Windows Update v5 Gathering Too Much Information?

LucasR asks: "I was testing out Microsoft's Windows Update v5 and read their latest privacy statement from April 15th of this year, and it appears they are collecting and storing more information than ever. Here is only some of what they are now collecting: computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug and Play ID numbers of hardware devices, and IP address (though only for aggregate statistics so they claim). Some of what they are collecting is really disturbing. I use Microsoft's products but I don't recall wanting them to know everything about my computer and what competing applications I might use. Check it out for yourself. Isn't this amount of collected information a bit much?"

Fixed link

[Matt+Perry]

Here's the fixed link: http://v5.windowsupdate.microsoft.com/v5consumer/p rivacy.aspx?ln=en

Standard practice...

[RomSteady]

It's a beta site. Microsoft's beta products usually collect more information in order to help recreate failure scenarios. When I've done betas in the past, I've collected additional information for the same purpose, and I disclosed it the same way.

In this case, I'd say "chill." A stable Windows Update is a boon to security.

The link I believe they wanted

[scupper]

I think this is the page they wanted to link to: http://v5.windowsupdate.microsoft.com/v5consumer/d riversquery.xml

Looks like they added BIOS info collection. This is news?

V5 privacy statement: http://v5.windowsupdate.microsoft.com/v5consumer/p rivacy.aspx?ln=en

v4 privacy statement:

Windows Update Privacy Statement (Last Updated 10/17/2003)

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting

The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session, unless the Product ID is not valid.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.

Get over it, if not, then don't use Windows

[shodson]

Some of what they are collecting is really disturbing

Disturbing? Yeah, now that they know your CPU model and BIOS version number they can clearly learn about your cross-dressing hobby.

Scary Language

[digitalvengeance]

From the article:

The Product ID and Product Key collected are not retained after you are finished using Windows Update, unless the Product ID is not valid.

Though my workplace has all validly licensed copies, there have been occassions where I've just grabbed the closest Product Key during a reinstall rather than pull up the database of which keys go with which machines. They WILL keep a product ID if they deem it to be invalid? How long before we are all getting audited for not memorizing 30 different Product Keys for the 30 different windows licenses we have?

Re:Scary Language

[rritterson]

That's not the point of PID validation. If you have 30 PKey's, then you must have 30 Retail Keys, and therefore have to activate them. If it activates, the key is considered valid.

PID disqualification applies to corporate VLK's, which run on versions of XP that don't need to be activated (can you imagine activating 10000 copies during a deployment of XP). Those copies are, of course, ripe for pirating. Apparently, valid VLK's only generate a subset of possible valid PIDs, so they can tell if you are using a bad key (read: keygen'ed key) by the PID and you won't be able to use WU.

You aren't going to get audited with only 30 XP licences. The cost of the audit far outweighs the cost they could hope to make from you. It's like the IRS auditing a 16 year old kid who makes $1500 yearly at a part time job.

EULAs are more interesting...

[MrHim]

I like the MS Visual Studio EULA better (C:\Program Files\Microsoft Visual Studio\MSDN98\98VSa\1033\Setup\EULA.txt, if you happen to own it). Section 4.1.2:

Performance or Benchmark Testing. You may not disclose the results of any benchmark test of either the [Server Software] or [Client Software] for Microsoft Message Queue Server, Microsoft Transaction Server or Microsoft Internet Information Server to any third party without Microsoft's prior written approval.

And if you get the Microsoft SDK from windowsupdate, the same restriction is placed on releasing .NET benchmarks.

Let's have a peek:

[NanoGator]

"Computer make and model": In order to figure out if particular motherboards need a fix applied. The AGP problem with Athlons immediately comes to mind.

"Version information for the operating system, browser, and any other Microsoft software for which updates might be available": For security updates to IE, Outlook, Word, etc...

"Plug and Play ID numbers of hardware devices": In case there is a fix for a particular bit of hardware. Maybe a DirectX update or something.

"Region and language setting": What, you don't want your driver interfaces to be in Bulgarian?

"Globally Unique Identifier (GUID)": Eh, not terribly interested in defending this one unless it's to count how many times a particular machine gets updated. I can't say I'm terribly concerned about this one either.

"Product ID and Product Key": Filed under D for DUH.

"BIOS name, revision number, and revision date": Again, may be related to fixes for a particular computer.

This stuff is far less scary when you read through some of the MSDN articles for quick fixes etc. It's pretty obvious that they attain this info for the Automatic Update to actually work. Damn them for creating this free service!

Is that all they're collecting?

[loftwyr]

There is a nice sample of what they're collecting in XML format. Well, it would be useful if it wasn't for the large block of encrypted into that they don't explain.

Maybe I'm just paranoid but if they're going to give a sample of the collected data, shouldn't they tell what's in that block?

Re:Don't they need all of that information?

[Tablespork]

They shouldn't need any information. They just need a list of all available updates, and the client can check to see if any are needed. Microsoft shouldn't need to collect any data whatsoever. I'm not picking on Microsoft, I think any company would/does/has every right to collect this information. It's free usage statistics.

Re:invited... not really

[Delf]

Windows Update version 5 is being rolled out as part of the XP Service Pack 2 stuff, so if you don't have the XP SP 2 beta installed, that would explain why it won't validate you.

Installing SP 2 does require you to accept a EULA.