As vendors increasingly look to sell applications that "phone home" customer information, there's a movement afoot to protect consumer rights by making sure companies are up front about the existence and intent of such software, and that users can uninstall it.
Companies can expect to see more software hit the market that, once installed, can soak in its surroundings and report back on what it finds. But vendors won't necessarily be able to bully this technology onto their customers' computers, as Microsoft tried with its Windows Genuine Advantage anti-piracy software. The benefits of fighting software piracy are clear, but users should also know they have rights when it comes to having software surreptitiously installed on their systems.
Microsoft is learning this the hard way as it defends itself from two lawsuits before the U.S. District Court for the Western District of Washington State that accuse the company of installing spyware on its users' computers under the guise of a "critical security update" that turned out to be the Windows Genuine Advantage Notification software. Installed as part of Windows Auto Update, WGA searches for pirated copies of Windows XP.
Plaintiffs in the cases against Microsoft claim that even though they clicked their consent to Microsoft downloads, they didn't consent to the company's use of WGA, which they consider to be spyware. Legal experts point out that this could be a valid complaint. The courts have found that burying disclosure of spyware in a licensing agreement invalidates the user's consent to that provision, says Kristen Mathews, an attorney with law firm Brown Raysman Millstein Felder & Steiner LLP. Spyware is primarily governed by state law, with at least a dozen states having anti-spyware laws thus far, she adds.
Microsoft changed its WGA end-user license agreement on June 27, the day after the first lawsuit was filed and a few days before the second lawsuit, a class-action suit that includes corporate customers Engineered Process Controls LLC and Univex Inc. as plaintiffs. The original license agreement that permitted WGA to be installed as a security update has been replaced with a license agreement that better explains the purpose of the software, a Microsoft spokeswoman says. In addition, rather than checking the configuration of systems running Microsoft software each time a user logs on to Windows XP, WGA now checks these configurations when new Windows software is added or existing software is updated. Users are also able to remove WGA from their systems, something they couldn't previously do without reformatting their hard drives. And WGA has been reclassified as "high-priority" rather than a "critical" update.
But these moves won't have much of an impact on the suits already filed. The courts have ruled in previous cases that simply changing the provisions of a license agreement to avoid a lawsuit isn't good enough to keep the offending company out of court. When the Federal Trade Commission in 2004 sued Seismic Entertainment Productions Inc. to get the company to stop distributing spyware, Seismic defended itself by saying it had already gotten out of the spyware business. The U.S. District Court for the District of New Hampshire in September 2005 ruled, however, that the FTC's injunction should stand in order to prevent Seismic from changing its mind and attempting to distribute spyware in the future.
"There's a reason both Microsoft and Sony got in trouble on this same [spyware] issue," says Ben Edelman, a lawyer and independent spyware researcher who has done consulting work for Microsoft. "If they affirmatively and openly told users what they wanted to do, many users would refuse."
It's the method more than the message that users oppose. Brown University IT security directory Connie Sadler doesn't have a problem with software vendors fighting piracy. "If they want to do it in an automated fashion, I think that's fine--as long as the tracking software is made public, so people know how it works," she says, adding that Brown proactively does its own software license auditing using Sassafras Software's KeyAccess and KeyServer software.
Others caution that software that "phones home" or otherwise surreptitiously provides vendors with information about their customers threatens each person's privacy and security. "One of the concerns that we have is that while technologies such as Microsoft's WGA and Sony's [digital rights management] rootkit may have some benefits both for the consumer and the vendor, what's hyped by the vendor are the benefits," says David Wright, a partner with Trilateral Research & Consulting, which is part of the Safeguards in the World of Ambient Intelligence consortium formed to investigate the impact of embedded and pervasive computing on society. "I don't want to imply that all business and governments are out to act like Big Brother, but the risks are there."
With Sony and Microsoft having to come clean about their covert means to enlist their users to thwart piracy, at least now businesses have a choice as to how they join the fight.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.