No doubt many of you saw on Slashdot the article "Microsoft Talks Daily With Your Computer" or Steven J. Vaughan-Nichols' article for eWeek titled "Big Microsoft Brother," about allegations that Microsoft's Windows Genuine Advantage validation tool phones home daily to report information to Microsoft about you on each boot. Lauren Weinstein broke the story on his blog. Microsoft has now put out a statement, asserting that the Windows Genuine Advantage tool is not spyware, that they're going to change it some, and that one thing that distinguishes it from spyware is that they get consent before installing it. I question the accuracy of the statement.
David Berlind did a fabulous job of discovering that in fact the tool has two parts, one of which is new, the Notification part, as you can see in his helpful series of screenshots. First, he explains how the applications actually work. His research indicated to him that Microsoft asks permission for only one of the two, but the wrong one. I think it's muddier even than that, after reading the EULA. Thanks to Berlind's work, I believe I see a legal problem with consent, which I noticed by reading the EULA. I think I also see a problem with the statement Microsoft has issued with regard to what information it collects. And something in the EULA needs to be explained, because it doesn't match Microsoft's statement. Let me explain.
Vaughan-Nichols lists the information Microsoft says it is collecting, which matches the Microsoft statement's list:
Now, when you use Windows Genuine Advantage for the first time, it gathers up, Microsoft tell us, and it will grab your PC's XP product key, PC manufacturer, operating system version, PC BIOS information and user locale setting and language.
Nothing at all, Microsoft assures us, that could identify us or what programs we use, or anything like that. No siree. No chance of that.
Microsoft actually collects more information than that. I have some additional details I found on Microsoft's own website that I thought you'd want to know.
Let's look at what Microsoft currently tells customers about the validation tool and what information it collects:
Information collected during validation
Q: What information is collected from my computer?
The genuine validation process will collect information about your system to determine if your Microsoft software is genuine. This process does not collect or send any information that can be used to identify you or contact you. The only information collected in the validation process is:
* Windows product key
* PC manufacturer
* Operating System version
* BIOS information (make, version, date)
* BIOS MD5 Checksum
* User locale (language setting for displaying Windows)
* System locale (language version of the operating system)
* Office product key (if validating Office)
* Hard drive serial number
Q: How does Microsoft use this information?
The information serves three purposes:
* It provides Web page flow, tailoring the pages you see based on your responses.
* It conveys demographics, which help Microsoft to understand regional differences in Windows or Office usage.
* It confirms user input. User input is often compared against data collected from the PC in order to determine whether to grant a user’s request for additional access.
I think we can discount those three items as being the purpose behind taking in our hard drive serial numbers. Microsoft is not checking our hard drive serial numbers to provide web page flow, convey usage demographics, or confirm user input, unless they are also perusing the contents of our hard drives, which they claim they are not. Of course, once they are inside your computer, there's really nothing much stopping them, if they felt like it. So why does Microsoft collect information like that and what are they doing with it? The above statement surely isn't all. They don't need such information about you as your hard drive's serial number, the company that built your computer, what language you use, PID/SID, BIOS information with an MD5 checksum, and where you are located to do any of the three things they say they are doing it for. Obviously, they are checking to know if you are a pirate, and they should say so straightforwardly. But does Microsoft need your hard drive serial number to know if you are a pirate? If you change it, is it any of Microsoft's business? Did they sell you that hard drive? But my point is, it's not mentioned in the EULA at all, so I don't see consent having been given. But it gets worse.
Here's part of what Lauren Weinstein wrote about his discovery in his blog entry on June 5th:
It appears that even on such systems, the MS tool will now attempt to contact Microsoft over the Internet *every time you boot*.... The connections occur even if you do not have Windows "automatic update" enabled.
I do not know what data is being sent to MS or is being received during these connections. I cannot locate any information in the MS descriptions to indicate that the tool would notify MS each time I booted a valid system. I fail to see where Microsoft has a "need to know" for this data after a system's validity has already been established, and there may clearly be organizations with security concerns regarding the communication of boot-time information.
I'll leave it to the spyware experts to make a formal determination as to whether this behavior actually qualifies the tool as spyware.
Shortly thereafter, he was contacted by Microsoft and so he had a chance to ask his questions, and he tells what happened next in his blog entry for June 6:
Why is the new version of the validity tool trying to communicate with MS at every boot? The MS officials tell me that at this time the connections are to provide an emergency "escape" mechanism to allow MS to disable the validation tool if it were to malfunction....
I was told that no information is sent from the PC to MS during these connections in their current modality, though MS does receive IP address and date/timestamp data relating to systems' booting and continued operations, which MS would not necessarily otherwise be receiving.
Apparently these transactions will also occur once a day if systems are kept booted, though MS intends to ramp that frequency back (initially I believe to once every two weeks) with an update in the near future. Further down the line, the connections would be used differently, to provide checks against the current validation revocation list at intervals (e.g., every 90 days) via MS, even if the user never accessed the Windows Update site directly.
Oh, excellent. So they get your IP address too, and date/timestamp data "relating to systems' booting and continued operations". No way to contact customers, eh? No information sent? In what way is this not spyware? I am reminded of what the gentleman from Homeland Security said after the Sony rootkit was revealed: yes, it's your intellectual property; it's not your computer. (video.) Again, there is nothing in the EULA that gets your consent for that information to be collected that I can find.
Microsoft, of course, says it is not spyware, and this is one of their statements explaining their point of view, from Berlind's article:
"Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware."
Now, as we've already seen, they didn't clearly notify customers that they were installing something that calls home daily, by their own acknowledgment.
Here's what their website says about the ease of the validation process:
Q: Is genuine Windows validation a one-time process?
We’ve designed validation to be as easy as possible. Validation itself just takes a moment. The lengthiest part of the process is downloading the ActiveX control that performs validation. The ActiveX control is downloaded on the first validation and when a new version is available from Microsoft. So, while it’s not a one-time process, it is still quick and easy.
Aside from breaking out in hives at the thought of having ActiveX running constantly on my computer, is this a clear description of how often it checks? Does it even indicate? How often does Microsoft release a new version? Daily? Weekly?
Microsoft's statement distinguishes between the two tools:
Q: What information is collected in this check? Is Microsoft collecting Personally Identifiable Information?
A: Other than standard server log information, no information is collected. Unlike validation, which sends system information to Microsoft, this operation is limited to the download of the new settings file. No additional information is sent to Microsoft.
Q: Why were customers not told that their PCs would periodically check in with Microsoft?
A: Microsoft strives to maintain the highest standards in our business conduct and meet our customers' expectations. We concentrated our disclosure on the critical validation step that would occur when validating through WGA. Not specifically including information on the periodic check was an oversight. We believe that being transparent and upfront with our customers is very important and have updated our FAQ accordingly. We have gone to great lengths to document any time a Microsoft product connects with Microsoft servers and will continue to do so. For example, we published a white paper that covers the topic of connecting with Microsoft Servers in Windows XP SP2. It is located at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/intmgmt/download.mspx
I understand that to be saying that the validation tool collects information about the computer, but the new notification tool does not, that it only checks to see if you should be sent a notice that you are not running validly licensed software. But if you think about it, that is the same as saying that it is checking every day on your validation, so the statement on their website about checking only once and then again when a new system is released isn't matching this information. And remember what they told Weinstein: "MS does receive IP address and date/timestamp data relating to systems' booting and continued operations, which MS would not necessarily otherwise be receiving."
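What "standard server log information" can reveal, as an added example that is not from the article or from Microsoft: a short Python script that profiles each client from nothing but the IP address and timestamp of a periodic settings-file request. The log lines, the path `/wga/settings.cab` and the addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median_low

SETTINGS_PATH = "/wga/settings.cab"  # hypothetical path, not from the article

# Constructed sample in Common Log Format. 192.0.2.10 is booted on weekday
# mornings; 198.51.100.7 is left running and checks in on a 24-hour timer.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2006:08:02:11 +0000] "GET /wga/settings.cab HTTP/1.1" 200 412
192.0.2.10 - - [06/Jun/2006:08:05:40 +0000] "GET /wga/settings.cab HTTP/1.1" 304 0
192.0.2.10 - - [07/Jun/2006:07:58:03 +0000] "GET /wga/settings.cab HTTP/1.1" 304 0
192.0.2.10 - - [08/Jun/2006:08:01:27 +0000] "GET /wga/settings.cab HTTP/1.1" 304 0
192.0.2.10 - - [09/Jun/2006:08:03:55 +0000] "GET /wga/settings.cab HTTP/1.1" 304 0
192.0.2.10 - - [12/Jun/2006:08:00:19 +0000] "GET /wga/settings.cab HTTP/1.1" 304 0
198.51.100.7 - - [05/Jun/2006:03:14:02 +0000] "GET /wga/settings.cab HTTP/1.1" 200 412
198.51.100.7 - - [06/Jun/2006:03:14:05 +0000] "GET /wga/settings.cab HTTP/1.1" 304 0
198.51.100.7 - - [06/Jun/2006:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [07/Jun/2006:03:14:01 +0000] "GET /wga/settings.cab HTTP/1.1" 304 0
198.51.100.7 - - [08/Jun/2006:03:14:09 +0000] "GET /wga/settings.cab HTTP/1.1" 304 0
garbage line without the expected fields
"""

# client, ident, user, [timestamp], "method path protocol", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def parse(lines, path=SETTINGS_PATH):
    """Yield (client_ip, timestamp) for each request to the settings file."""
    for line in lines:
        m = CLF.match(line.strip())
        if not m or m.group(4) != path:
            continue  # skip malformed lines and unrelated requests
        yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")


def profile_clients(lines, timer_slack=timedelta(minutes=5)):
    """Summarise what the check-in timestamps alone say about each client."""
    seen = defaultdict(list)
    for ip, ts in parse(lines):
        seen[ip].append(ts)

    profiles = {}
    for ip, stamps in seen.items():
        stamps.sort()
        # The first check-in of each day approximates boot/logon time.
        first_per_day = {}
        for ts in stamps:
            first_per_day.setdefault(ts.date(), ts)
        days = sorted(first_per_day)
        span = (days[-1] - days[0]).days + 1
        # Days inside the observed span with no check-in: machine was off.
        silent = [d.isoformat()
                  for d in (days[0] + timedelta(days=n) for n in range(span))
                  if d not in first_per_day]
        minutes = median_low(t.hour * 60 + t.minute
                             for t in first_per_day.values())
        # Gaps that are all ~24h indicate a machine kept booted (timer-driven
        # check-in) rather than one that checks in when it is switched on.
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        on_timer = bool(gaps) and all(
            abs(g - timedelta(days=1)) <= timer_slack for g in gaps)
        profiles[ip] = {
            "checkins": len(stamps),
            "typical_first_checkin": f"{minutes // 60:02d}:{minutes % 60:02d}",
            "silent_days": silent,
            "daily_timer": on_timer,
        }
    return profiles


if __name__ == "__main__":
    for ip, info in sorted(profile_clients(SAMPLE_LOG.splitlines()).items()):
        print(ip, info)
```

Even with no payload beyond the request itself, the server side can tell a weekday office machine from one that is never switched off.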
Berlind was the one who noticed that there are actually two tools, and the Validation tool never asks consent before installation. The Notification tool does, but without telling you that what you are downloading will be calling home daily. The notion of informed consent is that you have to know what you are saying yes to, and the party asking for your consent has an obligation to tell you the things you need to know to make an informed decision. A hospital, for example, can't get your consent to try a new, untested drug without telling you that it is new, untested, that you are a guinea pig, and exactly what the risks are and what your choices are. And if you refuse treatment, it can't force you to take the drug. And your doctor can't remove your gall bladder while doing surgery on your appendix, just because he notices a tumor in the gall bladder. Why not? Because that is battery, if he didn't get your prior consent to remove your gall bladder. You might wish to treat the tumor a different way, after all. Motive doesn't matter. There is no, "I was only trying to help" excuse. It's your right to say yes or no, because it's your body and medicine isn't a field where one has sufficient certainty to determine in advance if a certain treatment is or isn't going to work.
What about Microsoft's statement that it isn't spyware because it has no malicious purpose? First, I don't think spyware has to have a malicious purpose to be spyware. That's Microsoft's definition, but spyware companies no doubt would object. And that's also taking Microsoft's word for their good purposes. We don't actually know what they do with the information. There's no way to check. Do they store it? I'm sure they must. And let's face it, "malicious purpose" depends on where you are standing, doesn't it? Did Sony's rootkit have a malicious purpose? Or was its purpose very much like Microsoft's here? The "content industry" has gotten so used to waxing indignant about the harm being done to them by piracy, and getting laws to suit, that they now, evidently, believe that anything they do to reduce or prevent piracy is acceptable. It's not. My computer is mine, not Microsoft's.
But what purpose does Microsoft have? They tell us that their purpose is to notify the user if a proper license is not in place. Why would the user care if they are running a validly licensed copy of the software? Does this have anything at all to do with an "improved" experience for them? I suppose they care because Microsoft holds back updates unless they agree.
But if you look at the screenshots Berlind took, you'll see something else that doesn't seem so straightforward. The notice you get to prompt you to download and install the tools describes it as "updates," not new installations, which would lead a customer to believe that he already has the tool on his computer and just needs to tweak it. The Notification part is labeled "high priority updates", which would lead me to think that I really needed it to be safe. Microsoft says this is what it's for:
The Windows Genuine Advantage Notification tool notifies you if your copy of Windows is not genuine. If your system is found to be non-genuine, the tool will help you obtain a licensed copy of Windows.
Here's the screenshot Berlind took of what you see if you try to update without already having the Windows Genuine Advantage tool in place, although they don't mention it by name at the starting gate, which is devious enough for me right there. [Update: A reader tells me that Berlind missed a tiny Details link, which he says would have provided more information. I have asked him to send me a screenshot.] [Update 2: He has sent me the screenshot,1 and if Berlind had clicked on it, he would have seen the following: "Windows Genuine Advantage Validation Tool (KB892130) 734 KB, less than a minute. The Windows Genuine Advantage Validation Tool enables you to verify that your copy of Microsoft Windows is genuine. The tool validates your Windows installation by checking Windows Product Identification and Product Activation status." So, if he had clicked on that link, he would have known what was about to download, but this also confirms that there is no EULA until after the download. The description of what the tool does is clearly inadequate, in my view, because it doesn't link to the page on the website that tells you they will be harvesting your hard drive number, your machine number, etc., or even duplicate the information here in the details box. Nor does it tell you about any phoning home or how often you will be checked. Instead it says "you" will be enabled to verify that your copy is genuine. It doesn't say Microsoft will be enabled to verify if your copy is genuine, nor is there any information on what will be done with that information.]
If you agree, and who wouldn't, given the description, the next thing you see is your first mention of the Validation tool, but it is already downloading. That isn't consent, let alone informed consent.
It is actually a little more complex, as you can see beginning in the explanation of this screenshot. After you "successfully update" your computer with the Validator tool, if you click Continue, you get your notice of another vital update, the Notification tool. Notice you can't uninstall it, under the terms of the EULA, nor can you "test the software in a live operating environment unless Microsoft permits you to do so under another agreement." You do get a notice, very vague, about consent but only after the Validator tool is already installed, which raises the question of what happens if you say no? Berlind clicked yes all the way through, so I don't know because there is no way in the world I would put my computer through this. Here's part of the language of the "consent":
Consent for Internet-Based Services. The software feature described below connects to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may switch off this feature or not use it.
Now, I have read a lot of contracts in my time, as part of my job, and I have no idea what this is saying. Are they saying I can switch off the daily notification? Or that I don't have to install it in the first place? Or is it talking about the "in some cases" feature whereby I don't get notice? Clearly folks have not been getting notices of the daily contact with Microsoft's servers, so what "services" is Microsoft talking about?
Does the user need to know its license is valid every single day? What is Microsoft expecting to happen in 24 hours, after it first checks that a license is in place and valid? And why does Microsoft need to check every day? Obviously, they don't, because they've said they intend to cut back to every 14 days, and then, oddly, they say that once the beta test is over -- and that's another issue, Microsoft installing beta software for you to test for them without making it clear until it is already downloading that it is "Beta PreRelease" software (see the last Berlind screenshot) -- they will end the daily phoning home, according to InformationWeek:
The company plans to change the settings of the application in its next release, so that it dials in to Microsoft every two weeks, the spokeswoman said. The call-in feature would be disabled permanently when the program is generally available worldwide later this year.
That actually worries me even more. Why do they need it now but they won't once the software is available worldwide? Have they got something even more effective coming next? Perhaps they will say it's because once it isn't beta, then they won't need to maybe turn it off. All right. But surely they don't intend to stop validating, and that's the tool that sends Microsoft all the personal information about you, so I find their statement misleading, in that it talks about the notification component, which doesn't, they claim, send any info about you to them, rather than the validation part, which certainly does. People aren't just disturbed about the tool calling home; they are concerned about what the conversation includes.
That brings me to the problem I see in the EULA. Before I explain, some of you might like to know how to get rid of it. Here is what Rob Pegoraro in the Washington Post says:
Notifications also looks for new instructions from Microsoft every day. The company says these daily checks (which it plans to slow to once every 14 days) let it adjust the program's behavior if problems arise. That raises an alarming point: Notifications is pre-release software, tested without users' consent.
Worse yet, Notifications -- unlike other Microsoft updates -- cannot be uninstalled. (You can, however, erase it by restoring your PC back to its condition before Notifications' install: From the Start Menu, select All Programs, then Accessories, then System Tools, then System Restore.)
Microsoft is out of line here. The Notifications program is not the kind of critical update that should be installed automatically, much less excluded from uninstallation. And if people respond to this intrusive behavior by turning off automatic updates -- thus severing their PCs from the Microsoft patches they do need -- the already-bad state of Windows security can only get worse.
Actually it already is worse, because even if you turn off automatic updates, the notification tool continues to run. So, what about the EULA? Let's take a look at it. First, as Berlind so ably demonstrates, you are asked to consent to the notification tool, but not to the validation tool, which is the part that, according to Microsoft's statement, is the tool that sends them information about you and your computer. That's a hole in the consent process right there, according to Berlind's research. That's the same as saying that you never gave consent for your information to be sent, or only after the fact. You are presented with this EULA only when you are considering whether to install the Notification tool. But it's more complicated, because the EULA you are presented with -- and remember that the notification tool only recently was offered, as of April 24, according to Microsoft's statement -- describes the validation tool's actions, at least according to what Microsoft is telling us. My question is, what was the EULA like before? When did you first see it? And my next question is, if you say no to the EULA, and you don't install the Notification tool, have you ever said yes to the Validation tool? On what terms? Here's Microsoft's description of the two, from the statement:
The WGA program consists of two major components, WGA Validation and WGA Notifications. Validation determines whether the copy of Windows XP installed on a PC is genuine and licensed. WGA Notifications reminds users who fail validation that they are not running genuine Windows and directs them to resources to learn more about the benefits of using genuine Windows software.
They ask for your consent regarding the notification installation only, but it seems as if the EULA is intended to cover both tools, in which case they only ask for consent after the Validation tool is already installed. Here's what Microsoft says the Notification tool does:
Recent public discussions about WGA Notifications have raised questions about its operation. Shortly after logon, WGA Notifications checks whether a newer settings file is available and downloads the file if one is found. The settings file provides Microsoft with the ability to update how often reminders are displayed and to disable the program if necessary during the test period. This functionality enables Microsoft to respond quickly to feedback to improve the customer's experience. Unlike validation, which sends system information to Microsoft, this operation is limited to the download of the new settings file. No additional information is sent to Microsoft. There have been some questions on this issue, and Microsoft is working to more effectively communicate details of this feature to the public.
Just telling the truth would work. I think it's obvious no customer wants this software, Microsoft knows that, and so they tried to finesse it so as to get customers to agree to install it. And now they've been caught, just like Sony. Do you remember the time lag after that story broke, before Microsoft would say anything condemnatory? Now we probably know why.
Berlind notices issues remaining after Microsoft's statement. I would only add the following about the EULA: it isn't just a matter of timing, of when you get asked for consent. It's a matter of what you are asked to consent to. From the EULA:
This software is a pre-release version of the software intended to update the technological measures in Windows XP which are designed to prevent unlicensed use of Windows XP.
By using the software, you accept these terms. If you do not accept them, do not use the software.
As described below, using some features also operates as your consent to the transmission of certain standard computer information for Internet-based services.
So far, so good. They are letting you know that there will be some transmission of information about your computer sent to Microsoft. They don't however tell you precisely what they mean by "certain standard computer information." They describe the process as being done in connection with services, which implies you are getting something out of it, but you actually are getting nag screens, which by no stretch of my imagination is a service I would ask for. Additionally, this EULA first appears when you are being asked to download the Notification tool. You already have the Validation tool on your computer without any EULA or request for consent, and according to Microsoft, the Notification tool doesn't send any information about you to them. So this part of the EULA must be about the Validation component, unless they haven't been truthful about what the Notification tool does.
When you install the software on your premises, it will check to make sure you have a genuine and validly licensed copy of Microsoft Windows XP (“Windows XP”) installed. If you have a genuine copy of Windows XP, you receive special benefits, which are listed on the following link: http://go.microsoft.com/fwlink/?linkid=39157.
· If the software detects you are not running a genuine copy of Windows XP, the operation of your computer will not be affected in any way. However, you will receive a notification and periodic reminders to install a genuine licensed copy of Windows XP. Automatic Updates will be limited to receiving only critical security updates.
· You will not be able to uninstall the software but you can suppress the reminders through the software icon in the system tray.
The first part of this seems to be talking about the Validation tool, because it talks about checking to make sure you have a valid copy of the software, unless the Notification component does that too. But the end part, about not being able to uninstall it, which part is that talking about? Can you not uninstall either? Or was the Validation tool you already downloaded uninstallable too? If so, then you have installed software that you can't uninstall that does God knows what without being given an opportunity to say yes or no.
Next comes the Privacy clause2:
PRIVACY NOTICE: The validation process of the software does not identify you and is used only for the purpose of reporting to you whether or not you have a genuine copy of Windows XP. The software does not collect or send any personal information to Microsoft about you. The sole purpose of the software is to inform you whether or not you have installed a genuine copy of Windows XP. However, Microsoft may collect and publish aggregated data about the use of the software.
Now, this is the part I find misleading. Here they say that the validation process doesn't collect anything about you or send it to Microsoft. But they have already told us in their statements and on their website that in fact the Validation tool does both. Remember the hard drive and the IP address? So this part of the EULA appears to be talking about the Notification tool, but it calls it "the validation process", which means either that the Notification tool has in fact a validation aspect also, or it means that Microsoft never asked you for your consent to send that information to them, because this says they don't do so in the validation process and the software is only for the purpose of notifying you. If this EULA purports to be for both tools, it is inadequate and inaccurate. The validation process does collect information about you and it sends it to Microsoft, and they need to tell us that and get our consent.
So. Where's the information about the Validation tool, which does collect information about us and does send it to Microsoft? I think it's this part:
3. INTERNET-BASED SERVICES. Microsoft provides Internet-based services with the software. It may change or cancel them at any time.
a. Consent for Internet-Based Services. The software feature described below connects to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may switch off this feature or not use it. For more information about this feature, see http://go.microsoft.com/fwlink/?LinkId=56310. By using this feature, you consent to the transmission of this information. Microsoft does not use the information to identify or contact you.
i. Computer Information. The software uses Internet protocols, which sends to Microsoft computer information, such as your Windows XP product key, PC manufacturer, operating system version, Windows XP product ID, PC BIOS information, user locale setting, and language version of Windows XP.
ii. Use of Information. We may use the computer information to improve our software and services. We may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software.
In reality, the information we have indicates that you can't turn off this feature. What feature is it you can turn off? Paragraph a is talking about connecting to Microsoft's servers. You can't turn that off, can you? This is so unclear that I consider it no notice at all. What is it that you are agreeing to? It doesn't tell you how often you will be connecting or all of the information that it turns out is sent. Microsoft, for example, in the EULA never mentions your hard drive's serial number or your IP address, unless that is what they mean by standard computer information, in which case they need to explain how very personal and identifying it actually is. If that isn't personal, what is?
And in what way is the customer "using" the software or getting a service? Don't forget that by this point, you already have the Validation tool on your computer and there is a question as to whether you can uninstall it. The EULA purports to cover both tools, as far as I can make out, without ever fully telling you precisely what it is actually doing. There is no notice of daily calling home on each boot, for example. Next, Microsoft's EULA lets you know it is beta, but which tool are they talking about? Let's assume both:
4. PRE-RELEASE SOFTWARE. This software is a pre-release version. It may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version.
Now, it's on your computer, half way already, and apparently you can't uninstall it, so if Microsoft changes it for a final commercial version, what happens to you? Do you then have to pay for it? Do you get any choice? Speaking of which, let's look at clause 6:
6. Scope of License. The software is licensed, not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not
· disclose the results of any benchmark tests of the software to any third party without Microsoft’s prior written approval;
· work around any technical limitations in the software;
· reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;
· make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
· publish the software for others to copy;
· rent, lease or lend the software;
· transfer the software or this agreement to any third party; or
· use the software for commercial software hosting services.
You have been given a vision of the future, where software will be a service, and all you get is a license to use it the way they allow you to use it. How do you like Microsoft's Brave New World?
Surely they will find a way to check that you are complying with all the above, so I think it's clear that if you stay with Microsoft products, you have to agree to share your computer with them, that your privacy will be in their hands, and that they can control your computer without your say so. And they won't necessarily tell you clearly what they are doing, judging by this incident, or perhaps there will be no notice at all, as mentioned in the EULA. It's not about you buying a product and using it any way you wish. They let you use their software only within strict limitations they set which by the way do not conform to your rights under Copyright Law. This is a license, a kind of contract, whereby you waive rights you would otherwise have in order to use their software. And you are presented with a EULA at least one paralegal can't even understand, too late to say no in a meaningful way.
Is that your only choice? This unintentionally funny article "Windows anti-piracy program causes shock for doing its job," says Microsoft has been "pretty upfront about the WGA program," and if we don't like it, we should switch to Linux. That's a very good idea. You could use GPL software instead. It doesn't care how you use it. Share it, lend it, rent it, install it on as many computers as you wish, write about it, test it, transfer it to a third party, work around any technical limitations of the software, improve it, personalize it to make it do what you want it to do, and use it for commercial services. Do all of the above and you still haven't violated the software license, and by the way, the software is yours. You own it. No one has a need or even a right to check to see if you are using it properly or if you have the right license or if you swapped in a new hard drive or where you live or what your IP address is. Think about it. And then ask yourself, which do I prefer?
The world is at a crossroads, where for the first time there really is a choice. You don't have to accept Microsoft's demeaning and insulting EULA terms. If you are a business, do you want Microsoft having free access to your computer? If you are a government? I'm just an individual, and I don't.
If you wish to remove the Windows Genuine Advantage tools, and I expect most of you do, why not go the whole hog and remove the entire software package, replace it with GNU/Linux, and find out what it feels like to be treated with respect and to breathe free?
Update: There was a class action lawsuit over this, Johnson et al v. Microsoft, but in my view they sued over the wrong thing, breach of the EULA. The EULA was carefully enough crafted that it was ambiguous, as both parties agreed, so they lost. Here's the order [PDF]. Later, they were given the right to amend the complaint [PDF], but not in a way that would have really helped them, because the judge wouldn't let them sue for fraudulent misrepresentation, negligent misrepresentation, and fraudulent concealment, which is what I think they should have sued for in the beginning. Had they done so, who knows what the outcome would have been? But as it was, they didn't and then they couldn't, and so Microsoft prevailed, and in a way that enabled them to do all of the above without fear of consequences. And then the parties settled by stipulation [PDF], on terms unknown, wiping out the appeal as well as the cause of action on any amended complaint.
1 This is the screenshot of what Berlind would have seen if he had clicked on the Details link:
2 The same individual has now sent me another screenshot, but I'll just provide the text, so our servers don't get overloaded. It's the information Windows provides in the ironically named privacy statement regarding Windows Updates, and I believe if you are a techie, you will be hyperventilating at the implications to your privacy:
Windows Update privacy statement
Last updated May 16, 2005
Microsoft is committed to protecting your privacy.
What data is collected – and why?
Windows Update collects general system information from your computer with each visit, so that you receive the updates that work best with your computer. The information is also used to generate aggregate statistics about how the Windows Update web site is used and which systems need support, so that we can improve our service. This information includes:
· Computer make and model
· Version information for the operating system, browser, and any other Microsoft software for which updates might be available
· Plug and Play ID numbers of hardware devices
· Region and language setting
· Globally Unique Identifier (GUID)
· Product ID and Product Key
· BIOS name, revision number, and revision date
Your Internet Protocol (IP) address is logged when you connect to the Windows Update site, but this address will only be used to generate aggregate statistics.
How is this data used?
Windows Update collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. The Product ID and Product Key collected are not retained after you are finished using Windows Update, unless the Product ID is not valid.
To generate accurate statistics, Windows Update evaluates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any information that can be used to identify you. A GUID is assigned and tracked in the following cases:
To provide customers with the best possible service, Windows Update tracks and records the number of individual computers that visit the site and whether the download and installation of specific updates succeeded or failed. Windows Update records the GUID of the computer that attempted the download, the ID of the item that was requested, whether updates were required, and the configuration information listed above.
Windows Update logs an additional GUID if you provide responses about whether help and troubleshooting articles were useful in resolving your problem. This allows Windows Update to provide you with increasingly helpful and relevant information.
Microsoft collects information about the pages our customers visit within microsoft.com, including Windows Update. This information might include: your IP address, browser type, operating system, domain name, the time at which you accessed the site, and referring web site addresses. This site visitation data is identified only by a unique ID number used solely for this purpose.
Occasionally you might be invited to participate in a survey about the way you use the Windows Update web site. Each survey includes a privacy statement that details the terms and use of any information submitted with that survey.
View sample data
If you have additional concerns about the data being evaluated to determine which updates apply to your machine, you can view a sample of the information Microsoft will collect from your computer. Note the data provided is sample data only—individual results may vary based on your specific machine configuration.