Microsoft's WGA comes under spotlight
Two class-action lawsuits have been filed against Microsoft, alleging that its WGA program is spyware.
By Tom Spring, PC World.com | PC World | Published: 14:00, 17 July 2006
If it looks like spyware, acts like spyware, and transmits information like spyware - it's practically spyware, say some anti-spyware makers of the anti-piracy features in Microsoft's controversial Windows Genuine Advantage (WGA) program.
Other anti-spyware firms aren't so concerned. "Microsoft has every right to protect itself from piracy," says J.J. Schoch, director of marketing at Panda Software.
Generally, spyware is defined as unwanted software that collects information about a computer user and/or the PC itself, and transmits it back to the software publisher without informed consent by the computer user.
The WGA anti-piracy program works in conjunction with Windows Update to check whether the Windows operating system on a machine has a valid license.
When introduced last year, WGA, which checks a user's copy of Windows XP to ensure it is not counterfeit or pirated, ran only on Windows-based PCs when a user installed the company's Automatic Updates feature.
In April, Microsoft updated WGA, which is still a pilot program, with a Notifications tool that checked the legitimacy of Windows on a system, regardless of whether the Update services were being used. Microsoft agreed to revise Notifications in late June.
The company now says the software will check only periodically (not daily), as to whether a version of Windows is genuine.
For more background on WGA, WGA Notifications, Microsoft updates to the program, information on the wording of the software's EULA agreement, and several ways to remove the WGA Notifications tool, read PC World Staff Editor Erik Larkin's takeon these topics.
Firewall Leak Tester also offers a download that should remove the WGA Notifications tool from your PC.
Some anti-spyware vendors say controversial features of the WGA service are prompting them to consider putting it on their companies' spyware blacklists, while other firms in the same business say recent hysteria over the program and lawsuits like the one filed in Seattle are without merit.
"WGA was indistinguishable from other seedy spyware firms in the Caribbean that steal data off your PC without proper permissions," says Eric Howes, director of malware research at anti-spyware software maker Sunbelt Software.
The firm does not currently classify WGA as spyware, but Howes says a change in status for WGA is under consideration. He acknowledges that Microsoft has since responded to the public outcry and done a better job of informing consumers about what WGA is and what information it collects.
Panda's Schoch, on the other hand, says that the consumer uproar over WGA is somewhat confusing to him.
He points out that the same people who don't trust Microsoft's WGA features are willing to entrust large amounts of Microsoft programs with personal data. "After they've trusted Windows with their personal e-mail and tax information, now they are worried about an innocent file check over the Internet?" he asks.
Microsoft acknowledges that WGA collects hardware and software data but maintains that the data is used only to verify that one copy of an OS has been registered on one computer.
Schoch points out some cyber-crooks are now distributing a worm masked as Microsoft's WGA through America Online's popular AIM instant messaging service. These are the threats that currently top his list of WGA concerns.
Panda and other security firms also are warning the public of the worm that is disguising itself as WGA features in Windows. The worm is capable of disabling a PC's firewall and leaving the system vulnerable to outside control.
Other WGA-focused security concerns come from anti-spyware firm Webroot Software, which says that systems that do not pass WGA validation are not eligible for important Windows security updates and Microsoft security features like Windows' firewall.
"Pirated or not, a computer that is blocked from security updates and features makes the entire Internet more dangerous for all," says Vinay Goel, Webroot's vice president of worldwide marketing. That's because cyber-crooks can more easily exploit non-secure PCs to distribute spam, viruses, and worms and also to carry out cyber-attacks.
In an informal test running an unvalidated version of Windows XP Pro, PC World could not update a test PC while using Windows Update to download the Windows security update Service Pack 2.
An anti-spyware expert for SurfControl says that the practice of having programs make stealthy communications back to software publishers is here to stay and will only grow more prevalent as software continues to be sold as a service rather than a shrink-wrap software product.
"Programs need to communicate back home, whether it's for a software update, patch, upgrade, or to check to make sure that the version being used is bought and paid for," says Jim Murphy, SurfControl's vice president of product marketing.
The one area in which anti-spyware firms are in agreement is that Microsoft implemented WGA poorly, and has not done a good job of obtaining the clear consent of its users.
Sunbelt's Howes gives Microsoft a grade of D- when it comes to obtaining users' consent for WGA. He contends that by Microsoft's own spyware definitions in its anti-spyware software Windows Defender, WGA would be considered spyware.
"Microsoft needs to realise the rules also apply to Microsoft," Howes says.
A spokesperson for anti-spyware vendor Seriniti agrees. Lawrence Phipps says Seriniti doesn't consider WGA spyware, but says that "if it walks like a duck, and talks like a duck, you might as well call it a duck."
