Interesting People mailing list archives
Microsoft responds re Windows XP update vs. spyware
From: David Farber <dave () farber net>
Date: Wed, 7 Jun 2006 02:27:29 -0400
Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: June 6, 2006 11:23:39 PM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Microsoft responds re Windows XP update vs. spyware

Luke: "You lied to me. You said that Darth Vader killed my father."
Obi-Wan: "When Anakin Skywalker turned to the Dark Side of the Force, the good man that was your father ceased to exist. So, what I told you was the truth -- from a certain point of view."
-- "Star Wars: Return of the Jedi" - 1983

Pat (to Mystic Seer): "You're just a stupid piece of junk, aren't you?"
Don (reading response): "It all depends upon your point of view."
-- "The Twilight Zone" ("Nick of Time") - 1960

In a recent message: ( http://lauren.vortex.com/archive/000178.html ) I asked the implicit question: "Is Microsoft's update of their 'Genuine Advantage' OS validity verification tool behaving as spyware?"

Within hours of that text becoming public, I received e-mail and a call from the director and senior program manager for Microsoft "Genuine Windows" (their anti-piracy division). We had a lengthy and friendly chat, and I believe I can now answer that question.

However, as you have probably already guessed, the answer is, "It depends upon your point of view." And perhaps of more importance, it's not clear that the spyware question alone is really the key issue in this case, since this is all part of a larger MS anti-piracy effort with broader implications for all concerned. In the long run, the real issues are clarity and control, as we shall see.

Microsoft has major piracy problems, on a massive scale -- this we all know. They have been ramping up their infrastructure to prohibit "non-validated" copies of Windows XP from installing non-critical software updates. What many people don't realize is that MS does not consider validation to be a necessarily permanent state. Even after a copy of XP has been validated, MS may choose to "revoke" that validation (via communications with their Windows Update site) at a later date if activation codes are found to be pirated in the future.

Why is the new version of the validity tool trying to communicate with MS at every boot?

The MS officials tell me that at this time the connections are to provide an emergency "escape" mechanism to allow MS to disable the validation tool if it were to malfunction. While most users will routinely accept the tool update from Windows Update, MS considers it to be (for now) an optional upgrade as part of a pilot program, as described in accompanying license information that (as we know) most users will never read. (I should note that while these materials do discuss Internet connections, they do not appear to notify users that the updated tool will make multiple connections to MS at various intervals, even on systems that are already validated.)

I was told that no information is sent from the PC to MS during these connections in their current modality, though MS does receive IP address and date/timestamp data relating to systems' booting and continued operations, which MS would not necessarily otherwise be receiving. Apparently these transactions will also occur once a day if systems are kept booted, though MS intends to ramp that frequency back (initially I believe to once every two weeks) with a future update in the near future.

Further down the line, the connections would be used differently, to provide validation checks at intervals (e.g., every 90 days as validations expire) with MS, even if the user never accessed the Windows Update site directly.

Can you safely block the tool from communicating with MS using ZoneAlarm or another third-party firewall? The answer appears to be yes. I'm told that if the tool can't communicate with MS, validation checks will be made the next time the system communicates directly with the Windows Update site, in the same manner as has been done up to now since validation began.

We can argue about whether or not the tool's behavior is really spyware -- there are various definitions for spyware, and the question of whether or not you feel that the notice provided at upgrade installation time was sufficient is also directly relevant. I believe that the MS officials I spoke to agree with my assertion that additional clarity and a more "in your face" aspect to these notifications in such cases would be highly desirable.

But this is where an even more important question comes into play. Microsoft (and other software vendors) are moving inexorably toward a more "distributed" computing model where users are really "renting" software services, rather than buying commodity software products. The "rental" model implies long-term vendor control over the use and applications of such software, with associated communications between user PCs and vendor servers for ongoing authentication and other purposes.

The entire concept of authentication revocation will be utterly foreign to many users, who are used to assuming that once they've bought something that they believe to be legitimate -- and that in fact has initially been verified as legitimate -- it's then theirs forever and can't be disabled or restricted later.

And as we've now seen yet again, the communications issues associated with the rental/service model introduce a range of both real and perceived privacy factors and concerns that we've hardly yet begun to explore in depth as technologists or as a society.

One thing is certain regardless of your point of view -- the sorts of issues that relate to this particular case are but harbingers of what's to come, in terms of capabilities, controversies, risks, and more. The old models are dying, and if we don't get ahead of the curve by understanding and properly framing the new models, we are likely to be very sorry after the fact.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC - International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com