Check the fine print
Language contained in Microsoft’s Product Use Rights document raises concerns about security issues and privacy
BILL GATES SAYS security is Microsoft’s top priority, but just whose security does he have in mind? Consider some of Microsoft’s recent boilerplate legalese — language you or your company might already have unknowingly accepted — and then decide for yourself.
The language is contained in the Product Use Rights (PUR) document that can be found at www.microsoft.com/licensing/resources . As the PUR document is part of most customers’ volume license agreements and is subject to periodic change, in theory Microsoft customers should check it regularly to see what rights Microsoft has decided to grant or take away.
You can be forgiven if you feel like you have better things to do with your life than reading and rereading all this mind-numbing legal gobbledygook. Fortunately, one Microsoft customer did review the PUR document recently and noticed a change. In the section on Windows XP Professional, he found the “Internet-Based Services Components” paragraph that said in part, “You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer.”
The reader was stunned. “By changing that term in the PUR, Microsoft has found a creative way to obtain authorization from users to access their workstations at will,” he said. “How many customers are going to review this PDF file and realize they’ve given Microsoft this right? And all the risk for the security and privacy violations due to this are neatly put on the customer’s shoulders, not Microsoft’s.”
After the reader shared his discovery with me, I asked some other Microsoft volume license customers if they were aware of the PUR term. Not surprisingly, most were only vaguely aware of the PUR’s existence, much less the terms in the XP section. But they had plenty of concerns once they read it, the most obvious being the damage the most benign of automatic OS upgrades could cause in a corporate environment. “The idea that Microsoft can change our software without notifying us is totally unacceptable,” said one corporate IT manager. “Any alteration to our standard configuration can only be rolled out after careful evaluation and testing. Does Microsoft have no clue?”
Several readers were also worried that Microsoft’s broad assertion of its right to access their computers would force their companies into noncompliance with government security guidelines and various privacy laws. This concern was exacerbated by additional PUR language in the same Windows XP section. In terms of “Security Updates,” users grant Microsoft the right to download updates to Microsoft’s DRM (Digital Rights Management) technology to protect the intellectual property rights of “Secured Content” providers. It says Microsoft may “download onto your computer such security updates that a secure content owner has requested that MS, Microsoft Corporation, or their subsidiaries distribute.” In other words, it would seem Microsoft’s idea of a security update is one that protects the property rights of vendors, not the security of customers’ systems.
Currently, DRM technology is associated just with music or video content, but there’s no legal reason it can’t be used with software applications as well. One reader expressed the concern that in order to enforce common license terms, DRM technology might have to distinguish customer communications from those of internal users at a company. “As I read this, we will be guilty of violating federal privacy laws if we don’t at least warn our customers that Microsoft and its partners may have access to their records,” the reader said. “Perhaps our firewall can prevent Microsoft from doing this, but how can I be sure?”
Microsoft officials say that the language in the PUR agreement, which it confirms is also in the Windows XP EULA (End User License Agreement) itself, is not intended to force upgrades on customers. “Our goal is to give the user control over whether a system is being updated, regardless of whether the user is a consumer or an institution,” a statement from Microsoft’s legal team read. “The ‘Internet-based Services Components’ section of the Windows XP EULA was written specifically to ensure that we are in compliance with all regulations that require notification when the configuration choices that a user makes could potentially access one of the auto-updating features of Windows XP. We clearly have more work to do to make sure that it’s clear when these automatic features are used, and we are looking at how to do a better job at that. But it is certainly not our intent to access any user’s system when that is not what they desire.”
Both corporate and individual customers can choose to turn off Windows Auto-Update, the Microsoft officials pointed out. Similarly, users will be told when a content owner is requiring an update to Microsoft’s DRM technology and they will have the option to download it. “If the user elects not to update the security component, he or she will be unable to play content protected by our DRM from that point forward, although content previously obtained would still be usable.”
Well, swell. But if it is indeed Microsoft’s intent to continue giving users the right to decline downloads, why has the company written its XP agreements to force users to explicitly surrender that right? Are customers supposed to ignore what the licenses say and just hope Microsoft won’t ever do what the terms say it can do? That’s not a concept that will make anyone other than Bill Gates feel very secure.