Microsoft wants access to your private information

OooOo
 
Now this is what you call "bravo"...

Get ready for Microsoft, cable and phone companies, and quite a few other people to know a lot more about what you do on your computer, thanks to House Bill 2083.

It’s supposed to protect you from predators spying on your computer habits, but a bill Microsoft Corp. helped write for Oklahoma will open your personal information to warrantless searches, according to a computer privacy expert and a state representative.

Called the “Computer Spyware Protection Act,” House Bill 2083 would create fines of up to a million dollars for anyone using viruses or surreptitious computer techniques to break on to someone’s computer without that person’s knowledge and acceptance, according to the bill’s state Senate author, Clark Jolley.

“The bill has a clear prohibition on anything going in without your permission. You have to grant permission,” said Jolley, R-Edmond. “You can look at your license agreement. It will say whether they have the ability to take that information or not.”

But therein lies the catch.

If you click that “accept” button on the routine user’s agreement, the proposed law would allow any company from whom you bought upgradable software the freedom to come onto your computer for “detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act.”

That means that Microsoft (or another company with such software) can erase spyware or viruses. But if you have, say, a pirated copy of Excel — Microsoft (or companies with similar software) can erase it, or anything else they want to erase, and not be held liable for it. Additionally, that phrase “fraudulent or other illegal activities” means they can:

—Let the local district attorney know that you wrote a hot check last month.

—Let the attorney general know that you play online poker.

—Let the tax commission know you bought cartons of cigarettes and didn’t pay the state tax on them.

—Read anything on your hard drive, such as your name, home address, personal identification code, passwords, Social Security number … etc., etc., etc.

“I think in broad terms that is still a form of spying,” said Marc Rotenberg, attorney and executive director of the Electronic Privacy Information Center in Washington, D.C. “Some people say, ‘Well, it’s justified.’ I’m not so clear that should be the case. Particularly if the reason you are passing legislation is to cover that activity.”

The bill is scheduled to go back before the House for another vote. Will the Oklahoma House, on behalf of all computer users in the state of Oklahoma, click “accept”?

Where did you go yesterday?

Computer users first accepted updates when anti-virus makers, such as Symantec Corp. or McAfee, began back in the Nineties offering regular updates in an attempt to stay current with the alarming number of viruses introduced over the Internet. This was followed by Windows ME and 2000 allowing updates to their programs via downloads. By the time Windows XP came out, regular online updates became part of the product one purchased.

At around the same time, the Napster phenomenon pushed music corporations, courts and lawmakers into taking action against online file sharing of music. Hip, computer-savvy listeners traded pirated MP3 recordings beyond count, leading to action by the music industry to go on a search and destroy mission against the online music traders, even in Oklahoma. In 2000, Oklahoma State University police seized a student’s computer containing thousands of downloaded songs after he was traced by a recording industry group.

Anti-spyware bill author Jolley said that’s what people like the OSU student get for sharing their information online.

“You have to look at the other side of that issue,” Jolley said. “When they agreed to put their files online, they literally agreed to allow people to come on their computers and search the files online. On a P-to-P (peer-to-peer) network, you are inviting other people to see what you have. That’s a risk you run by participating in file share.”

Jolley said his spyware bill is supposed to stop “phishers” from stealing one’s identity off of one’s computer, is supposed to stop “Trojan horse” viruses from being installed on the computer and is supposed to make illegal a host of other techniques for spying on a user’s personal information.

“It prohibits them from taking things as basic as your home address, your first name, your first initial in combination with your last name, your passwords, any personal identification numbers you have, any biometric information, any Social Security, tax IDs, drivers licenses, account balances, overdraft histories — there is a clear prohibition on that,” Jolley said.

Indeed, Sections 4 and 5 of the act specifically forbid anyone from doing so without the user’s permission.

However, Section 6 of the act says such a prohibition “shall not apply” to “telecommunications carrier, cable operator, computer hardware or software provider or provider of information service” and won’t apply to those companies in cases of “detection or prevention of the unauthorized use of or fraudulent or other illegal activities.”

Which means software companies updating a user’s software or the cable company monitoring that user’s activities on a broadband modem hookup can turn over that user’s history of writing hot checks to the district attorney if the company feels like it, said Rotenberg.

“You go back to the old-fashioned wiretap laws,” Rotenberg said. “There was an exception to allow telephone companies to listen in on telephone calls. The theory was that it was necessary to make sure that the service was working. Part of what’s going on here is to significantly expand that exemption to a whole range of companies that might have reason for looking on your computer. The statute will give them authority to do so. I think it’s too broad. I think the users in the end need to be able to allow that themselves.”

Jolley insists his proposed law would not allow Microsoft, Symantec or Cox Communications to become “Big Brother.”

“The goal of this is not to allow any company to go through and scan your computer,” Jolley said. “If they are, it has to be for a specific purpose. If you don’t want them doing that, don’t agree to (the user’s agreement).”

Which means, when a user accepts Microsoft’s Windows operating system on that new computer, or Norton AntiVirus, or Apple’s operating system or a host of other online-upgradable programs, that user agrees to being watched by the company.

Who on Earth would write such a law? It wasn’t Jolley, or anyone in Oklahoma.

OooOo

MS Expands Anti-Piracy Program, Reissues Patch

Microsoft today began expanding its anti-piracy program by quietly pushing out a software update that in many cases automatically scans Windows computers and reports on whether they are powered by unlicensed software.

The "new pilot program" is a fairly broad expansion of Microsoft's Windows Genuine Advantage program, under which the anti-piracy check was required only for users who wish to download security updates or other free programs from Microsoft's site. Under WGA, users who chose to receive fixes via Automatic Updates were not prompted to install and run the anti-piracy software.

Starting today, however, Windows XP users in the United States who have set up automatic security updates will receive the anti-piracy tool. After installation and reboot, they may find their computers popping up an alert that reads: "This copy of Windows is not genuine; you may be a victim of software counterfeiting." Microsoft also is pushing the new tool out to auto-update users in Britain, Malaysia, Australia and New Zealand.

I hadn't heard about this program until today, when my laptop -- which of course is running a legitimate copy of XP Home Edition -- received this update today and prompted me to restart. When I rebooted the machine and went to "Add Remove/Programs," the hyperlinked Microsoft Knowledge Base article that was supposed to describe more about this patch was not available, so I sent a few questions over to Microsoft. Below are their answers:

How does Microsoft plan to disseminate this? Through automatic updates?:

"Yes. As part of the pilot program, some customers in the U.S., U.K., Malaysia, Australia and New Zealand will be invited to receive WGA Notifications through Automatic Updates (AU) to learn whether or not they are running genuine Windows. Customers who opt in to the pilot and learn they are using non-genuine versions of Windows will receive a message during logon that their copy of Windows appears to be non-genuine and will be directed to the WGA Web site to learn more. If they choose not to obtain a copy of genuine Windows at that time, the customer will receive reminders until they are running genuine Windows. While the pilot is presently opt-in, as it expands later in the year, AU and WU customers may be required to participate. Users who have not validated their machines as genuine through WGA will not be able to download IE 7 and Windows Defender among other downloads and updates. However, they will not be denied critical security updates" (my emphasis added).

Will the Windows customer who uses auto-updates have the opportunity to decline this update and still install other updates?:

"The pilot is opt-in, so all participants are given a choice about whether or not they wish to participate. The opt-in is via a License Terms dialog, and users can choose to accept or decline. Only users who accept will receive the software. Once installed, participants will have the option to suppress notifications for some length of time. Users will not have the option of uninstalling WGA Notifications. Customers [already] running genuine Windows Advantage will be unaffected by WGA notifications. Users running non-genuine Windows will see the notifications at boot time, login time, and periodically via a system tray bubble notification. Messages are displayed until the system is running genuine Windows. Users can choose to suppress the notifier. The notifier will remind such users that they are not running genuine Windows and direct them to the WGA failure page, where they can learn more about the benefits of genuine software and take advantage of the Microsoft genuine Windows offers designed to help victims of counterfeit software. All users are able to receive High Priority Security & reliability updates regardless of their validation status. Users will not have the option of uninstalling WGA Notifications" (again, my emphasis).

What has been the rate of acceptance among Windows users to the Genuine Advantage program so far? How many potentially pirated versions of Windows has Microsoft received reports of thus far through the WGA program and installed tools?

"To date, we have already validated more than 150 million systems worldwide with WGA. As of March 2006, the WGA notifications program has been offered to more than 13 million users and we estimate an additional 13 million customers will receive the program with the present expansion. The ultimate goal of WGA is to differentiate genuine Windows software from non-genuine software. WGA also helps Microsoft learn more about counterfeit resellers and their illegal practices. We don't have specific numbers to share."

What exactly happens in the event that the tool finds a PC that is suspected of running a counterfeit version of Windows (what info, if any, is then shared with Redmond)?:

"WGA Notifications is for Windows XP users. Our client software does not collect any information that can be used to identify or contact a user. We use the same process used by many popular search engines and Web sites to determine where their users are from -- a form of IP lookup. This IP lookup process does not include any information that is used to identify you or contact you, and only gives a rough geographic representation of where users are located."

Microsoft also said it is planning to expand the anti-piracy pilot to Microsoft Office products. Initially this will affect users of various foreign language versions of Office, including Brazilian Portuguese, Czech, Greek, Korean, Simplified Chinese, Russian and Spanish.

Microsoft has every right to defend its intellectual property rights, and I don't for a single second begrudge the company for trying to quash software piracy, which is a very costly and global problem. But I'm a little concerned that this action could cause a number of Windows users to turn off automatic updates completely, and as such leave their systems unpatched and sitting ducks for would-be attackers who might use those machines for criminal purposes.

For my part, I turned off Automatic Updates several months ago, mainly because I got sick of telling Windows not to install its "malicious software removal tool," (even though I checked the box next to "don't ask again" or something to that effect, Windows asks permission to reinstall the program every time other updates are available).

Microsoft also released today an update to fix a Windows security patch (MS06-015) it issued a week ago that caused problems for some users of Hewlett-Packard hardware and software, as well as some Windows users who have certain Nvidia graphics cards installed.

Microsoft said that if you are configured to receive automatic updates, you don't need to do anything: "It will detect if you have the problem and deliver the update to you. If you have not yet installed MS06-015, the revised version will be offered to you." Automatic update users will also get a complimentary copy of the new Windows anti-piracy tool as well.

OooOo

Microsoft patents the super cookie

Yesterday, the USPTO awarded Microsoft a patent for tracking usage behavior in computer systems. Similar to what's known as web beacons and domain cookies, Microsoft's new patent describes ways to track users through invisible images and tiny cookies.

US Patent 7039699, as it is formally known, will provide developers with an Application Program Interface (API) which can be called from languages such as JavaScript, ASP, and VBScript. The permanent cookie can contain four data types consisting of bits, counters, dates, and strings. In the patent description, Microsoft also notes that the cookie is flexible enough to allow for new data types in the future. But boring technical details aside, what is Microsoft's goal with the patent? Nothing but the obvious.

Using the information found in the domain cookie, Internet content sites will have the opportunity to determine those user behaviors observed in particular segments of the Internet content sites that may be helpful to differentiate the user when visiting each of those segments. Moreover, with the use of the domain cookie, Internet content providers are given an opportunity to determine those behaviors that are observed in a particular segment of the Internet content sites that may be helpful to differentiate the user when visiting other segments of the Internet content sites.

Need an example?

For example, the following user behaviors on the MSN network may easily be recorded to assist Internet content providers to enhance a user's experience: Did the customer ever buy a plane ticket on EXPEDIA.MSN.COM (an Internet content site dedicated to selling airline products and services)? What was the destination of the journey? Does the customer have a Hotmail (Internet based centralized e-mail) account? How many times did the customer visit MSN.COM? Based on this information, MSN web sites will be able to render more relevant content for a given user and to provide customized content in accordance with behavioral data that has been collected about the user, and/or a user's preferences. Customized content may range from targeted advertising, to special limited services.

That's the patent in a nutshell. To me, it doesn't seem very original since web developers have been using what are essentially cookies for years. Even if Microsoft did slide some new ideas into the mix (the end of the Claims has some originality), I still have trouble seeing how this was granted. Microsoft now owns the rights to the "cookie on steroids."
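
How far a domain-scoped cookie like the one described above reaches follows from the RFC 6265 domain-matching rule, shown here next to a host-only cookie for comparison. This is an added example, not code from the patent or the article; the cookie names and the hotmail.msn.com host are constructed for illustration.

```javascript
// Added example: RFC 6265 domain matching decides which hosts receive a cookie.
// Cookie names and the hotmail.msn.com host are constructed sample data.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the two
// are identical, or when the host ends with "." + domain and is not an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// A cookie set with a Domain attribute goes to that domain and every subdomain.
// A cookie set without one is "host-only" and is returned to the exact host only.
function cookiesSentTo(host, jar) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .map(c => c.name);
}

// Constructed cookie jar: one network-wide cookie, one host-only cookie.
const jar = [
  { name: "profile", domain: "msn.com", hostOnly: false },        // Set-Cookie ...; Domain=msn.com
  { name: "session", domain: "expedia.msn.com", hostOnly: true }  // Set-Cookie with no Domain attribute
];

// Map each host to the cookie names a browser would attach to a request for it.
function report(hosts) {
  const out = {};
  for (const host of hosts) out[host] = cookiesSentTo(host, jar);
  return out;
}

console.log(report(["msn.com", "expedia.msn.com", "hotmail.msn.com", "notmsn.com"]));
```

The domain-scoped cookie accompanies requests to every subdomain, which is what lets behavior seen in one segment be read in another; the host-only cookie stays with the single site that set it.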