BILL GATES SAYS security is Microsoft's top priority, but just whose security does he have in mind? Consider some of Microsoft's
recent boilerplate legalese -- language you or your company might already have unknowingly accepted -- and then decide for
yourself.
The language is contained in the Product Use Rights (PUR) document that can be found at www.microsoft.com/licensing/resources.
As the PUR document is part of most customers' volume license agreements and is subject to periodic change, in theory
Microsoft customers should check it regularly to see what rights Microsoft has decided to grant or take away.
You can be forgiven if you feel like you have better things to do with your life than reading and rereading all this mind-numbing
legal gobbledygook. Fortunately, one Microsoft customer did review the PUR document recently and noticed a change. In the
section on Windows XP Professional, he found the "Internet-Based Services Components" paragraph that said in part, "You acknowledge
and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and
may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer."
The reader was stunned. "By changing that term in the PUR, Microsoft has found a creative way to obtain authorization from
users to access their workstations at will," he said. "How many customers are going to review this PDF file and realize they've
given Microsoft this right? And all the risk for the security and privacy violations due to this are neatly put on the customer's
shoulders, not Microsoft's."
After the reader shared his discovery with me, I asked some other Microsoft volume license customers if they were aware
of the PUR term. Not surprisingly, most were only vaguely aware of the PUR's existence, much less the terms in the XP section.
But they had plenty of concerns once they read it, the most obvious being the damage the most benign of automatic OS upgrades
could cause in a corporate environment. "The idea that Microsoft can change our software without notifying us is totally unacceptable,"
said one corporate IT manager. "Any alteration to our standard configuration can only be rolled out after careful evaluation
and testing. Does Microsoft have no clue?"
Several readers were also worried that Microsoft's broad assertion of its right to access their computers would force their
companies into noncompliance with government security guidelines and various privacy laws. This concern was exacerbated by
additional PUR language in the same Windows XP section. In terms of "Security Updates," users grant Microsoft the right to
download updates to Microsoft's DRM (Digital Rights Management) technology to protect the intellectual property rights of
"Secured Content" providers. It says Microsoft may "download onto your computer such security updates that a secure content
owner has requested that MS, Microsoft Corporation, or their subsidiaries distribute." In other words, it would seem Microsoft's
idea of a security update is one that protects the property rights of vendors, not the security of customers' systems.
Currently, DRM technology is associated just with music or video content, but there's no legal reason it can't be used with
software applications as well. One reader expressed the concern that in order to enforce common license terms, DRM technology
might have to distinguish customer communications from those of internal users at a company. "As I read this, we will be guilty
of violating federal privacy laws if we don't at least warn our customers that Microsoft and its partners may have access
to their records," the reader said. "Perhaps our firewall can prevent Microsoft from doing this, but how can I be sure?"
Microsoft officials say that the language in the PUR agreement, which they confirm is also in the Windows XP EULA (End User
License Agreement) itself, is not intended to force upgrades on customers. "Our goal is to give the user control over whether
a system is being updated, regardless of whether the user is a consumer or an institution," a statement from Microsoft's legal
team read. "The 'Internet-based Services Components' section of the Windows XP EULA was written specifically to ensure that
we are in compliance with all regulations that require notification when the configuration choices that a user makes could
potentially access one of the auto-updating features of Windows XP. We clearly have more work to do to make sure that it's
clear when these automatic features are used, and we are looking at how to do a better job at that. But it is certainly not
our intent to access any user's system when that is not what they desire."
Both corporate and individual customers can choose to turn off Windows Auto-Update, the Microsoft officials pointed out.
Similarly, users will be told when a content owner is requiring an update to Microsoft's DRM technology and they will have
the option to download it. "If the user elects not to update the security component, he or she will be unable to play content
protected by our DRM from that point forward, although content previously obtained would still be usable."
Well, swell. But if it is indeed Microsoft's intent to continue giving users the right to decline downloads, why has the
company written its XP agreements to force users to explicitly surrender that right? Are customers supposed to ignore what
the licenses say and just hope Microsoft won't ever do what the terms say it can do? That's not a concept that will make anyone
other than Bill Gates feel very secure.