February 08, 2002

Check the fine print

Language contained in Microsoft's Product Use Rights document raises concerns about security issues and privacy

BILL GATES SAYS security is Microsoft's top priority, but just whose security does he have in mind? Consider some of Microsoft's recent boilerplate legalese -- language you or your company might already have unknowingly accepted -- and then decide for yourself.

The language is contained in the Product Use Rights (PUR) document that can be found at www.microsoft.com/licensing/resources. As the PUR document is part of most customers' volume license agreements and is subject to periodic change, in theory Microsoft customers should check it regularly to see what rights Microsoft has decided to grant or take away.

You can be forgiven if you feel like you have better things to do with your life than reading and rereading all this mind-numbing legal gobbledygook. Fortunately, one Microsoft customer did review the PUR document recently and noticed a change. In the section on Windows XP Professional, he found the "Internet-Based Services Components" paragraph that said in part, "You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer."

The reader was stunned. "By changing that term in the PUR, Microsoft has found a creative way to obtain authorization from users to access their workstations at will," he said. "How many customers are going to review this PDF file and realize they've given Microsoft this right? And all the risk for the security and privacy violations due to this are neatly put on the customer's shoulders, not Microsoft's."

After the reader shared his discovery with me, I asked some other Microsoft volume license customers if they were aware of the PUR term. Not surprisingly, most were only vaguely aware of the PUR's existence, much less the terms in the XP section. But they had plenty of concerns once they read it, the most obvious being the damage the most benign of automatic OS upgrades could cause in a corporate environment. "The idea that Microsoft can change our software without notifying us is totally unacceptable," said one corporate IT manager. "Any alteration to our standard configuration can only be rolled out after careful evaluation and testing. Does Microsoft have no clue?"

Several readers were also worried that Microsoft's broad assertion of its right to access their computers would force their companies into noncompliance with government security guidelines and various privacy laws. This concern was exacerbated by additional PUR language in the same Windows XP section. In terms of "Security Updates," users grant Microsoft the right to download updates to Microsoft's DRM (Digital Rights Management) technology to protect the intellectual property rights of "Secured Content" providers. It says Microsoft may "download onto your computer such security updates that a secure content owner has requested that MS, Microsoft Corporation, or their subsidiaries distribute." In other words, it would seem Microsoft's idea of a security update is one that protects the property rights of vendors, not the security of customers' systems.

©1994-2009 Infoworld, Inc.