Here's the Complaint [PDF] in the second class action lawsuit filed against Microsoft over WGA, Windows Genuine Advantage. I was sure you'd want to see it. This one was filed in the US District Court, Western District of Washington at Seattle on June 30. It's Case no. CV6-927R, Engineered Process Controls, LLC, Univex, Inc., Edward Mifsuid, David DiDomizio, and Martin Sifuentes v. Microsoft Corporation.
This story is not going away.
The first lawsuit emphasizes injunctive and equitable relief, changes in Microsoft's behavior, "prohibiting Defendant from engaging in the acts of unfair competition or deceptive trade practices alleged" and requiring Microsoft to delete "all data surreptitiously or otherwise collected" and "ordering data, funds or other assets obtained by unlawful means as alleged above to be impounded, or a trust imposed, to avoid dissipation, fraudulent transfers, and/or concealment of such assets by Defendant."
In short, it wanted Microsoft to cut it out. And within a day of filing the lawsuit, Microsoft had announced some changes. I don't personally see how calling home once a month instead of every day solves the problem, in that most of us don't want our computers calling Microsoft at all and we certainly don't want personally identifiable information about us being collected. At least I don't. What does Microsoft do with it? Does it store it? Does it share it? Does it put it together with other information about customers?
Of course, Microsoft denies any connection between the changes it has made and the first litigation filed. But when you don't stress billions in damages, it's a lot easier to get a problem resolved, one would assume.
This second complaint is asking for compensatory and statutory damages, including treble damages, and disgorgement of profits "realized as a result of the unlawful conduct of defendant", on top of cutting it out. Plaintiffs also want Microsoft to have to fund and implement an advertising campaign to let victims know "the potential security and other risks associated with WGA Software, to allow the consumers on whose machines the software is installed to protect themselves from further damage. The publicity campaign should include, at a minimum issuing a public statement describing the risks and providing information about how to uninstall the program." Microsoft has now provided uninstall instructions, but it involves fiddling with the registry, which some of us love to do, but most are appropriately scared to touch, and then there is this notice:
Important: These instructions have not been tested on the general release version of the WGA Notifications. Therefore, these instructions are not supported. Microsoft will offer the general release version of WGA Notifications to users who uninstall the pilot version at a later date. These users will obtain the general release version through the Microsoft Automatic Update service. WGA Notifications is part of the Windows Genuine Advantage program....
Regardless of genuine status, users are not denied access to critical updates. However, users who have not validated their computers as genuine are not able to install other updates such as those for Microsoft Internet Explorer 7.0 and Microsoft Windows Defender.
I read that as saying they are not going to cut it out altogether, and you are utterly on your own as far as uninstalling the "pilot" version of WGA. If you mess up your computer, don't call them. Most people will not be able to follow the instructions, I don't think, or more accurately will be too scared to try.
Interestingly, one other unique aspect of this complaint is that it asks the court to decide if the terms of the EULA, some or all of them, are unconscionable, specifically the limitation of warranties and limitations of damages at $5. I've asked myself that question too. Can one be said to have agreed to a EULA's terms if they come from a monopoly software company requiring you to accept software you don't want as a precondition to getting software you do want and feel you need? And when you bought your computer, did you agree that WGA was going to become a fixture in your life? If you had known, would you have purchased XP? Here's law.com's definition of unconscionable:
adj. referring to a contract or bargain which is so unfair to a party that no reasonable or informed person would agree to it. In a suit for breach of contract, a court will not enforce an unconscionable contract (award damages or order specific performance) against the person unfairly treated, on the theory that he/she was misled, lacked information or signed under duress or misunderstanding. It is similar to an "adhesion contract," in which one party has taken advantage of a person dealing from weakness.
I think it's clear no one wants WGA except Microsoft. But is it bad enough that one could be said to have agreed under duress? And should Microsoft have to pay more than $5 in damages if you've suffered more than that?
The first lawsuit mainly asked for alteration in behavior, then, and in fact Microsoft did alter its behavior to a degree. This second lawsuit looks to be harder to settle out quickly or to satisfy the Plaintiffs. The introduction begins:
Microsoft created serious security, privacy and consumer protection problems that damaged Plaintiffs and the members of the class by installing a "spyware" computer program as a "critical security update" in millions of computers nationwide....
WGA is "spyware" that transmits data to Microsoft's central computer ("phones home") every time a PC is booted up and every 24 hours thereafter. Microsoft does not advise users of these phone home capabilities. WGA gathers data that can easily identify individual PCs and WGA can be modified remotely to collect additional information at Microsoft's initiation. WGA is in daily contact with Microsoft's servers and it can download other software and morph itself for whatever purpose Microsoft desires. Software hackers can exploit WGA to not only collect data but also modify users' computers.
This was likely written before the changes in Microsoft's WGA process, but the security issues presumably remain, and for a time period there were issues as to whether users knew what was happening to their computers or meaningfully said OK.
The first lawsuit, filed by Kamber & Associates, relied upon the following statutes:
- Washington State's Consumer Protection Act
- Washington Rev. Code Section 19.86.020
- Washington's anti-spyware laws, specifically Washington Rev. Code Section 19.270.040
- the California Consumer Legal Remedies Act
- California Civil Code Section 1750 et seq.
- California's anti-spyware laws, specifically California Business & Professions Code Section 22947.4
- California's Unfair Competition Law, California Business & Professions Code Section 17200.
The second lawsuit, filed by the Houck Law Firm, lists the following statutes and claims:
- The Computer Fraud and Abuse Act, 18 U.S.C. Section 1030, alleging Microsoft "intentionally access[ed] a computer without authorization or exceeds authorized access, and thereby obtain[ed] ... information from any protected computer if the conduct involved an interstate or foreign communication" in violation of this Act.
- Washington State's Consumer Protection Act ("Microsoft's actions are unfair and deceptive...Microsoft has represented that its WGA software have characteristics, uses or benefits which they do not have....Microsoft installed the WGA programs in defective prerelease condition ... Microsoft's policies and practices are unlawful, unethical, oppressive, fraudulent and malicious. The gravity of the harm to all consumers from Microsoft's policies and practices far outweighs any purported utility those policies and practices have.")
- Washington's Computer Spyware Act, RCW Section 19.270.040 ("Microsoft takes control of the Class's computers and modifies settings that could cause damage to their computers or lead to the stealing of the owner or operators personally identifiable information in order to commit fraud....Microsoft induces an owner or operator to install its WGA software onto the computer by intentionally misrepresenting the extent to which installing the software is necessary for security or privacy reasons.")
- Breach of implied covenant of good faith and fair dealing.
- Intentional misrepresentation.
The plaintiffs also ask that Microsoft work with anti-virus, anti-spyware tools to find and completely clean up everyone's computers. That seems a bit useless. Microsoft has been using your computers to call itself every day for a while now. Did your anti-virus, anti-spyware applications block it? Did they even tell you? Did they warn you about Sony's rootkit, for that matter? Well, one did, finally. But if there is one obvious lesson to be learned from these two events it's that anti-virus companies have been asleep at the wheel. At least.
Here's the thing. The Computer Fraud and Abuse Act is a federal statute. The first litigation was under state laws. The CFAA is one of the serious, heavy-handed computer abuse laws Hollywood and other content owners dream about, designed to deal with "pirates" and "hackers". And now, ironically enough, it is being applied to Microsoft, and I have to say, if all you look at is the actions and compare with the statute, it does seem to match up.
There is the disjoint that Microsoft isn't motivated like a cracker. It isn't going to sell your identity to an ID thief or put charges on your credit card or anything like that. It isn't going to post it on the internet either or cause other damage we normally would associate with the statute. But the law doesn't exactly distinguish such things. In discovery, there may be some digging to see what Microsoft was/is doing with all that data. Does it sell it to partners, for example? If it does, and it told you it was for your advantage, a necessary security update, is that fraud? Section 1030 of the Act is titled: "Fraud and related activity in connection with computers." The criminal penalties are significant. If you are a cracker, for example, found guilty of violating the Act, they can throw you in prison. This is civil only, so that isn't going to happen here, but it's not an insignificant thing to be accused of violating the CFAA. It's like I always say. Be careful what laws you pass, because they won't be used just the way you are thinking. Lawyers are creative.
Judges can distinguish motives, because they are human beings, and juries can, but the charge is actually quite serious. The complaint does ask for a jury trial, by the way, and if the jury is made up of Microsoft XP users who installed WGA or had it installed on them -- and how could it not? -- Microsoft might be in for a rocky ride.
Of course, Microsoft maintains that WGA is not spyware. Here are some slides of a PowerPoint presentation on research on privacy issues and how to make computers less vulnerable, and one slide puts EliteBar in the spyware category for the listed reasons:
TRUST, Berkeley Site Visit, April 26-28, 2006
Cyberlaw Clinic: Enternet
- Enternet Media (EM)
  - Internet ad firm in CA
- EliteBar a.k.a. Elite Toolbar
  - distributed through websites
  - no notice of installation
  - prevents uninstallation
  - collects personal information
- EULA: unconscionable terms
Hmm. Check, sorta, check (it did before), check, and we'll see.
The real issue with all spyware, to me, isn't just technical. It's the bigger question: what happens to the personal information that is collected? That is the piece we really don't know in the Microsoft WGA story, but it does look like this second lawsuit might just find out.
You could just switch to GNU/Linux, of course, if you wish to escape such problems. I hope you do. You can get it for free and use it on as many computers in your home or business as you like. Then go to your mom's and install it on her crippled XP computer that is doing heaven knows what, so you know she's safer, and then give it to your best friend to do the same. And nobody will ask you or your mom or your friend or his family and friends what you are doing or demand you register or report back or prove you are "legitimately" using the software, which doesn't snoop to see if you've been good.