Slashdot Mirror
Windows Update v5 Gathering Too Much Information?
LucasR asks: "I was testing out Microsoft's Windows Update v5 and read their latest privacy statement from April 15th of this year, and it appears they are collecting and storing more information than ever. Here is only some of what they are now collecting: computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug and Play ID numbers of hardware devices, and IP address (though only for aggregate statistics so they claim). Some of what they are collecting is really disturbing. I use Microsoft's products but I don't recall wanting them to know everything about my computer and what competing applications I might use. Check it out for yourself. Isn't this amount of collected information a bit much?"
Here's the fixed link: http://v5.windowsupdate.microsoft.com/v5consumer/p rivacy.aspx?ln=en
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
It's a beta site. Microsoft's beta products usually collect more information in order to help recreate failure scenarios. When I've done betas in the past, I've collected additional information for the same purpose, and I disclosed it the same way.
In this case, I'd say "chill." A stable Windows Update is a boon to security.
RomSteady - I came, I saw, I tested. GamerTag: RomSteady / http://www.romsteady.net
The current version is v4, so if you tested v5, you apparently signed up for it, or were invited or decided it was worth it to get on the beta testing team.
Betas usually ask testers to provide more information so that SQA can re-create the problem and such. If you feel uneasy, then don't sign up for beta testing.
"Here is only some of what they are now collecting: computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug and Play ID numbers of hardware devices, and IP address (though only for aggregate statistics so they claim)."
Other than the IP address, I would assume that they would have to know all of that information in order to be able to provide you with all the updates you may need. The hardware information is needed in order to provide updated drivers. I'm going to assume that by browser they mean information about IE, since we all know that that needs fequent updates. The only iffy things I see here is the IP address, and every web page you visit gets that, so I dont think its something to be overly concerned about.
And then there is the version information for other Microsoft software. Personally I love this. I hate having to go to OfficeUpdate to seperately check for updates to office. It would be nice if all my software could get updated thought windowsupdate. But I dont see Microsoft opening it up for other companies to use - so I will settle for just all microsoft software.
I think this is the page they wanted to link to: http://v5.windowsupdate.microsoft.com/v5consumer/d riversquery.xml
p rivacy.aspx?ln=en
Looks like they added BIOS info collection. This is news?
V5 privacy statement: http://v5.windowsupdate.microsoft.com/v5consumer/
v4 privacy statement:
Windows Update Privacy Statement (Last Updated 10/17/2003)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.
Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session, unless the Product ID is not valid.
To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.
It can't identify YOU the individual, but your computer (well in it's current Windows installed state) it can. Presumably they could track what GUID has downloaded what from Windows Update and they could further figgure out what segment of the population is upgrading and who isn't. (based on the data they may also collect such as make and model and software installed)
that's my take on it anywho
There is a nice sample of what they're collecting in XML format. Well, it would be useful if it wasn't for the large block of encrypted into that they don't explain.
Maybe I'm just paranoid but if they're going to give a sample of the collected data, shouldn't they tell what's in that block?
That's not the point of PID validation. If you have 30 PKey's, then you must have 30 Retail Keys, and therefore have to activate them. If it activates, the key is considered valid.
PID disqualification applies to corporate VLK's, which run on versions of XP that don't need to be activated (can you imagine activating 10000 copies during a deployment of XP). Those copies are, of course, ripe for pirating. Apparently, valid VLK's only generate a subset of possible valid PIDs, so they can tell if you are using a bad key (read: keygen'ed key) by the PID and you won't be able to use WU.
You aren't going to get audited with only 30 XP licences. The cost of the audit far outweighs the cost they could hope to make from you. It's like the IRS auditing a 16 year old kid who makes $1500 yearly at a part time job.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
When you run Windows Update, you get the following message:
Note Windows Update does not collect any form of personally identifiable information from your computer.
Under that is a link to the privacy statement telling you what they do collect. Here is the text behind the link:
Windows Update Privacy Statement (Last Updated 10/17/2003)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.
Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session, unless the Product ID is not valid.
To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.
(note that the update date is 17 October 2003)
T.
While nothing actually works, except for the Mozilla-customized CSS, it is rather amusing that I can get it to the real Windows Update website without resorting to User-Agent Switcher.
If you try to go to http://v4.windowsupdate.microsoft.com/, it informs me that I need a Windows operating system to use Windows Update.