Microsoft is in damage control mode, after it has been revealed that their latest attempt to control piracy phones home to Microsoft every day. The extent of the daily communication appears to be just checking with a Microsoft server that the program should continue to run, and it does not appear to pass any information back to Microsoft other than your computer’s IP address.

However, this daily communication is not disclosed in the EULA displayed during the program’s installation; the EULA discloses only the fact that it gathers information about your computer. The interesting question is whether, in initiating undisclosed communications back to Microsoft’s server, Microsoft has broken any laws — because this is very similar to the behaviour that malware exhibits (except that malware often transmits back other data about or from your computer).

The program, Windows Genuine Advantage, does not ship with Windows, but has recently been made available as part of Microsoft’s online automatic update function. It appears in the list of updates alongside all other updates that Microsoft thinks should be applied to your Windows installation. Once installed, the program checks whether the version of Windows it is installed on is genuine or pirated. If it determines that your copy of Windows is not genuine, it apparently starts displaying intermittent nag-screens to that effect, and blocks you from downloading further updates from Microsoft other than critical security fixes. It is this behaviour that is disclosed in the EULA.
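From a network defender’s point of view, the daily check described above is a periodic beacon to a fixed destination, and that regularity is exactly what makes it detectable (and what makes it resemble malware traffic). The following Python script is an added example, not code from the original post and not anything Microsoft ships: it parses constructed proxy-log lines (the 10.0.0.x clients and the hostnames under .invalid are made up) and flags client/destination pairs that are contacted at a near-constant interval with low jitter. A 24-hour period is the default, but the same function finds beacons at any interval you pass in, which goes slightly beyond the single daily case in the post.

```python
"""Flag client/destination pairs contacted on a regular schedule (e.g. daily).

Added example: the log format and all hosts below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log (not real traffic): timestamp, client, destination, bytes sent.
SAMPLE_LOG = """\
2006-06-06T09:12:03 10.0.0.5 update-check.example.invalid 212
2006-06-06T09:14:41 10.0.0.5 www.example.invalid 5120
2006-06-07T09:12:07 10.0.0.5 update-check.example.invalid 212
2006-06-07T15:30:00 10.0.0.5 www.example.invalid 3300
2006-06-08T09:12:01 10.0.0.5 update-check.example.invalid 212
2006-06-09T09:12:09 10.0.0.5 update-check.example.invalid 212
2006-06-09T11:02:55 10.0.0.5 www.example.invalid 980
2006-06-10T09:11:58 10.0.0.5 update-check.example.invalid 212
2006-06-08T08:00:00 10.0.0.9 www.example.invalid 4400
2006-06-08T08:00:30 10.0.0.9 www.example.invalid 4400
2006-06-08T08:01:00 10.0.0.9 www.example.invalid 4400
"""


def parse_log(text):
    """Turn whitespace-separated log lines into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_periodic_beacons(records, period_s=86400, tolerance=0.05, min_hits=4):
    """Return (src, dst) pairs whose median contact interval is within `tolerance`
    of `period_s` and whose interval jitter (stdev / median) is also within it.

    A legitimate browsing pattern has irregular gaps; a scheduled check-in does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:          # too few contacts to call it a schedule
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        med = median(gaps)
        jitter = pstdev(gaps) / med if med else float("inf")
        if abs(med - period_s) <= tolerance * period_s and jitter <= tolerance:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(hits),
                "median_gap_s": med,
                "jitter": round(jitter, 4),
                # Average upload size per contact: a tiny, constant payload is
                # consistent with "just checking in" rather than bulk exfiltration.
                "bytes_per_hit": round(sum(n for _, n in hits) / len(hits)),
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} contacts, "
              f"median gap {f['median_gap_s']:.0f}s, jitter {f['jitter']}, "
              f"~{f['bytes_per_hit']} bytes sent per contact")
```

The point of reporting bytes-per-contact alongside the schedule is that it separates the two questions the post raises: whether something is talking to a server you were not told about (the schedule finds that), and how much it is sending (the payload size gives a first answer, though only a packet capture shows what the bytes contain).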

Microsoft’s explanation for the failure to inform the user about the daily phone-home behaviour is given in the article as:

The company said the undisclosed daily check is a safety measure designed to allow the tool, called Windows Genuine Advantage, to quickly shut down in case of a malfunction. For example, if the company suddenly started seeing a rash of reports that Windows copies were pirated, it might want to shut down the program to make sure it wasn’t delivering false results.

“It’s kind of a safety switch,” said David Lazar, who directs the Windows Genuine Advantage program.

Lazar said the company added the safety measure because the piracy check, despite widespread distribution, is still a pilot program. He said the company was worried that it might have an unforeseen emergency that would require the program to terminate quickly.

So it seems like a genuine, inadvertent mistake. But I wonder whether it has any implications under New South Wales law? Let’s have a quick-n-dirty look at the relevant legislation.

Section 308H(1) of the Crimes Act 1900 (NSW) provides that:

A person:
(a) who causes any unauthorised access to or modification of restricted data held in a computer, and
(b) who knows that the access or modification is unauthorised, and
(c) who intends to cause that access or modification,
is guilty of an offence.

The offence is a summary one (meaning it is tried by a judge alone, and has various other consequences), and the maximum penalty is imprisonment for 2 years. Section 4 (the definitions section) expressly provides that “‘Person’, ‘Master’, and ‘Employer’ severally include any society, company, or corporation.”

Section 308H(3) defines “restricted data” to mean “data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.”

Not such great wording, but presumably data protected by a login/password combination might be “restricted data”.

Section 308 defines “data” to include:

(a) information in any form, or
(b) any program (or part of a program).

It also defines “data held in a computer” to include data stored on a hard disk. So the definition of “restricted data” includes a program stored on a disk, and part of a program stored on disk.

The main work is then done by section 308A, which provides:

(1) In this Part, “access” to data held in a computer means:
(a) the display of the data by the computer or any other output of the data from the computer, or
(b) the copying or moving of the data to any other place in the computer or to a data storage device, or
(c) in the case of a program—the execution of the program.

and then continues: “(4) A reference in this Part to any such access, modification or impairment is limited to access, modification or impairment caused (whether directly or indirectly) by the execution of a function of a computer.” Again, not great wording in defining “running” as a form of “access”, but it does the job.

Hence, any person who causes any unauthorised execution of a program stored on a hard disk, knowing it is unauthorised, and intending to do so, is guilty of the offence.

Is what Microsoft did unauthorised execution of a program? This is where it gets a little unclear. First, it’s not clear how the program works – but they are perhaps running part of a program (I assume probably a subroutine) which phones home, as opposed to the subroutines that perform the functions disclosed in the EULA. If so, the section might apply.

Secondly, are they running it without authorisation — to make this out, one would have to say that the user assents to the program doing what it discloses in the EULA, but does not assent to what the EULA (or documentation) does not disclose. (Leaving aside for the moment EULAs that are misleading or otherwise problematic, so they do not fairly disclose an activity). At what level does the user “authorise” the activities, given that they will probably know nothing about how the program will perform its function? Arguably, phoning home is different enough from “checking my installed version of Windows” to be considered something to which assent has not been given when installing the program.

Thirdly, it’s semantic, but section 308A(1)(c) refers to execution of “a program”, but not a “part of a program” as defined in section 308(b) — perhaps intentional, perhaps a flaw, or perhaps it would be read to include “part of a program” so it doesn’t matter.

So on this quick and dirty analysis, which I have not had time to verify (so don’t rely on it!!) perhaps this mistake could conceivably be legally problematic. I’d love to hear any thoughts or comments, or whether I’ve missed something obvious.

Further note: once installed, you cannot remove Windows Genuine Advantage from the Add/Remove Programs control panel. There are some posts on the web about how to remove it, but since it involves registry hacking, it’s not recommended. Presumably Microsoft will fix this asap. (The whole episode adds a little more perspective to this narrative from 2003, too.)