Is Microsoft about to release a Windows "kill switch"?

[Update, 4-Oct: Microsoft has introduced the Software Protection Platform, which contains features very similar to what I describe here. See For Vista, WGA gets tougher.]

[Update, 30-June 8:40AM PDT: Microsoft responds, sort of. Details in this follow-up post.]

Two weeks ago, I wrote about my serious objections to Microsoft’s latest salvo in the war against unauthorized copies of Windows. Two Windows Genuine Advantage components are being pushed onto users’ machines with insufficient notification and inadequate quality control, and the result is a big mess. (For details, see Microsoft presses the Stupid button.)

Guess what? WGA might be on the verge of getting even messier. In fact, one report claims WGA is about to become a Windows “kill switch” – and when I asked Microsoft for an on-the-record response, they refused to deny it.

Last week, a correspondent on Dave Farber’s Interesting People list posted some comments about his experiences with Windows OneCare Live. In the middle of the post, he added this tidbit:

I like to review updates before they are installed. The only update that I have not installed is the latest WGA because of the security issues related to it.

I called Microsoft support to see if there is a hidden option to say, "yep, I've got updates turned to manual... it's okay." The rep said, "No and why wouldn't you want to get the latest updates to Windows."

I responded with the issues relating to WGA. He spent some time telling me that WGA was a good thing, etc. I reiterated that I have accepted all the updates except WGA and just want to review the updates before they're installed on my machine.

He told me that "in the fall, having the latest WGA will become mandatory and if its not installed, Windows will give a 30 day warning and when the 30 days is up and WGA isn't installed, Windows will stop working, so you might as well install WGA now." [emphasis added]

I'm wondering if Microsoft has the right to disable Windows functionality or the OS as a whole (tantamount to revoking my legitimate Windows license) if I do not install every piece of software that they send it updates.

That can’t be true, can it? I’m always suspicious of any report that comes from a front-line tech support drone, so I sent a note to Microsoft asking for an official confirmation or, better yet, a denial. Instead, I got this terse response from a Microsoft spokesperson:

As we have mentioned previously, as the WGA Notifications program expands in the future, customers may be required to participate. [emphasis added] Microsoft is gathering feedback in select markets to learn how it can best meet its customers' needs and will keep customers informed of any changes to the program.

That’s it. That’s the entire response.

Uh-oh. Currently, Windows users have the ability to opt out of the Windows Genuine Advantage program and still get security patches and other Critical Updates delivered via Windows Update. The only thing you give up is the ability to download optional updates. Hackers have been working overtime to find ways to disable WGA notification. If WGA becomes mandatory, would it mean that Microsoft could prevent Windows from working if it determines – possibly erroneously – that your copy isn’t “genuine”? That’s a chilling possibility, and Microsoft refuses an easy opportunity to deny that that option is in its plans.

Over at Ed Bott’s Windows Expertise, I’ve been soliciting feedback from Windows users who’ve been burned by WGA. So far, I’ve received 20 comments. Here’s a sampling:

• I have an XP Media center with a promise RAID 0 4-disc array. When I installed the WPA it broke the drivers for the array by causing failed delayed writes (half of the array just “disapears”.) If I do a system restore to before the installation of the WPA everything goes back to working just fine.
• [S]ince installing WPA … I’ve had blue screens and a total inability to boot. I had to run the XP repair function to get the computer to boot. I had a damaged boot sector on the hard drive. I am running two drives on a RAID 1 config.
• I purchased a SEALED OEM copy of XP Professional. WGA said the license key was already used. I called MS and they said I should uninstall and buy another copy. I told them I wasn’t made of money and hung-up.
• Microsoft rejected the product key that came with the ThinkPad I’m using. I had to call in and they gave me another code to enter which supposedly worked but now I get the blue screen of death about every other time I reboot. I’ve also lost all internet connectivity.
• I sent my Compaq Presario notebook for service repair, and it fails the WGA check. I have a legal version of windows xp professional on it. But I have no way to correct this problem.

What’s most disturbing about this whole saga is Microsoft’s complete lack of transparency on the issue. And before the ABM crowd jumps in with predictable “What did you expect?” comments, let me argue that Microsoft actually has a fairly good track record on transparency issues in recent years. Windows Product Activation is very well documented, and when a similar uproar occurred in 2001, it was squelched quickly by some fairly prominent postings from high-level executives who provided details without a lot of spin. Likewise, the Microsoft Security Response Center has done an exceptional job at providing quick responses to security issues. (Just ask Adam Shostack.)

Currently, no one at Microsoft is blogging about this fiasco. No executive has been quoted on the record about it. There are very few technical details available, and those that have been published are being tumbled through the spin machine and spit out as press releases.

If Microsoft really does plan to turn WGA into a kill switch in September, be prepared for an enormous backlash.