Check the fine print (Microsoft's new licensing agreement permits access to your computer at will)

InfoWorld ^ | Ed Foster

[John Jorsett]

BILL GATES SAYS security is Microsoft's top priority, but just whose security does he have in mind? Consider some of Microsoft's recent boilerplate legalese -- language you or your company might already have unknowingly accepted -- and then decide for yourself.

The language is contained in the Product Use Rights (PUR) document that can be found at www.microsoft.com/licensing/resources. As the PUR document is part of most customers' volume license agreements and is subject to periodic change, in theory Microsoft customers should check it regularly to see what rights Microsoft has decided to grant or take away.

You can be forgiven if you feel like you have better things to do with your life than reading and rereading all this mind-numbing legal gobbledygook. Fortunately, one Microsoft customer did review the PUR document recently and noticed a change. In the section on Windows XP Professional, he found the "Internet-Based Services Components" paragraph that said in part, "You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer."

The reader was stunned. "By changing that term in the PUR, Microsoft has found a creative way to obtain authorization from users to access their workstations at will," he said. "How many customers are going to review this PDF file and realize they've given Microsoft this right? And all the risk for the security and privacy violations due to this are neatly put on the customer's shoulders, not Microsoft's."

After the reader shared his discovery with me, I asked some other Microsoft volume license customers if they were aware of the PUR term. Not surprisingly, most were only vaguely aware of the PUR's existence, much less the terms in the XP section. But they had plenty of concerns once they read it, the most obvious being the damage the most benign of automatic OS upgrades could cause in a corporate environment. "The idea that Microsoft can change our software without notifying us is totally unacceptable," said one corporate IT manager. "Any alteration to our standard configuration can only be rolled out after careful evaluation and testing. Does Microsoft have no clue?"

Several readers were also worried that Microsoft's broad assertion of its right to access their computers would force their companies into noncompliance with government security guidelines and various privacy laws. This concern was exacerbated by additional PUR language in the same Windows XP section. In terms of "Security Updates," users grant Microsoft the right to download updates to Microsoft's DRM (Digital Rights Management) technology to protect the intellectual property rights of "Secured Content" providers. It says Microsoft may "download onto your computer such security updates that a secure content owner has requested that MS, Microsoft Corporation, or their subsidiaries distribute." In other words, it would seem Microsoft's idea of a security update is one that protects the property rights of vendors, not the security of customers' systems.

Currently, DRM technology is associated just with music or video content, but there's no legal reason it can't be used with software applications as well. One reader expressed the concern that in order to enforce common license terms, DRM technology might have to distinguish customer communications from those of internal users at a company. "As I read this, we will be guilty of violating federal privacy laws if we don't at least warn our customers that Microsoft and its partners may have access to their records," the reader said. "Perhaps our firewall can prevent Microsoft from doing this, but how can I be sure?"

Microsoft officials say that the language in the PUR agreement, which it confirms is also in the Windows XP EULA (End User License Agreement) itself, is not intended to force upgrades on customers. "Our goal is to give the user control over whether a system is being updated, regardless of whether the user is a consumer or an institution," a statement from Microsoft's legal team read. "The 'Internet-based Services Components' section of the Windows XP EULA was written specifically to ensure that we are in compliance with all regulations that require notification when the configuration choices that a user makes could potentially access one of the auto-updating features of Windows XP. We clearly have more work to do to make sure that it's clear when these automatic features are used, and we are looking at how to do a better job at that. But it is certainly not our intent to access any user's system when that is not what they desire."

Both corporate and individual customers can choose to turn off Windows Auto-Update, the Microsoft officials pointed out. Similarly, users will be told when a content owner is requiring an update to Microsoft's DRM technology and they will have the option to download it. "If the user elects not to update the security component, he or she will be unable to play content protected by our DRM from that point forward, although content previously obtained would still be usable."

Well, swell. But if it is indeed Microsoft's intent to continue giving users the right to decline downloads, why has the company written its XP agreements to force users to explicitly surrender that right? Are customers supposed to ignore what the licenses say and just hope Microsoft won't ever do what the terms say it can do? That's not a concept that will make anyone other than Bill Gates feel very secure.

[Dallas]

You don't actually buy microsoft products, you're in fact just leasing.

That's deceptive, and should be illegal....

[TaRaRaBoomDeAyGoreLostToday!]

BTTT

[Dominic Harr]

Bump for great justice.

[Incorrigible]

ALL YOUR COMPUTERS ARE BELONG TO US!

(Get used to it!)

[OldFriend]

Well then, I wish they would get in here and fix this thing up so I don't have so many little annoying problems!!!

[John Jorsett]

Good for you. More people ought to do that.

[John Jorsett]

That reminds me: I just installed a new software package the other day, and declined to register it. Then the thing opens up a browser window and attempts to access a web page with a script that would have sent them my name, the product, and the serial number. Luckily I had my cable modem disconnect at the time, but that kind of sneaky crap really steams me.

[Astronaut]

The easiest way to avoid Microsoft's invasion of your privacy is not refuse to buy their products. While XP is the best version of Windows yet, it is still a pale copy of the Macintosh. Apple has once again leapfrogged ahead of MS with Mac OS X, a Unix operating system that is more stable and easier to use than Windows. More importantly, you pay Apple $129 for the operating system, and thats it. They dont require product activation codes, dont want to snoop around your hard drive, or require you to divulge sensitive personal information. I run a Macintosh with no Microsoft software whatsoever, and I'm damn glad of it. I have a technologically superior system without the baggage of dealing with a privacy invading, anti-competitive behemoth.

[eno_]

If Microsoft loses, they will lose by overreaching like they are doing here. The German government just made Microsoft software persona non grata. The announcement was couched in all kinds of "democracy" hooey, but the bottom line is that any government function that requires real security cannot accept these terms.

It won't come as fast as some people hope for, but if they keep on this track, Microsoft is riding for a fall.

[philetus]

Let`s all panic now.

I go to windows update once in a while and download updates to my computer.So far MS hasn`t taken control of my computer.

I really don`t care what the wording is.
I DO NOT have to let MS "automatically" check and upgrade my computer.

There`s nothing to stop any company from putting anything they care to say in their license agreements,but it still doesn`t give them a legal right.

[Illbay]

Well, guess again. This has been the main "feature" of software since the era of personal computing began bringing with it the concept of software as a commodity that users big and small will buy.

There's nothing new about that part. Even GPU licensed software isn't "owned".

What's new here is the explicit permission for MS to access your computer without your knowing about it.

[spoiler2]

Remember, the ONLY secure computer is a permanently offline computer!

My online unit, which was bought for speed, is basically kept empty, with all my personal and business files kept in the older, offline unit it replaced.

Sound wasteful? Not if you consider what you might lose with a fully loaded unit left online a lot!

[Illbay]

Plus it enhances your religious faith, since you have to pray every day that Apple doesn't go under, and you left there stranded like the Commodore Amiga users that are still holding their breath waiting for someone to resurrect the Amiga.

[Illbay]

I've a lawyer-friend who laughs whenever he sees some sign in a business denying any responsibility for injury or damage to property whil on their premises.

"What a joke!" he says. "I can just see them bringing that sign in with them to show they court when they get sued because someone slipped on a wet floor!"

[stlrocket]

What Many People Think of Microsoft.

ONE'S VIEW OF THEIR LEGALIZE

[FourtySeven]

I'm no computer expert, but I must admit I haven't had a LICK of trouble with my P.C. since I installed a FIREWALL.

It's fascinating and somewhat disturbing to watch, as I remain online, hackers from around the globe trying to access my computer periodically. I don't think it's any coincidence that I haven't had ANY problems since installing the firewall.

Of course the point can be made that Apples and other "lesser used" computers and OS's aren't attacked by hackers nearly as much, thus, they are safer. This is true, however, I think their relatively unattractive status to hackers is not because Linux/Unix/or any other OS is neccessarily more stable. I think those lesser used OS's are more stable because they are lesser used, and thus, present a much less attractive target to the 15 year old punk (typical hacker) who wants to cause as much destruction as possible. In other words, if say Linux was the most popular OS, it would be just as "unstable" as Windows' platforms.

Again, I'm not an expert, this is just my personal theory. But, since no computer expert says any OS is completely safe, I'd say if enough computers used Linux, or the OS X, or whatever, then that would be the "target of choice" for hackers worldwide, and they'd spend as much time finding "faults" in those OS's as they do now finding faults in Microsoft's.

[John Jorsett]

That's a funny picture. I might make a version for my desktop wallpaper.

[krb]

WOW...that's exactly what happened to a friend of mine in the embedded systems consulting business. He got one of those nasty BSA letters even though he religiously uses non-pirated software and tracks EVERYTHING his business buys and uses. When he realized the BSA group can be used as a tool against your competition (think Communist block captains in Cuba, where you can rat out your neighbors or make stuff up) he decided to ditch all MS products and retool himself as a Linux shop.