
June 9th, 2006

Does Microsoft's new WGA disclosure fall short?

Posted by David Berlind @ 7:44 am

Categories: General

After its Windows Genuine Advantage (WGA) anti-piracy software (pushed to end users via Windows Update) started phoning home to Microsoft’s servers on a daily basis, thus earning Microsoft a place in the public spotlight in recent days, the software giant’s public relations engine was apparently very busy yesterday figuring out what to do about users’ concerns and then getting the word out. The result? A statement combined with a FAQ that may assuage some concerns but that, based on my experience with the way WGA works, inaccurately describes the installation process as one that asks the user for consent.

Here are some of the major points made by the statement (headlined: Microsoft Provides Additional Clarity About Windows Genuine Advantage Notifications) and my thoughts on them (in italics):

  • The WGA program was launched July 2005 to provide an improved experience for consumers using genuine Windows XP and to help Microsoft address software piracy. *It’s quite clear, based on the way un-WGA-validated copies of Windows will only get access to certain updates (most likely critical security ones that pose a threat to other Windows users and the Internet), that this is an anti-piracy program. The basic message is that if you don’t have a valid copy of Windows, you won’t get the updates you need. Therefore, you (and your customers if you’re distributing invalid copies of Windows) are better off with legitimate installations. What’s not clear to me is how users of "genuine Windows XP" will end up with an "improved experience." Prior to WGA coming out, users of genuine and non-genuine Windows were having pretty much the same experience and receiving the same improvements via patches and updates. This statement seems to imply that the denial of certain updates to non-genuine copies of Windows XP adds up to an improved experience for genuine Windows XP.*
  • The WGA program consists of two major components, WGA Validation and WGA Notifications. *Based on my tests of how WGA installs, this is true. The first update my machine received was the Validation component. Then, after the validation component installed in one batch of updates, the notification component showed up in the next batch.*
  • Validation determines whether the copy of Windows XP installed on a PC is genuine and licensed. WGA Notifications reminds users who fail validation that they are not running genuine Windows and directs them to resources to learn more about the benefits of using genuine Windows software. *This is an incredibly important distinction between the two components because of what landed Microsoft in the spotlight in the first place — the act of "phoning home" (to Microsoft’s servers in this case) on a daily basis (a behavior that’s often associated with spyware). That act raised questions about why such contact had to be made so frequently and exactly what information was being passed back to Microsoft.*
  • Shortly after logon, WGA Notifications checks whether a newer settings file is available and downloads the file if one is found. The settings file provides Microsoft with the ability to update how often reminders are displayed and to disable the program if necessary during the test period. This functionality enables Microsoft to respond quickly to feedback to improve the customer’s experience. *So, this is a description of what the Notifications component does. Although there will probably be other reminders that bubble up through WGA Notifications, the one that’s getting all the attention right now is the one that reminds users of unvalidated copies of Windows that they need to get a valid licensed copy. Microsoft’s ability to reach out and disable software as a result of installing WGA raises more questions about what else Microsoft can disable, if it decides it wants to. But for now, what’s important is the distinction between Validation and Notification and which of the two is the one that phones home. So far, it appears as though WGA Notifications downloads files from Microsoft’s servers (as opposed to uploading information, aka, "phoning home"). More…*
  • Unlike validation, which sends system information to Microsoft, this operation is limited to the download of the new settings file. No additional information is sent to Microsoft. *So, here, I’m going to be the editor talking for a second. Use of the lower-case "validation" is confusing. If Microsoft meant WGA’s validation component, which I think it did, then it should give it the same upper-case treatment that it gave to the notification component by phrasing it as "WGA Validation." When WGA installs itself, there are clearly two components that install. During the installation, the name "Windows Genuine Advantage Validation Tool" appears when the first component is installed. Then, when the subsequent component is installed, the name "Windows Genuine Advantage Notification (KB905474)" is displayed. I could be mistaken (the West Coast was still sleeping as I wrote this), but I think it’s safe to assume that when Microsoft refers to "validation," it’s referring to the "WGA Validation Tool" that installs first, and when it’s referring to "WGA Notification" that it’s referring to the "WGA Notification" that installed second. To minimize the chances of confusion, Microsoft should be consistent with its nomenclature between the actual user experience and its communications with the public. Now, if the assumption is correct that Microsoft’s reference to "validation" is a reference to the WGA Validation Tool, then this last part of the statement makes it clear that the WGA Validation Tool is the component that phones home while WGA Notification is the component that checks for and downloads new files if they’re available. This is very relevant to Microsoft’s communications regarding the issue of consent.*
  • Yesterday, CNET News.com ran a story that said "Microsoft acknowledged that it has not been forthcoming enough about the antipiracy tool’s behavior, but countered that its tool is not spyware, since it is not installed without a user’s consent and has no malicious purpose."  In the statement released last night that further addressed allegations that WGA is spyware (the chief defining characteristic of spyware being that it phones home to its developers with sensitive information), Microsoft reiterated that "Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware."  

And here’s where the confusion and misinformation continues to fester. As can be seen from the screen gallery and writeup of my tests, I was not asked for consent when the WGA Validation Tool — the one that, like spyware, phones home — installed itself. In fact, as can be seen from this screenshot which immediately preceded the automatic download and installation of the WGA Validation Tool, I could easily argue that I was misled into thinking I was going to download and install something else when in fact, I was downloading and installing, without my consent, software that apparently phones home.

Was I ever asked for my consent? Yes, when WGA Notification — the component that doesn’t phone home — installs itself (acceptance of this End User License Agreement is required). So, as best as I can tell, Microsoft asks for consent in the wrong place. Instead of asking for consent before installing the software that apparently phones home, it asks for consent before installing the software that downloads files. Notwithstanding the questions about WGA Notification’s downloading of files that apparently give Microsoft some remote control capabilities over your system’s behavior, it should be the other way around. At the very least, consent should be required before any software that phones home is downloaded to your system. In this situation, I’d argue that consent should be required when both components are installed.

Also, here again, Microsoft should have done a better job on the editing front. The FAQ says "WGA is installed with the consent of the user."  But the truth is that WGA by itself isn’t an entity that installs itself as one big chunk of software for which consent is required.  Currently, it’s two pieces of software that are installed independently of each other and, as just said, consent is required for one piece, but not the other. 

Finally, the one newsworthy item in Microsoft’s statement is that, with the next update to WGA Notification, the company will be changing the frequency with which WGA Notification checks for new downloads.  According to the statement:

As a result of customer concerns around performance, we are changing this feature to only check for a new settings file every 14 days. This change will be made in the next release of WGA. Also, this feature will be disabled when WGA Notifications launches worldwide later this year.

14 days is certainly better than daily. But, this actually raises another important question about Microsoft’s methodology when it comes to how WGA has been rolled out to end users. In a global test of pre-release software (which WGA is), are users unwittingly being forced into becoming Microsoft’s guinea pigs?
