A random collection of stuff mostly about operating systems, software licensing, technology, and privacy



MikeCh’s stuff…

Why I dislike Windows Genuine Advantage

February 21st, 2010 (Revised August 16th, 2013)

Since its troubled introduction in 2006, I have had this nagging dislike of Windows Genuine Advantage (WGA). The recent dismissal of the class action lawsuit against Microsoft over WGA, and the release of the latest version, now called Windows Activation Technologies, has forced me to revisit the subject—and I have to say that even after a second look I still don’t like it.

Before going any further, let me state for the record that I understand that Microsoft has the right to protect its intellectual property. But piracy is not just a problem for Microsoft—manufacturers of many products including pharmaceuticals, watches and handbags also wage on-going battles with IP thieves (pirates). Apparently some criminals are even selling non-genuine iPhones in bars.

Activation and validation

Microsoft defines software piracy as “the mislicensing, unauthorized reproduction and illegal distribution of software, whether for business or personal use.” According to Microsoft, illegal copying of its software products in violation of its software license agreements is responsible for a large portion of its economic losses due to theft.

Microsoft uses software activation to target the casual copying of its products by end users, a form of piracy that is sometimes called end-user piracy or softlifting. Microsoft defines other types of piracy here.

Activation meets Microsoft’s goal to reduce piracy by preventing the overwhelming majority of users from copying and sharing software in violation of the license agreement. It accomplishes this goal by notifying Microsoft when one of its software products has been installed on a specific computer. Although customers can defer activation for a short period of time (30 days), if the software product is not activated or fails activation, the user is notified and presented with options to learn more about the failed activation.

I could be persuaded to accept activation, because it is tied to finalizing the installation of a product on a computer. But I have long struggled with why a product that was successfully activated also needs to be validated.

Thankfully Ed Bott provided me with the scenario that explains the need for validation. Suppose some sophisticated software pirate has figured out how to evade or circumvent activation by tampering with the activation service in the copy of Windows they sell to a user. When the user with the non-genuine copy with the tampered activation code attempts to activate the software, it activates in the same way that a genuine copy would because Microsoft is not yet aware of this particular method for circumventing activation.

As more people activate other non-genuine copies using the new circumvention, Microsoft will eventually detect the tampering, and determine how to test for the presence of this particular tampering. Then Microsoft can prepare a signature file that describes the tampering, and this file can be downloaded to the computer and used to detect the circumvention the next time the activation or validation agent runs. So the software, which incorrectly passed activation, will now fail validation, and the user would be prompted to work with Microsoft to determine how best to get a genuine copy of the software.

The initial introduction of WGA was not handled as smoothly or as transparently as it could have been (which was the basis of the failed lawsuit), but Microsoft has addressed most of these technical problems. Again, Ed Bott has done a great job of testing and documenting the current version.

My problem with validation

If my problems with validation do not revolve around Microsoft’s protecting its intellectual property, what is it that I object to? My problems with validation are:

  • The use of my computer to join their little software posse comitatus. Here I am a lowly computer user (rancher), who just wants to use the computer I purchased (mind my cattle), when Microsoft (the sheriff) comes along and says it’s going to use my computer (saddle up and come with us) to fight the pirates (the bad guys).
  • The on-going nature of the conscription—the sheriff and his posse are going to come back every 90 days just to make sure I haven’t joined the bad guys and they aren’t hiding out in my barn.

Of course the simple answer to both of these problems is not to use Microsoft software: don’t use Microsoft software and you don’t have to accept their EULA. This is one of the reasons why I now own as many computers that run Mac OS X as run Windows. And I am about to buy my first server with open source virtualization and operating systems, in part because of validation.

But I cannot avoid the Microsoft EULA completely. I use my computers for work, and my work as a Windows analyst requires that I run Windows operating systems.

Maybe two scenarios—the watch and the landlord—better illustrate how validation feels to me.

The watch

You have an on-going relationship with a local jewelry store. You purchase all your jewelry from this store because you know and trust the jeweler—she sells quality goods at a fair price.

You need a new watch, and you know that your favorite jewelry store handles a variety of high-end watches. With the help of the jeweler you examine the various brands and models and select a high-end watch made by a well-known manufacturer. As the representative of the manufacturer, the jeweler was the one who educated you about the watch’s features and benefits. They guided you in your selection. You know if you have any issues with the watch the jeweler will stand behind it, as (you assume) will the manufacturer.

You pay for the watch, and because you like it so much, you decide to wear it home. Your new watch is working great, and even though you suspect it will only lead to more unwanted advertisements, you carefully write the serial number of the watch on the warranty card and mail it to the manufacturer. Now the manufacturer knows that the jeweler sold you that particular watch.

Your friends notice the watch and you tell them what a great watch it is—in fact you are rarely late for meetings anymore.

Thirty days later, just as you are sitting down to dinner with your family the door bell rings. A nice young lady is standing there, and she introduces herself as an employee of the watch manufacturer. She has picture ID which identifies her as a representative of the manufacturer, and she asks if you purchased a model of their watch with a specific serial number.

You are somewhat surprised, because after all, you have only a passing relationship with the manufacturer, but she very sweetly says she is sorry to bother you, and she won’t take more than a minute of your time, but after all, pirates sell fake versions of the watch and she merely wants to look at your watch to assure you that your jeweler sold you a genuine watch and not a crummy fake. She says that the manufacturer totally trusts the jeweler, and they totally trust you for that matter, but you know, these fake watches are a real problem for the manufacturer, and many people are late for appointments because the fake watches do such a poor job of keeping time. You hand her the watch, and she looks it over carefully, checking for the various hidden clues that the manufacturer uses to identify a genuine version of the watch. “You’re in luck,” she says, “it’s genuine!” and she thanks you for your time.

Three months later there is another knock at your door. This time it is a different employee of the watch manufacturer. He tells you that those darn pirates are so tricky that their first representative wasn’t up-to-date on the latest fakery. However, he has just returned from the manufacturer’s ‘Fake Watch Spotting University’ and it really is in your best interest to once again let him look at the watch; this time he will give it a closer and more thorough examination.

You take the watch off your wrist, hand it to the manufacturer’s validator, who carefully examines the watch, tells you it is okay, but as he turns to leave he says “See you in 90 days.”

Now I know this isn’t a perfect fit, because watches don’t yet come with a EULA, and the process of answering the door, talking to the person, and having them verify the watch is more intrusive than a simple software check. But even a software agent is using my computer’s processor, memory, network card, and my ISP connection for its purposes—my benefits if any are minor.

The landlord

If the watch scenario doesn’t work for you, consider this. You rent an apartment in a nice apartment building. The lease is similar to a EULA—you don’t own the apartment, you agree to pay for the right to live there (use it). The lease says that the landlord can enter your apartment without notice but only in an emergency; on all other occasions, she must notify you two days in advance, and you have the right to negotiate a time when you can be there.

Despite the lease, the landlord is concerned because the water bill for the apartment building is too high. It isn’t an emergency, water is not flowing from one apartment to another, and there is no sign of water damage in any of the common areas or hallways.

But the landlord decides to use her master key to check all the apartments for leaks, so she lets herself into your apartment to check to see if any of the faucets are dripping. She goes into your kitchen, through the living room to get to the laundry room, and then down the hallway to the bedrooms to check the faucets and toilets in the bathrooms.

While she is wandering through your apartment she peeks at your thermostat because, as long as she is there, what could it hurt and frankly the gas bill has been pretty high too. I mean, with all the concern about the environment everyone is in favor of saving water and having that smaller carbon footprint—why, her entering your apartment is practically a public service.

So even if you let this first check go (stretching to consider it a pseudo emergency), does this allow the landlord to enter your apartment once every three months, just to check you are still a good tenant?

Just looking around

One reason I like the landlord example is because it lends itself to a key point. Even though the landlord has a ‘pure’ motive in entering your apartment, by her very presence in your property (under the terms of the lease), she can observe things about you. She does not take anything, but just by observation she learns what you like. She may see what magazines you subscribe to, what videos and games you play, what shampoo you use and what medicines you take. She knows that you leave wet towels on the bathroom floor because you were late for work (damn that fake watch).

Okay, this is all relatively innocuous, but I argue it is a short leap from looking for dripping faucets to running amuck in your underwear drawer or peeking at the bank statements in your desk to make sure you are the kind of tenant they want in the building and to ensure you can afford to stay there.

You see, it starts simply and with the best of intentions: Microsoft just wants to see if activation software has been tampered with. By agreeing to the EULA you agree to allow this. I am not saying Microsoft is snooping through computer files, but if they decide there is additional information they need in the name of fighting piracy, all they have to do is update the EULA and their privacy policy as needed, give you another chance to read these documents, and have you accept the EULA again.

And what are the chances that you could now decline the updated EULA? How likely are you to decline any additional updates and service packs in order to leave the computer in the state where the original EULA applies?

Having your cake and eating it too

Finally, when it comes to piracy you cannot have your cake and eat it too. If you are going to crack down on piracy then it must be all forms of piracy.

But the reality is that Microsoft finds piracy quite useful—just not your piracy. In a 1998 interview available at CNET, Bill Gates said: “Although about three million computers get sold every year in China, but [sic] people don’t pay for the software. Someday they will, though. As long as they are going to steal it, we want them to steal ours. They’ll get sort of addicted, and then we’ll somehow figure out how to collect sometime in the next decade.”

Even Jeff Raikes, who at the time of this quote was Microsoft’s business group president, talking to analysts at the Morgan Stanley Technology conference in 2007, essentially said: “If people are going to use pirated software, he’d prefer they use bootleg copies of Microsoft programs.”

This may explain the ‘Wink-Wink, Nod-Nod, Oh yes, you’re a student of life’ lax enforcement of who can use the student edition of Office.

And finally, an article in the Economist (sorry, subscription required) shows that as recently as 2008 this attitude still prevailed. Because of piracy’s potential to open new markets, “Officially, the software giant has taken a firm line against piracy. But unofficially, it admits that tolerating piracy of its products has given it huge market share and will boost revenues in the long term, because users stick with Microsoft’s products when they go legit.”

Therefore, before I can jump on board the validation bus, I would like to see Microsoft 1) speak out against all piracy, even when to do otherwise might help its market share (after all, lowering prices might accomplish the same goal); 2) simplify the terms of its EULAs to clarify what people can and cannot do; and 3) reduce validation checks to those times that make sense (such as when requesting support or downloading non-security enhancements).