The Truth About Windows Activation
The interview has been updated to reflect a slight miscommunication. The corrections are highlighted in red.
Much animosity has surfaced recently over a new product activation feature set to debut with Windows XP. In an effort to dissuade piracy, activation acts like a secondary product key, registering each system with a central Microsoft clearinghouse. But privacy groups and many Windows users are concerned about the implications surrounding such a feature. BetaNews recently sat down with Allen Nieman, Product Manager of Activation at Microsoft, to clear up confusion and sort fact from fiction.
Part one of the interview includes a response to cracks obtained by BetaNews, which offered auto-update functionality to keep current with the latest leaked copies of Windows XP. Even though this "smart crack" seemed to be a step ahead in the cat and mouse game of copyright protection, Nieman claims that product activation has yet to be cracked. He also remarks on cracks in general and how they fit into the overall scheme of piracy.
The second part focuses on specific questions regarding restrictions imposed by Windows activation, and its effect on customer privacy. It clarifies many misconceptions that have been circulating around the Net. Nieman assures BetaNews that activation will err on the side of the consumer, and is intended to prevent illegal imaging and casual copying while preserving a user's privacy.
BetaNews: Does the apparent ease of cracking Microsoft's upcoming next-generation version of Windows concern the company?
Allen Nieman: Actually, product activation in Windows XP has yet to be cracked. I was able to analyze the "smart crack" that you forwarded to me and determined that it includes the same set of instructions that other so-called cracks do; essentially the setting of a registry key that disables activation. We made the existence of this registry key public to our beta testers back in early February and included it as a testing tool, telling them where it was and how to set it to disable activation. We knew what we were doing when we created it and we know how to remove it.
That said, the intellectual property (IP) protection arena is a cat-and-mouse game. All IP protection technologies will be cracked at some point; it's just a matter of time. So we need to take the measure of success into consideration. The measure of success is not completely stopping software piracy, which is probably an unattainable goal. Success is more likely measured in increased awareness of the terms of the license agreement and increased license compliance.
BetaNews: Is Microsoft analyzing these cracks being used to make product activation foolproof? Possibly studying how they are done and covering the loopholes?
Allen Nieman: Certainly we're interested in seeing any purported cracks and testing them to see if, in fact, they work.
BN: What areas of piracy is Microsoft looking to prevent with product activation?
AN: Software piracy comes in many different forms, some more widely known than others. Each type of piracy is unique, and often requires unique protection methods. Counterfeiting is a common form of piracy. Counterfeiting is essentially the duplication of CDs and software that is then distributed as if it were genuine product. Another form of software piracy is hard-disk loading. Hard-disk loading is the installation of software onto a new PC by a PC maker where the PC maker never licensed the pre-installed software from the intellectual property owner. A third form of piracy is Internet piracy. Internet piracy is primarily identified by its distribution method: the Internet. Someone posts pirated software to the Internet and then someone else downloads it and installs it onto his or her PC in violation of the software's end user license agreement, or EULA.
A fourth form of piracy is called casual copying, or "softlifting." Casual copying is the sharing of software between people in a way that infringes on the software's EULA. For example if I was to get a copy of Office XP and load it on my PC, then share it with you and you loaded it on your PC, then you shared it with a friend and he loaded it on his PC, etc. This fourth form of piracy is much more prevalent than people tend to realize, although the SIIA estimates that casual copying accounts for a staggering 50 percent of the economic losses due to piracy. It is this form of piracy, casual copying, that we are primarily looking to reduce with product activation.
We are addressing the other forms of piracy with other initiatives such as Certificates of Authenticity (COA) that accompany new PCs with genuine licenses, edge-to-edge holograms, educational campaigns and, as needed, enforcement efforts.
BN: Will Microsoft release updates after Windows XP is released to manufacturing aimed at countering new developments in cracks?
AN: We will investigate any reported crack and determine the appropriate action based on what we find during the investigation.
BetaNews: We'd also like to clear up some general FUD that has been spreading about Microsoft's product activation as of late, scaring a lot of consumers. Questions regarding general product activation in Office and Windows XP are as follows:
Is product activation aimed to prevent professional pirates or simply normal computer users who share CDs with their friends? Or both?
Allen Nieman: It's aimed to prevent both, but it will be most successful in preventing the non-professional pirate, the "casual copier," from installing software in violation of the software's end user license agreement, or EULA. It will also help to educate consumers as to their rights with the EULA, on how the product is licensed and how it can be used. Microsoft knows that product activation in Windows XP or Office XP will someday be cracked, though claims by others about the ease of cracking it are greatly exaggerated. However, even when it is cracked it will still be effective at reducing casual copying because the proliferation of cracks is normally done by "professional" crackers.
BN: How is the unique key for product activation created? By taking an inventory of a Network card, motherboard, RAM, etc.?
AN: We don't go into details about this for security reasons; however, I will tell you the following: if you can imagine a hardware component inside of a PC, we are probably using it. The reason we want to use so many is simple: if just one component was used, for example, and you changed that component, all of a sudden it would appear to be a different PC. But if many components are used and you change a few components, it still looks essentially like the same PC. Our goal is to make activation as flexible as possible, erring well on the side of the user.
In order to ensure the end-user's privacy, we use a one-way hashing algorithm to create the hardware hash used by product activation. Component information is sent through the algorithm in the software, not at Microsoft, to create the hash. We never see the raw data. Once created, the hash information cannot be backwards calculated to the original values either. Ensuring end user privacy is a #1 design goal for us with product activation.
BN: How many times can a consumer activate Windows with a new PID if hardware is switched? Two is what BetaNews has heard.
AN: This hasn't been set for Windows XP yet.
BN: How much of the computer must be upgraded or replaced before another activation is required? 30% is what we have heard.
AN: We don't go into details here for security reasons, but the design goal was to develop it such that only a significant hardware change would require a re-activation. We aren’t concerned about the upgrade occurring or what got upgraded etc. The reason for doing it this way is to reduce casual copying of the software through illegally imaged systems.
BN: Will Office XP and Windows XP have the same activation guidelines, or will Office be more stringent since it is more often casually pirated?
AN: Our plan is to have the product activation process for Office XP and Windows XP be as similar as possible.
BN: What information will Microsoft collect when the product is activated and how will the company ensure the data is kept secure?
AN: The only information required to activate is the Installation ID (and for Office XP, the country). The installation ID is made up of two components: the product ID created during installation and a hardware hash. The hardware hash is created based on the PC's hardware configuration. It is a one-way hash. It cannot be backwards calculated and contains no information about the make, model, or type of PC or component. No personally identifiable information is used or required. For purposes of illustration, you can imagine the hash as being a simple algorithm such as ComponentValue1 MOD 3 + ComponentValue2 MOD 3 etc. The product of ComponentValue1 MOD 3 cannot be turned back into ComponentValue1. We wrote it this way specifically to ensure that no information about the PC was actually required as part of activation.
BN: Will IE6 require activation on older copies of Windows (95, 98, Me, etc.)?
AN: No, IE6 does not require activation nor does it require activation of the OS it has been installed upon. I am familiar with the original article written on this. The test they did was not clean and apparently they did not try to reproduce it from a clean environment; IE6 did not create that registry key. What did create the registry key was the installation of the Terminal Services client software and a connection to a Windows 2000 terminal server and it facilitates the licensing of terminal services.
BN: If the user upgrades exceed the allotted times will he or she have to re-purchase a copy of Windows?
BN: What is Microsoft's response to consumer backlash over the feature? Does the company feel it is in its best interests even though consumers feel the new copyright protection technology is violating privacy rights?
AN: Microsoft is very interested and takes very seriously the feedback we receive from our customers. We have been piloting this technology for over four years, beginning with a small pilot with Word 97 in Hungary back in 1997. We followed that up with another small pilot in Brazil and then finally, with the 1999 release of Office 2000. With Office 2000, we began a large pilot by requiring Office 2000 retail purchases to be activated in Australia, Brazil, Hong Kong, New Zealand, PRC and also in the academic channel in Canada and the USA. To date we've had about eight million successful activation transactions from this pilot and we've done both formal and informal research on ease-of-use and customer perception and acceptance. We took the feedback from that research and improved the product activation process, the product UI, and other aspects of product activation.
Obviously customer acceptance is key to any digital rights or license management technology. In creating product activation, we designed it to err on the side of the user. In other words, to allow activity that most people would agree is infringing so as not to inconvenience the honest consumer. We believe that we can strike a balance in this way; with a completely anonymous activation process, a commitment to end user privacy, and ensuring that the licensed user is never denied the right to use the product.
BN: And finally, how does product activation affect the large enterprise looking to deploy Office XP or Windows XP to hundreds of desktops?
AN: We understand that large enterprises, and even small businesses, have unique deployment needs and that activation could make their deployment difficult. For that reason, we do NOT require the customer who acquires their Office XP or Windows XP licenses through one of Microsoft's volume licensing programs, such as Microsoft Open License or Microsoft Select License, to activate those product licenses. It's important to note that Microsoft offers a volume licensing solution for even the smallest customer. A customer can buy into the Microsoft Open License program by making an initial purchase of just five licenses (e.g. three Office XP licenses and two Windows XP licenses).
BN: Thank you for your time, Mr. Nieman.