WGA Notifications and download and install telemetry


We’ve gotten a few questions recently about the fact that our latest WGA Notifications package sends install telemetry when installed or canceled. Given past concerns about data WGA sends out, I wanted to take a moment to explain what is happening with this latest release and why.


First, all downloads that flow through Windows Update return success/failure telemetry. This is because of the large scale of distributions over Windows Update. When sending out an update package to potentially millions of customers it’s important to gather basic data on successful installations, install failures and user rejections or cancelations at any point in the process. Second, this event is one-time only. Also, if the system isn’t connected to the internet nothing will be sent, nor will anything be sent if an attempt to send fails.


By learning at what point in the install process some users decide to abandon, we can put more effort into the right places in the installation wizard.  Remember our goal with the wizard is to give more information so customers will be better informed.  We heard from customers that they wanted more information about what the software was and how it worked so we created the install wizard to provide that greater context. Knowing this kind of information about the install wizard installations is critical for us to continue to improve the customer experience of WGA. If we are not hitting that mark, we can use this method to improve.


Just to allay any fears that Microsoft is using any personal information, here is an example of the actual XML that is returned when a user cancels an installation. We’ve also added a data type and detailed description of each field. This XML schema is common to a number of products so some fields are not used in this case.


 table


For completeness (and for our lawyers) I’d like to point out that disclosure of this type of install telemetry is made in the Windows Update privacy statement.  All the information that is sent as a result of WGA Notifications being installed is covered by WGA-specific disclosures such as the EULA presented in the installation wizard and our privacy statements.   Our commitment on privacy is oft-stated and we do not use any of the information collected through WGA to identify or contact any user. For more info on WGA Notifications see these pages.


 

Comments (19)

  1. Short description: (still) optional update that checks the "legality" of the installed Windows version. If the Windows version or its product key is detected as illegal, a popup/balloon window appears in the info tray after logon

  2. Rosyna says:

    Out of curiosity, why is the hashed Security Identifier, the hashed User Security Identifier, and the hashed Volume Serial sent?

    If it’s for identifying clients uniquely for update statistics (and not to identify a specific user) why not just send a persistent randomized GUID? It’d uniquely identify a person without giving any personal information. Granted, that phrase may be hard to explain to people.

    Also, why does it send Partial Product key if it isn’t using WGA? I mean, it seems like the product key would be something for WGA to check. Especially considering the hashed volume ID and other stuff.

    Of course, I assume all these hashes are one-way and non reversible, correct? I’d also assume they’re something like MD5 with a very low chance of collisions?

  3. Oxdeadbeef says:

    First of all, this is not all that is sent, is it? I don’t have an English link to base this on, but according to http://www.heise.de/security/news/meldung/85884 (article in German, and from what I can tell a trustworthy source), WGA also transmits "some undecipherable, apparently encrypted data".

    That out of the way, the issue here really isn’t only what is transmitted. The issue also is that anything is transmitted at all, and that the user has no control and no knowledge over it, and that the whole package is labeled in a…well, I’m hard pressed not to call it a fraudulent manner. I understand Microsoft’s interest in preventing piracy, even though I think the notion that a company can play police like that is morally questionable at best. But quite frankly, Windows Genuine Advantage is not, as implied, an advantage for the user. In fact, it is quite the opposite, and this variety of OS behavior is precisely the reason why I don’t use a Windows version more recent than Windows 2000.

    The operating system is the basis of all that I do on my computer. I can understand that Microsoft is not willing to trust every Windows out there to be genuine, but trust is a two-way road. If I cannot be certain what my OS tells whom and when, then how can I trust it to keep my private data private? Then how can I even use it?

    Simple answer: I cannot. That is how you, for the most part, lost me to Linux. And if you ever want me to even consider buying another version of Windows, you’d better

    1. Lay the card on the table from the start

    2. Find a less obtrusive way to check for genuineness and

    3. Find a sensible privacy policy that excludes data mining without my consent

  4. MSDN Archive says:

    I wanted to let everyone know I will be deleting a couple of comments from this posting and from a couple of others.

    This blog is not the right place to speculate on legal issues nor issue legal threats and I am not qualified to engage in that kind of  discussion anyway.

    For this reason I will be deleting comments in this thread and ones posted to previous posts that are similar. In this particular case all of the comments were posted by the same individual in the last twenty four hours to numerous blog entries going back a while.

    I would encourage the individual, if they would like to continue to participate in the blog, to repost their comments leaving out discussion of legal issues.

    Thanks

  5. If you hadn’t realized it in your zeal of USA DST patching, we won’t have any security patches next week.

  6. DaveK says:

     Alex, at least one of the statements you have made is a logical nonsense:

    "  All the information that is sent as a result of WGA Notifications being installed is covered by WGA-specific disclosures such as the EULA presented in the installation wizard  [ … ]"

     Now you hang on just a cotton-picking minute there.  

     You say this is covered by the EULA, yes?

     The same EULA that is presented in the installation wizard, yes?

     The same EULA ****THAT I JUST REJECTED BY CLICKING CANCEL****, yes?

     Doh!  It is NOT covered by that EULA because I DID NOT ACCEPT THE EULA.  You cannot invoke the conditions of the EULA if I have rejected it because I AM NOT BOUND BY IT.

     You went wrong right at the start of the sentence, where you refer to "the information that is sent as a result of WGA Notifications being installed".  This *entire* discussion is all about the information that is sent as a result of WGA notifications being *NOT* installed, remember?

     Or are you just trying to avoid the issue because you know you’re (or rather, your firm is) in the wrong?

  7. MSDN Archive says:

    DaveK, thanks for your comment and question. Perhaps I could have been more clear about my statement. What I was saying was that the telemetry sent AFTER the EULA screen and the rest of the installation is covered by that EULA. The telemetry that occurs before that screen is consistent with the standard Windows Update install or cancel telemetry. That’s what I meant to say.

    Hope that clears it up!

  8. mhornyak says:

    Alex,

    Are you going to be talking about the unlimited rearm stuff on the blog? (Since you are the gracious host, I’m being polite and not linking to it and I’m trying to be spare in my description. So if I’m being too vague, let me know and I’ll send some links.) It’s interesting that it’s trivial for technically-inclined users (professional software pirates I imagine would be included in that set) to build a Vista install that won’t require activation–or at least won’t require it for several months. Yet home users–those who aren’t technically inclined–are unlikely to know about rearm. So the users who are least likely to be actively pirating windows are also the least likely to be able to work around a false positive, but the users who are most likely to pirate have a trivially exploited intentional backdoor.

    Given this, I’m not sure what WGA is accomplishing–it seems to frustrate only casual users, not professional pirates.  That can’t be your objective, right?

  9. mihnita@yahoo.com says:

    <<Just to allay any fears that Microsoft is using any personal information>>

    I don’t feel like showing several hash strings can "allay any fears."

    It can very well be encrypted personal information.

    I had several problems with the activation lately, and it looks like a lot of things can invalidate the activation: serial number of the hdd, partition table (changed by installing another OS in another partition), memory size.

    Also, there is no way to get info on how many activations my upgrades destroyed.

    Why don’t you just come clean and give a list of things that mess up activation, an activation count, and so on?

    At least we can plan the upgrades in such a way that we consume the minimum number of activations.

  10. rdamiani says:

    mhornyak:

    "Given this, I’m not sure what WGA is accomplishing–it seems to frustrate only casual users, not professional pirates.  That can’t be your objective, right?"

    That’s what DRM pretty much always accomplishes. The folks willing to pay for value received get to deal with problems that the real criminals work around.

  11. airlag says:

    I have generally no problems with microsoft trying to eliminate illegal copies. If they handle the transmitted data with care everything is fine.

    BUT

    the EULA tells us that microsoft claims the right to give away the data to other companies. Even if I trust microsoft, I do not agree to this data transfer to unnamed companies.

    Now, if I decide to protect my privacy, I am excluded from a lot of updates.

    In addition, if I replace my motherboard or harddisk, I make myself suspect because several checksums change.

    WGA is a perfect example of ill-conceived software products.

  12. Short description: (still) optional update that checks the "legality" of the installed Windows version. If the Windows version or its product key is detected as illegal, a popup/balloon window appears in the info tray after logon

  13. Someone Else says:

    Is the point passing just over the heads of the WGA team bloggers at Microsoft. In a post last month

  14. netvance says:

    Network sniffer Wireshark casts some light on the matter: the update rats on users who do not want to install the software to the server at http://genuine.microsoft.com/. Users are not informed of this on a standard Windows installation, however.

    The data transmitted are partially encrypted, while other values are found in the registry.

    In addition to some confusing, apparently encrypted data, the WGA Update Installer also uses the XML tag UGD to transmit the value stored in the registry as a string for SusClientID under the Windows Update branch. In addition, the data transmitted contain information about the version of the WGA Notification Tool, Windows, and the language of the operating system. Furthermore, a cookie containing a GUID is also used to contact the server. It may be possible to identify individual computers by these means.

    When asked by heise Security, Microsoft merely stated that it collected data to improve the quality of the WGA for users. Part of that process, the vendor said, was knowing where the user cancelled setup. To count reliably, the GUID is used, though Microsoft says the user is not identified. Microsoft says that the other data transmitted to Redmond contain information about the version of Windows used and the language and whether the machine is registered in a domain.

    Microsoft did not explain why setup does not inform the user that data are being sent, much less get the user’s consent. It is also not clear whether there will be a future update after this one that does without communication with Microsoft concerning cancellations. Those who want to protect themselves from unsolicited data transfers can do so, for instance, by using an application-based firewall that detects and blocks the attempted contact. Whereas independent software developers (as http://www.netvance.at) are forced to follow high level standards and software signatures, this doesn’t seem to apply for all…

  15. Short description: (still) optional update that checks the "legality" of the installed Windows version. If the Windows version or its product key is detected as illegal, a popup/balloon window appears after logon in the Infotr

  16. ricccc5355 says:

    I bought a Computer and recently found it not having an authentic copy of XP with SP2.

    So I am attending a computer course at college and bought a copy of XP with SP2, from the school.

    It has an authentication code. I worry that if I install this new XP with this new authentic version it may affect some of my existing programs not to run. Is there any way to just use the code with my existing xp with my old loaded XP. I only ask because I already purchased a replacement.

  17. Short description: (still) optional update that checks the "legality" of the installed Windows version. If the Windows version or its product key is detected as illegal, a popup/balloon window appears after logon in the Infotr

  18. Short description: (still) optional update that checks the "legality" of the installed Windows version. If the Windows version or its product key is detected as illegal, a popup/balloon window appears after logon in the Infotr