[Infowarrior] - Windows Vista Privacy Issues

Richard Forno rforno at infowarrior.org
Mon Jul 9 18:30:22 UTC 2007


(c/o AJR)

Forget about the WGA! 20+ Windows Vista Features and Services Harvest User
Data for Microsoft - From your machine!

By: Marius Oiaga, Technology News Editor

http://news.softpedia.com/news/Forget-about-the-WGA-20-Windows-Vista-Features-and-Services-Harvest-User-Data-for-Microsoft-58752.shtml

Are you using Windows Vista? Then you might as well know that the licensed
operating system installed on your machine is harvesting a healthy volume of
information for Microsoft. In this context, a program such as the Windows
Genuine Advantage is the last of your concerns. In fact, in excess of 20
Windows Vista features and services are hard at work collecting and
transmitting your personal data to the Redmond company.

Microsoft makes no secret about the fact that Windows Vista is gathering
information. End users have little to say, and no real choice in the matter.
The company does provide both a Windows Vista Privacy Statement and
references within the End User License Agreement for the operating system.
Combined, the resources paint the big picture over the extent of Microsoft's
end user data harvest via Vista.

Reading Between the EULA Lines

Together with Windows Vista, Microsoft also provides a set of Internet-based
services, for which it has reserved full control, including alteration and
cancellation at any given time. The Internet-based services in Vista
"coincidentally" connect to Microsoft and to "service provider
computer systems." Depending on the specific service, users may or may not
receive a separate notification of the fact that their data is being
collected and shared. The only way to prevent this is to know the specific
services and features involved and to either switch them off or not use
them.

The alternative? Well, it's written in the Vista license agreement. "By
using these features, you consent to the transmission of this information.
Microsoft does not use the information to identify or contact you."

The Redmond company emphasized numerous times the fact that all information
collected is not used to identify or contact users. But could it? Oh yes!
All you have to know is that Microsoft could come knocking on your door as
soon as you boot Windows Vista for the first time if you consider the
system's computer information harvested. Microsoft will get your "Internet
protocol address, the type of operating system, browser and name and version
of the software you are using, and the language code of the device where you
installed the software." But all they really need is your IP address.

What's Covered in the Vista License?

Windows Update, Web
Content, Digital Certificates, Auto Root Update, Windows Media Digital
Rights Management, Windows Media Player, Malicious Software Removal/Clean On
Upgrade, Network Connectivity Status Icon, Windows Time Service, and the
IPv6 Network Address Translation (NAT) Traversal service (Teredo) are the
features and services that collect and deliver data to Microsoft from
Windows Vista. By using any of these items, you agree to share your
information with the Redmond Company. Microsoft says that users have the
possibility to disable or not use the features and services altogether. But
at the same time Windows update is crucial to the security of Windows Vista,
so turning it off is not really an option, is it?

Windows Vista will contact Microsoft to get the right hardware drivers, to
provide web-based "clip art, templates, training, assistance and Appshelp,"
to access digital software certificates designed to "confirm
the identity of Internet users sending X.509 standard encrypted information"
and to refresh the catalog with trusted certificate authorities. Of course,
the Windows Vista Digital Rights Management could not be missing from a list
of services that contact Microsoft on a regular basis. If you want access to
protected content, you will also have to let the Windows Media Digital
Rights Management talk home. Windows Media Player in Vista for example, will
look for codecs, new versions and local online music services.

The Malicious Software Removal tool will report straight to Microsoft with
both the findings of your computer scan, but also any potential errors.
Also, in an effort to enable the transition to IPv6 from IPv4, "by default
standard Internet Protocol information will be sent to the Teredo service at
Microsoft at regular intervals."

Had Enough? I Didn't Think So!

Microsoft has an additional collection of 47 Windows Vista features and
services that collect user data. However, not all phone home and report to
Microsoft. Although the data collection process is generalized across the
list, user information is also processed and kept on the local machine,
leaving just approximately 50% of the items to both harvest data and contact
Microsoft. Still, Microsoft underlined the fact that the list provided under
the Windows Vista Privacy Statement is by no means exhaustive, nor does it
apply to all the company's websites, services and products.

Activation, Customer Experience Improvement Program (CEIP), Device Manager,
Driver Protection, Dynamic Update, Event Viewer, File Association Web
Service, Games Folder, Error Reporting for Handwriting Recognition, Input
Method Editor (IME), Installation Improvement Program, Internet Printing,
Internet Protocol version 6 Network Address Translation Traversal, Network
Awareness (somewhat), Parental Controls, Peer Name Resolution Service, Plug
and Play, Plug and Play Extensions, Program Compatibility Assistant, Program
Properties - Compatibility Tab, Program Compatibility Wizard, Properties,
Registration, Rights Management Services (RMS) Client, Update Root
Certificates, Windows Control Panel, Windows Help, Windows Mail (only with
Windows Live Mail, Hotmail, or MSN Mail) and Windows Problem Reporting are
the main features and services in Windows Vista that collect and transmit
user data to Microsoft.

This extensive enumeration is not a complete illustration of all the sources
in Windows Vista that Microsoft uses to gather end user data. However, it is
more than sufficient to raise serious issues regarding user privacy. The
Redmond company has adopted a very transparent position when it comes to the
information being collected from its users. But privacy, much in the same
manner as virtualization, is not mature enough and not sufficiently enforced
through legislation. Microsoft itself is one of the principal contributors
to the creation of a universal user privacy model.

The activation process will give the company product key information
together with a "hardware hash, which is a non-unique number generated from
the computer's hardware configuration" but no personal information. The
Customer Experience Improvement Program (CEIP) is optional, and designed to
improve software quality. Via the Device Manager, Microsoft has access to
all the information related to your system configuration in order to provide
the adequate drivers. Similarly, Dynamic Update offers your computer's
hardware info to Microsoft for compatible drivers.

Event Viewer data is collected every time the users access the Event Log
Online Help link. By using the File Association Web Service, Microsoft will
receive a list with the file name extensions. Metadata related to the games
that you have installed in Vista also finds its way to Microsoft. The Error
Reporting for Handwriting Recognition will only report to Microsoft if the
user expressly desires it to. Through IME Word Registration, Microsoft will
receive Word registration reports. Users have to choose to participate in
the Installation Improvement Program before any data is sent over at
Microsoft.

Ever used a print server hosted by Microsoft? Then the company collected
your data through Internet Printing. Network Awareness is in a league of its
own. It does not premeditatedly store or directly send information to
Microsoft, but it makes data available to other services involving network
connectivity, and that do access the Redmond company. Via Parental Controls,
not only you but also Microsoft will monitor all the visited URLs of your
offspring.

Hashes of your Peer Name tied to your IP address are published and
periodically refreshed on a Microsoft server, courtesy of the Peer Name
Resolution Service. Every time you install a Plug and Play device, you tell
Microsoft about it in order to get the necessary device drivers. The same is
the case for PnP-X enabled devices, only that Windows Update is more actively
involved in this case.

The Program Compatibility Assistant is designed to work together with the
Microsoft Error Reporting Service, to highlight to Microsoft potential
incompatibility errors. For every example of compatibility settings via the
Compatibility tab, Microsoft receives an error report. The Program
Compatibility Wizard deals with similar issues related to application
incompatibility. File properties are sent to Microsoft only with the item
that they are associated with.

You can also volunteer your name, email address, country and even address to
Microsoft through the registration process. A service such as the Rights
Management Services (RMS) Client can only function in conjunction with your
email address.

All the queries entered into the Search box included in the Windows Vista
Control Panel will be sent to Microsoft with your consent. The Help
Experience Improvement Program also collects and sends information to
Microsoft. As does Windows Mail when the users access Windows Live Mail,
Hotmail, or MSN Mail. And the Windows Problem Reporting is a service with a
self-explanatory name.

But is this all? Not even by a long shot. Windows Genuine Advantage, Windows
Defender, Support Services, Windows Media Center and Internet Explorer 7 all
collect and transmit user data to Microsoft. Don't want them to? Then simply
turn them off, or use alternative programs when possible or stop using some
services altogether. Otherwise, when your consent is demanded, you can opt
for NO.

What Happens to My Data?

Only God and Microsoft know the answer to that. And I have a feeling that
God is going right now "Hey, don't get me involved in this! I have enough
trouble as it is trying to find out the release date for Windows Vista
Service Pack 1 and Windows Seven!"

Generally speaking, Microsoft is indeed transparent - up to a point - about
how it will handle the data collected from your Vista machine. "The personal
information we collect from you will be used by Microsoft and its controlled
subsidiaries and affiliates to provide the service(s) or carry out the
transaction(s) you have requested or authorized, and may also be used to
request additional information on feedback that you provide about the
product or service that you are using; to provide important notifications
regarding the software; to improve the product or service, for example bug
and survey form inquiries; or to provide you with advance notice of events
or to tell you about new product releases," reads a fragment of the Windows
Vista Privacy Statement.

But could Microsoft turn the data it has collected against you? Of course,
what did you think? "Microsoft may disclose personal information about you
if required to do so by law or in the good faith belief that such action is
necessary to: (a) comply with the law or legal process served on Microsoft;
(b) protect and defend the rights of Microsoft (including enforcement of our
agreements); or (c) act in urgent circumstances to protect the personal
safety of Microsoft employees, users of Microsoft software or services, or
members of the public," reveals another excerpt.

And you thought that it was just you... and your Windows Vista. Looks like a
love triangle to me... with Microsoft in the mix.



