Microsoft is yet again in a controversy which is similar to the one it had faced last month. Last time it was for its Streetside and this time it has been accused of exposing laptops and phone locations. Elie Bursztein, Standford researcher demonstrated Microsoft Live.com’s breach. It was demonstrated at the Black Hat USA 2011 security conference. Elie said that the software giant has made the availability of the locations of Wi-Fi devices online without considering the precautions relating to privacy. He stated that said site was making the geographical locations of a Wi-Fi enabled device precisely public.
Bursztein blogged that he was surprised as there were no query restrictions from Microsoft’s API and one could easily get a location relating to a specific MAC address and unlimited queries could be made. He concluded recommending that the software giant needs to come up with a few restrictions which have been adopted by its competitors already.
CNET gave its views on the topic stating that Live.com has published the exact location geographically of not only Apple devices and Android phones, but of any gadget which has Wi-Fi enabled. CNET reported that Microsoft had the database collected which was available at http://inference.location.live.com. The collection of data here was via the gathering it had from Street View-esque cars and Windows Phone 7 devices.
This might have been a rumor, but Windows Phone Engineering Team’s partner group program manager, Reid Kuhn admitted that the collection of data was done publically. The collection is via MAC addresses of Wi-Fi access points and broadcast cell tower Ids. This was to provide the users with the services which were location-based. Kuhn however clarified that only a fixed location Wi-Fi access point MAC addresses are stored in their database.
Kuhn explained how the MAC address is stored in their database. He said that whenever Wi-Fi is enabled on a mobile device or a smartphone, their MAC addresses are listed in the database as part of Microsoft’s service, but when it is determined that any such device is a not a fixed location, its details are removed from the database. The working was even confirmed by CNET.
CNET’s Chief Political Correspondent, Declan McCullagh said that there was still a bit of confusion as to these Wi-Fi enabled devices act as access point only or the inclusion is made of the client devices which use the network. McCullagh said that if Wi-Fi addresses are collected only as access points, then the concerns relating to privacy wouldn’t really be too much. There was no response from Microsoft in this regards which stalled the confusion.
A few more points pointed out by McCullagh were that as access points even, there are a million PCs and phones being used. Even if there is no transmission over the net of MAC addresses, there is still a threat that one can record the Wi-Fi address of a device which is within the range of Wi-Fi. There is no provision for an owner to get his or her Wi-Fi address removed from the database. The concern is serious and it is not only for those who reside in the US territory, as the database is for many other locations too. Another point of concern is that as Kuhn said that usually moving devices are removed from the database, but it still means that the movements of a device can be tracked.
The claims are many and concerns look to stress, but in any case the response of Microsoft will be awaited.