The Microsoft Phone Link (formerly known as “Your Phone”) app for Windows, Android, and iOS lets you access parts of your smartphone from within Windows. However, Microsoft has not built the service with your privacy in mind. Instead, the software behemoth relays your personal data through its servers, despite the app only working while your devices are connected to the same local network.
The Microsoft Privacy Statement (February 2023) doesn’t expressly state that Microsoft relays your personal data through its servers. The app‘s requirement for both devices to be on the same local network leads customers to believe that their data is transferred directly between their devices. That’s obviously how this should work, right?
However, in my testing, neither Windows nor Android made direct device connections when using most app features. Crucially, your personal data, such as text messages, clipboard contents, recent photos, and notifications, are not transferred directly over the local network. Notifications may contain sensitive information from your apps, such as the subject and contents of private messages and emails, security codes from authentication apps and texts, caller identities, etc.
I contacted the Microsoft Privacy Team and requested it to clarify some of the vaguer parts of the Microsoft Privacy Statement regarding the Phone Link feature.
Once the Windows PC and phone are paired, a user’s content such as messages, photos, contacts, and notifications are relayed between the user’s devices (PC and Phone) through a Microsoft cloud service. This content is processed to transfer data between the requested devices and is not stored permanently on Microsoft servers. Incoming and outgoing phone calls are handled over Bluetooth. While using screen mirroring and virtualizing Android apps on Windows through the Phone Link app your shared clipboard and file transfers via drag/drop are sent directly peer-to-peer between the phone and PC. Notification content is sent to Microsoft cloud service simply to relay information between paired devices (PC and Phone) and this data is only processed to fulfill the user’s request and is not stored persistently after the request has completed.
When you use the Phone Link app to mirror your phone’s screen on your Windows device, Microsoft may collect diagnostic data based on user diagnostic data collection control in Windows settings app. If Optional diagnostic data collection is turned on data collected may reflect when a phone screen mirroring session was initiated, whether there was engagement, and when the session was closed. When hosting an Android app from your phone onto your Windows device, the Android app will behave like any app running on a Windows device and Microsoft may collect app usage and performance data helping us troubleshoot issues and improve Microsoft product and services.
Microsoft Privacy Team, (via email correspondence)
Privacy-conscious consumers will realize they have no guarantees that Microsoft doesn’t scan, retain, or do anything else with the data that needlessly passes through its servers. The most charitable interpretation of the same-network requirement is that Microsoft aspires to transfer data locally, but it hasn’t yet made it work.
The same-network requirement might be a privacy measure designed to prevent an abusive partner from spying on your usage of your phone while you’re away from your computer. Microsoft apparently did not consider it a problem that it can spy on all your data as it passes through its servers. It’s a feature; not a bug.
If you care about privacy, you might want to consider using alternatives to the Microsoft Phone Link app. The leading free and open-source contender is KDE Connect. It transfers your data encrypted and directly between your devices over the local network. It even lets you connect multiple computers, not just your computer and a smartphone. However, KDE Connect doesn’t support screen mirroring, one of Phone Link’s key selling points. Other free and open-source apps for screen mirroring are available, but they’re more difficult to use than Phone Link.