Microsoft responds re Windows XP update vs. spyware

[David Farber <dave () farber net>]

Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: June 6, 2006 11:23:39 PM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Microsoft responds re Windows XP update  vs. spyware


     Luke:    "You lied to me. You said that Darth Vader killed my  
father."
     Obi-Wan: "When Anakin Skywalker turned to the Dark Side of the  
Force,
               the good man that was your father ceased to exist. So,
               what I told you was the truth -- from a certain point
               of view."
                     -- "Star Wars: Return of the Jedi" - 1983

     Pat (to Mystic Seer):   "You're just a stupid piece of junk,
                              aren't you?"
     Don (reading response): "It all depends upon your point of view."
                     -- "The Twilight Zone" ("Nick of Time") - 1960

In a recent message:
( http://lauren.vortex.com/archive/000178.html )
I asked the implicit question: "Is Microsoft's update of their
'Genuine Advantage' OS validity verification tool behaving as
spyware?"

Within hours of that text becoming public, I received e-mail and a
call from the director and senior program manager for Microsoft
"Genuine Windows" (their anti-piracy division).  We had a lengthy
and friendly chat, and I believe I can now answer that question.
However, as you have probably already guessed, the answer is,
"It depends upon your point of view."

And perhaps of more importance, it's not clear that the spyware
question alone is really the key issue in this case, since this is
all part of a larger MS anti-piracy effort with broader implications
for all concerned.  In the long run, the real issues are clarity and
control, as we shall see.

Microsoft has major piracy problems, on a massive scale -- this we
all know.  They have been ramping up their infrastructure to prohibit
"non-validated" copies of Windows XP from installing non-critical
software updates.  What many people don't realize is that MS does not
consider validation to be a necessarily permanent state.  Even after
a copy of XP has been validated, MS may choose to "revoke" that
validation (via communications with their Windows Update site) at a
later date if activation codes are found to be pirated in the future.

Why is the new version of the validity tool trying to communicate
with MS at every boot?  The MS officials tell me that at this time
the connections are to provide an emergency "escape" mechanism to
allow MS to disable the validation tool if it were to malfunction.

While most users will routinely accept the tool update from Windows
Update, MS considers it to be (for now) an optional upgrade as part
of a pilot program, as described in accompanying license information
that (as we know) most users will never read.  (I should note that
while these materials do discuss Internet connections, they do not
appear to notify users that the updated tool will make multiple
connections to MS at various intervals, even on systems that are
already validated.)

I was told that no information is sent from the PC to MS during these
connections in their current modality, though MS does receive IP
address and date/timestamp data relating to systems' booting and
continued operations, which MS would not necessarily otherwise be
receiving.

Apparently these transactions will also occur once a day if systems
are kept booted, though MS intends to ramp that frequency back
(initially I believe to once every two weeks) with a future update
in the near future.  Further down the line, the connections would be
used differently, to provide validation checks at intervals (e.g.,
every 90 days as validations expire) with MS, even if the user never
accessed the Windows Update site directly.

Can you safely block the tool from communicating with MS using
ZoneAlarm or another third-party firewall?  The answer appears to be
yes.  I'm told that if the tool can't communicate with MS,
validation checks will be made the next time the system communicates
directly with the Windows Update site, in the same manner as has
been done up to now since validation began.

We can argue about whether or not the tool's behavior is really
spyware -- there are various definitions for spyware, and the
question of whether or not you feel that the notice provided at
upgrade installation time was sufficient is also directly relevant.
I believe that the MS officials I spoke to agree with my assertion
that additional clarity and a more "in your face" aspect to these
notifications in such cases would be highly desirable.

But this is where an even more important question comes into play.
Microsoft (and other software vendors) are moving inexorably toward
a more "distributed" computing model where users are really "renting"
software services, rather than buying commodity software products.
The "rental" model implies long-term vender control over the use and
applications of such software, with associated communications between
user PCs and vender servers for ongoing authentication and other
purposes.

The entire concept of authentication revocation will be utterly
foreign to many users, who are used to assuming that once they've
bought something that they believe to be legitimate -- and that in
fact has initially been verified as legitimate -- it's then theirs
forever and can't be disabled or restricted later.

And as we've now seen yet again, the communications issues
associated with the rental/service model introduce a range of both
real and perceived privacy factors and concerns that we've hardly yet
begun to explore in depth as technologists or as a society.

One thing is certain regardless of your point of view -- the sorts of
issues that relate to this particular case are but harbingers of
what's to come, in terms of capabilities, controversies, risks, and
more.  The old models are dying, and if we don't get ahead of the curve
by understanding and properly framing the new models, we are likely
to be very sorry after the fact.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com





-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/