Is Windows XP's 'Product Activation' A Privacy Risk?
Is Microsoft's mandatory registration scheme also a back door for snooping?
Microsoft's forthcoming XP operating system, which represents the final merging of the Win9X and WinNT/2K product lines, will be a watershed for a number of reasons. We'll deal with many of them over time, but for now, let's focus on its privacy issues.
As XP rolled out in betas, two major areas of privacy-related concerns bubbled to the surface. One was HailStorm, a set of services based on Microsoft's Passport technology (a Microsoft Passport account can contain a large amount of individually identifying data). HailStorm is a large and complex topic, deserving its own extended coverage, so we'll do that in a future column. (To get up to speed in the meantime, you can read Microsoft's explanation and spin about HailStorm and InformationWeek's reporting on the topic (see HailStorm Ties Microsoft To Its Future And Past and other recent articles).
- Leveraging The Cloud For Business Resilience
- How crowdsourced testing has changed the game for innovative software companies
Today, we'll focus on the other major area of privacy concern: XP's anti-piracy "Windows Product Activation" feature. While our main focus will be on the operating-system-level WPA, we'll also discuss the WPA that also appears in Microsoft's XP line of Office applications and suites.
Once you install XP software, the WPA system keeps track of how many times you've launched the software and how much time has passed. Before the end of a Microsoft-determined amount of time or number of launches, you must--must--register the software, or it reverts to a reduced functionality mode. For example, after 50 launches without registration, Office XP will let you view your documents, but not change them or create new ones. The allowed number of launches and time varies by product. For example, with the XP operating systems, you have 30 days before you must register.
So, with the WPA, Microsoft is quite literally forcing you to register--to provide it with some personally identifiable information--to keep using the products that you already bought and paid for!
Of course, in legal terms, you don't usually buy software; you don't even buy the CDs on which the software resides. You're actually buying a license that lets you use the vendor's software on the CDs. The company selling the license--in this case Microsoft--can make up whatever rules it wants, and you must agree to those rules if you use its software.
While larger enterprises are well-versed in the licensing model, medium and smaller business (and individual users) usually still think of software in retail terms: "buying" and "owning" the CDs. To these tens of millions of users, XP's WPA will be a bucket of cold water in the face, reminding them that that, even after paying full retail prices, they don't really own the software on their PCs. I expect Microsoft to experience a consumer backlash from this, especially in light of the rest of the Windows Product Activation story.
Hardware Hashing And Phoning Home
You might think you could evade the mandatory registration by doing what many users do when confronted with an invasive request for personal information: lie. You could, for example, make up information and register from a throwaway E-mail account.
Except that won't accomplish much with XP. Here's why:
When you register XP software, the registration process creates and sends to Microsoft a unique 50-digit numeric fingerprint or code. The code is a combination of the serial number of your copy of XP, plus additional information about 10 major hardware elements in your system. According to the German software firm Fully Licensed, which reverse-engineered the beta XP registration codes (see WPA Resource Center), the hardware "hash" code is based on the following information from your PC:
- CPU serial number
- CPU model number/type
- Amount of RAM in the system
- Graphics adapter hardware ID string
- Hard drive hardware ID string
- SCSI host hardware ID string (if present)
- Integrated development environment controller hardware ID string
- MAC address of your network adapter
- CD-ROM drive hardware identification string
- Whether the system is a dockable unit (e.g. a notebook) or not
But that's not all. Even when it's been fully registered, the WPA component wakes up from time to time. It verifies that it's on the original system where it was first installed, and it "phones home" to check with the central Microsoft database to make sure it's still, indeed, a registered copy.
If the WPA discovers that it's no longer on the system where it was originally installed, or if the Microsoft database at the other end of the phone-home connection says you're not registered, then reduced-functionality mode kicks in.
But note: The WPA software identifies the PC on which it's loaded by the "hash" code of the 10 hardware elements listed above. So if you perform a major upgrade on your PC (say, you installed a new motherboard) the WPA software will assume it's been pirated to a new PC and drop to reduced functionality mode. That will happen even if you're the legitimate license holder working on your own PC, with absolutely no pirating going on. Under the original WPA plan, you'd then have to contact Microsoft by phone, hat in hand, to ask for a new activation of the product you already paid for and registered. It's positively Dickensian: "Please, sir, I want some more."
As you might imagine, many users are incensed at this level of monitoring, intrusion, and control by Microsoft. Some are upset at the inconvenience this represents; others are deeply worried about the privacy-invading "Big Brother" nature of the system. There's even a grass-roots campaign to petition Microsoft to change its WPA process.
What's Being Phoned Home?
Longtime readers know I'm no fan of phone-home applications, on the general principles that no app should decide that it's going to consume some of my bandwidth for its own benefit; also, I want to control what information various companies can gather about me. (It can be hard or impossible to know exactly what a phone-home app is sending back.)
So, on those bases alone, WPA gets a big black mark.
But to its credit, Microsoft has played clean in the past with other phone-home apps, such as the automated versions of Windows Update. To my knowledge, there's never been a documented case where those apps have violated user privacy or sent back inappropriate data to Microsoft. I don't believe there's any reason to suspect that the phone-home elements of WPA, per se, will behave any differently. (The HailStorm/Passport issue is separate; we'll come back to that in another column.)
And, although the XP operating system is in beta at the time of this writing, independent third parties who have packet-sniffed the WPA's phone-home exchanges report nothing nefarious is going on and that it's not--repeat, not--a wide-open back door by which Microsoft is snooping on your private data.
So I am happy to report that--despite what you may hear in the more alarmist corners of the Web--the WPA phone-home process does not, in itself, appear to be a major issue in terms of active snooping.
But that still leaves the larger issue of forced registration in general, and that's a huge one. So big, in fact, I think there's a good chance it will turn into a debacle for Microsoft.
A Pyrrhic Victory Over Pirates
Without a doubt, Microsoft's intent with WPA was simple: It's an anti-piracy measure, designed to ensure that Microsoft is paid for every copy of its software in use. If, for example, the Microsoft registration database shows many different machines popping up with the same software serial number, they'll know those copies of the software were stolen and can theoretically trace them back to the original purchaser.
Piracy isn't defensible. It's wrong--a form of theft. But there are many, many problems with the WPA approach to stopping piracy.
At the conceptual level, it's hard to work up much moral outrage in favor of a company that seems intent on gouging its honest customers. Don't you think it's silly for an Office suite to cost almost as much as much as some brand-new PCs do? Isn't it nuts for a Microsoft operating system to cost hundreds of dollars, when some major competitors cost only a few tens of dollars or even are free? Theft is wrong, but Microsoft muddies the moral waters by charging what I think are unconscionably high prices for its products. It's not as though Microsoft is a tiny company struggling to find black ink, impeded by dastardly software pirates. No, Microsoft is insanely profitable and certainly could cut its customers a little slack. Piracy is wrong, but so is price gouging.
Even given Microsoft's legal right to enforce its licenses, WPA is a heavy weapon aimed at the wrong people. Malicious hackers and the "warez" piracy crowd will crack the registration code algorithms soon after XP's release. Microsoft even freely admits this will happen: The "intellectual property protection arena is a cat-and-mouse game. All IP protection technologies will be cracked at some point; it is just a matter of time." So, Microsoft admits its WPA policies will not seriously impede the overtly illegal software cloners and copiers, and it's obvious that WPA will hamper the mostly lawful, mostly loyal users who aren't the real source of the piracy problem in the first place! It's almost as if Microsoft is saying, "First, we'll gouge you with high prices, then we'll make you jump through flaming hoops."
But one group of users will be stopped cold by WPA: the people who allow casual (albeit illegal) copying in offices and homes. One user buys a legitimate copy and lets someone else make a duplicate installation. XP's WPA scheme will, indeed, largely prevent this type of copying. But I think this will be a full-bore Pyrrhic victory for Microsoft.
You see, Microsoft has made the foolish assumption that all those excess copies will magically transform into cash as users open their wallets and go legit. But most of those illegal copies are the result of Microsoft's high prices in the first place. If people couldn't afford to buy legal copies of Microsoft software before, they're not going to suddenly cough up hundreds of dollars per seat to go legit just because XP has arrived.
Instead, I think these people--for whom obtaining multiple full-price copies is out of the question--will flock to free and low-cost options such as Sun Microsystems' StarOffice Suite and the Linux operating system.
Instead of finding a way to embrace its marginal customers, Microsoft will be driving them away. Does that sound like a solid business strategy to you?
Sticks And Carrots
I think Microsoft is going about product registration all wrong. In return for asking users to give up some privacy and anonymity by registering, Microsoft could have offered a carrot: some meaningful enticement or truly valuable benefit that users would gain by registering. (In the past, Microsoft has offered trivial, low-value incentives--trinkets and freebies--to registrants, but to my knowledge, it's never tried offering a meaningful inducement.)
Need a suggestion, Microsoft? How about giving a $150 rebate to people who register a $300 piece of software? If the rebate were real--if you didn't further jack up the software prices to offset this rebate--I'd bet your level of voluntary registration compliance would go through the roof, and the level of piracy would plummet. I'd bet you'd more than make up in sales volume and piracy prevention what you'd lose through funding the rebate. And you'd be the good guys again.
But instead of using a carrot, Microsoft has opted to use a stick to force compliance by crippling your XP software--software you've paid top dollar to use--if you don't register within the time frame and by the means that it wants. Microsoft wants your full-fare money and it wants to know who you are, where you are, and what PC you're using--and you'd better hand it over, buster, or the company will cripple your software.
It's also horrible psychology: With behavior like this, how can anyone not regard Microsoft as an out-of-control bully? How can this jackbooted registration process win customer loyalty and goodwill? What on earth is Microsoft thinking?
Microsoft was once a truly great company, but got itself into trouble by bullying its competitors. Now, with WPA, it wants to bully its customers. That's insane; Microsoft is undermining its own future by alienating the very people who elevated it to its present stature and who are the key to its future.
Time To Change WPA?
The Windows XP operating system hasn't shipped yet. Although it's very late in the game, there's still some wiggle room. As word about various WPA elements has filtered out, Microsoft has already softened some of it.
For example, the whole, from-scratch WPA registration/activation process is triggered not only at first install, but also if (read: "when") you reinstall the software or if you legitimately move the software to a new machine or if you perform a major upgrade of the machine the XP software originally was installed on. As mentioned earlier, the original plan was for you to have to make a phone call to Redmond and, in effect, beg for permission to reuse the software you'd already paid for and registered.
When users screamed, Microsoft bent the rules. Now you'll be allowed to make some significant changes to your setup, over time: As first reported in depth in Scot Finnie's excellent newsletter, the WPA software is being adjusted to allow more latitude for such things as replacing network cards and graphics cards and adding RAM, without automatically triggering the need to reregister manually. Although the specifics aren't yet clear, the intent is to allow for normal, routine hardware changes over time, while still allowing Microsoft to detect wholesale cloning/pirating of software. However, even these "allowed" (gee, thanks) hardware changes will be communicated back to the Microsoft central database via the phone-home connection.
Corporate customers also got a modest WPA change. Site-license holders can enter a master key code that obviates the need to separately register every machine in the company. (But it's unclear whether or not the phone-home activity stops; my read is that it does not and that could end up eating a lot of bandwidth in companies with many PCs.)
Because Microsoft already has adjusted Windows Product Activation, perhaps there's some slim hope that further changes can be made.
So, add your voice. What's your take on WPA? How do you feel about being forced to register your software? How do you feel about WPA monitoring your hardware setup? What about its phone-home activity? Or its ability to cripple your software setup? Do you think WPA will convert pirates into paying customers for Microsoft, or will it drive people to less-expensive, user-friendlier competitors? Will you use XP? Your voice is your vote--please join the discussion!