WGA data mining obligatory to get Windows XP bug patches?

  • Question

  • Hello, a recent update of the WGA software prompts us to accept the terms of Microsoft, which include allowing them to collect forensic data able to uniquely identify every single one of our PCs (Hard drive serial numbers, BIOS info, PID/SID, etc.).  I declined to accept these terms.  (In one of the recent FAQs Microsoft also states that it might share data collected by the WGA software with third-parties).

    It came as a big surprise to me that the previous versions of WGA were already doing this without having asked my approval.  I had read the "Details..." on the WGA install a long time ago and it did not state that it collected all of this information and sent it to Microsoft.

    Not happy with this, I followed the instructions in KB Article #921914 to uninstall the WGA software.  However, now when I go to the Windows Update web site it forces me to re-install the previous version of the WGA software without prompting me to accept any terms.  I apparently can no longer patch the bugs in WindowsXP from the Windows Update web site without first installing the old WGA software.  This is very strange behaviour.

    Now my question is, how can I run the Windows Update web site to receive software patches for Microsoft Windows XP flaws and bugs without installing the previous or new WGA software?  Or is there a simple option in the WGA software to specifically disable the data collection process?  That last request cannot be too much to ask!?  Are we not entitled to basic PC privacy if we use Windows XP?  You cannot argue that the information collected can't be used to uniquely identify PCs.

    Thank you.

    Monday, July 3, 2006 6:56 PM

Answers

  • Only by directly visiting the Windows or Microsoft Update web site are you required to install WGA.  If you wish not to install WGA, then turn on Automatic Updates and do not visit the Windows or Microsoft Update web site directly.
    Monday, July 3, 2006 7:00 PM
    Moderator

All replies

  • With regards to your concerns over "data mining", I would like to highlight the work Microsoft did with a leading German privacy firm – TÜViT. Microsoft has commissioned TÜViT, an independent German security auditor, to test how well Windows Genuine Advantage Version 1.0 protects customers’ data. TÜV conducted a legal audit of Microsoft’s statements, policies and specifications to set the requirements for a technical audit that determined that the program’s databases, source-code and implementation respect privacy concerns. To learn more about the privacy see: http://www.microsoft.com/genuine/downloads/PrivacyInfo.aspx?displaylang=en

    Again, thanks for the feedback.

    Monday, July 3, 2006 7:38 PM
    Moderator
  •  Carey Frisch wrote:

    [...]Microsoft has commissioned TÜViT, an independent German security auditor to test how well Windows Genuine Advantage Version 1.0 protects customers’ data.

    I'm sorry but I really don't understand how this is supposed to assure us?!  In fact it is downright disturbing that Microsoft boasts that this information is not personal and has paid a company to certify this to convince us.  In the privacy info link Microsoft itself admits to collecting information that uniquely identifies our PCs, such as a unique system GUID (quote: "A unique number assigned to your computer"), the hard drive serial number, computer make and model, BIOS name, revision number, and revision date, our region and language settings, product ID and key and version information.  Microsoft basically collects forensic information able to uniquely identify every single one of our PCs.

    Is your SSN personal information?  Are your fingerprints or your DNA personal information?  Are photos of the inside of your house personal information?  Is your name personal information?  You could argue that none of these are and you could pay someone to claim they aren't.  But if they can be linked to you to uniquely identify you, then it is personal information!  When the Gestapo breaks down your door because they don't like what books you read from the library or what sites you visited on the internet, they can take your fingerprints, they can take your PC to get those unique identifiers.  A PC can be linked to a person, especially when you have all of its unique identifiers, like DNA can be linked to a person.  Microsoft is being deceitful.  This truly is a disturbing trend on the part of Microsoft, I for one am shocked.  Of course many of Microsoft's MVPs' line in these forums is "if you're innocent, you have nothing to worry about"...  Typical far-right corporate thinking, in line with some of the greatest aberrations of justice committed by the self-righteous the world has seen.  Of course, today in 2006 companies are innocent, for example American high-tech companies simply hand over IP address/PC information to the Chinese government; they don't do the actual torturing themselves.

    Tuesday, July 4, 2006 1:55 PM
  • I've been conducting an informal poll, and everyone I've spoken with is very surprised to find out that Microsoft is collecting forensic PC information using WGA.  Many actually just don't believe it when I tell them.  Clearly this is a case of Microsoft breaking privacy rights under people's noses.  Heck, even the new WGA "terms" that users are asked to accept are a big block of legal text that Microsoft very well knows will not be read by the vast majority of users.  The mass media is not aware / clearly spelling out what data Microsoft is collecting with the WGA tool, only reporting that there have been lawsuits, themselves not understanding the full scope.  We need to alert the media and politicians about the extent of Microsoft's intrusion on data privacy, remind them about its monopoly and the disturbing trend this represents.  If Microsoft sends down a program to ensure that Windows is properly licensed, that's fine, but for that program to send back up forensic data able to uniquely identify each and every one of our PCs is an infringement on our privacy rights.
    Friday, July 7, 2006 5:28 PM
  •  Mark Rilph wrote:
    .....remind them about its monopoly.......

    What "monopoly"???????

    Just read the posts in this forum-----don't you know that the entire computing world has gone out and dumped Windows, installed Linux and bought Macs just due to the "flap" over the Notifications Tool?

    Judging by the posts, there are only seven people still running Windows, Bill Gates and six Tibetan monks up in the Himalayas.  (The Abominable Snowman is their postman and he's a little slow delivering the newspapers this time of year.)

    You can't have a monopoly if only seven people are using your OS.

    Friday, July 7, 2006 5:53 PM
  • I've gone both ways on this, but I am coming around to this.

    Does anybody have clear proof of, as you say, forensic data going to Microsoft?  I don't mean the media saying "they could be" or "you should be upset because."  I don't mean somebody's brother's friend's uncle said it was uploading his private data to Microsoft.  What I'm talking about is real proof such as a packet transfer of the WGA software checking in with Microsoft showing social security numbers, user names, addresses, etc?  If so, where is it published?

    If not, then it is all speculation and indicates nothing more than a public relations problem for Microsoft.

    Oh yeah, I am not a blind loyalist to Microsoft either.

    Friday, July 7, 2006 5:53 PM
  • Not Very Happy, you appear to have misunderstood.  I was making an analogy with SSN, fingerprints and DNA to make a point that these unique identifiers can be linked to a person to identify an individual.  Similarly an individual could be identified by locating their PC in their home starting from its IP address and matching it to the unique PC identifiers collected by Microsoft.  Microsoft plainly admits to collecting PC forensic data, able to uniquely identify PCs, on their web sites like their WGA FAQ page, and their WGA privacy statement for example, which has been linked to in this thread and many others, you just need to click on the links provided...  Hint: look under the heading called "What data is collected?", it's hard to miss.

    http://www.microsoft.com/genuine/downloads/PrivacyInfo.aspx?displaylang=en

    Saturday, July 8, 2006 12:04 PM
  • OK, I've got you now Mark.  I had misunderstood and thought you meant direct collection of private data during the check-in process.  Still I would like to see a packet capture of the daily/weekly/bi-weekly check-in to see what was passed from the user PC.

    I do agree that the technology is there to tie a PC to a specific person.  I read regularly how law enforcement uses web logs to go back (through an ISP) to trace a TCP/IP address to a specific user.  Why couldn't Microsoft do the same?  Well, I do wonder if the ISP would release the information without a court order.  *shrugs*  Not a lawyer here so I don't know.

    Is there room for concern?  Probably.  Are they really doing it?  Who knows.


    Sunday, July 9, 2006 5:30 PM
  • It's a slippery slope, that's what I'm saying.  What right does Microsoft have to come down in my PC, search and collect private PC information that has nothing to do with Microsoft?  Does Home Depot have the right to enter and search your home and collect information on unique features of your house even if it's not considered "personal information"?  No, not even the police have this right!  Microsoft does not own my PC, I do, yet they act like it's theirs to do with what they wish.  Of course they keep reminding us that we can't buy Microsoft software, we are only renting a temporary license to use it, they appear to believe this applies to your entire PC.  Besides, how difficult is it for Microsoft to pick up the "Registered to:" info associated with your unique license?  According to them they can change their policy anytime they want without notice.
    Wednesday, July 12, 2006 4:09 PM
  • WGA does not perform "data mining" of your "private PC information".  A person could learn a lot more about you by knowing the license number from your automotive vehicle or your street address, then looking it up in the public records office of your local governing authority.

    Wednesday, July 12, 2006 4:38 PM
    Moderator
  • Yeah, data mining is probably a little strong, but it is obvious that they are trying to uniquely ID your computer.  The information that is listed under the privacy statement says "The tools collect such information as:".  Not really a definitive statement, plenty of wiggle room.

    I wonder if this is the way every software vendor will go?  Scanning your computer for info they think is valid/necessary and sending it back to HQ.  Maybe in the future it will take 30 minutes to start your computer as the 50+ applications you have installed collect data and phone home. 

    Wednesday, July 12, 2006 7:47 PM