Alarm Bells Over Vista’s “Fine Print”

I like Michael Geist. He’s a law professor at the University of Ottawa and writes a column in the Toronto Star. Not that I agree with everything he says, but I certainly do respect the fellow. He’s a sort of Lawrence Lessig of the Great White North, for those of you from the US. A lot of what he says has merit, or at least is worthy of debate. But when I read his last column on how Vista’s legal fine print raises red flags, well, it left me scratching my head a bit. Don’t get me wrong, I don’t think Microsoft is the world’s saviour or anything, and from the perspective of a user I’m not that keen on all the DRM stuff in Vista and the headaches it will cause in using protected content, but OTOH I did raise a bit of an eyebrow to some of his comments on the Vista license. Such as:

Vista’s legal fine print includes extensive provisions granting Microsoft the right to regularly check the legitimacy of the software and holds the prospect of deleting certain programs without the user’s knowledge. During the installation process, users “activate” Vista by associating it with a particular computer or device and transmitting certain hardware information directly to Microsoft.

I don’t particularly like activation, but this is nothing new – Windows XP has activation and as for hardware information, I’m not sure how sensitive I would consider the make or model of my video card to be. I also find the reference to “deleting certain programs” to be a bit overstated. I wasn’t able to find anything about deleting programs in the Vista license I got from the MS website. It implies that Vista can suddenly go wild and start erasing other stuff you’ve installed. The only thing I was able to find was in Section 5(c), which says:

If, after a validation check, the software is found not to be properly licensed, the functionality of the software may be affected. For example, you may

  • need to reactivate the software, or
  • receive reminders to obtain a properly licensed copy of the software,

or you may not be able to

  • use or continue to use some of the features of the software,

Again, nothing particularly surprising – XP had the same thing – you don’t have validated software, you can’t use certain features of the software (i.e. Windows Vista, not other stuff).

Continuing on:

Even after installation, the legal agreement grants Microsoft the right to revalidate the software or to require users to reactivate it should they make changes to their computer components. In addition, it sets significant limits on the ability to copy or transfer the software, prohibiting anything more than a single backup copy and setting strict limits on transferring the software to different devices or users.

On revalidation, again, nothing new at least compared to XP – same complaints of course as well. As for backup copies – well, it’s pretty standard to only permit one backup. I’d prefer more but I don’t find it super-alarming to be limited to one. As for “strict limits on transferring” these are set out in Section 16:

a. Software Other Than Windows Anytime Upgrade. The first user of the software may make a one time transfer of the software, and this agreement, directly to a third party. The first user must uninstall the software before transferring it separately from the device. The first user may not retain any copies.

b. Windows Anytime Upgrade Software. You may transfer the software directly to a third party only with the licensed device. You may not keep any copies of the software or any earlier version.

c. Other Requirements. Before any permitted transfer, the other party must agree that this agreement applies to the transfer and use of the software. The transfer must include the proof of license.

I gotta say I don’t find any of the above particularly strict, onerous or burdensome. Before you transfer, you must uninstall and not retain any copies. The transferee must agree to the agreement. You must transfer proof of the license. Hmmm. Doesn’t seem that bad.

Then, onto Windows Defender:

Vista also incorporates Windows Defender, an anti-virus program that actively scans computers for “spyware, adware, and other potentially unwanted software.” The agreement does not define any of these terms, leaving it to Microsoft to determine what constitutes unwanted software.

C’mon. There is a general understanding of what constitutes spyware and adware. And yes, “potentially unwanted software” is vague. But how then, should it be defined? “Bad stuff”? Interestingly he fails to mention the language that follows:

If it finds potentially unwanted software, the software will ask you if you want to ignore, disable (quarantine) or remove it. Any potentially unwanted software rated “high” or “severe,” will automatically be removed after scanning unless you change the default setting. Removing or disabling potentially unwanted software may result in

  • other software on your computer ceasing to work, or
  • your breaching a license to use other software on your computer.

By using this software, it is possible that you will also remove or disable software that is not potentially unwanted software.

So Defender will ask you what to do (which he doesn’t mention), except for “high” or “severe” software, which it removes unless you change the setting (which he does). Well, I can understand the auto-removal thing. If it was left off by default (i.e. didn’t remove), then fingers would be pointed at MS for having lousy default security settings – a criticism often levelled (and, I think, justifiably so) at XP’s security settings – the rock on the other side of the hard place Michael identifies.

Then this:

Once operational, the agreement warns that Windows Defender will, by default, automatically remove software rated “high” or “severe,” even though that may result in other software ceasing to work or mistakenly result in the removal of software that is not unwanted.

C’mon Michael, that’s a bit over the top, isn’t it? Even “nice” spyware removers, like Spybot (highly recommended, btw) specifically warn that removing spyware might remove or cause other software not to work any more. Of course. Because many of the filthy, evil, nasty folks who distribute spyware or adware bundle it up with software that people actually want to use, and bundle it up in such a way that you can’t get rid of the spyware without killing the other software. Go figure.

Lastly:

For greater certainty, the terms and conditions remove any doubt about who is in control by providing that “this agreement only gives you some rights to use the software. Microsoft reserves all other rights.” For those users frustrated by the software’s limitations, Microsoft cautions that “you may not work around any technical limitations in the software.”

Grr. Of course. Show me a commercial license that gives anyone “all” rights to use the software without restriction. Actually, even the GPL doesn’t permit that – there are still limitations and restrictions even in open source code as to what you can and can’t do. I don’t think it’s fair to point to this type of language and imply that Microsoft is up to no good here. Same goes with the last sentence. Sure, you can’t hack the software. Doesn’t surprise me.

I never thought I’d be defending Microsoft’s licensing practices. Not to mention questioning Mr. Geist’s criticisms of same. But there you go. Not that I necessarily think, OTOH, that you should go out and buy Vista. Though it is pretty.

Pretexting, Ethics and Clients

Still catching up a bit – very quick post on the HP “pretexting” thing. As you may recall, HP asserted that its practice of pretexting – i.e. pretending to be someone else to get confidential telephone records – was legal. They were investigating leaks to the press by one of their board members and had resorted to this practice to try and find the leak. I had commented elsewhere long ago when this story first broke that even if it were illegal, very few (if anyone) could consider such actions the least bit ethical.

As most of you know, apparently there was some disagreement as to legality and a few folks at HP were charged. Then I read this recent story about how HP was ending its special ties to Larry Sonsini, of the California powerhouse firm of Wilson Sonsini:

Sonsini – famous for decades in these parts – gained national fame in September during HP’s spy scandal hearings in front of Congress. Emails between the lawyer, HP executives and former director Tom Perkins raised serious questions about how sound Sonsini’s advice was around the practice of pretexting. He seemed to indicate that phone record fraud sounded like fair game, after being nudged in that direction by HP’s internal lawyers.

My emphasis. It’s unfortunate to hear of something like this. I don’t doubt that he took the time and effort to research the law to come to a reasonable opinion on the matter before advising his client – obviously it was a very grey area of the law. In those circumstances it’s unfortunate that he didn’t perhaps suggest, notwithstanding the black letter of the law, that it would be unwise to take the course of action they were contemplating. That, as good corporate citizens with a significant public profile, such a practice is not something they should even consider. But then again, maybe he did and they didn’t listen (and of course he would surely have the good sense never to say that in public and embarrass a major client) or maybe he thought that such comments were not for legal counsel to make. Who knows.

The situation is not unfamiliar to many lawyers – particularly when it comes to giving opinions – lawyers are sometimes subjected to pressure to deliver the opinion that a client wants to hear rather than the one they should probably be delivering. By this I’m certainly not suggesting lawyers are delivering bad or incorrect opinions. What I am saying is that there are often grey areas of the law (which tend to be the areas on which legal expertise is sought) and in respect of which opinions can go one of two or more ways. And sometimes, the client will want to hear a certain outcome – for example, in the case of HP, I’m sure they would have liked the comfort to hear from their external counsel that their actions were legal – it would serve as some evidence that they took some degree of diligence and could serve to mitigate consequences if it turned out governmental authorities differed. If he, on the other hand, refused, or proffered a legal opinion that it was fine but qualified with a recommendation not to take such actions, HP likely would have not been very happy with him. And everyone knows what happens when clients aren’t happy.

It’s an unfortunate situation to be in. Particularly in this case, where, at the end of the day, HP still, obviously, isn’t happy with him.