MS anti-piracy tools phone home, raising consent, disclosure and security questions
As I reported last week (based on my own experience) Microsoft's Windows Genuine Advantage (WGA) is an anti-piracy technology that checks in with Microsoft's servers across the Internet that Microsoft recently pushed out to users of Windows via its Windows Update service. Unless the software is able to validate that you have a legitimate copy of Windows, you may be denied certain important updates according to an entry in Microsoft's online knowledgebase. But now comes new news that WGA is phoning home on a daily basis. Some are likening it to spyware and even Microsoft has acknowledged that it should be doing a better job disclosing what the program is doing and why. CNET News.com's Joris Evers reports:
Microsoft has vowed to better disclose the actions of its antipiracy tool once it is installed on Windows PCs. .....The tool, called Windows Genuine Advantage Notifications, is designed to validate whether a copy of Windows has been legitimately acquired. However, it also checks in with Microsoft on a daily basis, the company confirmed Wednesday... This has alarmed some people, such as Lauren Weinstein, a civil liberties activist, who likened it to spyware in a blog posting..... Microsoft disputes that notion...."We can argue about whether or not the tool's behavior is really spyware," Weinstein wrote on his blog Tuesday. The question is whether Microsoft has provided sufficient notice, he added...Microsoft acknowledged that it has not been forthcoming enough about the antipiracy tool's behavior, but countered that its tool is not spyware, since it is not installed without a user's consent and has no malicious purpose.
So, obviously, it's hard to disagree when a vendor acknowledges that it could be doing a better job telling its customers what it's up to when its software is phoning home. But the consent part is worth a look too. In the context of how Windows Update works, what consitutes sufficient notification and consent in a situation where something "chatty" like WGA is involved? I decided to take a closer look at how WGA installs itself and where the opportunity to consent comes in by booting up a Windows system that hasn't been booted since the WGA update was first pushed out to end users by Microsoft. I took screen shots of the entire process which can be viewed, replete with detailed captions, in a screen gallery that I posted separately here on ZDNet.
As the screen gallery shows, there are several ways you can end up with an update on your computer, depending on how you have the Windows Update feature configured. But the bottom line in the case of how Microsoft pushes WGA out to end-users is that the consent part of the process leaves a lot to be desired. In fact, when Microsoft first pushes out the a core piece of WGA -- the Validation Tool Kit -- not only might users feel as though the update was done under false pretenses (as can be seen from the screen gallery), the user is never stopped to consent to the update once it's clear that a WGA component is what is being added to your computer. This stands in contrast to the response that Microsoft offered to News.com's Joris Evers. I've contacted Microsoft for further clarification, but have yet to hear back.
Eventually, upon installing a second WGA component (that I can only guess relies on the first), there were several places including the presentation of the WGA End User License Agreement where I could have opted out of the installation. As can be seen from the screen gallery, just getting to the update required more effort than should have been necessary (it took three consecutive manual start-ups of the Windows Update process before I finally bumped into a WGA component that needed my consent to install itself). In addition, attempts to find out more about the update involved a circuitous route through dialogs and Web pages that landed me in the place I least expected to land in my quest for the nitty gritty details on what I was about to install: Microsoft's homepage for its Windows Genuine Advantage program.
Do I think there's some secret agenda here that Microsoft is trying to cover up? Absolutely not. Making Microsoft the subject of a witchhunt because it still has to do some more quality testing on something that is, according to the EULA, a pre-release service is a waste of time. At best, what we're seeing here is a work-in-progress where there's more work to be done not just in the area of disclosure as Microsoft has already acknowledged, but also on the user experience (which is why my screen gallery includes some suggested UI improvements).
That said, Microsoft's implementation of WGA and the text of the associated EULA do raise some interesting questions when it comes to security monocultures. Going back to the report I wrote last week, the reason I was able to catch WGA in its attempt to phone home was that I was running McAfee's Personal Firewall software. Since McAfee doesn't belong to Microsoft, its personal firewall software should always catch any attempts by any software (including Windows) to communicate across the Internet without the user's explicit permission. That's what firewalls do and if your as anal about security as I am, then you'll want to know when and how often something is trying to phone home. Even if that something is legitimate. But now that Microsoft is beginning to build most of that normally third party-provided security into Windows (those third parties being companies like McAfee, Symantec, and Zone Labs), maybe using Microsoft's tools (to save money) is a better idea. Is it? According to the EULA that goes with Notification component of WGA:
The software feature described below connects to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may switch off this feature or not use it.
If the security software you're using comes from Microsoft, then Microsoft is of course in a position to "drop Windows' guard" for operations in it considers to be legitimate (eg: WGA operations). Sometimes I refer to this as "issuing a hall pass." It's an issue that I raised against the backdrop of Microsoft and MTV's joint announcement of the URGE music service where Microsoft is in a position to issue the same sort of hall pass to MTV. The question is whether or not you want Microsoft to decide when hall passes get issued, or would you rather be in control of that decision. Bear in mind that there's an upside to letting Microsoft decide. Securing our systems has resulted in a lot of friction in the user interface: dialogs and warnings that ask us if it's OK to do X, or should we disallow Y. If we trust Microsoft to make the right decisions about who should get a hall pass and who shouldn't, conceivably, a lot of the friction that holds us back today could be eliminated.
But some people prefer that friction just to play it safe. If you're one of them, then, by staying with a non-Microsoft provided personal firewall (as well as other security products), there's a much higher probability that the hall pass decision will always be yours to make. This is why I think Symantec CEO John Thompson is right to raise the "risks of a security monoculture" issue everytime someone asks him if Symantec is in trouble now that Microsoft is stomping all over its security turf. I don't think he paints a very clear picture, or cites the examples that will make people go "aha!" But for those of you that want the most control that can be had over such hall passes, third party security solution providers may be your best choice.
[Update 6/9/2006: Last night, Microsoft issued a response to the growing concern over WGA's behavior. However, as I show in my analysis of that response, the Redmond-based company re-interates that the software does not install itself without the user's consent which, based on my testing, appears to be untrue. The pre-release nature of the software also raises another serious question as to whether or not Microsoft is forcing users of Windows to test beta software on their production systems.]