Windows Genuine Annoyance?
A Microsoft program designed to thwart software piracy has instead opened a Pandora's box of privacy concerns. PC users cried foul when Microsoft's Windows Genuine Advantage (WGA) software frequently phoned home to Microsoft servers and apparently flagged some legitimate copies of the Windows operating system as pirated. The incident spawned two lawsuits and has raised concerns about what Microsoft is adding to its software updates.
WGA consists of two parts. WGA Validation is required for downloading some pieces of software from Microsoft Web sites, but Microsoft says that it is not required for receiving critical security fixes through Automatic Updates. The software sends a PC's Windows license key to Microsoft, which checks the key against ID numbers in a database of putatively pirated copies of the OS.
If the software discovers a match, users receive a recurring alert from WGA Notifications warning them that they are running an illegitimate copy of Windows. But the program doesn't prevent the user from continuing to run Windows. As yet, WGA Notifications (rolled into Automatic Updates in April) is not a mandatory download.
In June, Lauren Weinstein, who is a cofounder of the Internet information and discussion resource group People for Internet Responsibility, found out that WGA Notifications sent data to Microsoft every time someone rebooted an affected PC.
A June 29 Microsoft statement confirmed that some PCs working with a version of WGA Notifications installed during the pilot phase checked a server-side configuration setting at each log-in to determine whether WGA Notifications should run or not. Microsoft has since removed that version of WGA Notifications from its update servers; and the company has released instructions for uninstalling it.
Still, privacy experts debated whether these check-ins--and the initial lack of documentation about them--made the WGA program spyware.
Plaintiffs in two class-action lawsuits, one filed in California and the other in Washington, claim that WGA violates those states' antispyware legislation; but Weinstein doesn't buy the plaintiffs' argument.
"It's not stealing information or damaging [computers]," Weinstein reasons. "It's more a screw-up on Microsoft's part--one they've admitted."
In its statement, Microsoft reiterated that newer versions of WGA (distributed through Automatic Updates) do not connect to Microsoft after every reboot. Instead, they connect and validate keys at least once every 90 days, or whenever Microsoft rolls out an update to WGA. Microsoft has also denied rumors that WGA will eventually include a kill switch to stop unvalidated copies of the operating system from running.
Harvard spyware researcher Ben Edelman questions the appropriateness of Microsoft's decision to release a noncritical, non-security-related update to Windows users via the operating system's Automatic Updates mechanism.
"They are supposed to be security updates, and supposed to be robust, commercially viable code," Edelman says about the WGA service. "This was neither."
Other reports circulating through the Internet cited instances in which WGA had sent repeated piracy pop-ups to people who owned legitimate copies of Windows. Robert Grosshandler, the Evanston, Illinois-based founder of iGive.com, said his computer ran a legitimate copy of Windows prior to a service call. But upon the PC's return, he began getting WGA Notifications alerts.
"Who knows what had been done to the drive," Grosshandler mused. "[It] had been out of my hands for a while."
Grosshandler said that he made a single half-hour call to Microsoft to revalidate his license key. "Throughout, I was given the presumption of innocence," he says.
For users who are receiving invalid license pop-ups, Microsoft has provided a fix that may help them reset the license keys if their copy of Windows is legitimate. Other users may need to call the toll-free number displayed on the WGA Notifications dialog box.
Yet another option: Independent programmers have created RemoveWGA, a WGA Notifications removal tool that will exorcise the piracy-alert demons afflicting your PC.