Slashdot Mirror


Examining Microsoft Update

eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."

28 of 773 comments

  1. Complete Breach of Trust by SUB7IME · · Score: 3, Insightful

    Is this not a complete breach of the TOS that Microsoft offers when you sign up for Windows Update?

    If not, it's at least a huge breach of trust, and users should not stand for it.

    1. Re:Complete Breach of Trust by teeker · · Score: 5, Insightful

      This isn't just some random company that nobody has ever heard of, with a clean slate. It's 2003. When people deal with Microsoft they know what they're getting into, regardless of what Microsoft says.

      Sorry, I'm gonna call bullshit on this one. While it's true that people involved in the industry generally know what's up, many people outside of it don't. People who have better things to do than read IT-related media get all of their news about MS from totally mainstream sources in the first place, and a lot of people could really give a rat's ass about today's MS article on Yahoo's front page. As far as Joe Sixpack is concerned, it's an IT-related story, and he probably doesn't care what it says. If you are not into the theatre scene, do you read reviews for every play in your area? If you are not interested in business, do you read every story in the business section? Probably not, and my mother doesn't read every story about Microsoft.

      Saying that the victim is at fault is not a solution to the problem, and is not an excuse for bad behavior on MS's part.

      --
      teeker
  2. I wonder what Virtual PC sends ... by adzoox · · Score: 4, Insightful
    I wonder what Virtual PC sends, whether it sends only the info in the Windows Drive image or everything on the Mac.

    This may also be an ulterior motive for Microsoft buying Virtual PC from Connectix last week. They want this same data from Mac users. I imagine if it's not there then it will be added to read all partitions: Mac/Linux/PC.

    Knowing what your customers have on their hard drives is sensitive corporate data. Basically, you know the Hot or Not Programs in the industry and then develop programs based on their hard drive residency!

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
  3. EULA says they can take what they want by RichMan · · Score: 3, Insightful

    According to the EULA for the latest versions of the OS Microsoft has the right to read any data you have stored on a computer which runs the OS.
    Theoretically this includes data dumps of hard drive formats which the OS does not even support.

    1. Re:EULA says they can take what they want by Nursie · · Score: 3, Insightful

      Well yeah, they're going to make sure they cover their arses.
      I thought this sort of outrage was already covered by the change in TOS brought in by WinXP SP1? (i.e. we will take whatever info we want from your machine, and if we don't like it we'll lock you out.)

    2. Re:EULA says they can take what they want by malfunct · · Score: 5, Insightful

      I'm not defending Microsoft here, but nothing in the blurb that you posted says that MS won't collect the list of software on the machine. To play devil's advocate, it's pretty easy to say that the installed software is part of the configuration information on the machine. Further, it makes some sense how this is useful in picking which patches are presented to you. If there is a patch in Windows Update that fixes a bug that affects 1 software package in the world that 1% of users use, then wouldn't it be useful to scan to see if that is installed and only present the patch to the 1% of users that need it? Especially given that many bug fixes cause bugs in other software that relies on the broken behavior or some kludgy workaround.

      --

      "You can now flame me, I am full of love,"

    3. Re:EULA says they can take what they want by mrpuffypants · · Score: 3, Insightful

      Notice, however, that it says it includes that information... that can very well just be a part of what they are collecting, and the only part they are telling you about.

    4. Re:EULA says they can take what they want by aug24 · · Score: 4, Insightful
      Clearly YANAL (You are not a lawyer)!

      Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

      If a lawyer writes "this information includes...", then that's exactly what they mean. They don't mean that it is a complete list; there may be other stuff that they're not explicitly telling you about.

      Justin.

      --
      You're only jealous cos the little penguins are talking to me.
  4. /Tin Foil Hat Off by GLX · · Score: 5, Insightful

    The reason why it sends info about other applications (and third party drivers for that matter) is so that they can attempt to be a single-source vendor of patches if needed.

    While the intentions may not be all that honest, it's not a horrible idea. I've noticed numerous times when running Windows Update that it's offered to upgrade my Cisco Wireless LAN software as well as my Epson print drivers. Kind of nifty and not all that bad, if you ask me.

    --
    Sig (appended to the end of comments you post, 120 chars)
    1. Re:/Tin Foil Hat Off by Atzanteol · · Score: 4, Insightful

      But why must this be done on the server, and collected at Microsoft? Can't the client download a list of what MS has for updates, and decide what the local system has?

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    2. Re:/Tin Foil Hat Off by Com2Kid · · Score: 3, Insightful
      • While the intentions may not be all that honest, it's not a horrible idea. I've noticed numerous times when running Windows Update that it's offered to upgrade my Cisco Wireless LAN software as well as my Epson print drivers. Kind of nifty and not all that bad, if you ask me.


      Driver updates? No problem.

      SOFTWARE updates? Uh. Problem.

      Windows Update is responsible for updating my SYSTEM, thus the term Windows Update, not "universal software updater" or some other such silly name.

      Besides, last time I let Windows Update update my drivers it replaced my Matrox G400 driver with a French G400 driver that refused to be uninstalled. . . .
  5. No verification possible... by Reinout · · Score: 4, Insightful

    Nice claims, but the free part of the article doesn't show any actual examples of data that's transmitted. At least not data apart from some generic XML tags.

    Any easy way to verify this ourselves?

    I'm suspecting their claim is true, but I'd like to see the data...

    Reinout

  6. And I should be surprised why? Also, a suggestion. by Jack+William+Bell · · Score: 4, Insightful

    Although I often semi-sorta-half-hearted-defend Microsoft when people make unsupported categorical statements or otherwise speak mindlessly, I am also willing to speak out against them when they are wrong. As in this instance.

    I would have to do some research, but I believe this might violate their own privacy policy. Even if it doesn't, they really have no moral right to send any information about your system without letting you know what it is and giving you a chance to abort the whole thing. Yet I am unsurprised, in fact I expect every big company is doing this kind of thing when they can get away with it.

    Not that I am saying "Everyone is doing it, so what is the big deal?" My attitude is more "Let's stop this crap now!"

    So I have a suggestion -- someone should start an open source project to create a re-writing proxy for updates that strips out all the stuff Microsoft is sending in the updates, except what is absolutely needed. Make it open enough that we can plug in re-writers for other companies as well.

    --
    - -
    Are you an SF Fan? Are you a Tru-Fan?
  7. Re:Haha by Ian+Wolf · · Score: 4, Insightful

    A cow-orker of mine actually argued with me one day that "No Information" really meant nothing, nada, zilch was sent back to MS.

    I should have taken him out back and beaten him with a frozen salmon. Hello!? How do they know what patches you need if they can't look at your system and tell their servers what you've already got.

    The fact that the program takes the time to rifle through the system is of no surprise to me. While I think the practice stinks, it hasn't stopped me from using the service though. Given the choice between MS finding my installation of UT2003 or some script kiddie looting my system, I'll choose the former.

    --
    "The words of the prophets are written on the Slashdot walls."
  8. Re:Haha by AyeRoxor! · · Score: 4, Insightful

    "I should have taken him out back and beaten him with a frozen salmon. Hello!? How do they know what patches you need if they can't look at your system and tell their servers what you've already got."

    They could send a complete list of available patches to your system and let the client running on your computer pick which ones are necessary, without Microsoft ever knowing what software you have installed. Granted, they could deductively determine what hardware you use based on what patches you then request, but since you can only download patches for Microsoft software, the best they could do would be to determine what hardware and Microsoft software you currently have installed.

  9. Re:Surprise, surprise... by wilstephens · · Score: 3, Insightful

    The manufacturer's website was in Japanese only, and I had no idea how to navigate, let alone install a Japanese application.

    And, yes, I am lazy. How did you know?

  10. Re:Surprise, surprise... by Anonymous Coward · · Score: 5, Insightful

    Microsoft needs to collect this information for driver updates and other *useful* updates.

    No they don't. They can just send a list of updates to the client, and the client can display the updates that apply to your computer. This is why Microsoft can claim no information is being sent to their server: because sending information isn't necessary.

    This is actually how APT works.

  11. Re:Surprise, surprise... by Ian+Wolf · · Score: 5, Insightful

    If I tell Windows to look for the drivers for a particular device, then by all means probe the device for information about it. How does scanning all installed applications aid in this endeavor?

    If the reasoning was to better detect and avoid application conflicts I would possibly agree with this method, but the software clearly doesn't do that.

    --
    "The words of the prophets are written on the Slashdot walls."
  12. Re:Surprise, surprise... by Ballsy · · Score: 5, Insightful

    Never confuse "Lazy_ass_user computing" with "computing for people who have better things to do with their time than fuck around searching for drivers on some poorly designed manufacturer website".

  13. Windows Update Privacy Policy by jamesbulman · · Score: 3, Insightful

    Has anybody actually read the policy? If you read it, it doesn't really sound like they've done anything they said they wouldn't.

  14. Re:Surprise, surprise... by Tellarin · · Score: 5, Insightful


    So this person with such precious time should think twice before buying products from a company with such a "poorly designed website" or that doesn't ship a version of the driver with the product.

  15. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  16. Re:Surprise, surprise... by japhmi · · Score: 3, Insightful

    But why send a complete list of all of the programs on the computer? Why not send "Windows 98 SE, IE 6.0," and a few things that Windows Update can actually help with, and not that I am using the WordPerfect suite and not MS Office (quick, apply the "SlowWordPerfect()" operation! and the MakeMozillaCrawl() one too!)

    I know it's a bit of paranoia, but I'd rather them not know what I've got running at all, but I'll let them know what MS software I have because that's what I'm getting fixes for.

    --
    "Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
  17. WU doesn't send software list by phasm42 · · Score: 3, Insightful

    There are a lot of people in this thread that realize that WU does NOT send a list of all software installed, but they are being drowned out by the highly rated comments about the evils of MS. The "software list" is actually a list of drivers installed, which is fine, because MS will post updated drivers for you to download. It should also be noted that one of the articles posted is from the Inquirer, the same people who predicted hell on earth in y2k, and believe in tinfoil hats.

    --
    "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
  18. How does this differ from RH Update? by Canabinol · · Score: 5, Insightful

    I use the Update Agent in RedHat almost on a daily basis - the RH Network knows absolutely everything about my setup (programs, modules, etc.) right down to what version of the Kernel I'm running - that way they can inform me of vulnerabilities and problems that I'm probably susceptible to as soon as there's an update available...it's a "good thing".

    Why is it that when Microsoft does this kind of thing, suddenly there's a more sinister motive behind it all?

    I don't hear anyone complaining about Redhat's privacy policies...

    1. Re:How does this differ from RH Update? by brettlbecker · · Score: 3, Insightful
      Jesus man, how can you compare them? Did you not notice at all that when you registered for RH update you can PICK AND CHOOSE SPECIFICALLY WHICH PACKAGES YOU WANT TO REGISTER? If you don't want them to know which kernel you have, UNCHECK IT.

      This is such a ridiculous non-issue that completely misses the point. If what this article says turns out to be true, it means that MS is spying on you and offering you NO CHOICE to avoid that spying. On TOP of charging an arm and a leg for PROPRIETARY, SECURITY-FUCKED software.

      Another difference is that if you downloaded Red Hat Linux, you got all the software on there from Red Hat. If you add third-party software, it will only register with Red Hat if Red Hat releases a version of it. This is not the case, if this article is correct, with Microsoft. It will record your software whether it can be updated by MS or not. And that is pointless, unless there is a sinister motive.

      B

      --
      "We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
  19. Re:Surprise, surprise... by Hal+Roberts · · Score: 3, Insightful

    There are still solutions that allow no meaningful information to be sent. For example, why not have the client just ask for new updates since a given date and cache the rest? That took me all of about 15 seconds to think up and would result in far less bandwidth use than sending the user every upgrade applicable to her system every time she connects.

    Either 1) privacy is just not a factor for the folks at all or 2) they want the data for other uses. Most likely it's the former, but the fact that the makers of the 95% market share OS don't care enough about privacy to make it even a small concern when designing systems like this is Really Scary, maybe scarier than them purposefully collecting my data, because at least then there's the possibility that they'll be careful with my data once they've got it.
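
The design several commenters above describe (the server publishes the same catalog to everyone, optionally filtered by a "since" date, and the client matches it against its own inventory), sketched as an added example that is not part of the original thread and is not Microsoft's or APT's code. The catalog format, field names, patch IDs and inventory are all constructed for illustration.

```python
from datetime import date

# Constructed catalog that a server would publish unchanged to every client.
CATALOG = [
    {"id": "P-001", "released": date(2003, 1, 10), "product": "os-core",
     "fixed_in": (5, 1, 3)},
    {"id": "P-002", "released": date(2003, 2, 1), "product": "browser",
     "fixed_in": (6, 0, 2)},
    {"id": "P-003", "released": date(2003, 2, 20), "product": "nic-driver",
     "fixed_in": (2, 4, 0)},
    {"id": "P-004", "released": date(2003, 2, 21), "product": "media-player",
     "fixed_in": (9, 0, 1)},
]

# Constructed local inventory; in this design it never leaves the machine.
INSTALLED = {
    "os-core": (5, 1, 2),
    "browser": (6, 0, 2),
    "nic-driver": (2, 3, 9),
    "third-party-office": (11, 0, 0),
}


def serve_catalog(since):
    """Server side: the only input is a date, so that is all it learns here."""
    return [e for e in CATALOG if e["released"] > since]


def select_updates(catalog, installed):
    """Client side: match catalog entries against the local inventory."""
    wanted = []
    for entry in catalog:
        have = installed.get(entry["product"])
        # Skip products that are absent or already at the fixed version.
        if have is not None and have < entry["fixed_in"]:
            wanted.append(entry["id"])
    return wanted


def server_view(since, requested_ids):
    """Everything the server observes across one update session."""
    return {"since": since.isoformat(), "downloads": sorted(requested_ids)}


def run_session(since):
    catalog = serve_catalog(since)
    wanted = select_updates(catalog, INSTALLED)
    return wanted, server_view(since, wanted)


if __name__ == "__main__":
    print(run_session(date(2003, 1, 1)))
```

The server still sees which patches are downloaded, which is the inference comment 8 concedes, but software with no catalog entry (here `third-party-office`) never appears in anything it receives.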

  20. Linkee no workee by Wee · · Score: 4, Insightful
    Try going to that link with Opera. Even Opera in Windows. You get a nice message needing to install IE "in order to use Windows Update". Can't view their web page or get a list of updates with any other browser apparently. So much for HTML being the lingua franca of the Internet.

    Life's far too short to use IE.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.