Microsoft has closed a rather obvious privacy loophole in its geographic location positioning service.
The issue came to light after CNET pointed out the flaw. The issue revolved around Microsoft collecting, and then storing, the location of millions of devices around the world. Anything with a WiFi connection was potentially implicated, including laptops, mobile phones, and so forth.
The problem was that the database that contained all the information was insecure, and was therefore open to viewing by anyone with enough savvy. The discoverer of the problem phrased it like this: “the WiFi data stored by Windows can be used to geolocate where your computer has been.”
Needless to say, that was a problem. Even though the company committed a serious gaffe by not better securing the information, Microsoft moved quickly and has plugged the leak. In its blog post on the issue, Microsoft both further explained the extent of the previous leak, and what it has done to rectify it:
Microsoft released a change to its geographic locationpositioning service on July 30, 2011, which addresses an issue highlighted in Elie Bursztein’s blog on July 29, 2011. This change adds improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted. While it was not possible to use the service to track a roaming mobile phone or laptop using its MAC address prior to this change, Microsoft is keenly aware of the sensitivity around all privacy issues, especially those surrounding geolocation.
This does downplay the largest immediate fear that anyone could conjure concerning the previous problem: tracking. That, it seems, was never possible.
But that there was a security blunder of this sort does make one leery about the potential for more, from any number of companies; it makes one wonder how secure we are in the face of rapidly changing technology and a push for cloud data storage.