Windows Update v5 Gathering Too Much Information?

LucasR asks: "I was testing out Microsoft's Windows Update v5 and read their latest privacy statement from April 15th of this year, and it appears they are collecting and storing more information than ever. Here is only some of what they are now collecting: computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug and Play ID numbers of hardware devices, and IP address (though only for aggregate statistics so they claim). Some of what they are collecting is really disturbing. I use Microsoft's products but I don't recall wanting them to know everything about my computer and what competing applications I might use. Check it out for yourself. Isn't this amount of collected information a bit much?"

Fixed link

[Matt+Perry]

Here's the fixed link: http://v5.windowsupdate.microsoft.com/v5consumer/p rivacy.aspx?ln=en

Standard practice...

[RomSteady]

It's a beta site. Microsoft's beta products usually collect more information in order to help recreate failure scenarios. When I've done betas in the past, I've collected additional information for the same purpose, and I disclosed it the same way.

In this case, I'd say "chill." A stable Windows Update is a boon to security.

Re:Standard practice...

All these anit MS freaks just dont understand. The more data you have, the more accurate your solutions can be.

If there is some obscure driver in a turtle beach sound card which causes an IE update to crash, they will know about it just by the numbers.

Try supporting a 200+ user environment. Then let me know if you think hardware/software reporting are a bad thing.

Way to test the URLs

[np_bernstein]

The editors here are getting paid right?

Beta

[prostoalex]

The current version is v4, so if you tested v5, you apparently signed up for it, or were invited or decided it was worth it to get on the beta testing team.

Betas usually ask testers to provide more information so that SQA can re-create the problem and such. If you feel uneasy, then don't sign up for beta testing.

Don't they need all of that information?

[yotaku]

"Here is only some of what they are now collecting: computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug and Play ID numbers of hardware devices, and IP address (though only for aggregate statistics so they claim)."

Other than the IP address, I would assume that they would have to know all of that information in order to be able to provide you with all the updates you may need. The hardware information is needed in order to provide updated drivers. I'm going to assume that by browser they mean information about IE, since we all know that that needs fequent updates. The only iffy things I see here is the IP address, and every web page you visit gets that, so I dont think its something to be overly concerned about.

And then there is the version information for other Microsoft software. Personally I love this. I hate having to go to OfficeUpdate to seperately check for updates to office. It would be nice if all my software could get updated thought windowsupdate. But I dont see Microsoft opening it up for other companies to use - so I will settle for just all microsoft software.

Re:Don't they need all of that information?

[Tablespork]

They shouldn't need any information. They just need a list of all available updates, and the client can check to see if any are needed. Microsoft shouldn't need to collect any data whatsoever. I'm not picking on Microsoft, I think any company would/does/has every right to collect this information. It's free usage statistics.

The link I believe they wanted

[scupper]

I think this is the page they wanted to link to: http://v5.windowsupdate.microsoft.com/v5consumer/d riversquery.xml

Looks like they added BIOS info collection. This is news?

V5 privacy statement: http://v5.windowsupdate.microsoft.com/v5consumer/p rivacy.aspx?ln=en

v4 privacy statement:

Windows Update Privacy Statement (Last Updated 10/17/2003)

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting

The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session, unless the Product ID is not valid.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.

From the article...

[meta-monkey]

Windows Update evaluates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any information that can be used to identify you.

So, the Unique Identifier cannot be used to identify. Sounds really useful :)

Re:From the article...

[My+name+isn't+Tim]

It can't identify YOU the individual, but your computer (well in it's current Windows installed state) it can. Presumably they could track what GUID has downloaded what from Windows Update and they could further figgure out what segment of the population is upgrading and who isn't. (based on the data they may also collect such as make and model and software installed)

that's my take on it anywho

Get over it, if not, then don't use Windows

[shodson]

Some of what they are collecting is really disturbing

Disturbing? Yeah, now that they know your CPU model and BIOS version number they can clearly learn about your cross-dressing hobby.

Scary Language

[digitalvengeance]

From the article:

The Product ID and Product Key collected are not retained after you are finished using Windows Update, unless the Product ID is not valid.

Though my workplace has all validly licensed copies, there have been occassions where I've just grabbed the closest Product Key during a reinstall rather than pull up the database of which keys go with which machines. They WILL keep a product ID if they deem it to be invalid? How long before we are all getting audited for not memorizing 30 different Product Keys for the 30 different windows licenses we have?

Re:Scary Language

[rritterson]

That's not the point of PID validation. If you have 30 PKey's, then you must have 30 Retail Keys, and therefore have to activate them. If it activates, the key is considered valid.

PID disqualification applies to corporate VLK's, which run on versions of XP that don't need to be activated (can you imagine activating 10000 copies during a deployment of XP). Those copies are, of course, ripe for pirating. Apparently, valid VLK's only generate a subset of possible valid PIDs, so they can tell if you are using a bad key (read: keygen'ed key) by the PID and you won't be able to use WU.

You aren't going to get audited with only 30 XP licences. The cost of the audit far outweighs the cost they could hope to make from you. It's like the IRS auditing a 16 year old kid who makes $1500 yearly at a part time job.

Re:Scary Language

[Phillup]

Use a corporate licence key.

The computers will most likely have a non-routable IP address assigned, and all of them will show up w/ the IP address of the firewall.

Even if they note the number of individual computers connecting w/ that license... there are so many "spares" and "rebuilds" in the corporate environment to make tracking a fruitless proposition.

EULAs are more interesting...

[MrHim]

I like the MS Visual Studio EULA better (C:\Program Files\Microsoft Visual Studio\MSDN98\98VSa\1033\Setup\EULA.txt, if you happen to own it). Section 4.1.2:

Performance or Benchmark Testing. You may not disclose the results of any benchmark test of either the [Server Software] or [Client Software] for Microsoft Message Queue Server, Microsoft Transaction Server or Microsoft Internet Information Server to any third party without Microsoft's prior written approval.

And if you get the Microsoft SDK from windowsupdate, the same restriction is placed on releasing .NET benchmarks.

Let's have a peek:

[NanoGator]

"Computer make and model": In order to figure out if particular motherboards need a fix applied. The AGP problem with Athlons immediately comes to mind.

"Version information for the operating system, browser, and any other Microsoft software for which updates might be available": For security updates to IE, Outlook, Word, etc...

"Plug and Play ID numbers of hardware devices": In case there is a fix for a particular bit of hardware. Maybe a DirectX update or something.

"Region and language setting": What, you don't want your driver interfaces to be in Bulgarian?

"Globally Unique Identifier (GUID)": Eh, not terribly interested in defending this one unless it's to count how many times a particular machine gets updated. I can't say I'm terribly concerned about this one either.

"Product ID and Product Key": Filed under D for DUH.

"BIOS name, revision number, and revision date": Again, may be related to fixes for a particular computer.

This stuff is far less scary when you read through some of the MSDN articles for quick fixes etc. It's pretty obvious that they attain this info for the Automatic Update to actually work. Damn them for creating this free service!

Is that all they're collecting?

[loftwyr]

There is a nice sample of what they're collecting in XML format. Well, it would be useful if it wasn't for the large block of encrypted into that they don't explain.

Maybe I'm just paranoid but if they're going to give a sample of the collected data, shouldn't they tell what's in that block?

invited... not really

[zoloto]

i connected to windowsupdate recently and manually changed the v4.windo---- to v5.windo--- just for kicks (b/c of rumors etc) and instantly i was sent to the new site.

It was interesting and they automatically update your "windows update" client that's on your PC. Oh yeah, even very FIRST generation versions of XP licenses aren't valid (i have a valid license but they say it's not... so I'm a bit confused.)

anywho. it's not an invite only thing. but maybe it is if it won't verify my key..?? perhaps so.

Re:invited... not really

[Delf]

Windows Update version 5 is being rolled out as part of the XP Service Pack 2 stuff, so if you don't have the XP SP 2 beta installed, that would explain why it won't validate you.

Installing SP 2 does require you to accept a EULA.

They might be gathering it for Intel

[Gary+Destruction]

Intel has the power to shape the hardware industry. If they want the floppy to disappear, they can make it happen. The information gathered can be used to give an idea of how much legacy hardware is still in use and it could be used to predict future demands in hardware. Take that as opposed to old motherboards and expansion cards sitting at the dump. If the user visits Windows Update, then it's know that the hardware is still in use.

Note on the page

[Tomahawk]

When you run Windows Update, you get the following message:

Note Windows Update does not collect any form of personally identifiable information from your computer.

Under that is a link to the privacy statement telling you what they do collect. Here is the text behind the link:


Windows Update Privacy Statement (Last Updated 10/17/2003)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session, unless the Product ID is not valid.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.


(note that the update date is 17 October 2003)

T.

A bit much?

[Nyhm]

A bit much? That's several bytes too much!

What competing products?

[belchingjester]

I use Microsoft's products but I don't recall wanting them to know everything about my computer and what competing applications I might use.

I don't see anywhere in their disclosure statement where products other than MS products are tracked, so I'm not sure why you're being alarmist about "competing products". Perhaps they are collecting more info than they say they are, but that's not the issue you raised.

The Slashdot Paradox

[fluor2]

I think its really a paradox that I actually feel SAFER when doing these update internet thingies on Windows, since we have all those people around the world, monitoring what Microsoft do every day.

I'm sure it would be even in the news if Microsoft did something that was not allowed by laws of your government.

However, wget a mySUPER-GPL-programtar.gz leaves me with much less security when I run ./configure make and such. Coz the userbase for that program might be very small, and sending private information might be un-known to the general public.

I sure hate the fact.

Linux and Firefox

[nandhp]

The amusing thing, is that you can go to http://v5.windowsupdate.microsoft.com/ in Firefox on Linux and it will say:

Checking for the latest version of the Windows Update software...

Depending on your connection speed, this might take a minute. During this time, you may receive one or more security warnings. Review each security warning to ensure that the content is signed by Microsoft, and then click Install or Yes to install the software.

While nothing actually works, except for the Mozilla-customized CSS, it is rather amusing that I can get it to the real Windows Update website without resorting to User-Agent Switcher.

If you try to go to http://v4.windowsupdate.microsoft.com/, it informs me that I need a Windows operating system to use Windows Update.