Windows Updates and Software Ownership
Do you own the software on your computer, or do the software companies? That's really the issue that lies at the heart of a brouhaha that arose last week regarding Windows Updates that apparently are installed without user permission. What I find most fascinating about the incident is what it reveals about the world of EULAs and DRM in which, at least if you listen to the software industry, we all now live. A story last week in the Windows Secrets newsletter reported that recently Windows Update for XP and Vista has stealthily downloaded a number of updates even for users who don't want automatic updates. Subsequent observers confirmed the updates had indeed gone out.
In what appears to be closest thing to an official response, a Microsoft program manager blogs that the updates -- minor patches for the Windows Update software itself -- need to be installed if the update process is to work as users expect. While none of the observers have seen any sign the Windows Update updates cause any harm, Microsoft's argument struck many as being a Redmond-knows-what's-best-for-you approach. "The idea they can't give the user a choice in a situation like this is just nonsense," one reader wrote me. "There are some very good reasons some of us choose just to be notified of updates rather having them automatically installed ... starting with the litany of buggy releases Microsoft has foisted on us through they years.
It's my machine, and they have no business making changes to executables without telling me." Business users in particular have security and accountability issues if their software assets aren't actually under their complete control. "An owner and an operator of a computer in an enterprise can absolutely no longer claim to be able to audit the machine if control of the updates are being done without the owner even being notified," wrote another reader.
"What Microsoft is doing is sheerly Orwellian, and clearly designed with the intent of taking remote control of a consumer's PC at their whim if Microsoft chooses to determine the consumer has violated their EULA or decides a licensed copy is not a licensed copy. Of course the recent collapse of the Windows Genuine Advantage servers shows what a dangerous strategy that is, and the disastrous consequences when a single point of failure at Microsoft occurs. Sadly, it is not just Microsoft. Every software vendor seems to think they can do anything they want." But this is actually something of an old story, both in terms of the issues readers are raising expressing and Microsoft's somewhat vague reassurances of their good intentions. Back when Windows XP was newly released I wrote about some very similar concerns readers had about XP EULA terms that gave Microsoft the right to automatically update components of the operating system. And the response Microsoft had back then echoes what they're saying now. "We clearly have more work to do to make sure that it's clear when these automatic features are used, and we are looking at how to do a better job at that," the Microsoft spokesperson said in 2002. "But it is certainly not our intent to access any user's system when that is not what they desire." So after all these years, why is it that Microsoft still has to admit that it's not being as clear about all this as it ought to be? Well, I think we can see a clue if we compare the old and new EULAs. The early XP EULA said that: "You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer."
The Vista EULA is at least a little more direct about what the purpose of an involuntary download is:
"The software will from time to time validate the software, update or require download of the validation feature of the software." While the wording has changed a little bit, the meaning remains the same. It's all about the DRM. If Microsoft's various and sundry anti-piracy schemes are to work, it has to have the right to make changes to components of the operating system whether you want them to or not. And, however good Microsoft's intentions might be, if any of those changes happen to cripple your computer at a bad time, hey, read the EULA. It's your problem, not Microsoft's. It would be easy for Redmond to make this crystal clear, but I guess just coming out and saying that Microsoft has the right to disable your computer at any time would be a little too blunt. So who owns the operating system on your computer? If you run Windows, the answer is that Microsoft thinks it does, and you should take that fact into account.