Windows Update v5 Gathering Too Much Information?

LucasR asks: "I was testing out Microsoft's Windows Update v5 and read their latest privacy statement from April 15th of this year, and it appears they are collecting and storing more information than ever. Here is only some of what they are now collecting: computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug and Play ID numbers of hardware devices, and IP address (though only for aggregate statistics so they claim). Some of what they are collecting is really disturbing. I use Microsoft's products but I don't recall wanting them to know everything about my computer and what competing applications I might use. Check it out for yourself. Isn't this amount of collected information a bit much?"

Fixed link

[Matt Perry]

Here's the fixed link: http://v5.windowsupdate.microsoft.com/v5consumer/p rivacy.aspx?ln=en [microsoft.com]

Re:Fixed link

[the_greywolf]

the XML document it links to appears to be an XML conversion of a system .nfo file. other companies [securom.com] need identical information to provide their services.

honestly, it doesn't look all that bad unless the IP address is actually assosciated with the GUID.

Re:Fixed link

[ratboy666]

"To generate accurate statistics, Windows Update evaluates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any information that can be used to identify you."

Um... the GUID *is* an indentifier for that particular computer. It will not identify an individual *only* in the in the case of a shared computer. Other than that, "they" know who you are. Even if your IP address changes (eg. you move, or use DHCP), the GUID WILL NOT CHANGE. So the

Re:Fixed link

[itwerx]

I wonder what exactly is in that encrypted section at the beginning...?

Standard practice...

[RomSteady]

It's a beta site. Microsoft's beta products usually collect more information in order to help recreate failure scenarios. When I've done betas in the past, I've collected additional information for the same purpose, and I disclosed it the same way.

In this case, I'd say "chill." A stable Windows Update is a boon to security.

Re:Standard practice...

[Anonymous Coward]

All these anit MS freaks just dont understand. The more data you have, the more accurate your solutions can be.

If there is some obscure driver in a turtle beach sound card which causes an IE update to crash, they will know about it just by the numbers.

Try supporting a 200+ user environment. Then let me know if you think hardware/software reporting are a bad thing.

Way to test the URLs

[np_bernstein]

The editors here are getting paid right?

Re:Way to test the URLs

[foobsr]

The editors here are getting paid right?

One would tend to answer no, right?

Alternatively one might consider that many Open Source developers are not paid - so it is all consistent.

CC.

Beta

[prostoalex]

The current version is v4 [microsoft.com], so if you tested v5, you apparently signed up for it, or were invited or decided it was worth it to get on the beta testing team.

Betas usually ask testers to provide more information so that SQA can re-create the problem and such. If you feel uneasy, then don't sign up for beta testing.

Re:[OT] Your sig

[prostoalex]

Leave a comment on whatever you find wrong. The questions come from variable sources, some, ahem, less reliable than the others. I try to keep up, but I can't manage a dozen of languages and technologies myself.

Re:[OT] Your sig

[Mr Z]

In some cases, the wrongness is simply horrible grammar. For instance, I can't tell what this actually means, since it isn't even a complete sentence: "In header files whether functions are declared or defined?"

You know, if you're going to ask a subtle question (what's the difference between declaration and definition, and which one belongs in a header file?), you need to word it so it's unambiguous.

--Joe

invited... not really

[zoloto]

i connected to windowsupdate recently and manually changed the v4.windo---- to v5.windo--- just for kicks (b/c of rumors etc) and instantly i was sent to the new site.

It was interesting and they automatically update your "windows update" client that's on your PC. Oh yeah, even very FIRST generation versions of XP licenses aren't valid (i have a valid license but they say it's not... so I'm a bit confused.)

anywho. it's not an invite only thing. but maybe it is if it won't verify my key..?? perhaps so.

Re:invited... not really

[Delf]

Windows Update version 5 is being rolled out as part of the XP Service Pack 2 stuff, so if you don't have the XP SP 2 beta installed, that would explain why it won't validate you.

Installing SP 2 does require you to accept a EULA.

Don't they need all of that information?

[yotaku]

"Here is only some of what they are now collecting: computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug and Play ID numbers of hardware devices, and IP address (though only for aggregate statistics so they claim)."

Other than the IP address, I would assume that they would have to know all of that information in order to be able to provide you with all the updates you may need. The hardware information is needed in order to provide updated drivers. I'm going to assume that by browser they mean information about IE, since we all know that that needs fequent updates. The only iffy things I see here is the IP address, and every web page you visit gets that, so I dont think its something to be overly concerned about.

And then there is the version information for other Microsoft software. Personally I love this. I hate having to go to OfficeUpdate to seperately check for updates to office. It would be nice if all my software could get updated thought windowsupdate. But I dont see Microsoft opening it up for other companies to use - so I will settle for just all microsoft software.

Re:Don't they need all of that information?

[Tablespork]

They shouldn't need any information. They just need a list of all available updates, and the client can check to see if any are needed. Microsoft shouldn't need to collect any data whatsoever. I'm not picking on Microsoft, I think any company would/does/has every right to collect this information. It's free usage statistics.

Re:Don't they need all of that information?

[Gadget_Guy]

They just need a list of all available updates, and the client can check to see if any are needed.

So instead of uploading 10 or so IDs for the server to do a query with, you would have to download thousands of them so they can check them on the client side. That would really slow down the Windows Update process.

Re:Don't they need all of that information?

[shadowarts]

Your forgetting, half the Windows population (at least half, probally more) wouldn't know what to download. The Windows Update selects what they should download. You give a novice user a list of 2000 files they'll just close the program.

Re:Don't they need all of that information?

[chriso11]

They don't need to know the hardware ids for every component. They could get by just knowing the make/model. That much data is excessive.

Re:Don't they need all of that information?

[markhb]

Is the PnP ID unique to a particular part (like a MAC address), or simply a unique identifier for the make/model?

Re:Don't they need all of that information?

[NetJunkie]

Hah! Make and Model of the PC? No way. IBM/Dell/Gateway change specific components all the time in a model of PC.

The link I believe they wanted

[scupper]

I think this is the page they wanted to link to: http://v5.windowsupdate.microsoft.com/v5consumer/d riversquery.xml [microsoft.com]

Looks like they added BIOS info collection. This is news?

V5 privacy statement: http://v5.windowsupdate.microsoft.com/v5consumer/p rivacy.aspx?ln=en [microsoft.com]

v4 privacy statement:

Windows Update Privacy Statement (Last Updated 10/17/2003)

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting

The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session, unless the Product ID is not valid.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.

From the article...

[meta-monkey]

Windows Update evaluates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any information that can be used to identify you.

So, the Unique Identifier cannot be used to identify. Sounds really useful :)

Re:From the article...

[My name isn't Tim]

It can't identify YOU the individual, but your computer (well in it's current Windows installed state) it can. Presumably they could track what GUID has downloaded what from Windows Update and they could further figgure out what segment of the population is upgrading and who isn't. (based on the data they may also collect such as make and model and software installed)

that's my take on it anywho

Re:From the article...

[Too Much Noise]

Add to that various connection patterns they can obtain by correlating the GUID with the IP. Still, not a big privacy issue yet.

However, I'm not sure how exact this list is - given that previous examples of info capture showed that WindowsUpdate didn't bother to select only the MS products from the registry list it grabbed and sent the full list of installed software.

Re:From the article...

[3) profit!!!]

Windows Update evaluates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely

identify it. The GUID does not contain any information that can be used to identify you.

Note that it is identifying your computer, just not you personally.

What's to be worried about?

[/dev/trash]

MS has been collecting this info for years. They're just telling you about it now to make you feel good.

Get over it, if not, then don't use Windows

[shodson]

Some of what they are collecting is really disturbing

Disturbing? Yeah, now that they know your CPU model and BIOS version number they can clearly learn about your cross-dressing hobby.

Scary Language

[digitalvengeance]

From the article:

The Product ID and Product Key collected are not retained after you are finished using Windows Update, unless the Product ID is not valid.

Though my workplace has all validly licensed copies, there have been occassions where I've just grabbed the closest Product Key during a reinstall rather than pull up the database of which keys go with which machines. They WILL keep a product ID if they deem it to be invalid? How long before we are all getting audited for not memorizing 30 different Product Keys for the 30 different windows licenses we have?

Re:Scary Language

[rritterson]

That's not the point of PID validation. If you have 30 PKey's, then you must have 30 Retail Keys, and therefore have to activate them. If it activates, the key is considered valid.

PID disqualification applies to corporate VLK's, which run on versions of XP that don't need to be activated (can you imagine activating 10000 copies during a deployment of XP). Those copies are, of course, ripe for pirating. Apparently, valid VLK's only generate a subset of possible valid PIDs, so they can tell if you are using a bad key (read: keygen'ed key) by the PID and you won't be able to use WU.

You aren't going to get audited with only 30 XP licences. The cost of the audit far outweighs the cost they could hope to make from you. It's like the IRS auditing a 16 year old kid who makes $1500 yearly at a part time job.

Re:Scary Language

[forged]

The Product ID and Product Key are not retained beyond the end of the Windows Update session, unless the Product ID is not valid.

So much for the majority of consumers running pirated XP Corp versions... Since they would no longer be able to get updates, I wonder how long until they become the next source of virus-spreading craze.

As an interesting side effect, perhaps this will finally encourage people in this group to massively ditch XP Corp and go for Linux instead.

Re:Scary Language

[Phillup]

Use a corporate licence key.

The computers will most likely have a non-routable IP address assigned, and all of them will show up w/ the IP address of the firewall.

Even if they note the number of individual computers connecting w/ that license... there are so many "spares" and "rebuilds" in the corporate environment to make tracking a fruitless proposition.

What info does a WUS server share with M$

[scupper]

Does anyone know how much of the info collected by a WUS server, which is also collected by windows update, is passed on to M$ by the WUS server and/or the WUS client? It all seems to me to be relevent and useful info to collect, considering you've already overcome your privacy issues by agreeing to the EULA and have purchased CALs.

Re:What info does a WUS server share with M$

[scupper]

I meant to say SUS.

EULAs are more interesting...

[MrHim]

I like the MS Visual Studio EULA better (C:\Program Files\Microsoft Visual Studio\MSDN98\98VSa\1033\Setup\EULA.txt, if you happen to own it). Section 4.1.2:

Performance or Benchmark Testing. You may not disclose the results of any benchmark test of either the [Server Software] or [Client Software] for Microsoft Message Queue Server, Microsoft Transaction Server or Microsoft Internet Information Server to any third party without Microsoft's prior written approval.

And if you get the Microsoft SDK from windowsupdate, the same restriction is placed on releasing .NET benchmarks.

Quite standard nowadays

[Wudbaer]

While somewhat stupid, a lot of vendors have such limitations in their license agreements nowadays. AFAIK Oracle started with this some years back.

Let's have a peek:

[NanoGator]

"Computer make and model": In order to figure out if particular motherboards need a fix applied. The AGP problem with Athlons immediately comes to mind.

"Version information for the operating system, browser, and any other Microsoft software for which updates might be available": For security updates to IE, Outlook, Word, etc...

"Plug and Play ID numbers of hardware devices": In case there is a fix for a particular bit of hardware. Maybe a DirectX update or something.

"Region and language setting": What, you don't want your driver interfaces to be in Bulgarian?

"Globally Unique Identifier (GUID)": Eh, not terribly interested in defending this one unless it's to count how many times a particular machine gets updated. I can't say I'm terribly concerned about this one either.

"Product ID and Product Key": Filed under D for DUH.

"BIOS name, revision number, and revision date": Again, may be related to fixes for a particular computer.

This stuff is far less scary when you read through some of the MSDN articles for quick fixes etc. It's pretty obvious that they attain this info for the Automatic Update to actually work. Damn them for creating this free service!

Re:Let's have a peek:

[loftwyr]

The plug and play ID's are for the driver updates you can get through the site. It's tough to give you drivers if it can't ID the device...

Is that all they're collecting?

[loftwyr]

There is a nice sample [microsoft.com] of what they're collecting in XML format. Well, it would be useful if it wasn't for the large block of encrypted into that they don't explain.

Maybe I'm just paranoid but if they're going to give a sample of the collected data, shouldn't they tell what's in that block?

Re:What Else?

[siliconjunkie]

what makes you think they record the items you listed? seriously. i'm curious how you've come to this conclusion.

I dont care unless...

[AliasTheRoot]

...they attach my name in real life to the bits they collect and start selling that information.

it's not an invasion of privacy to collect information on hardware.

They might be gathering it for Intel

[Gary Destruction]

Intel has the power to shape the hardware industry. If they want the floppy to disappear, they can make it happen. The information gathered can be used to give an idea of how much legacy hardware is still in use and it could be used to predict future demands in hardware. Take that as opposed to old motherboards and expansion cards sitting at the dump. If the user visits Windows Update, then it's know that the hardware is still in use.

Focus

[nusratt]

Where are your priorities?
Sincerely, not trying to flame, but this microsoft issue in this article is the only slashdot comment I find which has been authored by http://ask.slashdot.org/~LucasR

So I have to ask:
with everything else which is happening to steal or threaten our medical confidentiality, our privacy, our freedom to travel, freedom of speech, freedom of association, and other civil liberties -- things which appear on /. almost every day, such as
http://slashdot.org/article.pl?sid=04/07/05/1 6 3721

Note on the page

[Tomahawk]

When you run Windows Update, you get the following message:

Note Windows Update does not collect any form of personally identifiable information from your computer.

Under that is a link to the privacy statement telling you what they do collect. Here is the text behind the link:


Windows Update Privacy Statement (Last Updated 10/17/2003)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session, unless the Product ID is not valid.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.


(note that the update date is 17 October 2003)

T.

What if we send more than 1MB of data each?

[TheLink]

I suspect that in their opinion they won't think they're gathering too much info till they need petabytes or exabytes of storage, if you know what I mean.

So, any bright sparks know how to create a way to give them enough info so that they stop asking us for info?

Clicking on something or making an HTTP access to something doesn't make it a legal contract. Tons of people click I agree coz they want to update their PC.

v5

[bendsley]

They are able to tell whether or not the key you are using for your XP install is a valid key or not. I can pull updates from v4, but not v5. Oh well.

Re:v5

[jameslore]

That's because in V5 they block product keys which aren't of the subset they've distributed.

It's fairly easy to get around (not that I'm going to provide help), but it should server it's purpose - it'll knock out most of the leaked (or generated) corporate keys. And while it's a minor irritant to anyone sufficiently motivated to get around it, it'll block those without the knowledge or inclination to beat it.

Personally I think MS should be taking the moral high ground and supplying at least security patch

Ye Gods!

[mcocke]

A unique identifier and your IP address, as well as a list of all your hardware and software. Looks like I won't be using Microsoft update again. Thanks to the OP for the heads up.

A bit much?

[Nyhm]

A bit much? That's several bytes too much!

What competing products?

[belchingjester]

I use Microsoft's products but I don't recall wanting them to know everything about my computer and what competing applications I might use.

I don't see anywhere in their disclosure statement where products other than MS products are tracked, so I'm not sure why you're being alarmist about "competing products". Perhaps they are collecting more info than they say they are, but that's not the issue you raised.

The Slashdot Paradox

[fluor2]

I think its really a paradox that I actually feel SAFER when doing these update internet thingies on Windows, since we have all those people around the world, monitoring what Microsoft do every day.

I'm sure it would be even in the news if Microsoft did something that was not allowed by laws of your government.

However, wget a mySUPER-GPL-programtar.gz leaves me with much less security when I run ./configure make and such. Coz the userbase for that program might be very small, and sending private information might be un-known to the general public.

I sure hate the fact.

Is the speed issue?

[bill_mcgonigle]

For some reason visiting the Windows Update website causes a considerable delay in the browser, on the order of twenty to thirty seconds on a reasonable computer.

This compares poorly with about 5 seconds on a Mac or even 10 seconds for an apt-get update.

Could it be because it has to upload and/or analyze all this information?

If it's sending a GUID certain data should only need to be sent once, or at least the OS could manage when it needs to be sent again (new hardware, etc.)

Linux and Firefox

[nandhp]

The amusing thing, is that you can go to http://v5.windowsupdate.microsoft.com/ [microsoft.com] in Firefox on Linux and it will say:

Checking for the latest version of the Windows Update software...

Depending on your connection speed, this might take a minute. During this time, you may receive one or more security warnings. Review each security warning to ensure that the content is signed by Microsoft, and then click Install or Yes to install the software.

While nothing actually works, except for the Mozilla-customize