Microsoft's Web map exposes phone, PC locations

Caption: Examples of HTC device locations that CNET extracted from Microsoft's Live.com location database.
(Credit: Declan McCullagh/CNET)

Microsoft has collected the locations of millions of laptops, cell phones, and other Wi-Fi devices around the world and makes them available on the Web without taking the privacy precautions that competitors have, CNET has learned.

The vast database available through Live.com publishes the precise geographical location, which can point to a street address and sometimes even a corner of a building, of Android phones, Apple devices, and other Wi-Fi enabled gadgets.

Unlike Google and Skyhook Wireless, which have compiled similar lists of these unique Wi-Fi addresses, Microsoft has not taken any measures to curb access to its database. Google tightened controls last month in response to a June 15 CNET article, and Skyhook uses a limited form of geolocation to protect privacy.

Microsoft assembled the database through crowdsourced data gathering from Windows Mobile 7 devices and through what it calls "managed driving" by Street View-like vehicles that record Wi-Fi signals accessible from public roads. Its Web interface is, the company says, intended to provide "search results, weather, movie times, maps and directions based on a device's current location."

Stanford researcher Elie Bursztein says Microsoft should adopt the same location-privacy protections that Google implemented last month.

CNET has confirmed how Live.com's interface works independently and also with Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory who recently analyzed Microsoft's application programming interface, or API. He plans to summarize his findings in a related talk with two other researchers at the Black Hat security conference in Las Vegas next week.

Bursztein recommended that Microsoft adopt some of the same limits that its competitors already have. "I think what Google does is the smart thing to do," he said. "It's a pretty good solution."

Microsoft declined repeated requests since Tuesday to respond to a list of questions, including whether the database includes only Wi-Fi devices acting as access points, or whether client devices using the networks have been swept in as well--something that Google did with its Street View cars. A May blog post touts "Transparency About Microsoft's Practices," but doesn't provide details.

If Microsoft collects and publishes only the Wi-Fi addresses of access points, the privacy concerns are lessened. But hundreds of millions of phones and computers are used as access points--tethering is one example, and the feature is built into Apple's OS X operating system--meaning that their locations could be monitored.

It's true that Wi-Fi addresses, also called MAC addresses, aren't typically transmitted over the Internet. But anyone within Wi-Fi range can record yours, and it's easy to narrow down which addresses correspond to which manufacturer.

Someone, such as a suspicious spouse, who can navigate to the About screen on an iPhone or a laptop's configuration menu can obtain it in a few seconds as well. And hobbyist hacker Samy Kamkar created a proof-of-concept code last year that uses what's known as a cross-site scripting attack to grab the location of Wi-Fi routers that can be seen from an unsuspecting visitor's computer.

A Microsoft representative pointed CNET to a list of Web pages, including one describing how geolocation works in Internet Explorer 9 and another discusses Windows Phone 7 and geolocation. Microsoft does not appear to provide an opt-out mechanism that would allow someone to remove their Wi-Fi address from the Live.com database.

Microsoft's database extends beyond U.S. locations. A CNET test of a range of Wi-Fi addresses used by HTC devices showed that Live.com returned locations linked to street addresses in Leon, Spain; Westminster, London; a suburb of Tokyo, Japan; and Cologne, Germany.

Some Wi-Fi addresses appeared to change positions, meaning the Live.com database--located at http://inference.location.live.com--could be used to track the movements of a handheld device. In addition, some Wi-Fi addresses were added or deleted to the database over the period of a few days.

Google has taken multiple privacy steps that Microsoft has not, including using geolocation to filter requests (to find out where a wireless device is, you already have to know it's approximate location to about one city block). Another is that the search company's database does not appear to include the Wi-Fi addresses of Android devices acting as wireless hotspots.

Here's how it works: iPhone and Android devices automatically change their Wi-Fi MAC address when acting as an access point. Android devices appear to choose a MAC address beginning with 02:1A.

Google's database doesn't include the MAC address 02:1A:11:F2:12:FF. But Microsoft's does, and reports that it is located in the Embassy of Montenegro on New Hampshire Avenue in Washington, D.C.

Disclosure: McCullagh is married to a Google employee not involved in this issue.