RealTime IT News

When Is Spyware Not Spyware?

Reporter's Notebook: It was ironic timing. Microsoft released a report on how splendid a job its Windows Malicious Software Removal Tool had done at removing malware from computers.

This was just days after news broke that the Windows Genuine Advantage program, something it forced on every single Windows user, was sending data back to Microsoft every night.

WGA doesn't do anything other than verify that your copy of Windows XP is not pirated. The logic behind it is sound: one of the biggest offenders when it comes to Windows piracy isn't Torrent traders, it's mom-and-pop computer shops that build no-name PCs and just slap a copy of Windows on the computer from the same CD each time they build a computer.

Now, I can believe this. In Los Angeles, which I called home up until two months ago, we had these screwdriver shops everywhere (curiously, they are virtually non-existent in San Francisco), I knew a few people at those places, and yes, they were bad about it. They had one or two Windows 2000 CDs in the place and used the same discs to install Windows on every computer they built.

Microsoft attempted to solve the problem with Windows Activation in Windows XP, but of course hackers found a way around that. The solution, then was WGA, quietly launched in September, 2004. If it found your copy of Windows to be pirated, pop-up windows would nag you to get a legitimate copy.

The problem is that WGA was mandatory. You had no option to not install it. At first, you did, but you couldn't get anything other than critical updates if WGA was not installed on your computer. Then, starting last year, WGA was a mandatory download that you could not uncheck from the Windows update list.

It all hit the fan in late May when it was discovered that WGA connects to Microsoft every night, something Microsoft failed to disclose to its users. David Lazar, who directs the Windows Genuine Advantage program at Microsoft program, told the Seattle Post-Intelligencer that the program was a "pilot program" and that the company was worried about some unforeseen emergency that would require the program to terminate quickly.

True enough, it is beta software, and there have been reports of false positives.

Since then, Microsoft said it would cut back and have WGA phone home every two weeks rather than daily, but made it clear it's not removing WGA.

In an attempt at damage control, Microsoft posted an FAQ on the WGA that casts it in a positive light. The company addressed the issue of why it didn't tell us Windows was phoning home every night as follows:

Not specifically including information on the periodic check was an oversight.

Right. So they didn't notice the millions of reports coming in every day.

When addressing the accusation that WGA is spyware, Microsoft replied:

Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware.

But plenty of labs, both independent and at tech publications, have documented that WGA is not optional. It passes itself off as a critical update. Protecting ones intellectual property may not be malicious, but the fact is, WGA is forced onto the user's system with no option to bypass it and it is engaged in monitoring your computer.

That's spyware, period. It may not be malicious but it's certainly not welcome nor is its present by consent.

And if I may engage in a tinfoil hat moment, what would stop one programmer from slipping something into WGA to do almost anything? In a company that big, it would probably be easy. The issue of WGA is as much as what it could do as what it does now.

Two things truly bother me about this. One is the betrayal of trust. You really don't want to think that Microsoft, a company that is pretty much mandatory in our computing lives, would use its position to force spyware into our computers.

But the big surprise, the shocker for me, is the near-complete indifference by the public and privacy advocates on this. All manner of hell broke loose over the major phone companies reportedly cooperating with the National Security Agency over international phone calls, but the news that Microsoft is watching every single Windows XP PC has been met with deafening silence.

I'm left to wonder how the Electronic Frontier Foundation can sue AT&T over an allegation, which AT&T denies, yet they let Microsoft skate for something equally as intrusive that Microsoft has admitted to doing. The EFF is on a fishing expedition just to find out of AT&T violated people's privacy, and yet it's been silent so far when Microsoft admits to doing just that.

If Microsoft wants to boast about how it's defeating spyware, the first thing it should do is remove WGA from our computers and make it an optional check that runs from a browser. Microsoft has every right to protect its products and its customers, but it needs to ask us for permission to look on our computers, not force its way in.

Andy Patrizio is a senior editor of internetnews.com in its San Francisco bureau.