Geolocation data is information mobile phone providers often log that records where the device has been.
Samy Kamkar said that the software giant's Windows Phone 7 camera application software can send the location of a device to Microsoft without users' consent, according to a report by CNET.
"The Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed it," Kamkar said, according to the CNET report.
The location data sent to Microsoft includes the latitude and longitude details of the location, a unique ID, and where the nearest Wi-Fi access points are, even when users say 'no' when prompted, Kamkar said, according to the report.
A spokesperson for Microsoft declined to comment to Out-Law.com.
"When you allow an application or game to access your device's location, the application or game will connect to Microsoft's location services and request the approximate location of the device," the policy said.
"The location service will respond by providing the application or game with the location coordinates of the user's device (when available), which the application or game can then use to enrich the user experience," it said.
"To provide location services, Microsoft assembles and maintains a database that records the location of certain mobile cell towers and Wi-Fi access points. These data points are used to calculate and provide an approximate location of the user's device by comparing the Wi-Fi access points and cell towers that a user's device can detect to the location database, which contains correlations of known Wi-Fi access points and cell towers to observed latitudes and longitudes," it said.
"Before any application can gain access to information regarding a user's location, you must allow the application to access your device's location. Applications that use your location are required to provide the ability to turn off that application's access to your location. And you can always turn off access for all applications by turning off location services," the policy said.
Kamkar made his comments as part of a lawsuit against Microsoft, according to CNET. He carried out the testing for the lawyers bringing the lawsuit, who are seeking class action status. The lawsuit stated that "Microsoft surreptitiously forces even unwilling users into its non-stop geo-tracking program in the interest of developing its digital marketing grid," according to the report.
Microsoft breached the Stored Communications Act, the Electronic Communications Privacy Act and Washington consumer protection laws, the lawyers behind the lawsuit claim, according to the CNET report.
Under the Stored Communications Act whoever "intentionally accesses without authorization a facility through which an electronic communication service is provided; or intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system" is generally committing an offence.
Under the Electronic Communications Privacy Act people have the right to compensation from those who "intercepted, disclosed, or intentionally used" their "wire, oral or electronic communication" unlawfully.