All Microsoft Updates Phone Home

Posted by samzenpus
from the always-watching-you dept.
juct writes "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond."

  • What if. . . (Score:4, Insightful)

    by smooth wombat (796938) on Thursday March 08, 2007 @03:12PM (#18280192) Homepage Journal
    you don't go through Microsoft Updates but instead go to their Security Search and manually download each patch?

    Since you've never activated WGA, does that mean you're invisible to Microsoft?
    • Re: (Score:3, Insightful)

      by HateBreeder (656491)
      Some apps require "validating" your copy of Windows before installation.

      Windows Defender, for instance, comes as a local executable - but obviously, the WGA authentication is remote.

      Probably a non-issue anyway.
    • Re:No (Score:5, Informative)

      by asphaltjesus (978804) on Thursday March 08, 2007 @03:32PM (#18280426)
      My firewall detects the connections after doing manual installs. I know this because I've got production equipment we can't just let windows auto-update on. Based on my experience, WGA is just one of many apps/updates that phones home.

      Again, it's been this way for quite a while, and the information does not "perfectly" identify you, but each install has its own signature as far as I can tell so they can deduce who you are pretty quickly.

      Why do you care now as opposed to all of the other Microsoft's-evil-OS stories on /.?
      • It was a combination legitimate question as well as snarky question.

        Besides, since I'm on dial-up at home, whatever information is sent must take forever to get to them.
    • by hguorbray (967940) on Thursday March 08, 2007 @03:52PM (#18280682)
      Usually you will be forced to download WGA before you can get to other updates -and your new install of Windows XP or Vista will stop booting after about 45-60 days if it has not been validated online. Obviously there are OEM and corporate versions cracked versions which will install without online validation, but the requirement for WGA for software updates is probably still on.

      My hope is that all of these things make running pirated versions of Windows more difficult - particularly in the developing countries where internet connectivity is spotty such that OSS can gain in popularity and use. This could end up being a real win for Linux and other OSS.

      Cue stories of entire countries running off a single pirated copy of Windows and Office.....

      -I'm just sayin'
  • That's hardly surprising.
    Considering that most of these applications are installed via the windows-update site...
    I doubt you could even maintain a session without sending information back to the web-server.

    I say: nothing to see here, move along.

    • Nothing to see (Score:4, Insightful)

      by HomelessInLaJolla (1026842) * <lajollahomeless@hotmail.com> on Thursday March 08, 2007 @03:18PM (#18280256) Homepage Journal
      There really is nothing to see for those who are technically literate to the operation of modern systems. This sort of thing, however, should be included as a sticker on the front of all MS products as the majority of the population probably does not think about the consequences of callbacks. Most consumers, whom I've met, actively avoid products which obviously track their movements unless the product is highly desirable (e.g. cellular telephones). Making the reality of callbacks more popularly known would have a definite impact on the decisions which consumers make.
      • by Ash-Fox (726320)

        This sort of thing, however, should be included as a sticker on the front of all MS products as the majority of the population probably does not think about the consequences of callbacks.
        "Now sends information on failed/successful updates so we can improve upon our future updates."
      • Re:Nothing to see (Score:5, Insightful)

        by Mr2cents (323101) on Thursday March 08, 2007 @04:23PM (#18281156)
        First they say:

        With some updates such as the WGA Notification, the installer transmits data that Microsoft says it merely requires for quality control purposes and to improve the installer itself.
        and in the next paragraph:

        When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data,
        So when you are a legit user, they don't care about the quality of your software. They're only interested in the quality of pirated software.
    • by ditoa (952847)
      Agreed. While I dislike WGA it is hardly surprising they collect success/failure data. The blog post was detailed and answered several questions I had. However I wouldn't say no to an option to disable it calling home, they have enough command line parameters one more won't hurt :)
      • by Mateo_LeFou (859634) on Thursday March 08, 2007 @03:51PM (#18280674) Homepage
        TFA: "In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date"

        Kinda sad that we just assume letting vendors capture all this info is part of the game (i.e. necessary to make the update work right). Wrong. When I do "yum upgrade" -- as far as I know -- not a single piece of information about my system goes up the wire. Correct me if I'm wrong.
        • I don't know for sure, but I would expect that yum, at the very least, sends what base architecture and OS you are running, along with IP, etc. or that you can get that information based on what is requested. Not enough info to pick out one computer from a large install base, but enough to pick out most home users. Microsoft does collect a lot more, much of it they don't have any visible need to collect, but if you are getting your updates over the internet, you are already identified.
          • Re: (Score:3, Informative)

            by PitaBred (632671)
            The difference is that yum can only infer that from data you voluntarily send to them every time you query for updates. Yum says "Send me the package list for FC6 on the x86 architecture", and that's it. The server gets your IP address as a side effect, and your system version. That's a far cry from that list of crap that Microsoft gets, and never says they're sending. I'm really not comfortable with sending all that info, especially since they don't explicitly state that it's happening. What other inf
        • by mosel-saar-ruwer (732341) on Thursday March 08, 2007 @04:33PM (#18281322)

          "In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date"

          There are what - like a billion or so computers in the world running an M$FT operating system?

          And e.g. Windows 2000 is now up to something like 125 or 150 Critical Updates since SP4?

          And they're keeping track of all of that data?

          That's a database that would make the NSA green with envy.

          Can SQLServer handle a load like that?

          Or would you be looking at something specialized, like what National Cash Register built for Wal-Mart?

          • by un1xl0ser (575642)
            Now we know why it takes so long for patches to come out, they need to deploy cluster upon cluster of SQL servers every time they do so that they can handle the volume of phone-home data they get.
        • by HangingChad (677530) on Thursday March 08, 2007 @04:55PM (#18281602) Homepage

          Kinda sad that we just assume letting vendors capture all this info is part of the game

          It's a gradual process. Ever been stopped on the way out the door at Costco? You're basically proving to the door lackey that you're not stealing anything. Since when has proving you didn't steal anything between the check stand and the door become part of the game? Because people let them get away with it.

          Companies will keep doing whatever until customers push back. MSFT will keep being the invasive, WGA promoting rat bastards they can be until people extend their middle finger toward Redmond and learn a different operating system.

          The door lackey at Wal-Mart tried stopping me the other day and I refused to prove I didn't steal anything, especially considering she had just watched me walk away from the check stand. I told her that if she thought I stole something to call the cops and walked out.

          • Re: (Score:3, Funny)

            by veganboyjosh (896761)
            Ever been stopped on the way out the door at Costco? You're basically proving to the door lackey that you're not stealing anything.

            you mean...they're not checking to make sure i didn't get overcharged?
          • by Laur (673497)

            Ever been stopped on the way out the door at Costco? You're basically proving to the door lackey that you're not stealing anything. Since when has proving you didn't steal anything between the check stand and the door become part of the game?
            When you signed your membership agreement specifically allowing them to do that. You're right about stores like Wal-Mart and Fry's which don't require a membership, but Costco was a bad example.
          • by jZnat (793348) *
            Well, it works better than those damn electronic scanners. I can't begin to count how many false positives those things get; the employees of some stores just ignore the damn thing because it goes off so often.
    • The next change is Microsoft's privacy policy will allow them to view, copy, alter, or delete any and all data located on a computer running any Microsoft software.

      I just wonder why Windows doesn't just phone home the entire contents of the user's drive... and then realize that the only reason that hasn't happened yet, is because storage of this data would be expensive for Microsoft.
      • by Abreu (173023)
        The next change is Microsoft's privacy policy will allow them to view, copy, alter, or delete any and all data located on a computer running any Microsoft software.

        Ok, I'll bite: Do you have any hard proof to these allegations?

        I really think there's a big difference between "tracking down users" for marketing purposes, or to track down cracked software users... That kind of thing will be mostly transparent to a non-knowledgeable user. ...but if Windows update starts deleting mp3 collections, 3rd party apps
        • by jacksonj04 (800021) <nick@nickjackson.me> on Thursday March 08, 2007 @05:51PM (#18282502) Homepage
          They're not even tracking down individual users for marketing purposes.

          How many slashdotters look at their website logs to see how many people visit and what they use to do so? I'm willing to bet a huge amount of people do, and they're the same people who bitch about MS updates phoning home. To complete HTTP requests you don't *need* anything more than the actual request and an IP address, yet somehow the logs include things like browser versions, screen resolutions and operating systems. You don't complain about those.

          Aggregate data is needed to gauge how a product is being used in order to improve it, be it your website, software, a car, a lawnmower or something else. When MS start actively using personally identifiable information to personally target things then I'll worry, but until that day I have no problems with them knowing that 82% of their user base has installed security patch XYZ.
    • Re: (Score:2, Flamebait)

      by rucs_hack (784150)
      And what exactly can Microsoft do with tens of millions of Windows installs calling home constantly?

      Such a volume of information almost automatically prohibits targeting individuals, no strategy to target individuals could work. The most that could be hoped for is statistics from which new strategies to combat piracy could be developed.

      I think people take an egocentric view of this and don't like to see that theirs is just an insignificant particle of data in an ocean of information.
      • Re: (Score:3, Insightful)

        by zmollusc (763634)
        Well, there is probably only a few k of data per machine, so you could easily maintain a database of all the copies of windows phoning home. It would just take a few computers, some bespoke software and a fair bit of cash. You could work out what to do with the data later, maybe a targeted "you have been using this pirated os for yonks, give us fifty bucks or we will sue your ass, here are some of the data we will be showing the judge.." mailshot? It would cost pennies to send out, but rake in $$$.
        Hey! May
    • by Jah-Wren Ryel (80510) on Thursday March 08, 2007 @03:39PM (#18280514)

      That's hardly surprising.
      Considering that most of these applications are installed via the windows-update site...
      I doubt you could even maintain a session without sending information back to the web-server.

      Yeah totally, because:
      • Computer make and model
      • Version information for all installed Microsoft software
      • Plug&Play ID numbers of hardware devices
      • Globally Unique Identifier (GUID)
      • BIOS name, revision number, and revision date
      are all necessary to download a single specific update not to mention maintain a session to the web-server.
      • by Lothsahn (221388) <Lothsahn@@@SPAM_ ... u_bastardsyahocm> on Thursday March 08, 2007 @03:57PM (#18280742)
        I'll bite:
        Computer make and model -- needed for drivers for specific manufacturers and models. Do you really want to apply a HP patch on a Dell system?

        Version information for all installed Microsoft software -- Needed to calculate whether or not updates are needed for Windows Media player, etc. Remember, Windows update does more than just Windows--it also updates all included bundled software with Windows.

        Note: Sending information about non-bundled software is needed for Microsoft Update, but not Windows Update. Perhaps lazy coding there--wouldn't YOU want to share the hardware/software detection code for both update utilities?

        Plug&Play ID numbers of hardware devices -- Well, it does update hardware drivers...

        Globally Unique Identifier (GUID) -- This seems completely unnecessary.

        BIOS name, revision number, and revision date -- I'm not sure, but I believe they may also provide manufacturer-supplied BIOS updates for some manufacturers.

        I'm no huge fan of Microsoft, and I'm not saying Microsoft isn't misusing the information, but in 4 out of 5 cases this seems necessary for the service they are providing. Remember, Windows Update updates drivers, hardware, and bundled software too. Microsoft Update services Microsoft software as well.
        • by ValentineMSmith (670074) on Thursday March 08, 2007 @04:10PM (#18280944)
          Um, no. None of this needs to be sent back to Microsoft to determine which updates need to be downloaded. The local Windows Update control should download a list of all available patches, make the comparisons locally, and then download only the needed patches. They have no need to know what my computer make, model, shoe (and/or bra) size is. Which is one of the reasons that this is being written on a brand spanking new MacBook Pro
          • Re: (Score:3, Insightful)

            by W2k (540424)
            You realize that the complete list of patches and optional downloads, for all supported versions of all supported products, is likely to be freaking huge? You wouldn't want it downloading that every time you run Windows Update - especially not dial-up users.
            • Re: (Score:3, Insightful)

              Define "freakin' huge". Depending on how they wished to encode it, I'd put a guess in at a document around 150-200k or so. I'll go so far as to say 500k tops. That may be an extra 10 seconds on my DSL line. Compared how long it took that stinkin' ActiveX control to initialize in IE, even an extra minute or two would get lost in the underflow.
              • by W2k (540424)
                I could easily imagine it as being in the range of tens of megabytes. You know how many different versions of Windows there are, right? Add to that SQL Server, Office, Visual Studio and lots of other software which Microsoft Update handles. Add to that all the hardware components (likely tens of thousands) that MU carries updates for. Unfortunately, I don't have any hard numbers to back this up.

                I also don't see what the big deal is. Microsoft is getting some information about the hardware and software co
                • I did some quick browsing through Microsoft's web site, but unfortunately, they seem to have some... issues with my non-use of IE. :) Anyway, if I'm not too mistaken, there are only two (or at the most three) major versions of windows that are supported. Vista and XP are supported, and I vaguely remember that 2K has been sunsetted already. So, if we consider 2K, there are three major versions of Windows to support. For SQL server, there is SQL Server 2K and 2K5. Same with Exchange Server.

                  The questio
                  • Anyway, if I'm not too mistaken, there are only two (or at the most three) major versions of windows that are supported.

                    Sorry, missed a few... Windows 2003 Server... Windows CE... Longhorn... the twenty seven flavours [penny-arcade.com] of Vista... the 64-bit versions of all of the above (x86 as well as the unobtanium)... etc... All of which probably have less binary compatibility than you seem to believe.

                    • by Jhon (241832) *
                      What was also missed are the various LANGUAGES those packages come in. So multiply that by about 50 or 100 each...
                • Re: (Score:3, Insightful)

                  by PitaBred (632671)
                  So send them "I'm running WindowsXP, SP2 (or later)" and get the list of drivers, etc. for just that sub-version, and then all applications. I mean, I do an update for my Ubuntu system, and that has MANY more packages than Microsoft even ships. And it still goes pretty quickly. There's no need to send them all kinds of info about your system unless something fails, and you click "Yes, of my own free will, I'll help this giant corporation that treats me like a criminal fix their buggy software for no reco
            • Yum and Apt both handle this very well. It's just a matter of design. All your computer needs to know is which packages (downloads) it has, and then request current version numbers for these packages from the update server. If the update server has a new version - download it. It does put a bit more load on your local system, and it requires a log of current versions saved, but the difference is negligible.
              • Yum and apt maintain versions for packages, not specific patches for specific bugs and specific hardware.

                Big Difference.
            • by QRDeNameland (873957) on Thursday March 08, 2007 @04:39PM (#18281338)

              You realize that the complete list of patches and optional downloads, for all supported versions of all supported products, is likely to be freaking huge? You wouldn't want it downloading that every time you run Windows Update - especially not dial-up users.

              I seem to remember Windows Update in Win2000 prominently displayed a message: "Checking your computer for installed updates...this is done without sending any information to Microsoft." And it only downloaded the updates I needed, not every one for every supported product.

              Did something fundamental change as to why that system can't work anymore?

              • Re: (Score:3, Informative)

                by W2k (540424)
                Apparently. That message is not there anymore. Instead, Microsoft Update displays this:

                Concerned about privacy? When you check for updates, basic information about your computer, not you, is used to determine which updates your programs need. To learn more, see our privacy statement [microsoft.com].
                Surprisingly, the linked statement is not written in lawyerspeak.
          • Re: (Score:3, Interesting)

            by trianglman (1024223)
            What would be the difference? If you are downloading updates for a driver, one could reasonably infer that you have the hardware for that driver. It's just whether they are being told you have a piece of hardware or whether you can make a reasonable, educated guess, they are going to get the same results either way.
            • True. But, generally, having an individual piece of hardware is nowhere near as personally identifiable as a combination of machine make, model, GUID and so forth. Anyway, you're missing the point. I was merely refuting parent's comment that this information was required for the service, and it isn't.
        • Re: (Score:3, Interesting)

          by drinkypoo (153816)

          Computer make and model -- needed for drivers for specific manufacturers and models. Do you really want to apply a HP patch on a Dell system?

          Mu.

          HP and Dell don't do their own driver patches. They do roll up other people's drivers in their own packages, but they simply use the drivers of others.

          There ARE non-driver patches for both, but they're related to special, custom software. For example HP has their own version of the software that goes with the Infineon TPM chip inside this HPQ laptop. But Microsof

        • by hurfy (735314)
          Umm, isn't that EXACTLY what the activeX control says it is doing WITHOUT sending any 'personally identifiable data' so it knows which updates to show ?!?

          I take 'personally identifiable data' is still able to identify my machine, my ISP, my IP, my location, my programs, my browser, etc. but it doesn't know my name. Not altogether sure my name is actually in the computer for it to get in fact.

          So, I guess it doesn't send any data back but each update you download using it will...pretty sleazy definitions :(
          • by rfunches (800928)

            The only personally identifiable info I can think of inside the Windows installation is if you were prompted to enter during Windows setup or later changed the name and organization fields that appear on the System properties panel (WinKey+Break). I know that some OEMs preset these fields -- IBM sets them to IBM CUSTOMER -- so I don't see why MS would waste time having that data transmitted other than to tick off /.ers, privacy advocates and the EFF. If you've registered your copy of Windows though (and who

        • by mackyrae (999347)

          I'll bite:
          Computer make and model -- needed for drivers for specific manufacturers and models. Do you really want to apply a HP patch on a Dell system?
          Plug&Play ID numbers of hardware devices -- Well, it does update hardware drivers...

          Why? If your computer's working just dandy, why change the drivers? Last time I did a driver update through the MS Update thing, I ended up with 8-bit color and a 640x480 resolution on an nVidia card (not some relic from the 80s). Update, my ass! That's a downgrade! I don't trust their driver updates. They just break stuff. And hey, if it ain't broke, don't "fix" it!

          BIOS name, revision number, and revision date -- I'm not sure, but I believe they may also provide manufacturer-supplied BIOS updates for some manufacturers.

          Not that I've ever seen. If I recall correctly, BIOS updates are generally done from boot floppies.

          Remember, Windows Update updates drivers, hardware, and bundled software too. Microsoft Update services Microsoft software as well.

          They update your hardware? I

          • The last few BIOS updates I've done have been from windows-based flashing utilities. I think most of them are moving towards that because it's become easier and you don't have to make the user go out and buy a floppy drive for their computer that didn't come with one.
        • Another way Windows update could work is the computer can give the last version of the windows update file it has. The server will then send over a file with all available updates to the computer. The computer will then use information in this file to request individual updates from the server.

          Basically like how most Linux distributions handle things. :-)
  • by blakmac (987934) <blakmac@gmail.com> on Thursday March 08, 2007 @03:18PM (#18280252) Homepage
    "When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users." ...so we are expected to believe (by this wording) that they WILL keep the information relating to illegal installations, but not use it to identify the person using it. Why does that sound like a lie?
    • Re: (Score:3, Informative)

      by AJWM (19027)
      Well, see, they don't use the illegal IDs and product keys "to identify or contact users". But they do also grab the IP number that those came from. Now, they may not use that IP info either, but if a list of IP numbers and illegal product tags were to be passed along to, oh, say, the BSA (Business Software Alliance, not the Boy Scouts of America, aka the enforcers), and the BSA were to ask ISPs for a name and address corresponding to that IP...

      So Microsoft isn't using that info (and certainly not that sp
  • by Arceliar (895609) on Thursday March 08, 2007 @03:22PM (#18280306)
    *In his best E.T. voice*
    P.C. Phone Home

    *ahem* I mean.. uhh.. I can understand wanting some information about the machines running one's software, as it helps understand the market and improve upon current design. But SOME of this information seems a bit excessive. Unless one plans to start banning specific pieces of hardware, but that's just evil.
    • Re: (Score:2, Insightful)

      by punxking (721508)
      I can understand wanting some information about the machines running one's software, as it helps understand the market and improve upon current design.

      Agreed, but they could tell users they are collecting up front, or even *gasp* ask for it first!
    • Re: (Score:2, Insightful)

      by dannannan (470647)
      Without telling Windows Update which software and hardware you have, and which patches you have installed in the past, your only option would be to download every patch for every application and device ever released. This would quickly become unworkable.

      D
      • You would not have to download every patch. Patches could have separate metadata saying "Only install if a device with such and such device is installed" (and similarly for other stuff). The client software could then decide whether to download the full patch based on metadata. Yes, one would have to download all the metadata, but at, say, ~1k bytes per update that would not be prohibitive at all.
      • Without telling Windows Update which software and hardware you have, and which patches you have installed in the past, your only option would be to download every patch for every application and device ever released. This would quickly become unworkable.

        As I posted upthread, Windows Update in Win2000 prominently displayed a message: "Checking your computer for installed updates...this is done without sending any information to Microsoft." And it only downloaded the updates I needed, not every one for eve

      • by jZnat (793348) *
        Or you could download a list of all the latest updates available for download, do the check locally, then fetch only the patches you need...

        Hmm, seems logical.
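
The client-side design proposed in this sub-thread (download the update metadata, evaluate it locally, fetch only the patches that match), as an added Python sketch that is not from the article, Microsoft, or any commenter. The catalog schema, patch IDs, hardware IDs and inventory values are all constructed for illustration; the sketch also shows what a server could still infer from the download requests alone.

```python
"""Local applicability check against a downloaded update catalog.

Everything here is constructed for illustration: the catalog schema,
patch IDs, hardware IDs and inventory values are hypothetical.
"""

# Constructed catalog: metadata only, served identically to every client.
CATALOG = [
    {"id": "PATCH-001", "requires": {"os": "xp-sp2"}},
    {"id": "PATCH-002", "requires": {"os": "xp-sp2", "software": "mediaplayer"},
     "max_version": (10, 0)},
    {"id": "PATCH-003", "requires": {"os": "xp-sp2",
                                     "pnp_id": "PCI\\VEN_AAAA&DEV_0001"}},
    {"id": "PATCH-004", "requires": {"os": "xp-sp2",
                                     "pnp_id": "PCI\\VEN_BBBB&DEV_0002"}},
    {"id": "PATCH-005", "requires": {"os": "vista"}},
]

# Constructed local inventory, using the kinds of fields the article lists.
INVENTORY = {
    "os": "xp-sp2",
    "make_model": "ExampleCorp Desktop 100",
    "guid": "00000000-0000-0000-0000-000000000000",
    "product_key": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",
    "bios": "ExampleBIOS 1.0 2006-01-01",
    "software": {"mediaplayer": (9, 0)},
    "pnp_ids": {"PCI\\VEN_AAAA&DEV_0001"},
    "installed": {"PATCH-001"},
}

# Which inventory field each catalog requirement key is evaluated against.
REQ_TO_INV = {"os": "os", "software": "software", "pnp_id": "pnp_ids"}


def applies(entry, inv):
    """Decide locally whether one catalog entry is needed on this machine."""
    req = entry["requires"]
    if entry["id"] in inv["installed"]:
        return False
    if req.get("os") != inv["os"]:
        return False
    sw = req.get("software")
    if sw is not None:
        have = inv["software"].get(sw)
        # Patch targets versions up to max_version; newer installs skip it.
        if have is None or have > entry.get("max_version", have):
            return False
    pnp = req.get("pnp_id")
    if pnp is not None and pnp not in inv["pnp_ids"]:
        return False
    return True


def needed_updates(catalog, inv):
    """IDs of the patches the client would go on to request."""
    return [e["id"] for e in catalog if applies(e, inv)]


def server_view_upload(inv):
    """Inventory-upload design: the server receives every inventory field."""
    return sorted(inv)


def server_view_pull(catalog, inv):
    """Catalog-pull design: the server sees only which patches were fetched,
    and can read the requirements of those patches back out of its catalog."""
    requested = needed_updates(catalog, inv)
    by_id = {e["id"]: e for e in catalog}
    inferred = {}
    for pid in requested:
        for key, value in by_id[pid]["requires"].items():
            inferred.setdefault(key, set()).add(value)
    return {"requested": requested, "inferred": inferred}


def withheld_fields(catalog, inv):
    """Inventory fields that are neither sent nor derivable from the
    requested patch IDs in the catalog-pull design."""
    inferred = server_view_pull(catalog, inv)["inferred"]
    disclosed = {REQ_TO_INV[k] for k in inferred}
    return sorted(set(inv) - disclosed)


if __name__ == "__main__":
    print("requested:", needed_updates(CATALOG, INVENTORY))
    print("server can infer:", server_view_pull(CATALOG, INVENTORY)["inferred"])
    print("never leaves the machine:", withheld_fields(CATALOG, INVENTORY))
```

In this sketch the OS version, the affected software and the matching hardware ID are still inferable from the two download requests, while the GUID, product key, BIOS string and make/model are not.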
    • Re: (Score:3, Insightful)

      by Rob the Bold (788862)

      I can understand wanting some information about the machines running one's software, as it helps understand the market and improve upon current design.

      True. They want the information. Maybe even for a reasonable purpose. So what's wrong with asking for it? I want 100 Billion Dollars. But if I just take it without asking, it makes people upset. I have a good reason: it would make me happy. It takes more than just a "want" to justify taking something, even for corporations.

      But SOME of this informatio

    • Re: (Score:2, Interesting)

      by deep_creek (1001191)
      "But SOME of this information seems a bit excessive. Unless one plans to start banning specific pieces of hardware, but that's just evil."

      I have a few friends that play in the stock market and have said for a long time that they bet Bill uses this information to buy/sell stocks and $$$. Think of the unbelievable wealth of information. Which hardware/software/etc... are folks buying and what are they not buying? etc... etc...

  • by swschrad (312009) on Thursday March 08, 2007 @03:26PM (#18280370) Homepage Journal
    software vendors are firmly locked into the attitude that you, LICENSOR, have no rights other than to buy new stuff when we drop support for the old stuff and design the new stuff to only superficially work with the old stuff.

    like, for instance, all of the "cool features" use new runtimes and new features, and none of it is backwards compatible.

    so is anybody really surprised here? if the user hash code field they recover is all over the warez circuit, no matter what the EULA says, someday the number of hits on you is going to run over some trigger number in update. at that point, you will run into a block.

    had to reinstall windows ME legally on a machine last weekend. got all the critical updates pulled off on IE, and from that point on, update kept returning "thank you, you have a Mac, you can't update here." everything worked fine the next day, and I got the rest of the criticals done.

    I can only assume they have all sorts of wonderful blocks and trigger numbers over there, and since they own the software and you own only a cancelled check, it's just tough damn luck.
    • you re-installed Windows ME? on what, your enemy's computer?
      • it's in interim use... 800 MHz athlon whitebox machine, 768k, 30 Gb HDA. you don't put anything up to date on a boatanchor like that, especially since anything up to date will eat the whole machine up before you try and start a single app.

        died from windows rot, so it needed a refresh.
        • Sounds like a decent candidate for linux to me...

          (heck, I've got webservers with less horsepower than that)
          • Ubuntu Edgy works very well on a 750MHz Athlon. I use one with 640mb ram occasionally. It even runs Windows XP inside VMWare Server usably.

            Don't bother installing a modern Linux on a machine <500MHz, though. I've tried it many times as recently as November (a few weeks after Edgy was released) on a few PIII 450MHz machines with 384mb-512mb ram (Dell Optiplex GX-1). It's barely usable.
  • by Tackhead (54550) on Thursday March 08, 2007 @03:28PM (#18280384)
    From the blog [msdn.com]:
    > By learning at what point in the install process some users decide to abandon, we can put more effort into the right places in the installation wizard. Remember our goal with the wizard is to give more information so customers will be better informed. We heard from customers that they wanted more information about what the software was and how it worked so we created the install wizard to provide that greater context. Knowing this kind of information about the install wizard installations is critical for us to continue to improve the customer experience of WGA. If we are not hitting that mark, we can use this method to improve.

    By learning at what point in the install process some users decide to say "Fuck this, I didn't sign up for this!", we can put more effort into the right places in the installation wizard. Remember our goal with the wizard is to obfuscate and misdirect so customers will either not know how we're spying on them, or for those who figure it out, at least they won't be able to sue us over it. We heard from customers that they wanted to know what else we're doing behind their backs so we created the install wizard to provide us with plausible deniability. Knowing this kind of information about the install wizard installations is critical for us to continue to propagate the viral meme of WGA and other notions, like software as a service, and ultimately the notion of an operating system as a subscription-based service, like we're doing with the Windows Vista self-destruct sequence. If we are not hitting that mark, we can use this method to slowly increase the amount of DRM we've crammed up your ass until you look like the Goatse Guy, and if we do it slowly enough, you'll not only pay us, you'll thank us for the privilege!

  • EULA (Score:5, Interesting)

    by Zapraki (737378) on Thursday March 08, 2007 @03:37PM (#18280492)
    Like the article says:

    "In the Privacy Statement [microsoft.com] of Windows Update Microsoft grants itself fairly far-reaching rights... By way of justifying Microsoft's approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information."

    So I guess it might be a bit sneaky, but it has all been covered by WGA disclosures.

    An example of the XML returned when a user cancels an installation is available here [msdn.com], "just to allay any fears that Microsoft is using any personal information".

    So ya, I don't think this is a huge deal, nor particularly unexpected.

  • Pirates? (Score:3, Interesting)

    by Sean0michael (923458) on Thursday March 08, 2007 @03:43PM (#18280566)
    From the article:

    When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users.

    Seeing that Microsoft has done very poorly in correctly determining which installations of Windows are legitimate, how competently can they track legal software?

  • This kind of thing is much less of a concern after removing Windows' network drivers, unplugging the network cable, and configuring the router to lock the MAC address out of the internet completely.

    Unfortunately, I've gotten myself into a bit of online gaming lately, so I can't do any of that any more.

  • NO PROBLEM (Score:3, Funny)

    by AnalogDiehard (199128) on Thursday March 08, 2007 @03:53PM (#18280696)
    When I installed Windows I used PENFOLD JACKSON when it asked for my name.

    I doubt M$ will want to retain THAT information...

  • by blindd0t (855876) on Thursday March 08, 2007 @04:03PM (#18280836)
    For example, if you are using the Visual Studio 2005 IDE and use the integrated access to the online MSDN documentation, you can copy the URL from the address bar in VS2005 and paste it into firefox. What you'll find, in many cases, is Firefox asking you if you would like to download "HiddenCheck.exe". Though I have not seen this for some time now, I have recently found that there are a few pages in the online MSDN docs that load fine with IE, yet say the "Resource is not available" in Firefox. Of course, while I'm sort-of whining a little, I may as well go on to complain about how several of the MSDN pages only render properly in IE. :-( I can't trust them enough to use their own browser without feeling like I'm being watched, and I can't use an alternative browser in an attempt to try to protect my privacy. Granted, I'm not doing anything wrong, but that feeling of always being watched is enough to make anybody feel uneasy.
  • The bandwidth costs must be huge.
  • by stevedcc (1000313) * on Thursday March 08, 2007 @04:10PM (#18280938)
    So, I live in the EU. We have rather stronger laws regarding companies holding information on people than you Americans do. I object to this information being collected on me. Whilst I can't stop them collecting it, I CAN force Microsoft to reveal all information they hold about me, after I pay an admin fee of around £10 and it'll cost them far more than that to provide it. One person is nothing, but if a whole bunch of irate people were to start asking for this information - MS would be very unhappy. Now if only EFF Europe or some other organisation would organise a pro-forma, and encourage a mass "ask MS to reveal what they hold on you" - as many people as possible in as small a window as possible. Guerrilla consumerism is great fun!
    • Re: (Score:2, Informative)

      by rzei (622725)

      Why would you have to pay at all?

      At least in Finland, I can walk to every place that I suspect might have records on me and ask to be given those records, and the company or whatever, even the police, have to comply. AFAIK you can also ask the data to be deleted.

      Also, AFAIK according to Finnish law Microsoft (which does have a company in Finland too) should have in the open a document (or upon request) that specifies what information is being collected into their registers.

      Too bad I don't use Windo

      • Re: (Score:2, Interesting)

        by stevedcc (1000313) *

        Heh, "common sense that companies can't keep what ever records they want - secretly at least."

        It may seem common sense to you and me, but that's not how US citizens have it. And yes, we can ask for information to be deleted, but only if it's inaccurate. In the UK, we have to pay a small fee to cover some of the company's admin costs in getting the information and to act as a deterrent against people using this kind of thing for bullying tactics. Of course, since it's so much hassle for the company, y

  • Use Windiz Update [windizupdate.com]!
    • The article states that the patches themselves are calling home!

      Avoiding WGA and WU doesn't stop MS from getting a jingle.
      • by Runefox (905204)
        Yes, I actually remembered that after posting. Still, Windiz at least avoids phoning home quite so often, and will work on virtually any copy of Windows that you can still get updates for, so long as you're using an alternative browser.
  • by trianglman (1024223) on Thursday March 08, 2007 @04:42PM (#18281382) Journal

    From the WGA Blog [msdn.com]

    • Source ID (which product is requesting an update) - necessary to get the right patches
    • Event Code - Not sure what sort of events this is tracking, curious, but not necessarily evil
    • Version - I assume this means version of the updater, but could mean version of the base software, either way see #1
    • Hash of the event - good security check
    • Custom Data - completely unexplained, this is what worries me the most in the list
    • Return Code - ok from a usability standpoint (most websites track when users leave, so I put this in the same class as that)
    • Part of a domain? - no reason for this to be sent, as far as I can see
    • Partial binary product key - piracy reasons? Can't think of any other good reason for this
    • WPA hash - also unexplained, but probably related to the above
    • OS version - see #1
    • User locale ID (language) - reasonable if they are presenting nationalized dialogs, removes a prompt from the user
    • System locale ID (computer default language) - don't see much of a reason for this except as a backup for the first, odd
    • Diagnostic code - reasonable for debugging
    • Client Id - i.e. GUID - why do they get this if they aren't using it for user tracking?
    • HD volume serial - no reason for this, except user identification
    • Computer security hash - see above
    Other than those last identifiers, most of the information I see requested makes sense.
  • Simple solution (Score:3, Informative)

    by G00F (241765) on Thursday March 08, 2007 @05:33PM (#18282220) Homepage
    Here is the fix,

    on a *Nix box, say maybe the DNS server
    vi /etc/hosts
    127.0.0.3 genuine.microsoft.com

    For windows
    edit c:\windows\system32\drivers\etc\hosts
    0.0.0.0 genuine.microsoft.com
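
An added example, not part of the post above and not Microsoft or project code: a Python check that a hosts file really null-routes the names you intend, using the two entries from the post. Hosts files match exact names only (no wildcards), so each hostname has to be listed; the sample file, the `example.test` names and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two entries from the post plus lines a real file might hold.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
127.0.0.3    genuine.microsoft.com     # entry from the post (*nix)
0.0.0.0      Genuine.Microsoft.com     # entry from the post (Windows)
#0.0.0.0     update.example.test       # commented out: has no effect
203.0.113.9  mirror.example.test       # real address: not a block
"""


def parse_hosts(text):
    """Return {hostname: [addresses in file order]}, skipping comments and junk."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: ignore the line
        for name in fields[1:]:               # one line may carry several aliases
            key = name.lower().rstrip(".")    # hostnames are case-insensitive
            table.setdefault(key, []).append(addr)
    return table


def is_sinkholed(table, hostname):
    """True if the first entry for hostname is loopback or 0.0.0.0.

    Assumption of this sketch: the first matching line is the effective one.
    """
    addrs = table.get(hostname.lower().rstrip("."))
    if not addrs:
        return False                          # no entry: normal DNS is used
    return addrs[0].is_loopback or addrs[0].is_unspecified


def unblocked(table, wanted):
    """Names from `wanted` that would still resolve normally."""
    return [h for h in wanted if not is_sinkholed(table, h)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(unblocked(hosts, ["genuine.microsoft.com", "www.genuine.microsoft.com"]))
```

A hosts entry only affects lookups made by the machine that reads that file, so running the check on each client shows which names are actually covered there.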
  • Microsoft is directly identifying your MACHINE, if not YOU personally.

    But we don't know that they aren't identifying YOU personally. Maybe they are, depending on what other data mining they are doing internally. The point is, we do not KNOW.

    Maybe they don't care to identify you personally UNTIL they want to at some point in the future - maybe to sell your machine info to the RIAA in the event that your DRM use is suspect.

    Maybe they don't care to identify you personally but are intent on TAGGING your machine
