Microsoft's Web map exposes phone, PC locations

Microsoft logoMicrosoft has collected the locations of millions of laptops, cell phones, and other Wi-Fi devices around the world and makes them available on the Web without taking the privacy precautions that competitors have, CNET has learned.

The vast database available through publishes the precise geographical location, which can point to a street address and sometimes even a corner of a building, of Android phones, Apple devices, and other Wi-Fi enabled gadgets.

Unlike Google and Skyhook Wireless, which have compiled similar lists of these unique Wi-Fi addresses, Microsoft has not taken any measures to curb access to its database. Google tightened controls last month in response to a June 15 CNET article, and Skyhook uses a limited form of geolocation to protect privacy.

Microsoft assembled the database through crowdsourced data gathering from Windows Phone 7 devices and through what it calls "managed driving" by Street View-like vehicles that record Wi-Fi signals accessible from public roads. Its Web interface is, the company says, intended to provide "search results, weather, movie times, maps and directions based on a device's current location."

CNET has confirmed how's interface works independently and also with Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory who recently analyzed Microsoft's application programming interface, or API. He plans to summarize his findings in a related talk with two other researchers at the Black Hat security conference in Las Vegas next week.

Bursztein recommended that Microsoft adopt some of the same limits that its competitors already have. "I think what Google does is the smart thing to do," he said. "It's a pretty good solution."

Reid Kuhn, a program manger with Microsoft's Windows Phone Engineering Team, sent CNET this statement: "To provide location-based services, Microsoft collects publicly broadcast cell tower IDs and MAC addresses of Wi-Fi access points via both user devices and managed driving. If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location. Once we determine that a device is not in a fixed location, we remove it from our list of active MAC addresses."

Microsoft did not, however, respond to questions whether its database includes only Wi-Fi devices acting as access points, or whether client devices using the networks have been swept in as well--something that Google did with its Street View cars. A May blog post touts "Transparency About Microsoft's Practices," but doesn't provide details.

If Microsoft collects and publishes only the Wi-Fi addresses of access points, the privacy concerns are lessened. But millions of phones and computers are used as access points--tethering is one example, and the feature is built into Apple's OS X operating system--meaning that their locations could be monitored.

It's true that Wi-Fi addresses, also called MAC addresses, aren't typically transmitted over the Internet. But anyone within Wi-Fi range can record yours, and it's easy to narrow down which addresses correspond to which manufacturer.

Someone, such as a suspicious spouse, who can navigate to the About screen on an iPhone or a laptop's configuration menu can obtain it in a few seconds as well. And hobbyist hacker Samy Kamkar created a proof-of-concept code last year that uses what's known as a cross-site scripting attack to grab the location of Wi-Fi routers that can be seen from an unsuspecting visitor's computer.

A Microsoft representative pointed CNET to a list of Web pages, including one describing how geolocation works in Internet Explorer 9 and another discusses Windows Phone 7 and geolocation. Microsoft does not appear to provide an opt-out mechanism that would allow someone to remove his or her Wi-Fi address from the database.

Microsoft's database extends beyond U.S. locations. A CNET test of a range of Wi-Fi addresses used by HTC devices showed that returned locations linked to street addresses in Leon, Spain; Westminster, London; a suburb of Tokyo, Japan; and Cologne, Germany.

Some Wi-Fi addresses appeared to change positions, meaning the database--located at be used to track the movements of a handheld device. In addition, some Wi-Fi addresses were added or deleted to the database over the period of a few days.

Google has taken multiple privacy steps that Microsoft has not, including using geolocation to filter requests (to find out where a wireless device is, you already have to know it's approximate location to about one city block). Another is that the search company's database does not appear to include the Wi-Fi addresses of Android devices acting as wireless hotspots.

Here's how it works: iPhone and Android devices automatically change their Wi-Fi MAC address when acting as an access point. Android devices appear to choose a MAC address beginning with 02:1A.

Google's database doesn't include the MAC address 02:1A:11:F2:12:FF. But Microsoft's does, and reports that it is located in the Embassy of Montenegro on New Hampshire Avenue in Washington, D.C.

Source: CNET

Tags: Microsoft, Wi-Fi

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Pokemon GO had the potential to net $1 billion a year
The report said that Hon Hai has invested about US$600 million in India
Market research firm IDC reports that in the third quarter of this year
Customers will only have to shell out 50% of the cost of their Galaxy S7 device
New flagship will launch in 2017
Patent hints at name of the upcoming Surface AIO
IBM, Globalfoundries and Samsung have chosen to use extreme ultraviolet (EUV) light to pattern transistors
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
HP Slate 7 is a 7-inch Android 4 Tablet PC with good sound
A cost-effective, 7-inch tablet PC from a renowned manufacturer
October 25, 2013 / 4

News Archive



Do you use microSD card with your phone?
or leave your own version in comments