Windows genuine disadvantage

A step too far?

Combat fraud and increase customer satisfaction

As originally instituted in April, 2004, the WGA program was a way for you to scan you own PC and determine whether your copy of the Windows OS was appropriately licensed. The software was listed as an "update" - and a high priority update at that, when you went to download and install security updates. So you would think that this was a high priority update to help you to secure your own computer. But no. What it was, in fact, was a program that you would install on your computer that would collect information for the benefit of Microsoft. Indeed, assuming that the pirated software was genuine pirated software (that is, not a Trojan horse program) then by installing the program you actually became less secure.

A few observations are in order. Out of the box, with no updates, service packs, or patches, the Microsoft OS of your choice is buggy and has obvious security vulnerabilities. Indeed, if you buy a new PC, fully licensed out of the box, once you connect to the internet, it can take as long as several hours for you to download and install all of the relevant patches, updates and drivers just to get the machine functional. And that doesn't include things like firewall settings, anti-viral and anti-spyware software, which you have to buy separately from Microsoft or other vendors.

The plain truth was that most casual users never did these downloads. As a result, most systems were woefully insecure. In an effort to "take the human out of the loop", Microsoft introduced an automatic update service. After agreeing to a general End User License Agreement, you would set your computer up in automatic mode, and it would download and install updates necessary to protect not only your computer but any computer to which your computer might connect.

You also had the option to have more control over the settings and just install the software, or you could simply manually update your system. But again, the more updated your system was, presumably the more secure. So automatic update was the way to go.

If you have automatic updates set up, you get the WGA installed automatically. According to the complaint, Microsoft's director of Genuine Windows, David Lazar described the WGA program stating:

"The system works by identifying unique characteristics of a system and implanting a software key that can be read by Microsoft when updates are requested. The only way to remove the key is to reformat the hard drive [...] The key won't be used to identify individual users, only individual systems [...] I would go back to our privacy policy which says we have no knowledge of the identity of the users, so a user shouldn't be concerned about the use of that key."

Um... not quite.

First of all, the software looks at a bunch of things in the hardware to develop a profile of the user - the MAC address, the serial number of the hard drive, its size, and so on. Thus, if you get a new hard drive or other hardware, the key won't match, and you could be flagged as a pirate for using your licensed software.

Second, the statement suggests that the only time you get electronically frisked is when you affirmatively request an update. Also not true. With automatic updates on (a setting suggested by Microsoft) you are frisked every time your computer updates - or every time Microsoft pushes an update to you. Indeed, you are frisked more often than that. Finally, and most disturbingly, is the allegation that the key won't be used to identify individual users. Oh really? Cross your heart and hope to die, pinky promise?

Broken promises?

In July 2005, Microsoft changed the WGA program, making users install an Active X control that also generated a software key, and again promised that Microsoft does not collect any information during this process] that can be used to identify you or contact you." Similar promises were contained in the FAQs and privacy policy of Microsoft.

In April 2006 the program was expanded once again - to Microsoft's advantage. Now, as you automatically updated the software using Windows Automatic Update, the WGA validation program was automatically added to your system. If the software thought your software wasn't valid, you got annoying pop-ups prompting you to get legal, allegations that you were breaking the law, and slower boot up times.

In addition, this high priority update was now being used to hold users hostage - no longer could they automatically get software necessary to make their buggy OS reasonably secure without agreeing to the electronic frisking. Without the possibility of pop ups and accusations, you could not get critical security updates.

In May 2006, the head of Microsoft's antipiracy program, Michala Alexander told CNet that: "... the WGA is a voluntary service. You can turn off the pop-ups, and people can opt out of it. They still get all the core downloads, but what they don't get is stuff such as Windows Defender. They still get all the security patches - we don't penalise customers for not joining."

Not quite. You couldn't get the stuff automatically. Thus, if you didn't install the WGA software, you were putting everyone else on the internet at risk. Fun stuff.

Once installed, the EULA says that "you will not be able to uninstall the software..." It describes the fact that the software will connect to Microsoft, that by using the now permanent software you consent to this, and that you will not be notified when the connection is made. The EULA notifies you that it uses internet protocols which sends to Microsoft computer information such as your XP product key, PC manufacturer, OS version, XP product ID, PC BIOS information, locale setting and language version of Windows XP.

It then explains that Microsoft does not use the information to identify or contact you. Yeah...right. Well, not today... maybe.

Windows Genuine Advantage versus spyware

So what does the WGA software do, exactly? It runs surreptitiously on your computer. It scans the software and hardware, and extracts information about it. If you DON'T run it, your computer becomes unsafe. If you do run it, you have the possibility of getting pop-ups and slowing down your system.

Indeed, Microsoft on July 2, 2006, promised that the unlicensed user experience would get even worse. This was with Microsoft's PR flack telling Computerworld that: "In Windows Vista, we are making it notably harder and less appealing to use counterfeit software, and we will work to make that a consistent experience with older versions of Windows as well." Sounds an awful lot like spyware to me.

Indeed, the EULA here is more onerous and less clear than that which the FTC found actionable for online spyware manufacturer Odysseus, who purported to allow people to download software to make Kazaa P2P software anonymous, but which actually collected personal information and sent adware to the users (PDF). In plain terms, spyware EULAs aren't enforceable, and the WGA license sure sounds like a spyware EULA.

3 Big data security analytics techniques

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
prev story


Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.