Microsoft's New Privacy Row
ISP-Planet News ^ | October 23, 2002 | Dan Orzech

Posted on 11/13/2002 3:27:34 PM PST by Action-America

It's not the EFF that's worried about privacy this time. It's bankers like Lester Warby, CIO of Seattle Metropolitan Credit Union, who feel that the latest license terms might well put him in violation of new federal privacy laws.
 

by Dan Orzech
of internetnews.com

[October 23, 2002]

Lester Warby is the kind of guy who reads the fine print. And the fine print for the latest updates to Microsoft Windows has him worried.

Warby—who is the chief information officer at Seattle Metropolitan Credit Union—believes that the terms for the end user license agreement (EULA) for Microsoft's Windows 2000 Service Pack 3 (SP3) and XP Service Pack 1 might well put the credit union in violation of new federal privacy laws.

At issue is Microsoft's "automatic update" feature, which allows users to automatically get upgrades and patches to their systems. To get the updates, users must agree to give Microsoft access to information on their systems.

That, says Warby, conflicts with federal regulations for financial institutions, such as the Gramm-Leach-Bliley Act of 2001. The new law, which goes into effect next May, forbids financial service companies from giving third parties access to customer data without express consent from the customer. European countries generally have even stricter data privacy laws.

"We're forced into a position where we're either out of compliance with Microsoft's licensing, which is not acceptable, or we're out of compliance with the law, which is not acceptable either. Under these circumstances, we'll probably change our operating system," says Warby.

Warby is considering shifting his servers to another operating system like Novell or Linux, if Microsoft doesn't change its policy.

What—exactly—is software?
To use the "auto update" feature, according to the Microsoft Windows 2000 SP3 license, "it is necessary to use certain computer system, hardware, and software information...by using these features, users authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes."

The problem with that language, says industry analyst Joshua Greenbaum, of Enterprise Applications Consulting, in Daly City, Calif., is that the phrase "software information" is vague.

The term could include "information about proprietary systems, or about data," he says. "Does a stored procedure—which could contain proprietary algorithms—constitute software? Does the term include information about competitor's products, or about the use of software from a company with whom Microsoft might have a legal dispute?"

Microsoft does provide users with a high level of control over the auto update feature. Windows XP ships with the feature turned off, for example, so users must choose to activate it. And Microsoft notifies users of any updates, requiring them to agree to install them.

"Most home and small office users don't like to apply patches and updates," says Warby—who describes himself as "pro-Microsoft" in general—"so having Microsoft do this automatically for them would be a real value-added service." Microsoft is not the only company that offers such a service: Apple Computer's latest operating system, OS X, offers a similar feature called Software Update.

But what works for home users is not necessarily suitable for financial institutions, with their high level of security concerns, says Warby. And Warby says Microsoft has told him that it plans eventually to eliminate users' ability to disable Microsoft's access to their systems.

Microsoft had no comment on this issue, but if true, it is likely motivated by Redmond's concern about illegal copies of its software. Microsoft's license for Windows XP SP1 says:

Solely for the purpose of preventing unlicensed use of the applicable OS Software, the OS Components will include installation on your computer of technological measures that are designed to prevent unlicensed use, and Microsoft may use this technology to confirm that you have a licensed copy of the OS Software.

This is done through a product key that is sent to Microsoft over the Internet. That means Microsoft must send an authorization back to your system, says Warby, requiring it to have access to your system.

That makes Warby nervous. "Microsoft is definitely not known for their internal security," he says, citing undocumented macros in some Microsoft programs, which can be accessed by those who know the right combination of keystrokes. "The idea of Microsoft coming into a server, creates a potentially huge security risk," he says.

Of equal concern, says Warby, is that by agreeing to the Windows 2000 SP3 licensing terms, the credit union is potentially granting access not just to Microsoft, but to its "designated agents." The Microsoft license offers no assurances about who those companies might be, says Warby. "What if the designated agent is some small company overseas," he says, "in a country with a lax legal system?"

Financial institutions generally require background checks and assurances such as bonding before giving any outsider access to their systems. Oxford Global Technologies, for example, a Beverly, Mass.-based systems integrator, went through extensive security checks before it was allowed to provide remote Oracle database administration to financial industry clients. "One of our clients is a major brokerage house," says Paul Campbell, the firm's CTO. "They not only did background checks on our employees, but reviewed our software systems, and insisted that the security company which guards our building be approved as well."

 


TOPICS: Business/Economy; Culture/Society; Extended News; Front Page News; News/Current Events; Technical
KEYWORDS: linux; mac; microsoft; novell; privacy; win2k; xp
Every time Microsloth does something like this, it becomes more and more obvious to both business and home users that they should be using LINUX for servers and Macs on the desktop. The only reason that I don't use LINUX and Macs exclusively is because I make too much money fixing MS-Windows related problems for my clients. But I learned a long time ago not to keep any of my mission critical applications or data on Microsoft platforms.

 

1 posted on 11/13/2002 3:27:34 PM PST by Action-America

To: Action-America
Since this is just about the automatic updating system, just disable that part. I've got it disabled on all the systems here already, and in our upcoming Windows XP, yeah, it's turned off via the policies. Big whoop.
2 posted on 11/13/2002 3:35:03 PM PST by MPB

To: MPB
The problem is that most installers don't read the licence agreements and most just accept what is offered.

So the problem is not just whether the nice folks at Redmond have the right to browse through your system, they also may have been given the right to browse through the systems of the organizations with which you deal and to whom you may have given confidential information.

You might also want to take a close look at the agreement that you must accept when you do a manual download and install of an upgrade.

3 posted on 11/13/2002 3:43:46 PM PST by Clive

To: Action-America
Seems to me that use of the Win2K SP3 or WinXP SP1 will make those platforms unsuitable for ANY health providing office required to meet HIPAA standards... by violating FEDERAL privacy standards. Seems that it could also violate attorney/client privacy standards, so forget the legal profession. You already mentioned the financial industry...

Is it any wonder that I'm starting to think Microsoft may do to themselves what the federal government (justice department) couldn't do?

Cheers!

4 posted on 11/13/2002 3:53:43 PM PST by drachenfels

To: Clive
The only company that can screw things up for Microsoft is Microsoft. Is there any reason for them to be this customer-unfriendly? Has their legal department been infiltrated by Linux-supporting saboteurs?
5 posted on 11/13/2002 4:06:13 PM PST by eno_

To: eno_
Toyland's corporate culture has been paranoid from day one.
6 posted on 11/13/2002 4:12:14 PM PST by Clive

To: eno_
I've been a big fan of Microsoft, since I loaded my first copy of DOS. Moved to Windows. Microsoft Works got me through College. Moved to Windows '98 first in my company, and to NT when I learned it was stronger.

Then the creepy feeling set in. I started to notice over the years that MS has slowly turned into a "Maximize Profit" organization. Each year, they release so much, and it costs a lot. Nothing is free; everything is about money. I still run NT at home.

Their marketing department took over, and makes money, but ruined their reputation. They want sales, and money, and will do whatever it takes to get the most money out of us.

*sigh*

I've avoided it so far, but even me, a longtime MS fan, is looking at Linux.
7 posted on 11/13/2002 5:48:05 PM PST by MonroeDNA

To: Action-America
This is done through a product key that is sent to xxx over the Internet. That means xxx must send an authorization back to your system, says Warby, requiring it to have access to your system.

Eek. Financial systems should not be connected to the Internet. Period.

8 posted on 11/13/2002 6:31:41 PM PST by altair

To: MonroeDNA
What would a corporation half the size of Microsoft and 1/4 as profitable be worth? The question is will anyone try it.

Microsoft will never be defeated by LINUX or any UNIX variant. Just as the Mac could not beat the IBM PC. But a college student beat IBM out of its 85% market share from his dorm room with the Dell PC Clone. Dell didn't build a PC that was better than the IBM PC. He built a PC that was identical to the IBM PC and cost less. What a novel concept.

If someone really wants to destroy Bill Gates all they have to do is CLONE Windows and sell it under friendlier terms and at slightly less cost.

The MAC could not take the PC No matter how much better it was. And LINUX can't take Windows any more than the MAC could take the PC.

But a Windows clone could do to Gates what Dell did to IBM. It could take Gates to 10 percent of the market. Once someone Cloned Windows and made some bucks others would do it too. Just as Gateway and Compaq followed Dell into the fray.

Those that think LINUX can hurt Gates thought the MAC would hurt IBM. It can't. Clones HURT and not much else.

9 posted on 11/13/2002 7:25:43 PM PST by Common Tator

To: altair
This is done through a product key that is sent to xxx over the Internet. That means xxx must send an authorization back to your system, says Warby, requiring it to have access to your system.

Eek. Financial systems should not be connected to the Internet. Period.

So don't use the Internet for product-key validation. Instead, just call Microsoft's 888 number and activate that way. Of course, I'm sure the 50+ digit number you have to give Microsoft probably includes various useful goodies like your network card's MAC address, but I don't think they could fit much personal or financial data in the 50+ digits even if they wanted to.

10 posted on 11/13/2002 7:39:39 PM PST by supercat

To: Action-America
Just get XP SP-1 off the newsgroups and update that way:)
11 posted on 11/13/2002 8:21:27 PM PST by BobS
