending nearly as much as it appears
A class action lawsuit filed in Seattle yesterday charges that Microsoft intentionally designed the software that runs cameras in Windows Phone 7 smartphones to collect and report location data even when the customer has specifically asked that it not do so.
Lawyers who put the lawsuit together and collected customers for the class action did so after revelation in a lawsuit filed in April that Apple's iPhones collected location data even when no apps on the phone were using that data, then stored the data unencrypted for as long as a year.
The suit, filed in Seattle District Court charges that Microsoft set its OS to "siphon geographic location information from users and transmit their specific whereabouts to Microsoft's servers."
The specific example it cites is the Windows Phone Camera app, which asks users when first launched whether they would like it to track location data that can be added to their photos.
Even when the customer chooses "no," the app "brazenly" continues to collect location data, according to the suit, filed by Seattle attorney Rebecca Cousineau, who hired security analyst Samy Kamkar to test a Samsung phone running Windows Phone 7.
A statement from Kamkar in the suit claims the Camera software begins collecting location data even before asking permission.
The phone intermittently transmits data from both wifi and cell networks to a server at Microsoft that tracks the user's location, according to his report that accompanied the lawsuit.
He concluded that "the Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed the Camera application to share location information or not."
If the camera app is the only one on the phone that tracks location data without permission, it's possible to see it as an inconsistency in adherence to configuration and common-practice rules for the Microsoft and OEM apps that run on the phone.
Still a problem, but not necessarily one worthy of federal prosecution.
Cousineau expands the charge, however, citing a Congressional investigation in May following the location-data scandal about the iPhone and a letter Microsoft sent testifying that it only collects location data at the request of customers and stops when they ask it to.
"Microsoft's representations to Congress were false," the lawsuit reads – making a serious charge that's both perfectly accurate and almost certainly incorrect in several different ways.
Spying, or staying connected?
Even without any other complicating factors – like software loaded on a phone that may collect GPS data – Microsoft's statement could not possibly be true, even if only it and the cell carrier were the only ones that could possible track location data on users.
Every activated cell phone has to identify itself and its location to cell-network access points on cell towers in the area, in order to remain connected to the mobile-phone network.
The only way the phone itself could avoid that would be to shut down its radio in between calls made by the phone owner, which would cut it off from incoming calls and automatic data updates.
Every time the owner wanted to make a call, the phone would have to signal local cell towers, then go through a (relatively) long identification and authentication process.
Even for customers sensitive enough about privacy to carry a phone that can only make outgoing calls, the delay in that process would make the phone unpopular, if not completely unusable.
So…skip the attempt to expand the accusation of Microsoft-as-Big-Brother into one that includes purposeful lying to Congress and what you have (so far) is one app that keeps grabbing and forwarding location data the phone already has and that is easily available to the apps that run on it.
That's clearly a problem, most especially because it sends the data not to the cell carrier to verify location, but to Microsoft's own servers to verify who knows what.
It's not necessarily an indictment of Microsoft as a whole, or even all the software running on Windows Phone 7.
I'm perfectly willing to believe evidence showing Microsoft is misusing location data, or collecting it surreptitiously, or telling customers something about what it does with that data that is substantially different from what it really does.
Plenty of other companies have been doing the same thing, which remains a big problem for both the privacy of customers and presumed honesty of vendors.
So far, though, it looks as if it might be a screwup with just one of a dozen or more built-in major apps – one that can be fixed easily with a patch.
Believing it was a mistake and that it has been fixed will require more than just bland reassurance from Microsoft, though.
It will require a little explanation about what's running on the servers collecting that location data, why Microsoft thought it might be important in the first place and what its plans for that data may have been.
It would also help to have some reassurance that it had actually deleted the data permanently, rather than just saying it had, as is the usual case when a vendor gets its hand caught in the private-data-cookie jar.
Lawsuit aside, and ignoring what I'm sure will be a demand for compensation and damages, Microsoft owes more of an explanation and reassurance to all of the U.S. customers who actively use a Windows Phone 7 device.
Given the size of its market share, they could probably visit each one of those users individually to make the explanations in person.
They should bring a gift, too. Flowers, maybe, or a food basket.
Nothing with even a decorative photo; that would be pushing its luck.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.