SOS
06-12-2006, 03:55 AM
Groklaw (http://www.groklaw.net/article.php?story=20060608002958907)
Don't install this if you can.
Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Sunday, June 11 2006 @ 11:18 AM EDT
No doubt many of you saw on Slashdot the article "Microsoft Talks Daily With Your Computer (http://yro.slashdot.org/article.pl?sid=06/06/08/0119253)" or in Steven J. Vaughan-Nichols' article for eWeek titled, Big Microsoft Brother (http://www.eweek.com/article2/0,1895,1974911,00.asp), about allegations that Microsoft's Windows Genuine Advantage validation tool phones home daily to report information to Microsoft about you on each boot. Lauren Weinstein (http://lauren.vortex.com/archive/000178.html) broke the story on his blog. Microsoft has now put out a statement (http://blogs.zdnet.com/BTL/?page_id=3174), asserting that the Windows Genuine Advantage tool is not spyware, that they're going to change it some, and that one thing that distinguishes it from spyware is that they get consent before installing it. I question the accuracy of the statement. David Berlind did a fabulous job of discovering that in fact the tool has two parts, one of which is new, the Notification part, as you can see in his helpful series of screenshots (http://blogs.zdnet.com/BTL/?page_id=3170). First, he explains (http://blogs.zdnet.com/BTL/?p=3168) how the applications actually work. His research indicated to him that Microsoft asks permission for only one of the two, but the wrong one. I think it's muddier even than that, after reading the EULA. Thanks to Berlind's work, I see a legal problem with consent, which I noticed by reading the EULA. I think I also see a problem with the statement Microsoft has issued (http://blogs.zdnet.com/BTL/?p=3174) with regard to what information it collects. And something in the EULA needs to be explained, because it doesn't match Microsoft's statement. Let me explain.
Vaughan-Nichols lists the information Microsoft says it is collecting, which matches the Microsoft statement's list:
Now, when you use Windows Genuine Advantage for the first time, it gathers up, Microsoft tell us, and it will grab your PC's XP product key, PC manufacturer, operating system version, PC BIOS information and user locale setting and language. Nothing at all, Microsoft assures us, that could identify us or what programs we use, or anything like that. No siree. No chance of that.
Microsoft actually collects more information than that. I have some additional details I found on Microsoft's own website (http://www.microsoft.com/genuine/downloads/FAQ.aspx?displaylang=en) that I thought you'd want to know.
Let's look at what Microsoft currently tells customers about the validation tool and what information it collects:
Information collected during validation
Q: What information is collected from my computer?
A: The genuine validation process will collect information about your system to determine if your Microsoft software is genuine. This process does not collect or send any information that can be used to identify you or contact you. The only information collected in the validation process is:
* Windows product key
* PC manufacturer
* Operating System version
* PID/SID
* BIOS information (make, version, date)
* BIOS MD5 Checksum
* User locale (language setting for displaying Windows)
* System locale (language version of the operating system)
* Office product key (if validating Office)
* Hard drive serial number
Q: How does Microsoft use this information?
A: The information serves three purposes:
* It provides Web page flow, tailoring the pages you see based on your responses.
* It conveys demographics, which help Microsoft to understand regional differences in Windows or Office usage.
* It confirms user input. User input is often compared against data collected from the PC in order to determine whether to grant a user’s request for additional access.
I think we can discount those three items as being the purpose behind taking in our hard drive serial numbers. Microsoft is not checking our hard drive serial numbers to provide web page flow, convey usage demographics, or confirm user input, unless they are also perusing the contents of our hard drives, which they claim they are not. Of course, once they are inside your computer, there's really nothing much stopping them, if they felt like it. So why does Microsoft collect information like that and what are they doing with it? The above statement surely isn't all. They don't need such information about you as your hard drive's serial number, the company that built your computer, what language you use, PID/SID, BIOS information with an MD5 checksum, and where you are located to do any of the three things they say they are doing it for. Obviously, they are checking to know if you are a pirate, and they should say so straightforwardly. But does Microsoft need your hard drive serial number to know if you are a pirate? If you change it, is it any of Microsoft's business? Did they sell you that hard drive? But my point is, it's not mentioned in the EULA at all, so I don't see consent having been given. But it gets worse.
Here's part of what Lauren Weinstein wrote about his discovery in his blog entry on June 5th:
It appears that even on such systems, the MS tool will now attempt to contact Microsoft over the Internet *every time you boot*.... The connections occur even if you do not have Windows "automatic update" enabled. I do not know what data is being sent to MS or is being received during these connections. I cannot locate any information in the MS descriptions to indicate that the tool would notify MS each time I booted a valid system. I fail to see where Microsoft has a "need to know" for this data after a system's validity has already been established, and there may clearly be organizations with security concerns regarding the communication of boot-time information.
I'll leave it to the spyware experts to make a formal determination as to whether this behavior actually qualifies the tool as spyware.
Shortly thereafter, he was contacted by Microsoft and so he had a chance to ask his questions, and he tells what happened next in his blog entry for June 6 (http://lauren.vortex.com/):
Why is the new version of the validity tool trying to communicate with MS at every boot? The MS officials tell me that at this time the connections are to provide an emergency "escape" mechanism to allow MS to disable the validation tool if it were to malfunction.... I was told that no information is sent from the PC to MS during these connections in their current modality, though MS does receive IP address and date/timestamp data relating to systems' booting and continued operations, which MS would not necessarily otherwise be receiving.
Apparently these transactions will also occur once a day if systems are kept booted, though MS intends to ramp that frequency back (initially I believe to once every two weeks) with an update in the near future. Further down the line, the connections would be used differently, to provide checks against the current validation revocation list at intervals (e.g., every 90 days) via MS, even if the user never accessed the Windows Update site directly.
Oh, excellent. So they get your IP address too, and date/timestamp data "relating to systems' booting and continued operations". No way to contact customers, eh? No information sent? In what way is this not spyware? I am reminded of what the gentleman from Homeland Security said (http://www.digital-copyright.ca/node/1211) after the Sony rootkit was revealed: yes, it's your intellectual property; it's not your computer. (video (http://www.washingtonpost.com/wp-dyn/content/video/2005/11/11/VI2005111101160.html).) Again, there is nothing in the EULA that gets your consent for that information to be collected that I can find.
Microsoft, of course, says it is not spyware, and this is one of their statements explaining their point of view, from Berlind's article:
"Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware."
Now, as we've already seen, they didn't clearly notify customers that they were installing something that calls home daily, by their own acknowledgment. Here's what their website says about the ease of the validation process:
Q: Is genuine Windows validation a one-time process?
A: We’ve designed validation to be as easy as possible. Validation itself just takes a moment. The lengthiest part of the process is downloading the ActiveX control that performs validation. The ActiveX control is downloaded on the first validation and when a new version is available from Microsoft. So, while it’s not a one-time process, it is still quick and easy.
MORE IN THE LINK. CLICK THE LINK AT THE TOP OF THE POST.