Examining Microsoft Update
eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."
Remember the little "No information is being sent to Microsoft at this time...." message during updates? Wait, why am I laughing?
I am shocked - shocked - by this revelation.
I can see a legitimate purpose for it, from a bug-hunting and trouble-shooting standpoint, but I am highly skeptical that these are the only ways that this information is used. For instance, I expect that if MS sees a high number of installs for a particular app, that it might decide to include that app in the "OS", such as a personal firewall, for instance. Oh, wait...they already did.
An interesting compare/contrast to see is what MS license agreement says about this and what their public statements have been.
Also, is there going to be a DMCA action here? Ugh.
GF.
Lots of petrified grits
The EULA also says that they can delete what they want (at least what they say that violates DRM, and their software is not known to be very intelligent), and have others that say something like they own all that you transmit through their servers...
In fact using their software (and then accepting the EULA) is like simply closing your eyes and praying that the big depredator which is in front of you isn't hungry right now, and will not be for all the long time you are there.
In fact the article says the biggest privacy concern is the hardware list, which doesn't seem that big a deal to me.
... you'll see that - contrary to the Inquirer story - it doesn't include anything about 'installed software', with the exception of device drivers. No applications, no utilities - nothing that MS is likely to want to compete with, and indeed nothing that MS doesn't overtly mention in its own privacy policy.
So what's the problem?
I did that once, I was sorry. windowsupdate showed an "updated driver" for my vid card on my laptop (neomagic, I think). Now, normally I don't go and update device drivers unless there is some specific reason (something not working/ incompatible with some software), but I thought I'd give it a try.
What a mistake. When I rebooted I started getting error messages and it threw me into generic VGA. I had to then dig out the disks that came with the thing and re-install the driver.
Since then, I've avoided this like the plague. Sorry, I'll update any non-ms software myself, thanks. Windowsupdate is convenient given the number of "security updates". It saves me from having to keep track of what I've installed on my machines and it is fairly painless to go out there a couple times a month to see what is available.
But it also encourages the mindset that you should install software updates just because, well, it updates you to the latest version. Updating windows with all the latest security patches, fine. Updating IE or media player just because there is a new version? No thanks.
Same goes for drivers and non-ms software. I'll grant that it would be convenient to see that there are updates and then be able to install right there (remember Oil Change?), but I personally don't always need to keep my apps and drivers "up to date", especially if they are working fine otherwise.
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
One, a majority of Windows Users like what Windows Update does for them. Hell, I as an IT Administrator (who also manages several Linux servers) like what it does for me. I spend enough of my life as it is reinstalling Windows due to system failures, upgrades, employee arrivals and departures...there just really are more interesting things to do in life than browse Microsoft's site for patch updates. Really. Windows Update and Office Update probably halve or third the time I have to spend per box to make them as secure as I'm going to bother with.
Two, Microsoft is just doing what all companies have figured out works - mentally tire out the masses. If you start Windows Update three years ago, and say that no personal information is sent, you can have a debate about what 'personal information' means, and you can even slowly ratchet up how much is sent.
Great. But who's going to object? Shareholders, who at best can create non-binding resolutions to change policy in the company? Whether personal information is taken by force or otherwise doesn't matter to them. They want higher stock prices.
Executives and whistleblowers in the office? We have to define what 'personal information' means again.
That leaves customers. And even if your local news does a big 'exposé!' on how Microsoft lies to you about what information is sent to them, how long can people stay mad? An evening? A week? People can't keep enough rage bottled up to do anything about these things. People aren't being denied the right to vote, they're just being lied to. And we know how people rationalize politicians doing that to them already.
Personally, if Microsoft just tells me (and they do) what they're taking from the computer, great. But the fact is, even if they were copying the whole contents of my hard disk, my choices would be not to use Windows Update at all and waste a lot of my life staring at the Microsoft Developer's Connection, or to use it anyway. (Linux, not having, say, Visio, is not an option for my company). And most people just don't care, so they will no matter how onerous the terms...until it gets as bad as 'Your personal data is being transmitted and archived to Microsoft'.
What if your personal data was sent and temporarily cached, for virus scanning, even with the best intentions? Some might STILL sign up. Give it thought...
Personally, I like the way cvsup works. You ask for what you need and a file list. Or so it seems.
cvsup is far more invasive than Windows Update. When you run cvsup, it sends a list of all your files (in the relevant directory, of course) to the server. The server then looks at the list you're sending it and decides what you need to have updated.
Tarsnap: Online backups for the truly paranoid
The list of patches that Microsoft must have is HUGE
Yes, as it is for any OS vendor. But so what? How much data do you actually have to send? Not a whole lot - just enough to identify what piece of software it's for and what version it is. If you can't store all of that in, oh say, 20 bytes, then you're screwed in oh-so-many ways. Hint - encode the software identifier in a 32-bit or 64-bit number, and the version string in the remaining bytes.
So, let's say you have 1000 patches available for the OS in question -- and, yes, patches are OS specific and MS has that much info from you already. That's a 20,000 byte download. Even at 14.4k it's only 20 seconds. Big deal.
The system then has to process the list and figure out what it may need, then request additional data for each potential patch... but you're going to have to download that information anyway, and there is minimal additional overhead.
It might take slightly longer, particularly over slow links, but it's a hell of a lot more user and security friendly.
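The scheme this comment describes, as an added example that is not part of the original thread: the server publishes one fixed list of 20-byte records, the client compares it against its own inventory locally, and only the ids it decides to request ever leave the machine. The 8-byte id plus 12-byte version layout, the function names and the sample ids are assumptions made for illustration, not any real update service's format.

```python
import struct

# Assumed layout (not from any real update service): 8-byte software id
# followed by a 12-byte NUL-padded ASCII version string = 20 bytes per record.
RECORD = struct.Struct(">Q12s")


def parse_version(text):
    """'6.0.2800' -> (6, 0, 2800); tuples compare numerically, so 9.0.10 > 9.0.9."""
    return tuple(int(part) for part in text.split("."))


def build_catalog(entries):
    """Server side: pack (software_id, version) pairs into 20-byte records."""
    out = bytearray()
    for software_id, version in entries:
        raw = version.encode("ascii")
        if len(raw) > 12:
            raise ValueError(f"version {version!r} does not fit in 12 bytes")
        parse_version(version)  # refuse to publish a version the client cannot compare
        out += RECORD.pack(software_id, raw)  # struct pads the version with NULs
    return bytes(out)


def parse_catalog(blob):
    """Client side: decode the downloaded list, rejecting truncated data."""
    if len(blob) % RECORD.size:
        raise ValueError("catalog length is not a multiple of 20 bytes")
    catalog = {}
    for software_id, raw in RECORD.iter_unpack(blob):
        version = raw.rstrip(b"\x00").decode("ascii")
        current = catalog.get(software_id)
        # If an id is listed twice, keep the newest version.
        if current is None or parse_version(version) > parse_version(current):
            catalog[software_id] = version
    return catalog


def needed_updates(installed, catalog):
    """Compare locally; the return value is all the client has to request."""
    return sorted(
        software_id
        for software_id, have in installed.items()
        if software_id in catalog
        and parse_version(catalog[software_id]) > parse_version(have)
    )


# Constructed sample data: ids and versions are made up for illustration.
CATALOG_BLOB = build_catalog(
    [(0x1001, "5.1.2600"), (0x1002, "6.0.2800"), (0x1003, "9.0.10"), (0x2001, "1.4")]
)
INSTALLED = {0x1001: "5.1.2600", 0x1002: "6.0.2600", 0x1003: "9.0.9", 0x3001: "2.0"}

if __name__ == "__main__":
    wanted = needed_updates(INSTALLED, parse_catalog(CATALOG_BLOB))
    print("catalog bytes:", len(CATALOG_BLOB))
    print("ids to request:", [hex(i) for i in wanted])
```

Software the catalog does not list (id 0x3001 in the sample) never appears in any request, so the server learns nothing about it.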
I've just read the mirrored PDF to the end (try it sometime...) and the article itself says that the process does *not* get a list of all software but *may* if M$ decide blah, blah..
Nothing to see here other than dotters frothing
The majority of the world is not going to be aware that Microsoft is "Evil" or at least that they are intruding on personal privacy. Microsoft knows this, that's why they let sites like Slashdot live, because it gives those of us who are in-the-know a place to rant and feel like we're doing something about all the Intellectual Property and Privacy B.S. that's taking place. We rant among ourselves, and the rest of the world is oblivious.. and Microsoft continues to make money off the oblivious.
Microsoft isn't going to get nervous, and things won't change for the better until someone makes a movie about this whole mess. That way, not just us 'smart' people will know what's going on, but the knowledge and severity of what's going on will actually be accessible to those who aren't very 'smart' (aware of the computer industry and current intellectual property issues, and how they affect everyone).
If the information is dumbed down and put into a drama, then hundreds of thousands of people would be aware of issues we've all been worrying about and fighting for for years, and it would happen overnight.
~ M. Night Shyamalan, do you read Slashdot?
"You do not associate with us because we are different. We do not associate with you because you are stupid."
Why doesn't some enterprising individual simply monitor Microsoft's various OS's for updates and then link to the downloadables? Of course, it would be possible for MS to remove downloadables but then this really causes frustration for those who are maintaining systems that cannot access windowsupdate.com. I'm not sure that they could do it - they'd have to install spyware in the actual patches. But then we could configure the firewall to block everything MS.
Or we could all just get Macs. I'm almost there, unless someone can put together a KDE or Gnome with some usable functionality (like device management and system configuration in ONE GODDAMMED FUCKING LOCATION).
Apple!!!! Bring OSX to X86 and we will make it worth your while!
Life is the leading cause of death in America.
Even if the poorly designed manufacturer's website is the only one with the working driver?
I had a bad experience along those lines with the Windows Update site, where a particular sound driver (I forget which, at the moment) from them would not work with my hardware, where the one from the manufacturer's website did.
All I want is a kind word, a warm bed and unlimited power.
They could do it all client-side, keeping the data store and package list available locally.
Portage (I assume) doesn't tell gentoo home base what packages I have installed, but it knows which ones I need all the same.
Give me a break. You're acting like windows users should be living with a constant fear that Microsoft "agents" will suddenly appear at their front door to give them a beating.
Ummm, years ago when I was in high school and working for my mother, we had purchased a software package from a company that wrote medical office management software. I had noticed that all of the manuals were photocopied and we had no original disks for Microsoft software that was included in the package. I called Microsoft about this and they had in our office the *next* day two dudes from Microsoft and an FBI agent asking to examine our computers. We ended up getting screwed because the guy whose software we purchased was smacked hard by M$ as the package we bought went unsupported after that.
Of course this guy was absolutely stealing and should have gotten what he deserved, but my point is simply that, yeah, there are Microsoft agents of a sort and they do show up at your door.
Visit Jonesblog and say hello.
How is this insightful? More like "Vehemently anti-Microsoft".
When it comes to Windows users, I really do blame the victim. There's a point where a reputation becomes so soiled, so repeated, and so publicly, that it really is either dishonest or stupefyingly negligent for someone to say they didn't know. There just aren't any rocks in the world that are big enough for someone to live under and not hear about Microsoft.
Would you mind pointing out some of those instances where Microsoft abused the privacy of their customers? Given your claims of the prevalence of such information, I'm really eager to listen to the examples you surely will be able to give. Undercutting Netscape and extending Java don't count, by the way, and only the fervently anti-Microsoft can't see the grayness in those areas (i.e. Microsoft is hardly the villain).
For all of the "I told you so!" rhetoric in here (hardly surprising), I personally find Microsoft to be one of the most trustworthy companies when it comes to privacy: They have gone far above and beyond the call of duty time and time again to put the privacy of their customers ahead of the value of the information. If, indeed, this is sending information on other products installed I would bet a pretty good penny (two pennies in fact!) that it is entirely unintentional.
I don't see why their jackbooted BSA/Microsoft thugs don't work in the following manner.
BSA/Microsoft accuses you of being a pirate of the high seas, and demands license proof. Microsoft puts up $LARGE_SUM to a trusted authoritative third party. Audit ensues, licensing is verified.
If you are stealing software, BSA/Microsoft gets $LARGE_SUM back, and the entity stealing the software has to pay $FINES, $LICENSES, or $OUT_OF_COURT_SETTLEMENT.
If your licenses are in order, or you are using GNU/Linux, BSA/Microsoft's $LARGE_SUM is awarded to you, covering your work disruptions, legal fees, and more.
This is how it works at the local track if you think one of your competitors has modified their engine outside of the class specifications. You pony up for the accusation and get rewarded if it's true, and take a loss if it's not.
(Last Updated 10/15/2002)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.
Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.
Maybe you should verify the information before automatically declaring "Microsoft is evil" to any and all anti-Microsoft posts.
I like my women how I like my sugar.. granulated.
Secondly, there's no way I can believe that ms would acquire your data and subsequently throw it away. None. They are gathering stats and keeping them.
I wonder, is microsoft using their autoupdate site to spike or sabotage their updates on old products to force the users to purchase newer upgrades? I am an avid (and registered) user of windows 98 2nd ED for 2 of my machines. The others run BSD, RH Linux, and Solaris, it seems like the more I update from the original install the worse it operates, on both machines, new and old. I figured it was my own machine until I reinstalled the entire os and performed an internet upgrade. Now the explorer locks up after upgrading a clean install but not before. The entire pc gets unstable after upgrading and I am concerned that they are sabotaging the upgrades to create instability to force me to buy their new XP. I WILL NOT BUY OR UPGRADE TO XP! This is insane, I wouldn't run Windows at all if all the darn games that I play worked on other OS's. Just my 2 cents. Hey, and let me know if they are sabotaging their upgrades or it's just me.
Got a similar story: A friend of mine works for a small chemical company. One day out of the blue, a MS rep. walked in and flashed his MS ID and demanded (demanded!) to be allowed to inspect all their computers for unauthorized MS software. He acted like he was some sort of official, or government agent or something. The freakin' audacity!
Anonymous Cowards suck.
Damn it, if Microsoft is going to collect information on software on my machine, the least that the bastards could do is give me the latest patches for Age of Empires II and Age of Mythology. Geez!
Now I have to go download them myself. Thanks a lot, Microsoft.
First of all, nowhere in either article does it say that Windows Update is sent info on what software you have installed. The pay-per-view article mentions that it does send hardware info, though. But we knew that via both the EULA, and the fact that this is the intended purpose, to update drivers for hardware and OS patches.
Don't believe the alarmist titles to articles. Do you all fall into this trap with the evening news as well? "Tune in for the Radon discovery that just might save your family's life."
I know that you guys are smarter than this. Use your brains.
what? what I thought we were in the trust tree in the nest, were we not?
Microsoft doesn't offer updates for SQL Server or Office, or Photoshop for that matter, via WindowsUpdate. So why do they need that information to NOT supply updates for those programs?
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
My friend, Virtual PC does run BeOS. However, that said, there is a major bug. I can do everything with it, except type; it hangs on keyboard input. That said, I get a 16 bit 1200 x 1600 display for BeOS with the ability to run any application natively installed on the OS, plus some downloads which I used shared disks to transfer into Be.
ANYONE know the IP's, Subnets, and/or hostnames that Windows uses for updates?
If anyone knows where it connects to for updates please post it, thanks !
So my concern is with respect to the integrity of the fly-by-night free software. Specifically, does my debian/testing system send back my playlist from gqmpeg and my viewing habit from galeon?
Should I change to OS-X??
Thanks
concerned linux user.
/. paranoia strikes again. All this information is available in the Windows Update Privacy Statement. I guess it's good that someone bothered to verify, but this "scoop" is not much of a shocker.
I really like the way Sun handles patches, they have a much more intelligent system that doesn't rely on invading your privacy. Here's how it works:
1. You download the patchdiag.xref file from Sunsolve. This file is updated daily and contains a list of all patches available for all versions of Solaris. It's currently about 1.4 megabytes in size. You only need to download this once, throw it up on an NFS server and all of your Solaris hosts can use it.
2. You execute a Perl script called patchk.pl that compares your currently installed patches with what's available for your OS and generates an HTML page that is automatically opened in Netscape. The HTML page simply lists every patch you need and has check-boxes, a lot like Windows Update.
3. Check all the boxes for patches you need and click a button at the bottom of the page and Sunsolve generates a tarball of all your patches for you.
4. Download tarball and install from single user mode.
That is the proper way to do it, and it seems like Windows Update used to do that in previous versions but the xref file got to be too big for every single client to download every time. MS should provide an xref file that Windows administrators can download and run Windows Update across their enterprise using the xref file, not sending any information to Microsoft.
Sun has been selling systems to three letter government agencies for quite some time that would never even consider purchasing a product that "phoned-home". If Microsoft wants to play in that ball-game they need to pull their head out of their ass and provide real enterprise level patch management.
P.S. The ability to roll-back a failed Windows Update would be nice too...
"When the president does it, that means it's not illegal." - Richard M. Nixon