Follow Slashdot stories on Twitter


Forgot your password?
Microsoft Security IT Your Rights Online

All Microsoft Updates Phone Home 233

juct writes "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond."
This discussion has been archived. No new comments can be posted.

All Microsoft Updates Phone Home

Comments Filter:
  • EULA (Score:5, Interesting)

    by Zapraki ( 737378 ) on Thursday March 08, 2007 @04:37PM (#18280492)
    Like the article says:

    "In the Privacy Statement [] of Windows Update Microsoft grants itself fairly far-reaching rights... By way of justifying Microsoft's approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information."

    So I guess it might be a bit sneaky, but it has all been covered by WGA disclosures.

    An example of the XML returned when a user cancels an installation is available here [], "just to allay any fears that Microsoft is using any personal information".

    So ya, I don't think this is a huge deal, nor particularly unexpected.

  • by Jah-Wren Ryel ( 80510 ) on Thursday March 08, 2007 @04:39PM (#18280514)

    That's hardly surprising.
    Considering that most of these applications are installed via the windows-update site...
    I doubt you could even maintain a session without sending information back to the web-server.

    Yeah totally, because:
    • Computer make and model
    • Version information for all installed Microsoft software
    • Plug&Play ID numbers of hardware devices
    • Globally Unique Identifier (GUID)
    • BIOS name, revision number, and revision date
    are all necessary to download a single specific update not to mention maintain a session to the web-server.
  • Pirates? (Score:3, Interesting)

    by Sean0michael ( 923458 ) on Thursday March 08, 2007 @04:43PM (#18280566)
    From the article:

    When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users.

    Seeing that Microsoft has done very poorly in correctly determining which installations of Windows are legitimate, how competently can they track legal software?

  • by hguorbray ( 967940 ) on Thursday March 08, 2007 @04:52PM (#18280682)
    Usually you will be forced to download WGA before you can get to other updates -and your new install of Windows XP or Vista will stop booting after about 45-60 days if it has not been validated online. Obviously there are OEM and corporate versions cracked versions which will install without online validation, but the requirement for WGA for software updates is probably still on.

    My hope is that is all of these things make running pirated versions of Windows more difficult -particularly in the developing countries where internet connectivity is spotty such that OSS can gain in popularity and use. This could end up being a real win for Linux and other OSS.

    cue stories of entire countries running off a single pirated copies of Windows and Office.....

    -I'm just sayin'
  • by deep_creek ( 1001191 ) on Thursday March 08, 2007 @04:56PM (#18280730)
    "But SOME of this information seems a bit excessive. Unless one plans to start banning specific pieces of hardware, but that's just evil."

    I have a few friends that play in the stock market and have said for a long time that they bet Bill uses this information to buy/sell stocks and $$$. Think of the unbelievable wealth of information. Which hardware/software/etc... are folks buying and what are they not buying? etc... etc...

  • by blindd0t ( 855876 ) on Thursday March 08, 2007 @05:03PM (#18280836)
    For example, if you are using the Visual Studio 2005 IDE and use the integrated access to the online MSDN documentation, you can copy the URL from the address bar in VS2005 and paste it into firefox. What you'll find, in many cases, is Firefox asking you if you would like to download "HiddenCheck.exe". Though I have not seen this for some time now, I have recently found that there are a few pages in the online MSDN docs that load fine with IE, yet say the "Resource is not available" in Firefox. Of course, while I'm sort-of whining a little, I may as well go on to complain about how several of the MSDN pages only render properly in IE. :-( I can't trust them enough to use their own browser without feeling like I'm being watched, and I can't use an alternative browser in an attempt to try to protect my privacy. Granted, I'm not doing anything wrong, but that feeling of always being watched is enough to make anybody feel uneasy.
  • by stevedcc ( 1000313 ) * on Thursday March 08, 2007 @05:10PM (#18280938)
    So, I live in the EU. We have rather stronger laws regarding companies holding information on people than you Americans do. I object to this information being collected on me. Whilst I can't stop them collecting it, I CAN force Microsoft to reveal all information they hold about me, after I pay an admin fee of around £10 and it'll cost them far more than that to provide it. One person is nothing, but if a whole bunch of irate people were to start asking for this information - MS would be very unhappy. Now if only EFF Europe or some other organisation would organise a pro-forma, and encourage a mass "ask MS to reveal what they hold on you" - as many people as possible in as small a window as possible. Geurilla consumerism is great fun!
  • by trianglman ( 1024223 ) on Thursday March 08, 2007 @05:19PM (#18281080) Journal
    What would be the difference? If you are downloading updates for a driver, one could reasonable infer that you have the hardware for that driver. Its just whether they are being told you have a piece of hardware or whether you can make a reasonable, educated guess, they are going to get the same results either way.
  • by drinkypoo ( 153816 ) <> on Thursday March 08, 2007 @05:27PM (#18281220) Homepage Journal

    Computer make and model -- needed for drivers for specific manufacturers and models. Do you really want to apply a HP patch on a Dell system?


    HP and Dell don't do their own driver patches. They do roll up other people's drivers in their own packages, but they simply use the drivers of others.

    There ARE non-driver patches for both, but they're related to special, custom software. For example HP has their own version of the software that goes with the Infineon TPM chip inside this HPQ laptop. But Microsoft isn't going to be delivering those patches to you.

    Absolutely the only thing they need to provide updates are device and vendor IDs. For ISA and PCI cards that's provided by PnP. For USB devices, it's part of the initial conversation with the host, as well as for bluetooth. I don't know precisely what PCI-E does, but it's probably the same old PCI/PnP-style vendor and type.

    Note: Sending information about non-bundled software is needed for Microsoft Update, but not Windows Update. Perhaps lazy coding there--wouldn't YOU want to share the hardware/software detection code for both update utilities?

    The code is probably already able to distinguish between OS information and everything-else information. This can only be a deliberate decision. Wouldn't you want to retrieve as little data as possible to minimize the effects of bad network links and to avoid having unnecessary data complicating your life? Of course you would. Unless you wanted that data...

    BIOS name, revision number, and revision date -- I'm not sure, but I believe they may also provide manufacturer-supplied BIOS updates for some manufacturers.

    I've never seen one. I think they did deliver me a video bios update once though. Anyone know this for sure?

  • by Raistlin77 ( 754120 ) on Thursday March 08, 2007 @05:55PM (#18281604)
    Don't get me wrong, I think it's a great idea. However, you'd be hard pressed to find any major software company that would willingly put such a label on their products. People definitely need guidance to stay focused on the important things, but it seems that the only play in most large American corporations' playbooks is the Kansas City Shuffle [].
  • by stevedcc ( 1000313 ) * on Thursday March 08, 2007 @08:04PM (#18283430)

    Heh, "common sense that companies can't keep what ever records they want - secretly at least."

    It may seem common sense to you and me, but that's not how US citizens have it. And yes, we can ask for information to be deleted, but only if it's inaccurate. In the UK, we have to pay a small fee to cover some of the company's admin costs in getting the information and to act as a deterrent against people using this kind of thing for bullying tactics. Of course, since it's so much hassle for the company, you still can use it to bully; I did this to my bank once:

    Me: I'd like 3 duplicate bank statements please, for these months...

    Bank: That'll be £15 please

    Me: What's your fee for a data protection act request? can't I get access to all information you hold on me?

    Bank: £10

    Me: I may as well get all the information you have then, if that's cheaper

    Bank: That's all right sir, we'll do the statements for free

    Wasn't that nice of them :)

  • by Anonymous Coward on Thursday March 08, 2007 @08:26PM (#18283624)
    > I CAN force Microsoft to reveal all information they hold about me

    Here's a link to Microsoft UK's data protection registration information, for the curious: DoSearch.asp?reg=3273345 []

    However, if you paid your £10 and asked, he answer would probably be "nothing". The definition of "personal data" in the Data Protection Act (which you can read online at [] - do have a look, it's not too hard to decipher; all EU states have essentially equivalent legislation) is

      "personal data" means data which relate to a living individual who can be identified-
          (a) from those data, or
          (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

    I think they would claim that they cannot identify you from the information that they record. Any thoughts?

"Never face facts; if you do, you'll never get up in the morning." -- Marlo Thomas