Bill Totten's Weblog

Wednesday, July 18, 2007

Forget about the WGA!

More than Twenty Windows Vista Features and Services Harvest User Data for Microsoft from Your Machine!

by Marius Oiaga, Technology News Editor

Softpedia


Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of twenty Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company.

Microsoft makes no secret about the fact that Windows Vista is gathering information. End users have little to say, and no real choice in the matter. The company does provide both a Windows Vista Privacy Statement and references within the End User License Agreement for the operating system. Combined, the resources paint the big picture over the extent of Microsoft's end user data harvest via Vista.


Reading Between the EULA Lines

Together with Windows Vista, Microsoft also provides a set of Internet-based services, for which it has reserved full control, including alteration and cancellation at any given time. The Internet-based services in Vista "coincidentally" connect to Microsoft and to "service provider
computer systems". Depending on the specific service, users may or may not receive a separate notification of the fact that their data is being collected and shared. The only way to prevent this is to know the specific services and features involved and to either switch them off or not use them.

The alternative? Well, it's written in the Vista license agreement. "By using these features, you consent to the transmission of this information. Microsoft does not use the information to identify or contact you."

The Redmond company emphasized numerous times the fact that all information collected is not used to identify or contact users. But could it? Oh yes! All you have to know is that Microsoft could come knocking on your door as soon as you boot Windows Vista for the first time if you consider the system's computer information harvested. Microsoft will get your "Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the device where you installed the software". But all they really need is your IP address.


What's Covered in the Vista License?

Windows Update, Web Content, Digital Certificates, Auto Root Update, Windows Media Digital Rights Management, Windows Media Player, Malicious Software Removal / Clean On Upgrade, Network Connectivity Status Icon, Windows Time Service, and the IPv6 Network Address Translation (NAT) Traversal service (Teredo) are the features and services that collect and deliver data to Microsoft from Windows Vista. By using any of these items, you agree to share your information with the Redmond Company. Microsoft says that users have the possibility to disable or not use the features and services altogether. But at the same time Windows update is crucial to the security of Windows Vista, so turning it off is not really an option, is it?

Windows Vista will contact Microsoft to get the right hardware drivers, to provide web-based "clip art, templates, training, assistance and Appshelp", to access digital software certificates designed "confirm the identity of Internet users sending X.509 standard encrypted information" and to refresh the catalog with trusted certificate authorities. Of course that the Windows Vista Digital Rights Management could not miss from a list of services that contact Microsoft on a regular basis. If you want access to protected content, you will also have to let the Windows Media Digital Rights Management talk home. Windows Media Player in Vista for example, will look for codecs, new versions and local online music services.

The Malicious Software Removal tool will report straight to Microsoft with both the findings of your computer scan, but also any potential errors. Also, in an effort to enable the transition to IPv6 from IPv4, "by default standard Internet Protocol information will be sent to the Teredo service at Microsoft at regular intervals".


Had Enough? I Didn't Think So!

Microsoft has an additional collection of 47 Windows Vista features and services that collect user data. However, not all phone home and report to Microsoft. Although the data collection process is generalized across the list, user information is also processed and kept on the local machine, leaving just approximately fifty percent of the items to both harvest data and contact Microsoft. Still, Microsoft underlined the fact that the list provided under the Windows Vista Privacy Statement is by no means exhaustive, nor does it apply to all the company's websites, services and products.

Activation, Customer Experience Improvement Program (CEIP), Device Manager, Driver Protection, Dynamic Update, Event Viewer, File Association Web Service, Games Folder, Error Reporting for Handwriting Recognition, Input Method Editor (IME), Installation Improvement Program, Internet Printing, Internet Protocol version 6 Network Address Translation Traversal, Network Awareness (somewhat), Parental Controls, Peer Name Resolution Service, Plug and Play, Plug and Play Extensions, Program Compatibility Assistant, Program Properties―Compatibility Tab, Program Compatibility Wizard, Properties, Registration, Rights Management Services (RMS) Client, Update Root Certificates, Windows Control Panel, Windows Help, Windows Mail (only with Windows Live Mail, Hotmail, or MSN Mail) and Windows Problem Reporting are the main features and services in Windows Vista that collect and transmit user data to Microsoft.

This extensive enumeration is not a complete illustration of all the sources in Windows Vista that Microsoft uses to gather end user data. However, it is more than sufficient to raise serious issues regarding user privacy. The Redmond company has adopted a very transparent position when it comes to the information being collected from its users. But privacy, much in the same manner as virtualization, is not mature enough and not sufficiently enforced through legislation. Microsoft itself is one of the principal contributors to the creation of a universal user privacy model.

The activation process will give the company product key information together with a "hardware hash, which is a non-unique number generated from the computer's hardware configuration" but no personal information. The Customer Experience Improvement Program (CEIP) is optional, and designed to improve software quality. Via the Device Manager, Microsoft has access to all the information related to your system configuration in order to provide the adequate drivers. Similarly, Dynamic Update offers your computer's hardware information to Microsoft for compatible drivers.

Event Viewer data is collected every time the users access the Event Log Online Help link. By using the File Association Web Service, Microsoft will receive a list with the file name extensions. Metadata related to the games that you have installed in Vista also finds its way to Microsoft. The Error Reporting for Handwriting Recognition will only report to Microsoft if the user expressly desires it to. Through IME Word Registration, Microsoft will receive Word registration reports. Users have to choose to participate in the Installation Improvement Program before any data is sent over at Microsoft.

Ever used a print server hosted by Microsoft? Then the company collected your data through Internet Printing. Network Awareness is in a league of its own. It does not premeditatedly store or send directly information to Microsoft, but it makes data available to other services involving network connectivity, and that do access the Redmond company. Via Parental Controls, not only you but also Microsoft will monitor all the visited URLs of your offspring.

Hashes of your Peer Name tied to your IP address are published and periodically refreshed on a Microsoft server, courtesy of the Peer Name Resolution Service. Every time you install a Plug and Play device, you tell Microsoft about it in order to get the necessary device drivers. The same is the case for PnP-X enabled device, only that Windows Update is more actively involved in this case.

The Program Compatibility Assistant is designed to work together with the Microsoft Error Reporting Service, to highlight to Microsoft potential incompatibility errors. For every example of compatibility settings via the Compatibility tab, Microsoft receives an error report. The Program Compatibility Wizard deals with similar issues related to application incompatibility. File properties are sent to Microsoft only with the item that they are associated with.

You can also volunteer your name, email address, country and even address to Microsoft through the registration process. A service such as the Rights Management Services (RMS) Client can only function in conjunction with your email address.

All the queries entered into the Search box included in the Windows Vista Control Panel will be sent to Microsoft with your consent. The Help Experience Improvement Program also collects and sends information to Microsoft. As does Windows Mail when the users access Windows Live Mail, Hotmail, or MSN Mail. And the Windows Problem Reporting is a service with a self explanatory name.

But is this all? Not even by a long shot. Windows Genuine Advantage, Windows Defender, Support Services, Windows Media Center and Internet Explorer 7 all collect and transmit user data to Microsoft. Don't want them to? Then simply turn them off, or use alternative programs when possible or stop using some services altogether. Otherwise, when your consent is demanded, you can opt for NO.


What Happens to My Data?

Only God and Microsoft know the answer to that. And I have a feeling that God is going right now "Hey, don't get me involved in this! I have enough trouble as it is trying to find out the release date for Windows Vista Service Pack 1 and Windows Seven!"

Generally speaking, Microsoft is indeed transparent - up to a point - about how it will handle the data collected from your Vista machine. "The personal information we collect from you will be used by Microsoft and its controlled subsidiaries and affiliates to provide the service(s) or carry out the transaction(s) you have requested or authorized, and may also be used to request additional information on feedback that you provide about the product or service that you are using; to provide important notifications regarding the software; to improve the product or service, for example bug and survey form inquiries; or to provide you with advance notice of events or to tell you about new product releases", reads a fragment of the Windows Vista Privacy Statement.

But could Microsoft turn the data it has collected against you? Of course, what did you think? "Microsoft may disclose personal information about you if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with the law or legal process served on Microsoft; (b) protect and defend the rights of Microsoft (including enforcement of our agreements); or (c) act in urgent circumstances to protect the personal safety of Microsoft employees, users of Microsoft software or services, or members of the public", reveals another excerpt.

And you thought that it was just you ... and your Windows Vista. Looks like a love triangle to me ... with Microsoft in the mix.

Copyright (c) 2001 - 2007 Softpedia. All rights reserved.

http://news.softpedia.com/news/Forget-about-the-WGA-20-Windows-Vista-Features-and-Services-Harvest-User-Data-for-Microsoft-58752.shtml


Bill Totten http://www.ashisuto.co.jp/english/index.html

0 Comments:

Post a Comment

<< Home