Lawsuit Claims WGA Is Spyware

twitter writes "Windows Genuine Advantage (WGA), Microsoft's euphemistically named digital restrictions scheme, is the target of another spyware and false advertising lawsuit. 'Microsoft this week was sued in a Washington district court for allegedly violating privacy laws through Windows XP's Windows Genuine Advantage (WGA) copy protection scheme. Similar to cases filed in 2006, the new class action case accuses Microsoft of falsely representing what information WGA would send to verify the authenticity of Windows and that it would send back information [daily IP address and other details that could be used to trace information back to a home or user]. The complaint further argued that Microsoft portrayed WGA as a necessary security update rather than acknowledge its copy protection nature in the update. WGA's implementation also prevented users from purging the protection from their PCs without completely reformatting a computer's system drive.' There were at least two other lawsuits launched in 2006 over WGA. According to the Wikipedia article, none of them have been resolved. The system is built into Vista and Windows 7."

I've tried to tell people about this sort of thing

[palegray.net]

I'll admit that I don't use Windows anymore. These days I use an iMac and a MacBook Pro for most of my desktop computing, and I almost exclusively deploy Debian on servers. That said, I've been along for the ride with respect to Microsoft products for a very long time, both as a user and an I.T. professional deploying systems on customer networks and writing I.T. policies.

Honestly, most consumers get that "deer in the headlights" look when you try to explain what WGA and similar systems actually do. In many cases, people simply don't care what's being sent to Microsoft, as there's a sense of implicit trust in large corporations. I have no idea where this trust comes from, but it's definitely real. I assume it's largely because the majority of users are largely ignorant of how their systems function, choosing to focus only on what's immediately presented by the OS (applications). There's no psychology degree on my wall, so I'm not qualified to guess further on the topic.

This continuous erosion of privacy gets noticed in the I.T. world, but the general public remains almost completely in the dark. Major media outlets don't carry headline stories about these issues, possibly because their "tech journalists" are barely more educated than their readership on these topics. I have no idea how this can be fixed, but I'd love to hear some suggestions.

Re:Nothing will happen

[causality]

Except that MS has to hand out vouchers for more MS products, giving them an even bigger market share.

[see Sony Rootkit settlement for details]

Yeah, and that's what's broken about the way the law handles corporations.

Corporations should face jailtime for any crime or activity that would result in a person being incarcerated. Jail for a person means the loss of most freedoms and it also means they are separated from the rest of society. "Jail" for a corporation should mean that all assets are frozen and all business activities are forced to halt for the same number of days that a real person would have been incarcerated. If the lost sales result in bankruptcy, that's too bad, just like if a person with a few years to live commits a violent crime and gets locked up for a long time and dies in prison, that's also too bad.

This to me would be the proper treatment of "corporations have the same rights as real individuals." A good alternative might be to keep the limited liability nature of a corporation for any failures or accidents, but to remove it and allow for personally prosecuting and imprisoning any and all members of upper management who knowingly support an illegal action wherever intent can be proven.

Go free market!

[RazorSharp]

Unfortunately Microsoft will probably win this because there's a difference between spyware and an abusive contract. To the best of my knowledge, abusive contracts are perfectly legal, which is why MS got over on IBM so bad. These license agreements which you click before using software have been legally upheld in court, so Microsoft may be doing something immoral, but it's still legal. The only thing that makes spyware illegal is that they bypass a contract and install without the user's permission.

I love to blame Microsoft as much as anyone here but I think this is a case where the lack of legislation is, in a legal sense, to blame. Companies have no legal obligation to behave ethically. I would love to see a law which prohibits these ridiculous lawyer-speak click-contracts. There has to be a better way to protect both the company and consumer.

It does sound as if their main case is that the WGA contract is misleading and dishonest, and if that's true, they may have a case. I wouldn't know because I've never read it and don't intend to. I don't use Windows.

Re:Nothing will happen

[BitterOak]

"Jail" for a corporation should mean that all assets are frozen and all business activities are forced to halt for the same number of days that a real person would have been incarcerated.

The problem is that you'd be punishing a lot more people than those at Microsoft. Microsoft doesn't just sell operating systems for home computers; they sell and support a large number of business applications to a HUGE number of businesses. If Microsoft "went offline" for even just a few months, there'd be huge ripples throughout all sectors of the economy. Imagine if a critical security flaw were found in Windows, or IIS, or SQL Server and Microsoft couldn't patch it because they were "in jail". Just because you might not use MS products doesn't mean you don't do business with someone who does. It would be a disaster.

Re:What did you think it was, a fluffy bunny?

[nurb432]

Just because you agreed doesn't negate it being spyware.

And from what i gather the issue is that its doing things that are NOT in the eula.

Sick of WGA running monthly

I can't stand WGA. I have a single WinXP system that I have set up for family to use when they come over because I use Linux and they aren't familiar with the OS. It seems like that every single time that I turn the system on WGA is downloading once again either on its own or with other Windows Updates. It is WGA because any time that I let it install it pops up with the window to let it install, and the rest of the updates won't continue until you hit that finish button.

Can't tell you how many times I accidentally left the "Tell me how WGA enhances my system" button checked, and I love the answer. To paraphrase, "WGA reports back to MS to make sure that your copy isn't pirated." How many times does WGA need to report back, seriously? Like I said, it seriously runs about once a month on this system, not that it is run that often anyway. Shouldn't there be something resident that once WGA checks and confirms authenticity it will remember it.

This is one of the main reasons that I switched to Linux, I haven't had to put of with this garbage in years. No viruses, no spyware, no WGA, no DRM, no hardware lock-in, none of that stuff that is a pain with Windows and Macs.

Re:I don't get why this is a problem

[Bent+Mind]

According to the WGA FAQ [microsoft.com]

That was an interesting FAQ. I especially like this part:

Q: What happens when WGA Notifications communicates with Microsoft when a PC is booted up? A: The pilot version of this software periodically contacts Microsoft after validation; however, this feature has been removed from the final version of WGA Notifications.

That seems to contradict your statement:

So why is "phoning home" okay? Why not do it once and be done with it? ... Either way, Microsoft has not kept this a secret, and even promised to reduce checking to once every two weeks [zdnet.com]

If WGA does send information to Microsoft, even if it is only every two weeks, and their FAQ specifically says they do not, I'd say that is the very definition of spyware.

Of cource, Microsoft has their own definition of spyware:

Q: Some people are saying that WGA is spyware. Is this true? A: Broadly speaking, spyware is deceptive software that is installed on a userâ(TM)s computer without the user&#39s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. If the user declines the EULA, WGA Notifications will not be installed on userâ(TM)s machine. Once installed, WGA Notifications becomes a permanent part of Windows XP software, and therefore cannot be uninstalled.

Let's see: spyware is deceptive software (check), installed on a userâ(TM)s computer without the userâ(TM)s consent (debatable, it is installed as a critical update via automatic updates. Microsoft strongly encourages the use of automatic updates to keep your system secure. If this were an optional update, I might buy that it is opt-in. Microsoft then tells you that the system will be crippled in small ways if you don't install it. There is no option to opt-out. Technically, it is opt-in, but only technically.) , and has some malicious purpose. (Depends on what you consider malicious. From Microsoft's point of view, it is not malicious. However, I'm sure that most spyware authors do not consider their software malicious.)

There's a better way.

[Nero+Nimbus]

From the summary: WGA's implementation also prevented users from purging the protection from their PCs without completely reformatting a computer's system drive.

This line is so stupid that it hurts, because it makes the assumption that WGA is somehow going to vanish in a puff of smoke if you'll just nuke from orbit and start over. These people should just do the following, if WGA offends them so badly:

1. Make a text file, but give it a .bat extension. Make it something like, oh, I don't know, "wganuke.bat."
2. Paste the following into your new text file:

echo Y > cacls wgatray.exe /d everyone
echo Y > cacls wgalogon.dll /d everyone
echo Y > cacls legitcheckcontrol.dll /d everyone


3. Save.
4. Double-click on the icon for your new text file.
5. No more WGA (Sorry, no PROFIT! jokes here). Updating also works like a charm. The above was tested on XP SP3, but I have no reason to believe that it wouldn't work on Vista or Win7.

Re:Nothing will happen

[Wolfier]

I completely agree with your point of view.

Therefore, the solution should not be vengeful actions on persons until evidence is gathered on the questionable conducts.

Instead, the only suitable course would be to put an end to the failed experiment called "corporate personhood". A corporation is by the laws of nature not the same as a person. Therefore what works on a human being (rights, responsibilities, awards, punishments) are totally meaningless to corporations, or at least have their very definitions entirely twisted.

If corporations are to be granted human-like rights, there should be a separate constitution for them so that laws made to enforce responsibilities and rights of corporations would be well-defined.

For example, currently corporations can donate to political courses just like individual persons can. This makes no sense because corporations' concern (mostly, profit maximization, either short term or long term) is entirely different - in fact a lot of the time are totally at odds with individual persons' concerns. Do corporations need to eat? No. Do they have a health that can deteriorate if they ingest something poisonous? No. Can they have children that they care a lot? No. Do they have concerns about privacy? Yes, but if you snoop on them like they do on you, it'll be labeled as industrial espionage.

There are numerous examples to show that corporations will do whatever it can when they can get away with it. It's just "corporate nature". What a wonderful world it'd be if these desires weren't usually in conflict with desires of real persons.

Re:I don't get why this is a problem

[Techman83]

Every time I've rebuilt someone's machine(usually a few upgrades as well), I read the S/N off the sticker on the side and plug it on in. Come time to finally log in, activate, fail, you have to call MS, read off some ridiculously long number, convince them that you are indeed installing it on the same computer you purchased it for, then input an even longer number (for the love of god, don't get one digit wrong..). I have wasted many hours of my life doing pointless activations, where as applying a WGA patch can be done in a minute.

Path of least resistance will win time and time again, which for me is Ubuntu/Arch/Debian/Suse/CentOS etc.

Re:Nothing will happen

[node+3]

Actually, they can't eat cake, because they don't really exist. It's the same reason you can't really punish them.

It's called a metaphor. Very seldom does it actually rain cats and dogs. Do you find you have trouble talking with people at times?

So, can a corporation have free speech? No, because it doesn't have a mouth. Can a corporation carry a gun? No, because it doesn't have any hands to hold it with. Etc.

Bull Shit. The reason we have lobbyists running so rampant in Washington is that the Supreme Court decided that corporations are people, and because people, not "natural persons", have the right to free speech, then so to do corporations.

And back to your lack of English comprehension, free speech doesn't require a mouth. The newspapers have the right of free speech (and actually *are* mentioned by name in the Constitution, which would be unnecessary if the Constitution meant for corporations to be included as persons).

Ah, now we get to it. You don't like executives and think they should go to jail when a large group of people all get together and make an agreement to undertake a risky venture and said venture goes south.

I said no such thing. When a bunch of people take a risk and they fail and they suffer the consequences, I don't hate them. In fact, although they failed, I applaud them for trying (assuming their venture wasn't completely idiotic or deliberately detrimental to others).

On the other hand, when executives make decisions which will knowingly and unnecessarily lead to significant bodily harm, and even death, like the Pinto. Then yes, fuck them hard. They belong in jail for the remainder of their lives.

Stated again, with the Pinto example, the executives knew the car had a defect that would absolutely lead to the deaths and severe injury to their customers. They knew small children would burn to death, but they green lighted the project because those deaths were cheaper than either fixing the car or scrapping it altogether. Men who make such decisions do not deserve to interact with society unless they're wearing orange jump suits and cleaning the side of the highway.

Yes, that's how it used to be before incorporation, and the trouble with that system is that no one will take charge of those risky ventures because they'd be afraid of going to jail.

I'm not talking against incorporation. I'm talking against treating corporations as people and giving them rights which they were never meant to have. I made this very clear in my post. Your local community college will be glad to enroll you in remedial reading comprehension classes. It's rather inexpensive.

You talk about class and rights, but really you're just feeling vengeful and envious of people you don't even know, and I think you're pretty hypocritical in feigning concern for the little guy when under your system he'd be mired in poverty right now.

Are there unicorns in the world you live in?

Re:Nothing will happen

[corsec67]

Better solution:
Require the Lawyers to be paid in the EXACT same way as the class.

So if the reward is coupons, then the lawyers get 30% of the coupons.