Dissecting Case 01438 Exhibit B, Part 2

Before the BUILD conference, I dissected a thin report written by security researcher Samy Kamkar on the topic of Windows Phone and how it handles location data. With BUILD now behind us, I took a moment to test his claims on a legitimate device (Samsung Focus) acquired from my good friend Adam Maras.

Starting with Windows Phone OS 7.0.7004.0, I reset the device and tapped my way through the out-of-box experience, skipping the Live ID configuration. The states of location-sensitive features were as follows:

  • Airplane mode: Off
  • Wi-Fi: Off
  • Bluetooth: Off
  • Location: On
  • Cellular: SIM error
  • Find my phone: Not set up yet
  • Feedback: Disabled

I then configured Wi-Fi access and immediately pointed the phone to a proxy server – in this case, my desktop running Fiddler software, which allows me to see packet details in real time. According to Kamkar, launching the Camera application was enough to see the culprit behavior, so I tried it. After I launched the app, Fiddler captured location data being sent to and from Microsoft servers, just as Kamkar’s report suggested. Uh oh!

A few packets were sent, one to agps.location.live.net and several to Microsoft’s Location Inference (codenamed Orion) service hosted at inference.location.live.net. Items transmitted include (but aren’t limited to):

  • OS Version (7.0.7004.WM7_7.0_Ship(mojobld).20100916-1429)
  • Device Information (SAMSUNG/SGH-i917 and SAMSUNG Electronics/SAMSUNG MITs/i917UCJJ1/[digits])
  • Wireless access points around me (MAC addresses, power levels)
  • Various GUID-based identifiers

The response to these packets contained pinpoint-accurate positioning information – all before I granted the Camera application access to location data. But let’s think this through – did the Camera application really receive any data? Not likely. More probable is that the Camera application woke up the Location service on the phone. A conversation like this probably occurred:

Camera app: “Hey, I need you to get ready, I’m about to request location data.”
Location service: “Sure thing, boss. While you’re busy, I’ll figure out where I am and cache the results.”

But it doesn’t matter what piece of code is responsible. This behavior appears to contradict Microsoft’s earlier statements to the U.S. House of Representatives (Exhibit A, emphasis mine):

[1. User Choice and Control.] Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information. Users that have allowed an application to access location data always have the option to access to location at an application level or they can disable location collection altogether for all applications by disabling the location service feature on their phone.

[2. Observing Location Only When the User Needs It.] Microsoft only collects information to help determine a phone’s approximate location if (a) the user has allowed an application to access and use location data, and (b) that application actually requests the location data. If an application does not request location, Microsoft will not collect location data.

In my case, the phone determined its exact location via Microsoft services prior to me explicitly allowing such behavior. The question is whether the Microsoft servers in question are in fact collecting data about the phone or simply returning this information with no storage abilities. Only Microsoft can tell us what they’re doing with this information. (Mind you, Microsoft has had some issues in the past with this.)

I re-tested the phone after every update (7008, 7390, and 7392) with no change in behavior. When Mango ships in 1-2 weeks, I’ll test that too. Stay tuned.
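
The same check can be repeated after each update by scripting it over the proxy capture. The following is an added example, not part of the original test or post: it assumes the capture has been exported as an HTTP Archive (HAR) file, and the sample entries, their paths and timestamps, the CONNECT row and the consent time are all constructed.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Hosts the post names as receiving the location-related requests.
LOCATION_HOSTS = {"agps.location.live.net", "inference.location.live.net"}

def _entry(ts, method, url):
    return {"startedDateTime": ts, "request": {"method": method, "url": url}}

# Constructed HAR fragment: paths, times and the CONNECT row are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("2011-09-20T10:00:05Z", "GET", "http://agps.location.live.net/placeholder"),
    _entry("2011-09-20T10:00:06Z", "POST", "http://inference.location.live.net/placeholder"),
    _entry("2011-09-20T10:00:07Z", "GET", "http://www.example.com/"),
    _entry("2011-09-20T10:00:08Z", "CONNECT", "inference.location.live.net:443"),
    _entry("2011-09-20T10:02:00Z", "POST", "http://inference.location.live.net/placeholder"),
]}})
# Constructed moment at which the tester accepted the location prompt.
SAMPLE_CONSENT = datetime.fromisoformat("2011-09-20T10:01:00+00:00")

def parse_ts(value):
    """Parse a HAR ISO 8601 timestamp, normalising a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def host_of(url):
    """Hostname for absolute URLs and for authority-form targets (host:port)."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat 'host:port' as a network location
    return (urlsplit(url).hostname or "").lower()

def location_requests_before_consent(har_text, consent_time=None):
    """Return sorted (time, host, method) tuples for requests to LOCATION_HOSTS
    that started before consent_time. None means consent was never given."""
    hits = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = host_of(req["url"])
        ts = parse_ts(entry["startedDateTime"])
        # Exact host match, so look-alike suffixes or prefixes are not counted.
        if host in LOCATION_HOSTS and (consent_time is None or ts < consent_time):
            hits.append((ts, host, req["method"]))
    return sorted(hits)

if __name__ == "__main__":
    for ts, host, method in location_requests_before_consent(SAMPLE_HAR, SAMPLE_CONSENT):
        print(ts.isoformat(), method, host)
```

An empty result for a given OS build would mean no request to either host was observed before consent in that capture; it says nothing about what the servers store.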