Slashdot Mirror
Vista is Watching You
greengrass writes "Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company."
Is this another example of Bill Gate's Microsoft micromanagement leaking out into the general public, or is this truly a way for Microsoft to help fool-proof Windows operations?
If this is nothing more than a way for Microsoft to ensure that Windows operates properly and to find potential issues, data collection should be an option. A lot of power users won't want it, and a lot of paranoid public won't either.
Of course, what choice do they have if they want/need to run Windows? If enough of the system monitors your usage and activity, not using those services pretty much makes your computer a brick.
Aside from privacy concerns, how much storage space and processing power is being used for this endeavor? Couldn't all that be put to much better use?
I don't have nearly enough ram.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
I hear the icon on the desktop isn't called My Computer anymore, it's now just "Computer". I guess in the fine print it says "BillG's Computer".
You see? You see? Your stupid minds! Stupid! Stupid!
In the article, there's a Vista technology referred to as "Rights Management Services (RMS) Client" - I guess I'm not the only one who's midldy amused about the acronym used for that service ;-)
What's especially delicate about it is that the service's name uses the term "Rights", where many who are in favour of digital freedom would probably deem "Restrictions" a much better fit.
I bet if Richard Stallman were dead by now (please note that I'm glad and happy that he's alive and kickin'!), there'd be a chance he'd be rotating in his grave at high speeds because of this.
:%s/Open Source/Free Software/g
YTARY!
... and this kind of undisclosed(?) sneaky communication has to be considered a security risk from our side, and one which may very possibly invalidate the state of validation (in, again, the FDA-regulated sense) of numerous production-related systems that might eventually run on Vista platforms. We're testing Vista now, and as soon as I get my hands on a copy, I'm gonna poke arounnd and try to figure out what data is sent where, what happens if you cleverly block it, what options there are to just shut these features the f*** off, and many et ceteras,...
Vista's biggest enemy is not Linux -- it's Vista. Americans take their privacy too seriously to ignore this if this becomes public. Of course, one could argue that by now the 'war on terror' has taught us to just bend over when the government says so, but hopefully, the reaction will be a little bit more violent when Microsoft asks us to 'submit'....who knows.
Seems like they would want to keep this data anonymous as much as possible too, or it would seem like they would have an endless barage of subpoenas for civil lawsuits like divorces, where one spouse wants evidence that the other was cheating.
The privacy concerns are obvious. I, for one, do not want to agree to having all kinds of (largely unspecified) information transmitted to Microsoft.
But even putting that aside for a moment. Assume that Microsoft is a friendly company and that you are confident they will never use this information "against you." Even in that case, this is a really bad idea. Why? Because security works best when you *minimize* the avenues of attack. By sending this information to Microsoft HQ, your OS opens itself to new attacks. On the one hand you have the possibility of MS's servers being hacked, and your information stolen (or the transmission being intercepted and copied). But much worse, this transmission functionality can be co-opted by malware or viruses.
Every functionality you include in the OS is a functionality that "the enemy" (malware, viruses, crackers, etc.) can (and will) use against you. In particular, every network-enabled program is a potential security breach. Hence, we should always be disabling as many services (especially network services) as possible. By having all kinds of code that is constantly communicating outside the machine (with no notification to the user), built into services that the user cannot sensibly disable, you are leaving a tempting target for "the enemy" to find vulnerabilities.
Add to this the fact that it makes it harder on network admins to pick out suspicious traffic. If all these Vista installs are constantly sending out packets of information, how can the sysadmin tell when one of those machines has been taken over, and that "phone MS HQ" service is now sending nefarious packets?
It's just: Windows Update, Web Content, Digital Certificates, Auto Root Update, Windows Media Digital Rights Management, Windows Media Player, Malicious Software Removal/Clean On Upgrade, Network Connectivity Status Icon, Windows Time Service, and the IPv6 Network Address Translation (NAT) Traversal service (Teredo).
See, typical /. overreaction
Your ad here. Ask me how!
Good grief, I hate Microsoft as much or more than the average Slashdotter, but most of TFA is just alarmist FUD.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
I expect that the majority of people believe that they're buying a product when they purchase Vista, or when they purchase a PC with Vista pre-installed. That presumption may be entirely wrong though.
... or else nothing, that's the only option. In fact then, you haven't purchased a product at all, but a service without any agreed terms.
... although Microsoft probably wants you to continue purchasing without owning.
Certainly from Microsoft's point of view, and in view of their total focus on WGA, you've agreed to a single-payment licensing deal. EULAs may not be valid in some jurisdictions, but that doesn't seem to concern them. You live within their worldview, or else
Likewise, from the content providers' point of view, your PC and its software certainly doesn't belong to you, which implies that you haven't purchased Vista as a product. Instead, it's just a delivery vehicle for their content, and Microsoft is the guarantor of DRM safety to ensure that this is so. The fact that you've paid for your hardware and software as if it were yours seems to have escaped both content providers and Microsoft alike.
Perhaps in the future, people who are not technical will not own computers at all, but only rent content delivery vehicles?
That's where Vista seems to be heading
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Why don't they tell you? Every halfway serious program I use that has to report information home (or at least wants to, for statistical purposes) asks me first, or at least informs me that it is going to do that now. Some programs even tell you what exactly they're going to send (and, behold, checking source and the transfered data shows that they actually tell you the truth).
Usually I don't mind. They probably sell that information (not about me, but about their "user base") to someone to make some money that way, since I don't pay for the honor to use their program for free. No problems there.
A problem arises when said data is transmitted without my consent. Without me even knowing that it is being sent. Am I supposed to trust a company that it isn't going to do shady business with my data when they're sneaky about it?
Now, I'm not saying MS does. But, seriously, why the cloak-and-dagger approach? Just tell the user "Vista is now gonna send MS the following information about your system, anonymized so it can't be tracked, and we want it to see what hardware platforms our system should run best on. Thanks for your co-op."
What's wrong about that? If someone doesn't care, heck, one more click on "accept" isn't going to be even noticed in Vista. And if someone does care, the smell of fish is not gonna hit his nose when something like this is being exposed.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is not good. Probably only used to invalidate your copy of Windows once you change the motherboard.
This service asks your consent, and is okay and OPTIONAL.
Again: if a device is plugged in, a dialog first comes up and asks the user if he/she wants to search the internet for a driver. And the service NEEDS the name of the device to search for one.
That's because you ASK for it. Similarly if I Google a problem, Google gets my search query. But they're collecting stats on hardware, and that's pretty normal for an OS company. After all, it'll help them build a better OS (not likely though).
Just the extensions?? Big deal. Here's a partial list for my computer: *.raw, *.mov,...wait, this person has some Apple format on their computer...DESTROY. Can they use this information to help with vendor lock-in? Maybe.
Maybe this is going a bit off the deep end. What I install is my business and not theirs.
This asks your consent, and is okay and OPTIONAL. Why are they even including this in this article?
This asks your consent, and is okay and OPTIONAL. So, if you register, it receives the data. No surprise there.
Makes data available to services that contact Microsoft does not mean this data will be SENT to Microsoft. FUD.
If this is actually true, then it's too far. Direct monitoring of the sites!
Too far. But I'm not sure what a Peer Name is now. And I doubt it's very useful.
"What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson
Well they say the information is anonymous, but it includes things like your IP address. So they can convert that it non-anonymous information quite easily.
So... some reasons why this is probably a bad idea:
1. If they discover that you are running non-legit software, they can track you down. (And considering that any such analysis will always make mistakes, even users of legitimate copies of software should be worried.)
2. If MS's servers get compromised (or a bug is found in the "secure transmission" protocol), third parties can obtain your data. Depending on exactly what is being sent, this could be a privacy breach, security breach, or both.
3. Having services constantly establishing these connections is a security risk. Malware or viruses may be able to exploit it as a point of infection. Or, they may be able to use it as a means of spreading copies of themselves, or secretly transmitting information back to a third party. Every unnecessary service (from a user perspective) is a security breach waiting to happen.
4. Having code running that doesn't explicitly benefit the user is a waste of resources. This means overhead on your computer and overhead on your internet connection.
5. The EULA seems to state that they can change the terms as it suits them. This means that they can push updates through Windows Update that increase the scope of the data obtained. Perhaps they eventually decide to drop the anonymous clause. I don't think signing over so much freedom and privacy is a good idea, regardless of how "well-intentioned" the recipient of your rights claims to be.
And finally, there is the general "bad vibes" I'm sure we're all getting about this. It would be one thing if it were an additional feature that you could turn on if you wanted to. Something like "Help MS improve the quality of service by sending reports on how your software is running. This voluntary service is under your control, and only human-readable summaries will be sent, which you can inspect before they are sent. Do you wish to participate? Cancel/Allow"
Instead we get something like: "MS reserves the right to monitor your computer and transmit information to MS HQ. We can change these terms at our leisure. By using any of these features, you implicitly agree to this monitoring."
This is not an act of charity on MS's part. This is part of a plan to obtain information that they want, without customers noticing it is happening. That can only be a bad thing.
The things that get transmitted are:r ary/28cd5e13-e955-4941-91d9-fec2525e96c71033.mspx? mfr=true
1. Activation info. Well, duh.
2. Windows Update. -do-
3. Auto Root Update. Updates the list of trusted certificate authorities. You know, Verisign etc.
4. Windows Media DRM. Not an issue if you don't use DRM files, and no, information isn't transmitted every time you play the song.
5. Windows Media Player. To download album art/track names. Again, no different from other players. Easy to disable completely.
6. Malicious Software Removal. What's the problem if info is transmitted to Microsoft that you had an infection and it was cleaned? Non-issue. You can choose not to use it at all.
7. Network Connectivity Status Icon. This doesn't TRANSMIT anything except the HTTP request. It just downloads a small page to check if the Internet connection is working. Easy to disable, no problem.
8. Windows Time Service. Syncs time. Again, what's the problem? It's easy to disable if you really have a problem.
9. Problem reports. It asks you very clearly if data is to be sent to Microsoft, and asks you again if you want to send personal data. And reporting problems is good.
10. Games. Come on, it downloads fucking info and covers.
11. Event Viewer. Data is sent only when you specifically REQUEST for more online help. http://technet2.microsoft.com/WindowsVista/en/lib
12. Customer Experience Improvement Program. Microsoft *SPECIFICALLY ASKS YOU* if you want to opt-in. Once you say no, it never asks you again.
- etc -
The paranoia claims are really ridiculous. The operating system uses Internet resources to improve your experience, like telling you when you are connected to the Internet. Please take your tinfoil hat off for a minute and look at this objectively.
X-ray machines, Jet engines, and more all report operating conditions and usage information back to the manufacturer. Microsoft is doing this anonymously to improve the products. I have no problem with this. They aren't sending back any "personal information" like credit card numbers or even identification information.
There are plenty of reasons you still don't want this happening. Consider...the war on terror continues and somebody gets caught up in the Feds dragnet. They press charges, but don't quite have the evidence they need. The defendant's lawyer (and the ACLU) is probably going to get him to walk unless they can find something. Little known to all, the President (or these days, the VP) issues a secret Executive Order that strips "terror suspects" of the right to attorney-client privilege. The Feds show up at Microsoft's door with several court orders. They order the tracking of the suspect, and they provide the IP addresses of computer in the offices of the defendant's attorney and the ACLU and demand that Microsoft install a backdoor patch to download documents off that computer. Of course the download will be indiscriminate...maybe this lawyer will also have you as a client, and your files will go to the Feds also.
Far-fetched? Perhaps, but certainly plausible. Suppose it's not the American government, but the Chinese looking for a few journalists or Falun Gong members. Still far-fetched? Which way do you think Microsoft will go when the choice is a few journalists in prison or losing access to the Chinese market?
Privacy is always good.
>It appears that Microsoft is slowly trying to head towards a near-constant connection of the end-user to their system, for what purposes is a matter for conjecture.
/author/ of the software, not the user - more DRM, more restrictions on how I can use the software, instead of better software for /me/. It's seriously getting to where I don't trust commercial upgrades anymore. It seems like 90% of the time or better a commercial upgrade limits what I can do with the application instead of enhances it.
And it's not just Microsoft doing it.
This "phone home" crap is the single biggest thing that is driving me to consider open-source alternative operating systems and software.
The second biggest thing is that it seems more and more that with commercial software every time I install an "upgrade" it is really an upgrade for the
It's really all come down to games for me. If my games would all run on Linux I'd be there tomorrow.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
Microsoft is stepping over some big lines here.
Either that, or they're just using their pool of hundreds of millions of users with tens of millions different hardware/software configurations in order to collect bug data.
That's really the most obvious and the most likely answer.
I don't respond to AC's.
Is it paranoia if the OS really *is* sending tons of data to Redmond?
Is it? I saw nothing in the article that actually tried to attempt to see what information, if any, was being sent. All I saw was a really paranoid reading of an EULA.
Is it slander if it's true?
Just because something is in a license agreement doesn't mean its happening. People said the same thing about Windows update. The truth of the matter is it sends what OS / service pack your running and you get a list of updates available, which then is parsed by your computer to see if it needs them or not. Also, what updates are needed but not installed is reported back. Not exactly terrifying data.
"Hi I'm a PC" "And I'm a Mac." Mac sees PC with phone in hand, watching a 3rd person. "So what you doing?" "SHHH! I'm collecting data on that user over there. And phoning hom." *to person on other end* "Yeah, he's reading a news site. No, it's not MSNBC. Is he allowed to do that? Confirm or deny?"
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
As long as companies write such ridiculous EULAs, it is only natural that people will react this way to them. Frankly the only reason that more people are not scared and appalled at EULAs is that no one actually reads them. Probably many of the things claimed in EULAs would not hold up in a court of law. But if all the terms of the EULAs were actually legally enforceable, then it would not be at all paranoid to be concerned about them: the terms are, after all, very consumer-hostile.
Even if you decide that you believe MS 100% and trust that they won't quietly change the terms in a year or two (a right they do reserve) to allow them to collect personally identifying information AND sell, it, just how secure are their servers? Any chance their admins will sell the data on the side for obscene amounts of cash?
Does any unique but not personally identifying information also appear in personally identifying Word documents? What is their policy if the NSA wants a copy? What is their policy if Bill needs a favor from Congress?
Funny, my Linux boxen don't collect any information at all and still they run nice and stable and get their updates as needed.
Let's assume for one moment that what you are saying is correct (although I don't believe for one moment that it is), then since these are independent applications, then it's very easy to disable or uninstall them if you don't like them phoning home. So, pray tell, how would you do this in Windows where the "phoning home" is being done by a stealth application that's running as part of the intrinsic underlying OS.
Also, you're turning this into a "Windows vs Linux" discussion which is an overly simplistic viewpoint. Open Source applications are subject to constant peer review meaning that any suspicious "phoning home" would be rapidly identified and brought out into public attention. I can't comment on YaST as I don't use SuSE Linux but I suspect, as a commercial entity, they are interested in user information but since there are a myriad of Open Source applications that run on Windows also, this is more a case of Open vs Closed Source, not Windows vs Linux.
So, you might charaterize things less harshly as follows : Linux tries to let you keep your personal information private but all of your work product is public, and Windows keeps all of your work product private but your personal information is public.
Sorry, but that's utter trash. Aside from stability, "free beer" and customisability, the main reason I use Linux as my primary OS choice is that it allows *ME* to take responsibility for protecting *MY* information and does not allow me to dump that responsibility into the hands of some private entity.
I am one of the first people to volunteer to take part in surveys and information gathering excercises because when I am *ASKED* to provide information and have the choice of what information to and not to provide, it can be very useful to someone who is designing or marketting a product or service. But I am *NOT* going to let someone just take that information - and if that means never using Vista then so be it...
Gentoo Linux - another day, another USE flag.
"Bottom line...serious cocaine addicts are stuck with crack"
I don't feel like it...
He works in an FDA regulated environment, not works for the FDA. There are several companies that are heavily regulated by the FDA. I used to work for a pharmaceutical research company and almost every piece of software requires some kind of validation in order to protect no only the the pharmaceutical companies, but also the patients as well.
While most IT environments can install Patches and Service Packs and Updates at will, this is not the case for FDA regulated companies. The update or patch will be installed on a system that has no access to any real data, each step of the installation is documented down to each mouse click complete with screen shots, then the installation is performed following that document by a person who didn't write the initial instructions, and they will then take screen shots of their installation. Then once it has passed the installation steps, then there are instructions written up for each thing that needs to be tested and validated, that is also complete with screen shots, and each mouse click and keyboard entry. Those instructions are sent to someone else who goes through each step, and takes screen shots along the way, and if that passes, it can then go on to production where the installation is performed, with screen shots, and a final series of tests, with screen shot is also done. All the documents are printed out as the FDA hasn't completely allowed electronic storage.
So where the normal IT guy clicks download/install and maybe makes a log of it. A simple windows update in an FDA regulated environment will produce a mountain of paperwork. If anything along the line has the potential of revealing any confidential information against FDA regulations, then the software will be rejected. Vista at this point has been rejected so far.
I read Slashdot for the headlines, because the headlines, unlike the articles, are usually original and never duplicated