Read the Fine Print
nihilist_1137 writes: "This story is about how MS changed its EULA and you just gave them control of your computer. In the section on Windows XP Professional, 'Internet-Based Services Components' paragraph says in part, 'You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer.'"
"may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer."
If you would consider the average user for a moment. He does not give a damn about most issues you would start campaigns for. All she/he cares for is whether he can watch movies, listen to music and basically create word documents. So would he not like automatic fixes of bugs? From his point of view, it would be convenient.
It's about time you took note of the average userbase Microsoft are aiming for with XP.
-Shaunak.
Doesn't this just refer to the option to have XP auto-update your pc? You can turn that option off on the desktop if you don't want it, and the first time it runs it prompts you for what its default behavior should be.
.....between a Microsoft Product and a Virus/Trojan ?
The EULA.
We've been complaining on this site for months, if not years, about Microsoft's security. They have a bug? We want a patch right away. We complain about downloading patches? Microsoft makes the system able to download and install them itself. All the user has to do is set up auto-install of new updates.
But that's not good enough, because too many users/sysadmins are too stupid to turn this on or check it regularly. So we complain that Microsoft isn't doing enough -- that they need to make the OS download security upgrades automatically, whether or not the stupid user asks for it or not. This, we argued, is the only way Microsoft can stay ahead of security holes and make sure we take them up on the patches.
So Microsoft does this. But because doing so requires the user to agree to let Microsoft access and update their system, they have to add it to the EULA.
And then Slashdot complains that MS is taking too much control.
The mind boggles.
From the website
"XP-AntiSpy is a little utility that lets you disable some built-in update and authentication 'features' in WindowsXP. For example, there's a service running in the background which is called 'Automatic Updates'. I don't know what this service transfers from my machine to other machines on the internet, especially the MS ones. So I play it safe and disable such functions. If you like, you can even disable these functions manually, by going through the System and checking or unchecking some checkboxes. This will take you approximately half an hour."
An Education is the Font of All Liberty
(1) I have not seen any credible posts demanding that auto-download and install of patches be on by default on Windows systems. There have been buggy patches before for Windows, could be again.
(2) Slashdot isn't a unitary entity. If you make the mistake of expecting every J. Random Poster's comment taken together to represent a coherent position on anything, you will be disappointed.
On the contrary, sysadmins are advising that users disable automatic updates on XP because of the tendency of the auto update facility to replace, for example, working drivers with faulty ones, as well as not providing information on which packages are being downloaded. (Read that in an article somewhere. Never used auto update myself.)
I do see this as a privacy concern, because it is only with XP that windows update does not say "this is done without sending any information to microsoft." All other versions of windows use the anonymous facility, so they already have a working production update system which they've replaced with this more invasive version. -Coinciding with the EULA changes.
Whether it is an intentional attack on privacy/piracy or simply that MS decided the old mechanism wasn't efficient enough over a slow connection (or some other technical reason) is speculation.
I'm really quite surprised that there hasn't been a big backlash from the legal departments of corporate customers over the text in the license agreements from software makers like Microsoft.
Most of the large organizations that I've worked with have relatively paranoid legal departments. The average person cannot, for example, sign a non-disclosure agreement, vendor contract, or do anything else that binds the company without having the document scrutinized in excruciating detail by the company's legal department. And, as anyone who's ever been through this process knows, excruciating is the correct word for this situation.
Yet people install software all the time that binds the company to ridiculously one-sided terms: This software is ours, not yours. Unless it breaks: then it's yours, not ours--and we're obligated to do everything up to and including nothing to help you.
It seems to me like two possible explanations exist--neither of them pleasant:
- Legal departments aren't challenging shrink-wrap licenses because they feel they're not really enforceable contracts. This seems to fly in the face of things like UCITA, though, which allow the software vendor to say "W3 0wn j00" in their license agreements with the force of law to back them up.
- Legal departments aren't challenging shrink-wrap licenses because they realize that most of the time they're dealing with a powerful monopoly--and that the choice is to accept unconscionable terms or simply be unable to perform essential functions. Most legal departments don't understand open-source software, and I think Microsoft's done a good enough job with its fearmongering campaign about the GPL that there will be a lot of hesitation even if the light bulb ever does come on.
There's also the issue of who's allowed to "sign" these things. In most corporate-user situations, the user doing the software installation (and therefore "agreeing" to the click-wrap terms) isn't a corporate officer or someone who's been delegated the authority to bind the company to a set of terms--no matter how reasonable. This seems to me to be pretty dangerous. In the case of a dispute with the vendor, it could potentially put the user at personal risk for representing they had the authority to bind the company when, in fact, they did not. While the economics of pursuing an individual over a company's breach of the license "agreement" probably don't make sense, this remains at least a theoretical risk.
We've been complaining on this site for months, if not years, about Microsoft's security. They have a bug? We want a patch right away. We complain about downloading patches? Microsoft makes the system able to download and install them itself. All the user has to do is set up auto-install of new updates.
The problem is when you not only tell it you do NOT want auto-updates but also you STOP THE AUTO UPDATE SERVICE and then, when your computer becomes unbearably slow and unresponsive you check the process list and, uh, what's that, autoupd using all my CPU time?! But I told it I didn't WANT auto updates! ARGH..
It really happens... You cannot turn off auto updates in XP.
-- iCEBaLM
"Several readers were also worried that Microsoft's broad assertion of its right to access their computers would force their companies into noncompliance with government security guidelines and various privacy laws. This concern was exacerbated by additional PUR language in the same Windows XP section. In terms of "Security Updates," users grant Microsoft the right to download updates to Microsoft's DRM (Digital Rights Management) technology to protect the intellectual property rights of "Secured Content" providers. It says Microsoft may "download onto your computer such security updates that a secure content owner has requested that MS, Microsoft Corporation, or their subsidiaries distribute." In other words, it would seem Microsoft's idea of a security update is one that protects the property rights of vendors, not the security of customers' systems."
What Microsoft is preparing us for is the next step: No root access to a machine.
This is scary ass stuff. Note that MS's EULA gives them the right to change these license terms on a whim. Your license with MS is one sided, MS can change anything they like, and you have no rights other than those MS chooses to grant you.
Running a business on such a system to me would seem an unwarranted risk, especially given MS's pathetic record when it comes to security related bugs and holes.
What MS is saying is that they have "root" access to your machine and can read anything or install anything at will.
This is clearly over the line. NO OTHER industry in the USA can sell a product and attach the kinds of "strings" to its use, while disclaiming any and all liability for defects as the software industry.
MS and other proprietary software vendors have had it totally their way for too damn long. We need some sort of law limiting what can be in a EULA, restoring the "first sale" doctrine, and at the very least, a right to "opt out" of new license changes made AFTER the sale.
The best solution is to use Linux or other OSS software. Sooner or later, Microsoft and their goons will go a step too far, and the business world will realize the danger of allowing such megalomaniacs THAT kind of control over their information system arteries.
If this little nugget isn't it, WHAT will be?
=== The price of freedom is eternal vigilance
I think the most important issue here is that MS can have its OS's download and perform upgrades WITHOUT having to have this kind of language in the EULA.
All it would need to do is have an automatic wizard pop up every week (or month) or so and ask your PERMISSION to check for and download the latest updates. The Wizard can even provide a lengthy explanation of what it's about to do for those who want more information.
That is all that's required for REAL updates.
This language in the EULA sounds like it might be giving them EXTRA permission to do other things. Checking version numbers of WHAT software? As someone else pointed out, will this include OfficeXP? Is it checking for pirated warez?
So despite all of the people up here screaming that ONCE AGAIN the /. crowd will do anything to bash MS, there is something to be concerned about here.
Rich...
Ignore Alien Orders
Ever hear of port 80? Web services?
MS doesn't need a big hole. SOAP would do fine.
1-> i connect to a server and get a list of stuff thats updated. then my computer makes a decision.
the eula above
2-> their server can connect to mine and poke around at will.
up2date is a choice and not required by the installation. you must register your computer to use up2date. up2date is not something you explicitly agree to when you install the operating system.
to me there is a big difference.
-- john
There's no justification for needing legal authority to install anything, as the system functions today. To "need" this level of authority, Microsoft would have to argue that THEY, not you, are in fact installing the software in question. In my opinion, (not a lawyer) that's crazy.
In order for the software to be installed, you (a person of sound mind and body) have to take the active step of saying "Yes." You're doing it. It's one-click installation, but you made the choice.
Unless future versions of Windows Update will automatically install things? I don't know whether to laugh or cry.
Got Code Red Part 44 after the Code Red Part 43 patch auto-installed? "Sorry, you agreed we could install anything we want, including buggy, poorly-tested code."
After all, Microsoft would never release a patch that opened up new holes in the feature it was supposed to fix. (Or in other random products.) Anyone claiming contrary will be burned as a witch.
Who did what now?
This is a tech "shock" article, designed to get zealots in an uproar, and it should not even be bothered to be read.
Google's Toolbar does the same thing, according to their official-until-we-change-it legalese
The difference is Google only checks for a single piece of information on a single piece of software and my system does not depend on this software to run. I have never had a Google Toolbar update screw up my entire system or even introduce another bug or open security holes. Google also has a pretty good privacy policy for which it has an excellent track record for following. In short, Google has earned my trust, Microsoft has proven time and time again they can not be trusted and it will take more than setting aside 28 days out of the last 20 years to fix problems to restore that trust.
"Our products just aren't engineered for security,"
-Brian Valentine, VP in charge of MS Windows Development
For example in Germany the whole EULA is completely void, that's why there are no longer OEM-licenses in Germany. (Courts said that users could use them everywhere, not just on the computer it came on)
The funny (or sad) part is that Microsoft also does not follow their own EULA in Germany: You don't get any refunds.
But they still ship everything with the EULA...
What about OEM installs of Windows? People who buy a computer from Office Max or Wal-Mart don't ever get the "Agree/Disagree" prompt. Usually there's a little book that says "For distribution only with a new PC." inside the box, but does it ever say anywhere "Read me or die a horrible death?"
A solution to the problem with music today
Has anyone else noticed that the windows update with XP no longer says what the 98/2000 versions used to say something along the lines "does not send any information to microsoft" while checking the installed updates.. This has changed to "Windows Update does not collect any form of personally identifiable information from your computer."...
Slight wording differences.. but still... what is "personally identifiable information"? For the longest time, an IP address did not fall into that category.. but as anyone knows... an IP address can id quite a lot...
The privacy policy for windows update has:
-----start quote..
Windows Update Privacy Statement
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of information from your computer. This information includes:
Operating-system version number
Internet Explorer version number
Version numbers of other software
Plug and Play ID numbers of hardware devices
Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information. The information collected is used only for the period of time that you are visiting the site, and is not saved.
To provide you with the best possible service, Windows Update also tracks and records whether the download and installation of specific updates succeeded or failed. Windows Update records the ID of the item that you attempted to download and install, and information about your operating system version and Internet Explorer version. The information that is stored cannot be associated with anything that is unique or personally identifiable about you or your computer.
------ end quote
--
Time is on my side