Does that new Windows Activation update really 'phone home'?

This week, Microsoft began rolling out the Windows Activation Technologies update that it promised earlier this month (see my earlier report, Windows 7 activation update aims at high-volume pirates, for details of that earlier announcement. Privacy expert Lauren Weinstein says this update "phones home" to Microsoft as part of its activity, and Gregg Keizer of ComputerWorld uncritically repeated that exact same wording in a news report today.

I disagree with this characterization. My definition of "phoning home" is activity that uploads data to a server (or alternatively, collects information locally and then allows a remote server to collect that data) for the purpose of tracking activity on that system, usually without the user's knowledge or consent. In the context of PCs, the phrase was popularized nearly a decade ago, when the first widespread spyware programs were discovered. Then as now, "phone home" was a code word for spyware and connoted an invasion of the user's privacy through collection of personal data. In my opinion, there is no way a reasonable person can characterize this update as anything remotely close to that definition.

You can have strong objections to any anti-piracy scheme that are not tied in any way to privacy issues. and you can argue with the way this update is implemented. Reasonable people can find privacy concerns in any technology, including anti-piracy techniques, and I'm not minimizing Lauren Weinstein's concerns at all. But I do think everyone involved in the discussion should have a solid grounding in facts before they begin arguing. So, here is a summary of what the KB971033 WAT update does, with all details confirmed by a Microsoft spokesperson today:

• The purpose of the KB971033 WAT update is to verify that the Windows system licensing files haven't been tampered with. It does so by comparing those files against a list of changes associated with known activation exploits. It doesn't check your product key or the state of your hardware.
• You can refuse to install the update when it's offered. You can hide it so that it is not offered again. You can uninstall it after it is initially installed.
• The update runs locally.
• After the update runs, it sends a status report back to Microsoft, including information that can be used for aggregate reporting. The report indicates whether the installation was successful. It also includes the result of he validation check, including "information about any activation exploits and any related malicious or unauthorized software found, disabled or removed."
• The status report does not include your name, e-mail address, or any personally identifiable information. It is not tied to your IP address. Any pieces of information that are unique to your computer, including the Windows product key and hard drive volume serial number, are hashed using a one-way algorithm. (A one-way hash produces a consistent result, but the hashed result cannot be converted back to the number it started with. It's the same principle used to calculate MD5 hashes of executable files, documents, or digital media files. A one-way hash cannot be used to reconstruct the input data, only to verify it.)

Those last two bullets are the ones that have people concerned. But those details are already part of Windows Activation Technologies and have been since the technology was first introduced. Even this month's update isn't new. It's no different from the Windows Vista Activation Exploit Detection update introduced with Vista Service Pack 1 and updated in February 2009.

So what's new here? The concept of downloadable signatures, mostly, which are updated every 90 days.

In the case of this month's update, if a known activation exploit is found on your PC, some additional information is sent back to Microsoft. Specifically:

• Breach identifiers
• The breach's current state, such as cleaned, quarantined, or removed
• The scanning engine version
• OEM identification
• The breach file name and hash of the file

Here, too, this information is not tied to any record that can uniquely identify you or your PC. Similar information (error codes and file paths that indicate tampered files, for example) have been part of the Windows activation and validation process for years. Collecting that information in aggregate is crucial to tracking down and eliminatin the cause of false positives.

As I noted in my report earlier this month, I was deeply troubled by the activation system that Microsoft introduced as part of the original Windows Genuine Advantage. It was flawed in ways that were almost too numerous to count, including serious disclosure issues and an unacceptable number of false positives. In the past four years, however, Microsoft has done a commendable job of dealing with those issues, especially those related to disclosure and privacy, and it has mostly eliminated the issue of widespread false positives, as I reported earlier this month.

This update is no different.