Microsoft says Windows Genuine Spyware NOT Spyware

From our Yeah, Sure department… Microsoft has posted its official denial that Windows Genuine Spyware is, uh, spyware. It’s well worth reading.

Shortly after logon, WGA Notifications checks whether a newer settings file is available and downloads the file if one is found… [T]his operation is limited to the download of the new settings file. No additional information is sent to Microsoft.

There’s still a great deal of confusion about whether WGA phones home daily, on reboot, or when a user logs on to Windows XP. I haven’t seen a detailed analysis of the information that WGA sends, but this much is clear. The fact that WGA “phones home” – much like the “Web beacons” of yore – means that Microsoft is capable, at a minimum, of collecting your IP address. If you have an always-on Internet connection, as is the case with cable or DSL, that IP address effectively identifies you uniquely. And if you’ve ever logged on to Hotmail or any Windows “Live” site from the computer running Windows Genuine Spyware, Microsoft also knows your email address, and possibly your physical address. It’s as simple as comparing IP addresses.

Yeah, there’s some wiggle room – the IP address, to a first approximation, uniquely identifies your house or business, not you – but when you look behind Microsoft’s PR agency’s batting eyes and aw-shucks attitude, the fact is that Microsoft has collected personally identifiable information as part of its WGA program.

How do I know? This PowerPoint slide from a presentation by ‘Softie Andrew Forsyth, posted on the Windows Observer Web site two months ago, shows the precise location of all of the people in the US who failed WGA authentication earlier this year.

Microsoft’s press release goes on to say:

Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware.

To my mind, broadly speaking, Windows Genuine Spyware is deceptive software that was pushed onto millions (tens? hundreds of millions?) of Windows customers’ machines, masquerading as an out-of-cycle “critical update” to Windows XP. In 99+% of all cases, it was installed without the user’s knowledge or consent. WGS sends information to Microsoft, without the user’s knowledge or consent. I have no idea how Microsoft uses the collected information, but the fact that it’s personally identifiable – and that Microsoft has used that same identifiable information in the past to pinpoint people geographically – should certainly qualify Windows Genuine Spyware as, er, Spyware.

I repeat: Microsoft can call Windows Genuine Spyware a pilot program, a test version, a work in progress, a beta, an experiment, a boon to the suffering software industry, or the secret to Life, the Universe and Everything. But the minute Microsoft pushes a pirate-sniffing piece of scumware onto your PC, in the guise of a “critical” update – and they use the software to phone home, without your knowledge or consent – they’ve gone way over the line.