Microsoft Admits WGA Phones Home
Microsoft acknowledged reports Wednesday that its latest update to Windows Genuine Advantage (WGA), an anti-piracy program implemented to detect counterfeit copies of Windows XP, phones home to the Redmond company on a daily basis.
News of the occurrence surfaced this week after privacy advocate Lauren Weinstein confirmed Internet murmuring that a connection was being made to Microsoft's servers even after WGA had validated a Windows system as legit. Microsoft quickly responded to the issue, saying the feature was a "safety switch."
WGA, which was made mandatory last July for downloading updates from Windows Update, is still considered a pilot program by Microsoft. The company says the "call home" functionality was designed to enable it to shut down the program in case of a problem, such as an influx of false positives.
The addition came as part of a WGA notifications program rolled out in April. The expansion would cause users running counterfeit versions of Windows to be notified directly on their desktop that their operating system was not legitimate.
Users who may have unknowingly purchased counterfeit software are eligible for a free genuine copy as long as they fill out a piracy report, provide proof of purchase and surrender the counterfeit CDs. Microsoft says about 60% of users prompted to install WGA do so.
But since Microsoft was unsure how the feature would be received by the public, it installed a fail-safe. WGA connects to Microsoft's network and checks a server-side configuration setting to see if it should run. This would enable Microsoft to temporarily halt the program if needed.
While no data is exchanged with Microsoft, the company would know the end-user's IP address and the time they connected. A coming update to WGA will scale the connections back from every day to possibly every 90 days, even if the user does not connect to Windows Update. This would allow Microsoft to mark as counterfeit a version of Windows it initially thought was legitimate.
"We can argue about whether or not the tool's behavior is really spyware -- there are various definitions for spyware, and the question of whether or not you feel that the notice provided at upgrade installation time was sufficient is also directly relevant," commented Weinstein. "I believe that the MS officials I spoke to agree with my assertion that additional clarity and a more "in your face" aspect to these notifications in such cases would be highly desirable."
Microsoft says it will make an effort to keep users better informed of such features in the future, even though it feels the daily connection is not a big deal. But Jupiter Research senior analyst Joe Wilcox says he is seeing a disturbing trend coming from the Redmond company.
"The company isn't disclosing all that its beta software does, either because of oversight or intention," Wilcox wrote on the Microsoft Monitor Web log. He cited WGA notifications phoning home and his own experience of Microsoft installing WGA without approval when running Windows Live OneCare.
In addition, Windows Media Player 11 does not allow users to opt out of participating in Microsoft's Customer Experience program. The feature communicates back with Microsoft -- for example when WMP encounters a problem -- and is usually optional.
"Is there a trend here? I have to say yes, based on my personal experience, anyway," says Wilcox. "The point: Something appears to be different--and different should be important to Microsoft competitors and partners, because of the possible impact on them. Different should concern Microsoft, too, as there are legitimate concerns about the response of partners and customers."