[Infowarrior] - Windows genuine disadvantage

Richard Forno rforno at infowarrior.org
Wed Jul 5 19:50:49 EDT 2006


 Windows genuine disadvantage
Mark Rasch,
http://www.securityfocus.com/print/columnists/409

A recent lawsuit filed against Microsoft should have all companies
reexamining their privacy policies to determine what information they are
actually collecting about customers, and what they can possibly do with it.
What would you call a computer program that surreptitiously installed itself
onto your computer, collected personal information about you without your
knowledge or effective consent, was difficult or impossible to remove,
installed pop-up banners that constantly harassed you, and presented
significant security vulnerabilities?

If you were Los Angeles resident Brian Johnson, the answer would be simple.
You'd call it Windows. Or more specifically, it's the anti-piracy software
download known as Windows Genuine Advantage.

His class action lawsuit (PDF), filed in U.S. federal District Court in
Seattle, Washington on June 26, 2006, alleges that the Microsoft software
violates California and Washington State privacy laws, consumer protection
laws, and anti-spyware laws. The outcome of the case may well dictate how
companies package software, and more particularly how they promise privacy.
This will apply not only to software companies, but also to any company
that, either knowingly or not, collects certain "personal information" about
visitors to its websites.

Genuine advantage?

In April 2004, with much fanfare, Microsoft announced a new program to
protect the consumer from ... well, from themselves. Ostensibly an
anti-fraud program, the Windows Genuine Advantage (WGA) program was marketed
as a means for individuals to determine whether the software on their system
(that is, only the Microsoft OS software) was properly licensed. In theory,
the target for this program was people who bought computers with OEM
Microsoft software which, unbeknownst to them, was not appropriately
licensed. In theory, people who downloaded or obtained software off the web
kinda knew or suspected that their free copy of Windows XP Professional
might not be legitimate.

The WGA program was not really a consumer protection program. It was
actually designed to protect Microsoft itself from people obtaining
unlicensed copies of its Windows (tm) operating system, and forcing them to
obtain actual licensed copies of the OS. If you were the victim of fraud,
and had unknowingly obtained a copy of the OS without a license, Microsoft's
software did not help you obtain redress against the seller of the computer
or OS. It merely offered you a mechanism to repurchase the software, at full
price, from Microsoft itself. Presumably, the consumer who obtained a
perfectly functional computer from an OEM manufacturer at a fair market
price (well, let's assume a slight bargain) was now given the opportunity to
give Microsoft more money to prevent piracy.

I must admit some aversion to the term "piracy" - as it evokes images of
peg-legged men with parrots swinging from riggings of Galleons with knives
between their teeth demanding ransom - not someone who has obtained software
without adhering to the terms of the End User License Agreement. Captain
Jack Sparrow with a modem? Software "piracy" is at worst theft, and more
generally a breach of contract - not armed gunmen taking hostages off the
Somali coast. Congress' authority to regulate software piracy rests in
Article I Section 8 of the Constitution, which gives them the ability, "To
promote the Progress of Science and useful Arts, by securing for limited
Times to Authors and Inventors the exclusive Right to their respective
Writings and Discoveries." This is not the portion two clauses down which
gives them the ability "To define and punish Piracies and Felonies committed
on the high Seas, and Offences against the Law of Nations." Unless of
course, you had a broadband connection on your Brigantine.

Indeed, those who were the "victims" of software piracy and who presumably
wanted to "get legal" were the ones who purchased OEM products that were
unlicensed - and they were the ones being forced by Microsoft to "walk the
plank." Arrrrrrrrrrrrgh. It's not like Microsoft was going after the OEM
manufacturers and distributors of unlicensed product, obtaining monetary
judgments and then giving that money to the purchasers of the products. No,
the enforcement actions were aimed at obtaining license fees and civil and
criminal sanctions for the company, all the while the company was claiming
that the unwitting purchasers were the victims. In fact, even if the Redmond
giant successfully squeezed license fees or other sanctions from the OEM
selling the unlicensed software, they still retained the right, through the
WGA program, to go after the individual (and possibly unwitting) purchasers
for the license fees again. Well, life ain't fair. Deal with it.

The progression of security updates and unlicensed software

Now make no mistake. The sale and transfer of unlicensed software presents
serious economic costs to software manufacturers. The Business Software
Alliance (PDF) estimated in its March 2006 report that for the previous year
about 35% of software on PCs was improperly licensed, and that worldwide the
median piracy rate was about 64%. In fact, the BSA estimated that, in 2005,
for every two dollars of software purchased legally, one dollar's worth was
obtained illegally. This amounts to billions of dollars of losses - a
sizeable portion of which must be for Microsoft itself. No wonder they
instituted a program to protect themselves. But did they go too far?



As originally instituted in April, 2004, the WGA program was a way for you
to scan your own PC and determine whether your copy of the Windows OS was
appropriately licensed. The software was listed as an "update" - and a high
priority update at that, when you went to download and install security
updates. So you would think that this was a high priority update to help you
to secure your own computer. But no. What it was, in fact, was a program
that you would install on your computer that would collect information for
the benefit of Microsoft. Indeed, assuming that the pirated software was
genuine pirated software (that is, not a Trojan horse program) then by
installing the program you actually became less secure.

A few observations are in order. Out of the box, with no updates, service
packs, or patches, the Microsoft OS of your choice is buggy and has obvious
security vulnerabilities. Indeed, if you buy a new PC, fully licensed out of
the box, once you connect to the Internet, it can take as long as several
hours for you to download and install all of the relevant patches, updates
and drivers just to get the machine functional. And that doesn't include
things like firewall settings, anti-viral and anti-spyware software, which
you have to buy separately from Microsoft or other vendors. The plain truth
was that most casual users never did these downloads. As a result, most
systems were woefully insecure. In an effort to "take the human out of the
loop," Microsoft introduced an automatic update service. After agreeing to a
general End User License Agreement, you would set your computer up in
automatic mode, and it would download and install updates necessary to
protect not only your computer but any computer to which your computer might
connect. You also had the option to have more control over the settings and
just install the software, or you could simply manually update your system.
But again, the more updated your system was, presumably the more secure. So
automatic update was the way to go.

If you have automatic updates set up, you get the WGA installed
automatically. According to the complaint, Microsoft's director of Genuine
Windows, David Lazar, described the WGA program, stating:

    "The system works by identifying unique characteristics of a system and
implanting a software key that can be read by Microsoft when updates are
requested. The only way to remove the key is to reformat the hard drive
[...] The key won't be used to identify individual users, only individual
systems [...] I would go back to our privacy policy which says we have no
knowledge of the identity of the users, so a user shouldn't be concerned
about the use of that key."

Um... not quite.

First of all, the software looks at a bunch of things in the hardware to
develop a profile of the user - the MAC address, the serial number of the
hard drive, its size, and so on. Thus, if you get a new hard drive or other
hardware, the key won't match, and you could be flagged as a pirate for
using your licensed software. Second, the statement suggests that the only
time you get electronically frisked is when you affirmatively request an
update. Also not true. With automatic updates on (a setting suggested by
Microsoft) you are frisked every time your computer updates - or every time
Microsoft pushes an update to you. Indeed, you are frisked more often than
that. Finally, and most disturbing, is the allegation that the key won't be
used to identify individual users. Oh really? Cross your heart and hope to
die, pinky promise?

Broken promises?

In July of 2005, Microsoft changed the WGA program, making users install an
Active X control that also generated a software key, and again promised that
"[Microsoft does not collect any information during this process] that can be
used to identify you or contact you." Similar promises were contained in the
FAQs and privacy policy of Microsoft.

In April of 2006 the program was expanded once again - to Microsoft's
advantage. Now, as you automatically updated the software using Windows
Automatic Update, the WGA validation program was automatically added to your
system. If the software thought your software wasn't valid, you got annoying
pop-ups prompting you to get legal, allegations that you were breaking the
law, and slower boot up times. In addition, this high priority update was
now being used to hold users hostage - no longer could they automatically
get software necessary to make their buggy OS reasonably secure without
agreeing to the electronic frisking. Without the possibility of pop ups and
accusations, you could not get critical security updates.

In May of 2006, the head of Microsoft's antipiracy program, Michala
Alexander, told CNet that, "... the WGA is a voluntary service. You can turn
off the pop-ups, and people can opt out of it. They still get all the core
downloads, but what they don't get is stuff such as Windows Defender. They
still get all the security patches--we don't penalize customers for not
joining." Not quite. You couldn't get the stuff automatically. Thus, if you
didn't install the WGA software, you were putting everyone else on the
Internet at risk. Fun stuff.

Once installed, the EULA says that "you will not be able to uninstall the
software..." It describes the fact that the software will connect to
Microsoft, that by using the now permanent software you consent to this, and
that you will not be notified when the connection is made. The EULA notifies
you that it uses Internet protocols which send to Microsoft computer
information such as your XP product key, PC manufacturer, OS version, XP
product ID, PC BIOS information, locale setting and language version of
Windows XP.

It then explains that Microsoft does not use the information to identify or
contact you. Yeah... right. Well, not today... maybe.

Windows Genuine Advantage versus spyware

So what does the WGA software do, exactly? It runs surreptitiously on your
computer. It scans the software and hardware, and extracts information about
it. If you DON'T run it, your computer becomes unsafe. If you do run it, you
have the possibility of getting pop-ups and slowing down your system.
Indeed, Microsoft on July 2, 2006 promised that the unlicensed user
experience would get even worse. This was with Microsoft's PR flack telling
Computerworld that, "In Windows Vista, we are making it notably harder and
less appealing to use counterfeit software, and we will work to make that a
consistent experience with older versions of Windows as well." Sounds an
awful lot like spyware to me.

Indeed, the EULA here is more onerous and less clear than that which the FTC
found actionable for online spyware manufacturer Odysseus, who purported to
allow people to download software to make Kazaa P2P software anonymous, but
which actually collected personal information and sent adware to the users
(PDF). In plain terms, spyware EULAs aren't enforceable, and the WGA license
sure sounds like a spyware EULA.



In fact, the class action lawsuit against Microsoft, in addition to alleging
violations of the Washington State and California deceptive and unfair trade
practices statutes, alleges that the WGA software violates the Washington
State anti-spyware law which makes it a crime to:

    (1) Induce an owner or operator to install a computer software component
onto the computer by intentionally misrepresenting the extent to which
installing the software is necessary for security or privacy reasons or in
order to open, view, or play a particular type of content; and

    (2) Deceptively cause the execution on the computer of a computer
software component with the intent of causing the owner or operator to use
the component in a manner that violates any other provision of this section.

The lawsuit also alleges a violation of the California anti-spyware statute
which also says that you cannot:

    (1) Induce an authorized user to install a software component onto the
computer by intentionally misrepresenting that installing software is
necessary for security or privacy reasons or in order to open, view, or play
a particular type of content.

    (2) Deceptively causing the copying and execution on the computer of a
computer software component with the intent of causing an authorized user to
use the component in a way that violates any other provision of this
section.

So what about the promise that the information cannot and will not be used
to identify individual users? Not so fast. Let's see exactly what information
Microsoft is having its OS call home with. Sure, it sends the key, and
configuration information. But it sends it over the Internet. This adds one
more piece of information to the mix - the system's IP address. The
government is increasingly demanding that ISPs - and now entities like
Myspace.com - retain information for years about IP address holders
specifically so that it (and private litigants) can use the IP information
to determine the true identity of users. Does Microsoft's promise that it
does not collect information from which it can learn your identity mean that
it doesn't collect the IP information for millions of computers that connect
to its servers? I think not. Or that it doesn't retain (at least briefly)
that information? Somehow I doubt it.

This problem is not unique to Microsoft. Many companies proudly exclaim on
their websites that they "do not collect personal information" or that they
only collect that information that people voluntarily provide. They also
eschew any attempt to find out who you are - ever, for any reason - really
and truly - we mean it.

What this really means is that, if a hacker or attacker were to attempt to
access the system, or was truly able to break in, the company's privacy
policy pretty much says we won't use the information on our system (your IP
address, keystrokes, and so on) to try to identify you. I mean, isn't that
what it means when you say you won't collect any information and won't attempt
to use it?

In the case of Microsoft, are they really saying that, if the FBI came to
them pursuant to a criminal investigation of software piracy, they would not
and could not turn over the IP information to help the FBI determine the
identity of those committing piracy? Does this mean that Microsoft has never
collected it? That if they really wanted to, they could never find out who
had unlicensed products? Somehow, I don't think so.

In fact, Microsoft's head is writing checks its body can't cash. On July 2,
2006, Microsoft's PR flack responded to rumors in the blogosphere that, in
addition to annoying pop-up ads, Microsoft would soon deactivate any
unlicensed copy of Windows. The Redmond giant quickly, but in my opinion
unconvincingly, quashed these rumors. According to a spokeswoman with
Waggener Edstrom, from Microsoft's public relations firm, "Microsoft
antipiracy technologies cannot and will not turn off your computer." Hmmm...
Microsoft cannot turn off your computer? Well, um... of course they can.
When the software phones home to see if it is licensed and it receives a
"no" signal, it could simply cease to operate. It is technologically
feasible, isn't it? Perhaps she meant that the computer's power will still
be on (it won't turn off your computer...), not that it will continue to
function. Moreover, as we have learned from past experience, the fact that
Microsoft says now that software will behave in one way doesn't mean that
this is the way it will behave in the future. Just download another EULA -
or another update.

What all this means is that whenever you collect personal information -
whether actively or passively - that could be used to identify people, you
need to let them know in clear, unambiguous and easily accessible language.
Don't worry, nobody is going to read it anyway. And in the case of
Microsoft, do they have any meaningful choices? Sure... that little
Antarctic bird... 



