MS anti-piracy tools phone home, raising consent, disclosure and security questions




As I reported last week (based on my own experience), Microsoft's Windows Genuine Advantage (WGA) is an anti-piracy technology that checks in with Microsoft's servers across the Internet; Microsoft recently pushed it out to Windows users via its Windows Update service.  Unless the software is able to validate that you have a legitimate copy of Windows, you may be denied certain important updates, according to an entry in Microsoft's online knowledgebase.  But now comes news that WGA is phoning home on a daily basis.  Some are likening it to spyware, and even Microsoft has acknowledged that it should be doing a better job disclosing what the program is doing and why.  CNET News.com's Joris Evers reports:

Microsoft has vowed to better disclose the actions of its antipiracy tool once it is installed on Windows PCs. .....The tool, called Windows Genuine Advantage Notifications, is designed to validate whether a copy of Windows has been legitimately acquired. However, it also checks in with Microsoft on a daily basis, the company confirmed Wednesday... This has alarmed some people, such as Lauren Weinstein, a civil liberties activist, who likened it to spyware in a blog posting..... Microsoft disputes that notion...."We can argue about whether or not the tool's behavior is really spyware," Weinstein wrote on his blog Tuesday. The question is whether Microsoft has provided sufficient notice, he added...Microsoft acknowledged that it has not been forthcoming enough about the antipiracy tool's behavior, but countered that its tool is not spyware, since it is not installed without a user's consent and has no malicious purpose.

So, obviously, it's hard to disagree when a vendor acknowledges that it could be doing a better job telling its customers what it's up to when its software is phoning home.  But the consent part is worth a look too. In the context of how Windows Update works, what constitutes sufficient notification and consent in a situation where something "chatty" like WGA is involved? I decided to take a closer look at how WGA installs itself and where the opportunity to consent comes in by booting up a Windows system that hasn't been booted since the WGA update was first pushed out to end users by Microsoft.  I took screen shots of the entire process, which can be viewed, replete with detailed captions, in a screen gallery that I posted separately here on ZDNet.

As the screen gallery shows, there are several ways you can end up with an update on your computer, depending on how you have the Windows Update feature configured.  But the bottom line in the case of how Microsoft pushes WGA out to end users is that the consent part of the process leaves a lot to be desired.  In fact, when Microsoft first pushes out a core piece of WGA -- the Validation Tool Kit -- not only might users feel as though the update was done under false pretenses (as can be seen from the screen gallery), the user is never stopped to consent to the update once it's clear that a WGA component is what is being added to the computer.  This stands in contrast to the response that Microsoft offered to News.com's Joris Evers.  I've contacted Microsoft for further clarification, but have yet to hear back.

Eventually, upon installing a second WGA component (that I can only guess relies on the first), there were several places including the presentation of the WGA End User License Agreement where I could have opted out of the installation.  As can be seen from the screen gallery, just getting to the update required more effort than should have been necessary (it took three consecutive manual start-ups of the Windows Update process before I finally bumped into a WGA component that needed my consent to install itself).  In addition, attempts to find out more about the update involved a circuitous route through dialogs and Web pages that landed me in the place I least expected to land in my quest for the nitty gritty details on what I was about to install: Microsoft's homepage for its Windows Genuine Advantage program.  

Do I think there's some secret agenda here that Microsoft is trying to cover up? Absolutely not.  Making Microsoft the subject of a witchhunt because it still has to do some more quality testing on something that is, according to the EULA, a pre-release service is a waste of time.  At best, what we're seeing here is a work-in-progress where there's more work to be done not just in the area of disclosure as Microsoft has already acknowledged, but also on the user experience (which is why my screen gallery includes some suggested UI improvements).

That said, Microsoft's implementation of WGA and the text of the associated EULA do raise some interesting questions when it comes to security monocultures.  Going back to the report I wrote last week, the reason I was able to catch WGA in its attempt to phone home was that I was running McAfee's Personal Firewall software.  Since McAfee doesn't belong to Microsoft, its personal firewall software should always catch any attempt by any software (including Windows) to communicate across the Internet without the user's explicit permission.  That's what firewalls do, and if you're as anal about security as I am, then you'll want to know when and how often something is trying to phone home, even if that something is legitimate.  But now that Microsoft is beginning to build most of that normally third party-provided security into Windows (those third parties being companies like McAfee, Symantec, and Zone Labs), maybe using Microsoft's tools (to save money) is a better idea.  Is it?  According to the EULA that goes with the Notification component of WGA:

The software feature described below connects to Microsoft or service provider computer systems over the Internet.  In some cases, you will not receive a separate notice when they connect.  You may switch off this feature or not use it.

If the security software you're using comes from Microsoft, then Microsoft is of course in a position to "drop Windows' guard" for operations it considers to be legitimate (e.g. WGA operations). Sometimes I refer to this as "issuing a hall pass." It's an issue that I raised against the backdrop of Microsoft and MTV's joint announcement of the URGE music service, where Microsoft is in a position to issue the same sort of hall pass to MTV.  The question is whether you want Microsoft to decide when hall passes get issued, or whether you would rather be in control of that decision.  Bear in mind that there's an upside to letting Microsoft decide.  Securing our systems has resulted in a lot of friction in the user interface: dialogs and warnings that ask us if it's OK to do X, or whether we should disallow Y.  If we trust Microsoft to make the right decisions about who should get a hall pass and who shouldn't, conceivably, a lot of the friction that holds us back today could be eliminated.

But some people prefer that friction just to play it safe.  If you're one of them, then, by staying with a non-Microsoft personal firewall (as well as other security products), there's a much higher probability that the hall pass decision will always be yours to make.  This is why I think Symantec CEO John Thompson is right to raise the "risks of a security monoculture" issue every time someone asks him if Symantec is in trouble now that Microsoft is stomping all over its security turf. I don't think he paints a very clear picture, or cites the examples that will make people go "aha!"  But for those of you who want the most control that can be had over such hall passes, third-party security solution providers may be your best choice.
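The point of keeping an independent firewall, as argued above, is that you get to see when and how often a program phones home and decide for yourself whether that is acceptable. The script below is an added example, not part of the original article or of any Microsoft or McAfee product: it reads outbound-connection events in a constructed log format (the format, process names and destination hosts are assumptions), groups them by process and destination, and flags pairs whose connections recur at a regular interval, which is how a daily check-in like the one described in the article would stand out from ordinary browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection events in a hypothetical host
# firewall log format: "<date> <time> OUT <verdict> <process> -> <host:port>".
# The process names and hosts are invented for this example; the regular
# once-a-day pattern is what a daily "phone home" would look like.
SAMPLE_LOG = """\
2006-06-05 08:02:11 OUT allow wgatray.exe -> genuine.example.invalid:443
2006-06-05 08:03:40 OUT allow firefox.exe -> news.example.invalid:80
2006-06-06 08:01:55 OUT allow wgatray.exe -> genuine.example.invalid:443
2006-06-06 13:22:09 OUT allow firefox.exe -> mail.example.invalid:443
2006-06-07 08:02:30 OUT allow wgatray.exe -> genuine.example.invalid:443
2006-06-07 19:45:01 OUT allow firefox.exe -> news.example.invalid:80
2006-06-08 08:02:02 OUT allow wgatray.exe -> genuine.example.invalid:443
"""


def parse_events(text):
    """Parse outbound events into (timestamp, process, destination) tuples,
    skipping malformed lines and anything that is not an OUT event."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        # Expected layout: date, time, OUT, verdict, process, '->', destination
        if len(parts) < 7 or parts[2] != "OUT" or parts[5] != "->":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[4], parts[6]))
    return events


def find_beacons(events, min_hits=3, max_jitter=0.1):
    """Return {(process, destination): (hit_count, mean_interval_hours)} for
    pairs that connected at least min_hits times with a regular spacing.
    Regularity is judged by the relative standard deviation of the gaps
    between consecutive connections (pstdev / mean <= max_jitter)."""
    by_pair = defaultdict(list)
    for ts, proc, dest in events:
        by_pair[(proc, dest)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = (len(stamps), round(avg / 3600, 2))
    return beacons


def report(text):
    """Human-readable summary of periodic outbound connections in a log."""
    lines = []
    for (proc, dest), (hits, hours) in sorted(find_beacons(parse_events(text)).items()):
        lines.append(f"{proc} -> {dest}: {hits} connections, roughly every {hours} h")
    return "\n".join(lines) if lines else "no periodic outbound connections found"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The jitter threshold is what separates a scheduled check-in from a user who happens to visit the same site most mornings: a scheduler fires within seconds of the same time each day, so the gaps between connections are nearly identical, while human activity is spread out. Whether a flagged program is legitimate is still your call, which is exactly the control the article is arguing for.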

[Update 6/9/2006: Last night, Microsoft issued a response to the growing concern over WGA's behavior.  However, as I show in my analysis of that response, the Redmond-based company reiterates that the software does not install itself without the user's consent which, based on my testing, appears to be untrue.  The pre-release nature of the software also raises another serious question as to whether or not Microsoft is forcing users of Windows to test beta software on their production systems.]


Talkback

29 comments
  • Good thing..

    ...I use Linux.

    Aren't you Windows people tired of all of the abuse yet?

    http://en.opensuse.org/Welcome_to_openSUSE.org
    Tim Patterson
    • I am considering it

      First Uncle Sam now Uncle Bill.

      Thanks for the link. Now I just need to figure out how to get all my MS games to work. I already enjoy OpenOffice and Firefox!
      tekhund@...
  • Intrusion is the Question

    I am not surprised that the O/S has been modified to report back daily...but frankly, what doesn't sound logical or rational is this:
    If Microsoft has verified ONCE that the O/S is legitimate, why do they need to re-verify it every day? Just how many COPIES of the O/S can you install on one computer? Since the O/S requires residing on the C: (Root) drive, master IDE 0, there can only be one copy of it on the computer. It will not work, trying to install it to a different partition or to a different device...it won't boot. Therefore, there is no logical reason why Microsoft has to verify it daily or even more than just once...unless, of course, there are OTHER reasons.

    Now, as I read your article, it seems to me, that Microsoft has made a big habit of trying to "frame" the questions, the logic and the reasoning to their own skew. This is the same tactic that politicians do, they try to force the discussion based on their turf and not yours. Anything outside their frame of reference is considered illogical, poorly thought out, unreasonable, not appropriate, not the issue, or not anything ELSE just because you are not discussing the topic in terms which is favorable to their position. I think we all need to pay close attention to such psychological tactics which corporations and the government so ruefully use to obfuscate all issues which might put them into a position of liability or responsibility.

    The fact is, it is not either reasonable, logical or rational, for Microsoft to demonstrate the level of paranoia that they do demonstrate to the extent that they invade your computer based upon the argument they are merely trying to defend and protect their corporate bottom line by seeking to daily verify the legitimacy of your O/S.

    When the "framing" is set aside, we can ask the real question..."Why?" Since it is obvious it is not necessary or rational to verify the operating system every day, what ELSE is Microsoft really doing that they are DEFINITELY not telling anyone about?

    Conspiracy theories aside, I think it is logical to assume that the US Government has an open door into all of our computers. And I think Microsoft has gleefully allowed the government to get into our computers so they can "watch" us.
    And that is the real reason for what is going on.
    It really isn't Microsoft, it is really the government. They are, so they say, looking for terrorist activities, or for child pornographers and pedophiles or for other criminal activities..but they may be collecting information on everything else we do, where we go, what we look at, how often, who we talk to, who we send emails to. If the NSA has been spying on our phone conversations, what makes you think Bush isn't spying on your social hour as well? I remember for a fact that Microsoft was a big contributor to the Republican campaign, and I wouldn't doubt whatsoever, they are also gleefully and ingratiatingly involved with helping the government to spy on all of us.

    It's not phone home to Microsoft, it's Phone Home to Fort Meade.
    jimnoregon
    • You've hit the nail..

      ...squarely on the head.

      It's not only possible but it's probable. In theory MS could be getting 'protection' from government from further anti-trust actions in exchange for allowing government the opportunity to take advantage of the Windows monopoly to spy on the people. It's scary to think of all the implications here. Are we heading to a time when government will start watching or detaining people based on a psychological profile compiled from information about a person's computing 'behavior'?

      A few questions are in order.
      Does the average person know this is happening? No.
      Would people be bothered enough by it if they did know that they would take any action against it at all? Disturbingly most would not.

      For those who do care there are alternatives.
      Tim Patterson
      • Right On...

        I am 99.9% sure that Microsoft has allowed the government a backdoor opening into our computers. With NSA spying already proven and admitted to, there should be no doubt about Microsoft being complicit with this either. This takes the spying from "theory" and "conjecture" to reality. Any form of communication is open to spying by the government. They say they don't care about all the other things...just the criminal activities...but then, you have to ask the question..."What else can the government criminalize?" We all know about how Bush has had the major search engines hand over information. This is a reality. The reasoning behind it, and the argument is..."We are trying to protect you."

        Our forefathers didn't need protecting when they set this nation up. Our fathers didn't need this either...we found ways to provide national security that did not infringe on and violate civil liberties and constitutional rights. Bush has no respect for the constitution or the rights of the people. Whatever is convenient for him is alright as far as he is concerned, and what has been revealed to the public so far, is far short of the egregious activities that he is really involved in.

        Why don't people care? It's basically because many people are stupid...stupid for allowing the government to spy on them.

        There has always been a careful balancing act between national security and civil liberties.
        It's only WHEN the secret police arrive at YOUR doorstep to arrest you for saying something they don't like, it is only WHEN your mother and father are hauled off to a concentration camp, it is only WHEN your daughter is tortured by a sadistic interrogator, it is only WHEN your home is confiscated and sold, it is only WHEN you are threatened to shut up, that YOU or anyone is really concerned about rights.

        I am reading two volumes on Adolph Hitler and how the Nazi party in Germany came to power.
        I am reading it because I want to remind myself of what happens when a nation becomes so complacent that they allow such persons into positions of power and are willing not only to compromise their liberty and their rights, but also to look the other way when millions of innocent people are brutalized, tortured and killed in the name of security, economic growth, or for any other reason whatsoever.

        A lot of Americans for over two hundred years have fought to defend our rights, died on distant battlefields, sacrificed untold love to preserve and defend our way of life. I do not believe their sacrifices must be discarded to ensure our so called liberty and freedom at the very expense of our liberty and freedom.

        And I am concerned, deeply, about Microsoft and their real intentions. I think we have to ask ourselves just how far we will allow corporations to go in invading our privacy and our personal liberties so that they can assure their prurient desire to protect their profit margins. It is a thin argument which gets increasingly stretched. Perhaps it is time to write laws that guarantee our rights to be left alone by corporations who violate our civil rights.
        jimnoregon
  • Who owns the software

    Let's get real. Read the EULA. Microsoft OWNS the OS. The user just licenses the OS from Microsoft. It (Microsoft) can do what it wants to its property, just like you can do what you want with your property. If a user is unsatisfied with Microsoft's terms or use of THEIR property, dump Windows for an alternative, like Solaris, Linux, BeOS, OS/2. Or buy a Mac and use OSX (licensed from Apple)? There are choices out there and WE are the ones who can make those choices as to what we put on OUR machines!
    talontamer
    • What makes you think Mac does not do this?

      What makes you think Mac does not do this?
      Just because nobody found it yet does not mean that Apple does not have the same practice.
      In fact it might very well be doing it quietly somewhere in the back end.
      vbp1
      • note on apple

        Apple has acted like this when it had more marketing power. During the 80s Apple tried to force a licensing scheme on software writers where they had to buy a license just to write software. Which would have made free/open source software not so possible.
        Netsplit
  • Microsoft still owns the software

    While you may own your computer, Microsoft still owns the operating system software running on it, they are simply giving you limited permission to use it for a period of time. As you can imagine, Microsoft feels that they should be able to keep tabs on the way you are using their software.
    If they don't like what you are doing with their software, they can stop you from using it.
    Do you have a problem with that?
    WiredGuy
    • Microsoft Owns The Software?

      What's the length of time they "let" you use it for?
      jrhcod
      • How long?

        Read the EULA, which is different from OEM to BRP (boxed retail product) to Volume Licensing. Example for OEM: license is granted to end user for the life of the system and may not be transferred to another system even if the old system is retired (tied to MB). We can get into the specifics of the MB but would prefer not to, since it can be lengthy.

        Also, while the Phone Home ET scenario may be of concern to some, WGA ActiveX addon to browser can be shut off. Not sure about the "new" phone home stuff, but pretty sure that can be sidestepped if desired. Hehe.
        magpie_z
    • They don't time the EULA

      At least not yet.

      Depending on if you bought the full version or OEM version that copy may be tied to a certain machine or not. They consider replacing the Mother Board and CPU a new machine.

      Actually the way the EULA is worded is that you bought and own the physical media, that way they don't have to replace the CD due to CD Rot http://www.usatoday.com/tech/news/2004-05-05-disc-rot_x.htm (FYI a Dutch company did a study on CD Rot and found that CDs begin to rot not in 100 years, like they claimed initially, in an office drawer but rather begin to degrade in 2 years if stored in a drawer in a standard office environment; it is worse if the climate isn't controlled. This is why critical data is still stored on tape BTW) or breakage.

      What MS claims to own, in the EULA no less (BTW you own the whole thing until you click I agree because you have yet to accept the terms of the EULA), is the computer program on the CD. They claim to own the software and only license it out to you because that way they can circumvent the copyright law exceptions and limitations that are there to balance the law between the consumers and the copyright holder, most notably first sale and the rights you have under section 117, most notably the right to make copies required to utilize the software without any further license, the right to archive the software, and the right to prepare or have prepared adaptations of the software so that it will run on other platforms. This BTW is supported in case law in the Mai v. Peak case, but the Krause v. Titleserv case gives the consumer the rights they had by declaring that clear title of ownership is not required in order to be classified as the owner of the software for purposes of section 117 but rather just having ownership-like rights, like the right to dispose of it or no set time limit in which they must return the CD with the software, is enough.
      Edward Meyers
    • How is that M$ stock doing

      You must own some, the way you're shilling for them.
      DarthRidiculous
  • Speaking of intrusive

    Before I get to my real reason for posting here I have a question for ZDNet. Doesn't it strike you as ironic that before I am allowed to post a response to an article about intrusive practices by Microsoft that I am FORCED to provide ZDNet with personal information that I don't particularly wish to provide? Suffice it to say that my responses were completely fictional.
    Ok - here is the question that I really came to ask. The article refers to a statement in the EULA that says "You may switch off this feature or not use it.". I would have thought it would have been obvious that readers would want to know how to do just that but it was not covered in the article. I tried to find the "switch off" feature without success.
    So........ how do you switch the "phone home" off?
    hawleyj@...
    • Responding to the ZDNet criticism

      Hi Hawley:

      We had a lot of problems when we left the comment system wide open. The spam bots were destroying the forums. So, we treat forum participation like we do newsletters and in fact use the same ID management system. We need a legitimate email address so we can confirm that you're someone that indeed wants to participate in our forums or subscribe to our newsletters. With one ID, you can log into our systems, use our forums, change the newsletters you're subscribed to, etc. We see that as preserving a good user experience while also making sure that someone can't pose as you and give us your email address in a way that results in you getting a bunch of our newsletters that you never asked for. For a detailed explanation of how seriously we take your privacy and what we do with any information we collect, how we use cookies, etc., please visit our privacy policy at:

      http://www.cnetnetworks.com/editorial/privacy.html

      I think you'll find that we're very up front about everything and we're not doing anything sneaky.

      db
      dberlind
  • MS Anti Piracy same old thing

    Maybe Micro$oft just got exposed, but other software firms have been doing this spying for years. From RealPlayer to Google and most all of those providing "Free" progs. Sure you can disable many of them through msconfig, but some are buried so deep in the registry, you'll never find them. Hello Big Brother! It seems that we are all "Comrades", even after the cold war ended.
    Jaytmoon
  • We are all at the mercy...

    The average user is at the mercy of anyone who knows more than you. But there are a few who believe in freedom to use what you purchase and not be a slave to the educated. When you buy an OS you are free to use it anyway you want, like a new car; just stay off public roads if deemed unsafe. The warranty is good if you comply with the agreement. However if a mechanic is adept he can tear up the new car and rebuild it better, at least in his mind. All he loses is the warranty. If he is really a good mechanic he may end up with a better product, he just can't sell the part that is made by someone else, at least until the warranty/patent/copyright/etc. runs out. As for me personally I think if we buy it we can re-engineer it any way we want. The more difficult they make it to re-engineer the bigger the challenge. Like the guy said, if there is something about the OS you don't like, turn it off.
    Dumber_z
    • Sorry, but if you read the license agreement...

      ...you don't actually "own" the software. You just purchased the rights to use it under the EULA terms. I'm not saying your thoughts on the issue aren't justified or make perfect sense, they just aren't legally correct.
      DCMann
  • Better Things On The Horizon

    Ten years ago I was one of Microsoft's biggest fanboys. I give them the credit for standardizing desktop computer software. But, with their price-gouging, spyware built into Windows, excessive validation and activation practices, adding DRM to Windows, and assuming control of their customers' computers over the years, I have come to despise them. I tried several versions of Linux at different times but was unable to find anything, in my opinion, that could compete with Windows at the time.
    HERE'S THE GOOD NEWS. I RECENTLY DOWNLOADED AND INSTALLED THE LATEST VERSION OF SUSE AND DEBIAN LINUX (DIDN'T COST ME A PENNY, EXCEPT THE DISKS USED TO BURN THE INSTALL CD'S, versus gazillions $$$ for Windows). I'M NOT A COMPUTER GEEK, BUT THE INSTALL (TO ME) WAS MUCH EASIER AND FASTER THAN ANY VERSION OF WINDOWS, AND NO NEED TO INSTALL DRIVERS AS IT'S ALL DONE AUTOMATICALLY (recognized and installed drivers for all my hardware on three different computers). ALSO, LINUX CONNECTS TO ITS SERVERS AND AUTOMATICALLY DOWNLOADS AND INSTALLS ALL UPDATES AND PATCHES (PLUS ANY PACKAGES YOU CHOOSE) WITHOUT ANY OF YOUR PERSONAL INFORMATION. NO DEMANDS TO VALIDATE YOUR COMPUTER OR OS, AND NO DEMANDS FOR MONEY, NOW OR EVER. AND BEST OF ALL, AS FAR AS I CAN DETERMINE (NOT BEING AN EXPERT), THE LATEST LINUX DISTRIBUTIONS CAN DO PRACTICALLY ANYTHING THAT WINDOWS CAN. YOU WOULD BE SURPRISED AT THE PACKAGES (CALLED PROGRAMS IN WINDOWS LINGO) THAT HAVE BEEN ADDED RECENTLY.
    Now I still use (and love) Windows. It's the Microsoft greed and deceit + their dictatorial practices that I deplore. If anyone should read this report outlining the difference in the Microsoft EULA and the GPL License (found here: http://members.iinet.net.au/~cybersrc/about/comparing_the_gpl_to_eula.pdf ), THEY WOULD DROP MICROSOFT LIKE A HOT POTATO.
    Sooooo..., all you newbies and non-geeks out there that think you've gotta be a whiz to use Linux, take heart. It's now easier to use and better than ever, and if I can do it, so can you.
    THERE'S BETTER THINGS ON THE HORIZON THAN VISTA!
    Ole Man
  • DISASTER with OneCare and WGA !!!

    I encountered a major disaster after Microsoft's OneCare program insisted on running Windows Genuine Advantage yet again. As a subscriber to OneCare, everything was run and up-to-date. Then two weeks ago, OneCare said I needed W'XP updates. Inexplicably the updates process started with Genuine Advantage which had already been run previously. After completing the Genuine Advantage process and OneCare, I suddenly discovered my data file for Microsoft Outlook had now disappeared. Over 10,000 business and technical e-mails had vanished. The current .pst file could not be found anywhere. What a disaster! Fortunately I had backed up my Outlook data about a week before so I didn't lose everything. The OneCare tech support people I reached in India were both useless and infuriating. Although I was a paid consultant in OneCare's development about 2-3 years ago, I will not be recommending OneCare to my clients yet. Lesson learned: Keep your data backed up! Strange things happen.
    dca3333