Enabling

I left my copy of Lethal Logic in Idaho this weekend or I would quote chapter and page but in essence one thing Henigan says, “Yes, the NRA is right, ‘Guns don’t kill people; people kill people’ but guns enable people to kill people.” And of course that is justification, in his mind, to restrict access to firearms.

What is overlooked, minimized, or deliberately not mentioned is that guns also enable the protection of innocent life and any roadblocks you put up to reduce access to “people that shouldn’t have guns” also reduce access to people that need guns to protect themselves and others. The reduction in access might not be a complete blockage but any increase in the price of acquisition and ownership reduces the number of people willing to pay that price. Just being put on a government list has a chilling effect on any type of activity. Particularly when that activity has a history of increasing your odds of being put on a death list. Would you be willing to register with the government as a homosexual or Jew?

Another technology that enables both good and evil, and that has been blogged about recently, is something I have been working overtime on for The Borg recently. In fact my tester and I were exchanging IM as late as 11:33 tonight and I still have one eye on a build in progress.

Here are some of the blog posts I have recently read about cell phones being used for determining the location of the user:

I’m extremely busy at work right now on Windows Mobile 7.0. This is an operating system which will be used in millions and millions of cell phones. My team is the location team. We are responsible for determining the location of the phone and getting that information to applications that want it. I know as much about this topic as just about anybody in the company.

There are multiple ways of determining the location of a modern cell phone. In a decent environment (underground, or next to tall buildings are not good environments) the built-in GPS can obtain the device location with an accuracy of 10 meters or better. The other obvious way to determine location is using the cell tower you are connected to. As a rough estimate this can get you about 1000 meter accuracy. There is a third way that isn’t quite so obvious and Roberta didn’t mention it. High end phones these days have built-in Wi-Fi and by grabbing the BSSIDs* of the visible Wi-Fi access points you have pretty good odds of determining the location to approximately 100 meters.

This is an enabling technology. It can enable good things.

It can help you find your lost phone. 10 meter accuracy can enable turn by turn directions to get you to or from an unfamiliar location. 100 meter accuracy can get you all the pizza shops within walking distance. 1000 meter accuracy can get you a weather forecast or the cheapest gasoline nearby.

It can enable bad things.

That little application your ex-boyfriend put on your phone when you were on good terms (or by hiding his own phone in the bumper of your car) might be Roberta’s transponder and he is using it to stalk you. It could be that the cell phone operator (AT&T, Sprint, Verizon, etc.) has put the transponder application in all the phones or is able to remotely install one and is selling the service to the secret police tracking down dissidents, homosexuals, and Jews. The technology could be used to give credence to your stalker’s alibi that he was 50 miles away when your house was set on fire with you in it.

I can’t directly speak to the acceptability of what Sprint did with the location information of their customers. I’m as skeptical of the morality of what happened as anyone but without more data it’s hard to say with absolute certainty they were slime-balls. I do know the amount of effort we at Microsoft put into protecting the privacy of our customers.

When I started on this project I had expected to be in fights over making the technology sufficiently “safe” without neutering it so much as to make it useless. I figured I would get a reputation as a paranoid nut. I was wrong. There was never a scenario that I proposed as something to be guarded against which people didn’t take seriously and address. I don’t think I was even the most vocal advocate for privacy safeguards. I was exceptionally pleased when one program manager put his foot down over an issue and said it was because he didn’t want to get into the “police nightmare situation”. “What is that?”, I asked. His answer? “The police are constantly bugging us for location information. If we don’t store it we can’t give it to them and they won’t ask for it more than once or twice.”

Some of the solutions we are implementing to protect user privacy are:

  • Store the minimum amount of data required to enable valuable customer services.
  • Strip out personally identifiable information (PII) at every opportunity.
  • Delete the PII data we do store within a few hours (or maybe a few days in the case of “Find My Phone”).
  • Applications that access location information are required to ask you for permission (if your Windows Mobile Seven phone ever asks you this, the dialog you see is one I implemented).
  • Except “Find My Phone”, which requires a username and password, users can disable all location services with a single switch (again, I implemented the user interface for this).
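One way the safeguards listed above could be enforced at a single choke point between the positioning stack and applications. This is an added example, not Microsoft or Windows Mobile code; `LocationBroker`, its method names, the four-hour retention value and the sample coordinates are assumptions made for illustration.

```python
import time

PII_TTL = 4 * 3600          # assumed value for "a few hours"; the post gives no figure
FIND_MY_PHONE = "FindMyPhone"


class LocationBroker:
    """Hypothetical broker that applies the listed privacy rules."""

    def __init__(self, prompt_user):
        self.prompt_user = prompt_user   # callback: app name -> True if user taps Allow
        self.enabled = True              # the single switch for all location services
        self.allowed = set()             # apps the user has already approved
        self.records = []                # dicts with keys "t", "fix", "owner"

    def get_fix(self, app, fix, authenticated=False):
        """Release a fix to an app only when the rules permit it."""
        if app == FIND_MY_PHONE:
            # Exempt from the switch, but gated on username and password.
            return fix if authenticated else None
        if not self.enabled:
            return None
        if app not in self.allowed:
            if not self.prompt_user(app):
                return None
            self.allowed.add(app)
        return fix

    def store(self, fix, owner=None, now=None):
        """Keep a fix; owner (PII) is attached only when a service needs it."""
        self.records.append({"t": time.time() if now is None else now,
                             "fix": fix, "owner": owner})

    def purge(self, now=None):
        """Drop PII-bearing records older than PII_TTL; return how many were dropped."""
        now = time.time() if now is None else now
        keep = [r for r in self.records
                if r["owner"] is None or now - r["t"] <= PII_TTL]
        dropped = len(self.records) - len(keep)
        self.records = keep
        return dropped
```

The consent check is only as strong as the user's answer: a `prompt_user` callback that returns True for every application passes every request through, and nothing in the broker can tell the difference.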

The biggest problem we see is that all it takes is for the user to download the application called “StalkersHelper” and say “Allow” to the location permission question and all the work (I’m sure we have spent many 10s of thousands of dollars just on meetings to discuss the privacy issues) we have done has been bypassed.

The second biggest problem is that the mobile operators might bypass (intentionally or by neglect) our safeguards. Getting bad publicity like Verizon just did (and perhaps the threat of lawsuits) will motivate them to protect the privacy of their customers so I don’t worry about this nearly as much as the customer themselves inviting the wolf in the door.

With those risks is it worth it? How many lives have to be lost to stalkers tracking down their victims before the technology is banned? If it saves just one life isn’t it worth it to ban it? In another year or two will Microsoft be regarded as a “merchant of death” like Glock, Smith & Wesson, and Ruger?

My guess is the technology will be accepted and while there will be instances where the technology was used for evil and/or immoral purposes most people will recognize the benefits it enables outweigh the evil it enables. It’s really no different than cars, knives, and guns. There are rules to follow which reduce the chances of accidents and deliberate misuse must be dealt with by punishing the offender not by attempting the removal of the technology from society.

Now if only Henigan and company could follow the same line of reasoning.


*The Basic Service Set Identifier identifies each Basic Service Set (BSS). The BSSID is the Medium Access Control (MAC) address of the Access Point (AP) in the Infrastructure BSS networks, and it is generated randomly in Independent BSS or ad hoc networks. This means there are duplicates out there and there is ambiguity to be resolved in some instances.

2 thoughts on “Enabling”

  1. Cars, knives and guns are self-contained. They occupy (for now at least) only one set of space time coordinates and (OnStar notwithstanding) cannot be remotely located.

    I see wireless devices reporting positional information as increasing the size of the target a potential victim carries. Such electronic devices are forever saying “Here I am.”

    I like RF, I have been an amateur radio operator for going on 3 decades. That said, I can turn off the transmitter whenever I like, by not pushing the transmit button or disabling the APRS system (A ham radio Position Reporting System) if I have one.

    My cell phone is constantly chatting with local cell sites waiting for incoming calls. I cannot control the fact that it is regularly checking in but, I would vastly prefer that it not blab my location any more than can be implied by cell tower signal interpretation.

    I am most concerned about the government getting that data, but I am not happy with the thought that somebody could be tracking my movements in order to obtain marketing information – “Ah! He always goes to this gas station, that market and the corner book store.”

    Just because I’m paranoid doesn’t mean that THEY aren’t out to get me. B-)

  2. I’m a hardware guy, and if I get worried about tracking, I’ll just pull the battery. Even with the big caps, it isn’t going to report my position for more than 5 minutes.
