Does Microsoft's new WGA disclosure fall short?

Does Microsoft's new WGA disclosure fall short?

Summary: After its Windows Genuine Advantage (WGA) anti-piracy software (pushed to end users via Windows Update) starting phoning home to Microsoft's servers on a daily basis thus earning Microsoft a place in the public spotlight in recent days, the software giant's public relations engine was apparently very busy yesterday figuring out what to do about users' concerns and then getting the word out.  The result?

SHARE:
TOPICS: Windows
21

After its Windows Genuine Advantage (WGA) anti-piracy software (pushed to end users via Windows Update) starting phoning home to Microsoft's servers on a daily basis thus earning Microsoft a place in the public spotlight in recent days, the software giant's public relations engine was apparently very busy yesterday figuring out what to do about users' concerns and then getting the word out.  The result?  A statement combined with a FAQ that may assuage some concerns but that, based on my experience with the way WGA works, innaccurately describes the installation process as one that asks the user for consent. 

Here are some of the major points made by the statement  (headlined: Microsoft Provides Additional Clarity About Windows Genuine Advantage Notifications) and my thoughts on them (in italics):

  • The WGA program was launched July 2005 to provide an improved experience for consumers using genuine Windows XP and to help Microsoft address software piracy.  It's quite clear that, based on the way un-WGA-validated copies of Windows will only get access certain updates (most likely critical security ones that pose a threat to other Windows users and the Internet) that this is an anti-piracy program. The basic message is that if you don't have a valid copy of Windows, you won't get the updates you need. Therefore, you (and your customers if you're distributing invalid copies of Windows) are better off with legitimate installations.  What's not clear to me is how users of "genuine Windows XP" will end up with an "improved experience."  Prior to WGA coming out, users of genuine and non-genuine Windows were having pretty much the same experience and receiving the same improvements via patches and updates.  This statement seems to imply that that the denial of certain updates to non-genuine copies of Windows XP adds up to an improved experience for genuine Windows XP.
  • The WGA program consists of two major components, WGA Validation and WGA Notifications.  Based on my tests of how WGA installs, this is true. The first update my machine received was the Validation component.  Then, after the validation component installed in one batch of updates, the notification component showed up in the next batch.
  • Validation determines whether the copy of Windows XP installed on a PC is genuine and licensed. WGA Notifications reminds users who fail validation that they are not running genuine Windows and directs them to resources to learn more about the benefits of using genuine Windows software. This is an incredibly important distinction between the two components because of what landed Microsoft in the spotlight in the first place --- the act of "phoning home" (to Microsoft's servers in this case) on a daily basis (a behavior that's often associated with spyware). That act raised questions about why such contact had to be made so frequently and exactly what  information was being passed back to Microsoft.
  • Shortly after logon, WGA Notifications checks whether a newer settings file is available and downloads the file if one is found. The settings file provides Microsoft with the ability to update how often reminders are displayed and to disable the program if necessary during the test period. This functionality enables Microsoft to respond quickly to feedback to improve the customer's experience. So, this is a description of what the Notifications component does.  Although there will probably be other reminders that bubble up through WGA Notifications, the one that's getting all the attention right now is the one that reminds users of unvalidated copies of Windows that they need to get a valid licensed copy. Microsoft's ability to reach out and disable software as a result of installing WGA raises more questions about what else Microsoft can disable, if it decides it wants to.  But for now, what's important is the distinction between Validation and Notification and which of the two is the one that phone's home.  So far, it appears as though WGA Notifications downloads files from Microsoft's servers (as opposed to uploading information, aka, "phoning home").  More.....
  • Unlike validation, which sends system information to Microsoft, this operation is limited to the download of the new settings file. No additional information is sent to Microsoft.  So, here, I'm going to be the editor talking for a second.  Use of the lower-case "validation" is confusing.  If Microsoft meant WGA's validation component, which I think it did, then it should give it the same upper-case treatment that it gave to the notification component by phrasing it as "WGA Validation." When WGA installs itself, there are clearly two components that install.  During the installation, the name "Windows Genuine Advantage Validation Tool" appears when the first component is installed.   Then, when the subsequent component is installed, the name "Windows Genuine Advantage Notification (KB905474)" is displayed.  I could be mistaken (the West Coast was still sleeping as I wrote this), but I think it's safe to assume that when Microsoft refers to "validation," it's referring to the "WGA Validation Tool" that installs first, and when it's referrring to "WGA Notification" that it's referring to the "WGA Notification" that installed second.  To minimize the chances of confusion, Microsoft should be consistent with its nomenclature between the actual user experience and it's communications with the public.  Now,... if the assumption is correct that Microsoft's reference to "validation" is a reference to the WGA Validation Tool, then this last part of the statement makes it clear that the WGA Validation Tool is the component that phones home while WGA Notification is the component that checks for and downloads new files if their available.  This is very relevant to Microsoft's communications regarding the issue of consent. 
  • Yesterday, CNET News.com ran a story that said "Microsoft acknowledged that it has not been forthcoming enough about the antipiracy tool's behavior, but countered that its tool is not spyware, since it is not installed without a user's consent and has no malicious purpose."  In the statement released last night that further addressed allegations that WGA is spyware (the chief defining characteristic of spyware being that it phones home to its developers with sensitive information), Microsoft reiterated that "Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware."  

And here's where the confusion and misinformation continues to fester. As can be seen from the screen gallery and writeup of my tests, I was not asked for consent when the WGA Validation Tool -- the one that like spyware, phones home -- installed itself. In fact, as can be seen from this screenshot which immediately preceeded the automatic download and installation of the WGA Validation Tool, I could easily argue that I was misled into thinking I was going to download and install something else when in fact, I was downloading and installing, without my consent, software that apparently phones home. 

Was I ever asked for my consent. Yes, when WGA Notification -- the component that doesn't phone home installs itself (acceptance of this End User License Agreement is required). So, as best as I can tell, Microsoft asks for consent in the wrong place.  Instead of asking for consent before installing the software that apparently phones home, it asks for consent before installing the software that downloads files. Notwithstanding the questions about WGA Notification's downloading of files that apparently give Microsoft some remote control capabilities over your system's behavior, it should be the other way around. At the very least, consent should be required before any software that phones home is downloaded to your system.  In this situation, I'd argue that consent should be required when both components are installed.

Also, here again, Microsoft should have done a better job on the editing front. The FAQ says "WGA is installed with the consent of the user."  But the truth is that WGA by itself isn't an entity that installs itself as one big chunk of software for which consent is required.  Currently, it's two pieces of software that are installed independently of each other and, as just said, consent is required for one piece, but not the other. 

Finally, the one newsworthy item in Microsoft's statement is that, with the next update to WGA Notification, the company will be changing the frequency with which WGA Notification checks for new downloads.  According to the statement:

As a result of customer concerns around performance, we are changing this feature to only check for a new settings file every 14 days. This change will be made in the next release of WGA. Also, this feature will be disabled when WGA Notifications launches worldwide later this year.

14 days is certain better than daily.  But, this actually raises another important question about Microsoft's methodology when it comes to how WGA has been rolled out to end users.  In a global test of pre-release software (which WGA is), are users unwittingly being forced into becoming Microsoft's guinea pigs?

Topic: Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • WGA

    It would seem to me anyone that uses any MS products are guinea pigs, and always have been.

    If you can list one MS app or OS that has come out finsihed on its first release that never needed a security patch or an update then I'll eat crow. It seems quite ridiculas and rather ludicris that MS can keep a straight face while charging $200 for an OS full of holes and $400+ for an office suite that needs a service pack every three months and a slew of security updates inbetween.

    Lets face it, if MS built cars we'd all be riding bikes. You don't tolerate your new car clunking out three or four times a month without reason, nor would you take an "I don't know what's wrong with it just reboot it" from your mechanic.

    MS has been raping the public dollar for its inferior products for over a decade, why do you think linux and mac have been taking back shares?

    People got tired of paying $20 for a music CD with one or two good songs so P2P became the way around being robbed. Just as the music industry learned so will MS, why pay and put up with something that doesn't perform like the box says?

    We don't tolerate this kind of performance with any other product in the world, no matter the price, so why should we start now?
    warezdog
    • Whooollly cow, no MS flamers yet?

      Although I did post this exact same thing on another blog closely related I expected to be flamed here as well from diehard MS junkies.
      IF Ax should manage to find his way in here and by means of feeble brain exercising post a flame in support of MS keep in mind that working for MS sometimes causes temporary insanity.
      warezdog
  • A correction

    You wrote "downloads new files if their available" when you meant
    "downloads new files if [b]they're[/b] available".
    dalerb
    • ditto

      also noticed that glitch. although being used a lot now a days doesn't make this usage right
      smiileysa
  • is this a courtroom?

    i mean the way the author disected the statements, i would have to assume he was a lawyer in a previous career. So, if you break it down, Microsoft wants to see if its updates are reaching people who paid for its software. so is that wrong, Who would not want to do that. I would if I was running my own company. Why do we have to make such a big fuss, its common knowledge. You pay you get it. Also, Microsoft as of yet, does not do anything with the pirated user, ok so once a day is too much but they themselves acknowledge that they will change it to 14 days. i am not a microsoft shareholder/employee/contractor. more a google guy, but in this case microsoft is right.
    ash_ak
    • Right about what?

      Microsoft certainly has the right to limit updates to paying customers. I don't think anybody could rightly deny them that, as their competitors do the same thing all the time.

      No, what's being pointed out here is that -- after having allowed the updates for so long -- Microsoft is now being deceptive about how the WGA tools work and are installed. As is shown in the screenshots David Berlind posted (http://blogs.zdnet.com/BTL/?page_id=3170&page=7) there is no disclosure that WGA is about to be installed. By definition, WGA IS spyware and Microsoft IS deceptive in both the installation and subsequent denials.

      No, they're not "right"... Microsoft abdicated the high ground when they chose deception over honesty.

      The plain fact of the matter is that, though they could easily limit the updates to paying customers (technologically, legally, and even morally), in practical terms they don't because to do so would erode mindshare in their product. In the long run it's better for Microsoft to keep patching the "pirates."

      And to the "pirates"...

      Look, if you can't afford Windows, you shouldn't be using Windows. Period. I'd urge anybody with pirated Windows to try out a recent version of Linux. There are a LOT of good distributions out there, I'd strongly recommend SuSE or Mandriva, and Linspire is very tough to beat for ease of use for home users. You can get a run-live CD that boots Linux so you can try it out without even having to install it first.

      Even if you don't think that Linux is ready for you yet, then prepare yourself by switching to application software that is cross-platform (like Firefox, Thunderbird, OpenOffice.org, etc.) so that you can switch when the time comes. The writing is on the wall... Microsoft has already priced Windows out of this game or you'd have paid for it. But they have no interest in seeing you switch to something else. If it's a choice between piracy or going to another product, they'd rather you pirate Windows. That way they can throw lawyers at you and wind up with a money transfusion.

      Why let them put you in that position? YOU DON'T NEED THEM.
      dave.leigh@...
    • Yes indeed, a kangaroo court

      Here's the headline and lead from IT Wire which puts the whole thing in the proper perspective...
      "Windows anti-piracy program causes shock for doing its job
      By Stan Beer
      Saturday, 10 June 2006
      The news that Microsoft users are shocked because the anti-piracy Windows Genuine Advantage (WGA) program reports back to home base is astounding. The astounding thing, however, is not that WGA calls home but that some users claim to be shocked by this..."

      Enough said!
      bob2cam
    • It's been done multiple times

      The issue is that the validation was done when you purchased the software and installed it. When you activated your product you validated it. Then when you installed the genuine advantage activex control you validated again.

      The problem is in how many times and in which manner Microsoft will use to continue to access your computer.

      Legit users are being used more than illegit users. An illegit user can go out and download patches to keep the notification program from installing.

      Let's say that I buy a movie and make a copy of it. Then I play that copy instead of playing the original. What's my purpose? To keep from destroying or altering the original.

      Now, let's say that the movie company states that I must permit them to monitor my movie watching behavior because they want to determine daily whether I am legitimately playing only the original.

      That's what's going on here. It is a monitor program and it is monitoring legitmate users usage of Windows.

      Microsoft can glean more than just whether you are legit. They can determine your connection to the internet. For instance, if you don't report in daily or even bi-weekly they know you are not on high speed. This is ancillary to the whole yet it is useful information because they can target your region (city, county) with advertisements for their products to purchase MSN.

      So, even though this doesn't seem so devious you can only imagine the minds of the employees who's success relies on acquiring this sort of knowlege in order to increase sales, etc.

      What this is is an affront to the legitimate users. We are constantly monitored even tho we were already deemed legit. It is a complete and utter lack of trust from a "monopoly" which has no competition so to speak which has billions upon billions of dollars in cash in the bank, constantly monitoring everyone. It is like calling every legit user a thief or a potential thief.

      So, not only can they use the information in ways well beyond what they have disclosed, they can and do infer that everyone using it is a potential thief, but that they open the flood gates to other vendors to do the same thing.

      Already there are considerable amounts of unncessary programs running on our computers alot of which customers know nothing about. That system tray is filled with gobs of junk programs which do nothing other than slow down their computer by using system resources and memory.

      Is it any wonder why Vista has such high system requirements? 1gig of ram is a bit much. A system with 1 gig of ram, 200gigs of storage, a 128bit gforce AGP 8x card can't run the aero interface?

      If Microsoft were to put as much time into fixing bugs and to optimizing their code then we'd not see this sort of issue. The DRM and IP validation system in Windows alone must take a huge amount of code (and hence resources).

      We need online updates because Microsoft wrote a very buggy and insecure operating sytem. Close your eyes and think about the concept of Windows having been secure from the beginning. We'd not need online updates, we'd not be seeking alternatives to microsoft products. Microsoft would be focusing on real important issues instead of DRM and IP rights validation. Costs would be lower and people could afford to actually buy the operating system.

      But they didn't because they had this fool-hardy notion that they could keep the OS secure without the traditional tools conceived of 20+ years ago. So, due to Microsoft's monopoly they have been negligent about our rights and have maneuvered that into more money for them.
      hermmunster
  • choices

    This is why I always do a custom install for my Windows updates so I can choose which ones I want... and of course I've always deselected the WGA deal and told it not to ask me again. Come on people... it's not that hard to just skim over what's being installed first.
    karrth
    • The WGA doesn't always give you the option to deselect

      I have seen on 4 different machines, including this one,just this morning the auto-update began to download and the yellow shield displayed only in the beginning of the download. The sheild then disappeared and is not seen again. Then when you go to turn off the computer, Volia! you have the little microsoft colored shield over the Turn Off button and if you are not sharp enough to notice the writing underneath and just click turn off you have installed the updates. The writing says "Click turn off to install important updates or click here to turn off without installing updates." HOw many people will notice this? Im smarter than the average bear(just barely) and it almost got me. I shut the machine off 4 times to try to get rid of it and finally when I went to the control panel and changed my options from "Download updates but let me choose when to install them' to "Notify me but Dont automatically download or update" I was able to get the shield to come up so I could select custom etc, etc, etc, so it isn't always as direct or obvious as clicking custom and deselecting the WGA> (Hope the spellings correct as well as grammar that their and they're made me nervous :-}) Madmaven
      madmaven
  • Genuine Notification

    Microsoft isn't being honest in more ways than one. Their notification is not being distributed in a "user aware" way. The definition and purpose of the tool being distributed is not being disclosed among other things.

    1) The user is almost never aware that the update has been installed on their computer because anyone receiving updates, which was the suggested by Microsoft a long time ago, will put the update on customer's computers without their knowledge and implicit consent.

    If the user has automatic download set on their computer will bring down the update with a slew of others. In fact, this coming Tuesdays update will get the Notification program installed on a large percentage of users computers because it will be hidden in the list of updates.

    The users can choose custom install of the updates and uncheck the box associated with the Notification program but most customer have no idea why they would not want this to happen or what's going on with it, so they would not uncheck it.

    When the user does uncheck it they are prompted to indicate whether they never wanted to be prompted nor install this update again. This is all well and good, but when the customer goes to the Microsoft website to download other updates they are warned as if their is some impending critical flaw that needs to be fixed because they have some hidden updates which are not to be installed. This is a false alert and wrongly panics the customer into believing they need to change it.

    So, the bottom line is that the updates are installed without customer knowledge in a stealth way--no one defined that stealth must be totally invisible, just that it has to be done in a manner which is not totally visible to the users--hence Microsoft's disclaimer that the installation is optional is not the whole truth--in fact, imho, it is behavior traditionally seen in hackers and those that make spyware programs.

    Because this is under the control of Microsoft they can and will change and alter what you desire to be done and try to get this installed on your computer without your knowledge. This is a certainty. And at any point in time they can simply make it a required patch. Or incorporate it into XP SP3. Most certainly it has already been incorporated into Vista.

    The issue of the "every day" and the "14 day" notification timeframe is really quite moot. The first is because those that want to get past the notification can. The second is that once you are validated there's no legitimate reason to keep attempting to validate. Third it is rude of Microsoft to run unnecessary programs on the users computer in an attempt to spy on them--because once you are validated you are being spied upon.

    Once validated you are validated. It's that simple. Why run a program daily that reports bi-weekly when you have already been validated?

    The answer lies in Bill Gate's attitude toward all computer users. We are all thieves. This goes back to the day when he and Paul Allen distributed their version of the stolen programming language called BASIC on paper tape and the open letter they wrote to the members of their club accusing them of stealing. This attitude permeates this program and the idealogy behind it. What's worse is that Bill Gates and Paul Allen stole computer time from Harvard to write the code for their version of BASIC which was then licensed to MITS out of Arizona 20+ years ago.

    The next important point here is that there are a number of hacks already out there, probably 5 different ones that will keep the notification from functioning. Anyone can locate and apply the patches to keep the notification from popping up.

    The final point I wish to make is that the Genuine Notification is incorrect sometimes and alerts people improperly to being a stolen copy when in fact they have a legit copy. Customers with the "sticker on the side of their case", "the booklet in their possession", and "the CD with the proper legal identifiers" are being accused of having an invalid illegit copy of Windows. This can happen to anyone, from a lawyer in a small town to a retired elderly person in her 70s--which in both cases it has.

    I would not like to have my customers reporting me due to me selling them Windows XP and Microsoft misidentifying their product. That would mean that I go into some rather unscrupulous database at Microsoft and I would be improperly branded a purveyor of illigit software even if I have never done so before.

    In summary, there's no need for the notification program, the installation of which is done in a stealth way with this unscrupulus attitude that it is done with consent when it is not. On top of that once you are validated theres no real need to re-validate you, not every two weeks and certainly not every day. Even so, those that have been infected by this spyware are being misidentified, probably in leaps and bounds across the US and the rest of the world.

    If we permit Microsoft to do this, and they are doing this solely because they can due to their Monopoly status, they'll enact other mechanisms that go well beyond what the DRM and IP rights laws of the US and the rest of the world permit.
    hermmunster
  • It gets worse: false positive on

    This is MUCH worse than has been reported. I have a Dell Laptop. My Dell Service Tag is confirmed. (Is M$FT suggesting Dell pirates software?) I've successfully been updating for six months. Yet now I can't update KB905474, and I get the following error messages, when using M$FT's "diagnostic tool." (It validates Windows, but not Office -- I don't know why.)

    Looks like this was a giant push by M$FT to look for bootleg software -- only they goofed, and it gives "false positives" (incorrectly identifying software as non-genuine when it is genuine). I've spent over an hour on this -- does M$FT have a class-action lawsuit on its hands? $100/hour is my going rate.

    Thank you for staying on this story!


    ----

    [0x8018114]
    Microsoft Office XP Professional with FrontPage: Validation Failed
    The product key used to install Office has been blocked by Microsoft.

    -----

    [First I chose "Home User", w/o thinking:]

    Office Genuine Advantage Results Report
    Validation Failure: The Microsoft Office software on your PC does not appear to be genuine.

    Reasons this PC Failed
    Microsoft Office XP Professional with FrontPage:
    The product key used to install Office has been blocked by Microsoft.

    ----

    [Then I tried "Business User":]

    Office Validation Assistant: Inconclusive

    Product Name: Microsoft Office XP Professional with FrontPage

    The license for your copy of Office was issued to an organization and has certain usage limitations. Please contact your system administrator or reseller to confirm that Office has been properly licensed for your use.

    ----
    LiamKnuj
    • Did you get an answer

      did you ever get this handled?
      I have a "CERTIFIED SOFTWARE DEALER" trying to sell me a VLK with the same message. They swear it is legitimate! I have tried every way I know to get a "live" person on the phone regarding MS Office with no luck. You can get support for license problems only on Windows XP as far as I can tell.
      questorfla
    • WGA

      When I bought my computer from Gateway, I found I could not drop my dial-up to receive or send a fax without rebooting to restore the dial-up. I got an "Error 20" notice. Gateway support was useless. A neighbor suggested I had a bad install and suggested I reinstall Win XP. I had no install disk so he loaned me his. I re-installed with his disk and that solved the "Error 20" problem but now Microsoft has branded me as a phariah. I trust Gateway's copy of XP was legal when they put it on my computer at their factory. I can't understand microsoft's problem. At the start, if they had given Gateway a good copy of XP there'd be no problem today-- I think.
      rayc@...
  • in the 1st place.....

    IF the' software was cheap..
    there would not to be hacking etc.
    there would not have to be pirate versions
    If the OS was an OPEN system
    all the arguments mentioned before would not be..
    WGA is a New Orleans disaster, period.
    amj2010
  • WGA

    Not only is this wretched program an example of Microsoft's arrogance in the way it only requests user acceptance too late, once it does insinuate itself onto a system, the user is told it cannot be uninstalled!

    Shame on you Bill!
    journo46
  • Microsofts WGA

    After reading the comments I decided to add one more. Try changing some hardware as I did. The WGA came back and told me there were too many changes made to reinstall, which I did. Upon repair installation I was told the windows I had was not genuine. But it was and had to call and waste a lot of time to strighten this out.

    jackiii
    jackiii@...
  • No Genius, Buuuuuuut........

    I'm not a genius by any stretch of the imagination.
    I'm not even a geek, but it is really appalling to see how ignorant the average "user" is. As clear as it is to the majority of the members that post here, there is still many who argue and support the integrity of Microslop.
    My only consolation will be to witness them getting "bit in the ass" when their time comes. Nothing you can say to them will explain what they are letting themselves in for.
    Ole Man
  • Victims

    We're self sustaining victims and the problem is we have systematically been controlled by convenience. Yep, we whine and bicker when something happens that disturbs us but continue to play their game. We still buy gas even though we know we're being gouged, don?t we? We still invest in MS even though their product is less than perfect. Most of us have learned ways to like our XP trash which we need to run all of the associated third party software that we?ve invested time and money in. We?re locked in and MS knows this very well and thus has set us up to dance to their music. We built this empires and now just like with the price of oil, inflation and taxes we must live with our own creations.
    The-Sensei
  • Annoyance

    First of all let me start by saying I absolutely despise automatic updating. The reason my home computer runs as smooth as silk is because I micromanage the living crap out of my OS by being -very- picky about what I install and how I install it. My motto at work is, "NEVER let the computer think for you. It's a tool. Do you let your hammer think for you when you're pounding a nail?"

    With that said, my work machine is an older machine, 1ghz running 256mb of RAM, and XP Professional. Unfortunately, we run Novell Groupwise here, so calling our machines "stable" is a stretch. Because we're a legitimate business entity, and a law office at that, we're very careful about genuine software. This morning I had a notification that Windows Update had software to be installed. I looked at the list, didn't see anything bad, and installed it. Soon afterwards, I was greeted with little popup messages and an icon in my system trap that would NOT go away, even after I updated the settings, which requires taking you to a website on Microsoft.com.

    We have legitimate software, and we still have to deal with popups and programs running?. Why? So that Microsoft can tell me that they're going to stop supporting Service Pack 1 in October. At least, that's what the current useless, annoying, waste of resource message says.

    It's really nothing more than an annoyance, but it's yet another case of legitmate users having to deal with something they don't want to have to deal with.

    Meanwhile, at home I've got a Dell machine running XP Pro with a pirated serial number, because Dell gave me a copy of Server 2003 with it. I had an XP disc, just grabbed a serial number.. and I don't have any MS Spyware issues on that, just on the "genuine" ones. Brilliant.
    JalenRawley