Read the Fine Print

nihilist_1137 writes: "This story is about how MS changed its EULA and you just gave them control of your computer. In the section on Windows XP Professional, 'Internet-Based Services Components' paragraph says in part, 'You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer.'"

Re:Once again, Slashdotters want to have it both w

[Thomas+Marsh]

Microsoft makes the system able to download and install them itself. All the user has to do is set up auto-install of new updates.

But that's not good enough, because too many users/sysadmins are too stupid to turn this on or check it regularly.

On the contrary, sysadmins are advising that users disable automatic updates on XP because the tendency of the auto update facility to replace, for example, working drivers with faulty ones, as well as not providing information on which packages are being downloaded. (Read that in an article somewhere. Never used auto update myself.)

I do see this as a privacy concern, because it is only with XP that windows update does not say "this is done without sending any information to microsoft." All other versions of windows use the anonymous facility, so they already have a working production update system which they've replaced with this more invasive version. -Coinciding with the EULA changes.

Whether it is an intentional attack on privacy/piracy or simply that MS decided the old mechanism wasn't efficient enough over a slow connection (or some other technical reason) is speculation.

Why do companies tolerate this?

[Phil+Wherry]

[IANAL, so consider these comments accordingly]

I'm really quite surprised that there hasn't been a big backlash from the legal departments of corporate customers over the text in the license agreements from software makers like Microsoft.

Most of the large organizations that I've worked with have relatively paranoid legal departments. The average person cannot, for example, sign a non-disclosure agreement, vendor contract, or do anything else that binds the company without having the document scrutinized in excruciating detail by the company's legal department. And, as anyone who's ever been through this process knows, excruciating is the correct word for this situation.

Yet people install software all the time that binds the company to ridiculously one-sided terms: This software is ours, not yours. Unless it breaks: then it's yours, not ours--and we're obligated to do everything up to and including nothing to help you.

It seems to me like two possible explanations exist--neither of them pleasant:

• Legal departments aren't challenging shrink-wrap licenses because they feel they're not really enforceable contracts. This seems to fly in the face of things like UCITA, though, which allow the software vendor to say "W3 0wn j00" in their license agreements with the force of law to back them up.
  
  
• Legal departments aren't challenging shrink-wrap licenses because they realize that most of the time they're dealing with a powerful monopoly--and that the choice is to accept unconscionable terms or simply be unable to perform essential functions. Most legal departments don't understand open-source software, and I think Microsoft's done a good enough job with its fearmongering campaign about the GPL that there will be a lot of hesitation even if the light bulb ever does come on.
  

There's also the issue of who's allowed to "sign" these things. In most corporate-user situations, the user doing the software installation (and therefore "agreeing" to the click-wrap terms) isn't a corporate officer or someone who's been delegated the authority to bind the company to a set of terms--no matter how reasonable. This seems to me to be pretty dangerous. In the case of a dispute with the vendor, it could potentially put the user at personal risk for representing they had the authority to bind the company when, in fact, they did not. While the economics of pursuing an individual over a company's breach of the license "agreement" probably don't make sense, this remains at least a theoretical risk.

Re:Software auto-update is common

[NumberSyx]

Google's Toolbar does the same thing, according to their official-until-we-change-it legalese

The difference is Google only checks for a single piece of information on a single piece of software and my system does not depend on this software to run. I have never had a Google Toolbar update screw up my entire system or even introduce another bug or open security holes. Google also has a pretty good privacy policy for which it has an excellent track record for following. In short, Google has earned my trust, Microsoft has proven time and time again they can not be trusted and it will take more than setting aside 28 days out of the last 20 years to fix problems to restore that trust.

Re:Two Perspectives

[rseuhs]

Now, maybe where you are corporations rule and buy their own laws left and right but that's not the way it is all over the globe. I have a feeling that in many countries the court would just say "if you want people to understand it then write so that they can."

For example in Germany the whole EULA is completely void, that's why there are no longer OEM-licenses in Germany. (Courts said that users could use them everywhere, not just on the computer it came on)

The funny (or sad) part is that Microsoft also does not follow their own EULA in Germany: You don't get any refunds.

But they still ship everything with the EULA...

Re:MS didn't think anyone would notice ANYTHING

[i_am_nitrogen]

What about OEM installs of Windows? People who buy a computer from Office Max or Wal-Mart don't ever get the "Agree/Disagree" prompt. Usually there's a little book that says "For distribution only with a new PC." inside the box, but does it ever say anywhere "Read me or die a horrible death?"

Re:Hmm..

[TeddyR]

Has anyone else noticed that the windows update with XP no longer says what the 98/2000 versions used to say something along the lines "does not send any information to microsoft" while checking the installed updates.. This has changed to "Windows Update does not collect any form of personally identifiable information from your computer."...

Slight wording differences.. but still... what is "personally identifiable information "? For the longest time, an IP address did not fall into that category.. but as anyone knows... an IP address can id quite alot...

The privacy policy for windows update has:

-----start quote..

Windows Update Privacy Statement
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of information from your computer. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software
Plug and Play ID numbers of hardware devices

Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information. The information collected is used only for the period of time that you are visiting the site, and is not saved.

To provide you with the best possible service, Windows Update also tracks and records whether the download and installation of specific updates succeeded or failed. Windows Update records the ID of the item that you attempted to download and install, and information about your operating system version and Internet Explorer version. The information that is stored cannot be associated with anything that is unique or personally identifiable about you or your computer.

------ end quote