Microsoft's Addiction to Collecting Tracking Data

Thursday, September 01, 2011



Security researcher Samy Kamkar has provided evidence that a camera application for Microsoft's Windows 7 phones is designed to collect geolocation tracking data from users without their permission.

The application sends Microsoft data that includes a unique user ID, the longitude and latitude of the device, along with information on nearby WiFi hubs.

"The Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed it," said Kamkar, who provided the analysis of the tracking methods for Lawyers seeking to establish a class action lawsuit.

The analysis comes just a little more than a week since Microsoft received criticism for using "supercookies" to track user browsing behaviors.

Supercookies, also known as "zombiecookies" for their ability to regenerate even after a user has attempted to delete them from their system, are used to track user browsing histories and are considered to be a threat to user privacy.

Microsoft ceased using the supercookies on their websites immediately after being called out by a Stanford University computer science graduate student for actively tracking visitors to their websites..

According to an article by The Register's Dan Goodin, the code was copyrighted in 2007, but it is unclear how long Microsoft had been using the supercookies for tracking, or what the data that was collected was begin used for.

The latest news of the camera application tracking also runs counter to some assertions Microsoft made last spring when news-feeds were awash with reports of surreptitious tracking of mobile device users by several leading manufacturers.

Last April, Microsoft released a Q&A style statement regarding the company's practice of collecting geolocation tracking information from mobile devices. The statement confirms that Microsoft collects and store location data, but insists the information is not device specific and does not compromise user privacy.

Apple similarly released a statement regarding the uproar over revelations that the iOS operating system maintains a geolocation tracking file that records location information of devices running the operating system.

Apple's statement employed some semantic play that attempts to both confirm and deny suspicions about the data collection, and attributed the controversy to technical glitches in the iOS operating system and the company's lack of open communication on the issue.

In contrast, the Microsoft statement was more technically thorough, and did not attribute the data collection to any flaws in the operating system software, and made no attempt to apologize for the practice.

Unlike Apple, Microsoft insisted that users can prevent the collection of the location data by disabling the Location Services feature. Apple is expected to update the iOS to allow users the same option.

Apple, as it turns out, had filed for a patent in September of 2009 titled "Location Histories for Location Aware Devices" with the intent to develop services based around the company's ability to locate and track mobile devices running the iOS operating system.

The tracking revelations demonstrate that both companies - as well as Google and many others - have been less than forthright regarding the collection, transmission and storage of sensitive data about their customers.

Possibly Related Articles:
Microsoft Privacy Application Security geo-location Headlines Monitoring Supercookies Tracking
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.