Lawsuit Labels Windows Genuine Advantage as Spyware

Even as Microsoft has agreed to remove one of the more controversial aspects of its Windows anti-piracy feature, one end user has filed a class action lawsuit in Seattle claiming that the firm unfairly misled consumers over WGA's implications.

A California man has filed a class action lawsuit against Microsoft that charges the company with violating spyware laws with its Windows Genuine Advantage anti-piracy features.

Filed in the U.S. District Court in Seattle by Los Angeles resident Brian Johnson on June 26, the suit claims that Microsoft failed to properly disclose all the details of WGA when the technology, meant to help stop the widespread pirating of Microsofts Windows operating system, was upgraded in April.

While WGA was first introduced in 2004, the suit alleges that the feature became akin to a form of spyware when it was expanded to include a system that made contact with Microsofts servers to help the company identify people who may be using pirated versions of its market-leading operating system.

The updated version of the WGA tool included two separate components, WGA Validation and WGA Notifications, which, respectively, promised to determine whether a copy of Windows is pirated or not and alert users who Microsoft believes are running illegal copies of its software. However, WGAs notification aspect was discovered to have been "phoning home" to Microsofts servers on a daily basis, touching off a wave of controversy among those who believe the feature could be used by Microsoft to keep tabs on people using its software.

On June 27, Microsoft agreed to remove the controversial notification component from WGA, announcing an updated version of the tool that is being delivered to millions of Windows XP users via Automatic Updates with one major change. Previously, a PC that had installed WGA Notifications checked a server-side configuration setting upon each log-in to determine if WGA Notifications should run or not. This daily configuration file check has been removed in the updated WGA Notifications package.

The company said WGA Validation still will check periodically to determine whether the version of Windows is genuine.

In the lawsuit, Johnson contends that Microsoft violated the terms of California and Washington spyware laws by failing to adequately inform users that the controversial elements of WGA were being installed as part of one of the software makers periodical security updates. Although the company could be subject to some fines if found liable on those claims, the suit primarily seeks to demand that Microsoft be barred from following a similar strategy in the future and that the company thoroughly inform users of all the details of its updates.

/zimages/6/28571.gifA "Blue Pill" prototype is capable of creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems. Click here to read more.

Microsoft officials denied that the details of WGA Notifications were not adequately spelled out in the user licensing agreement bundled with the security update that carried the feature.

"These allegations are without merit, and this distorts the real objectives of the [WGA] program and obscures the real issue, which is the harm to consumers posed by software piracy," said Jim Desler, a Microsoft spokesperson. "As with all of our programs weve gotten constructive customer feedback, the program has evolved and weve made improvements; Microsoft continues its efforts to foster better communications with its customers."

Johnsons attorney, Scott Kamber, of New York-based Kamber & Associates, said his client isnt seeking fame or fortune through his lawsuit, but rather he wants to ensure that Microsoft is forced to improve its disclosure policies. The lawyer said the suit does not seek to link WGA Notifications with more popular forms of malicious spyware that often seek to steal users personal information but merely to get Microsoft to better detail its product updates.

"Our client was concerned that what was being installed as part of a security update was actually something for piracy protection; we have no issue with Microsofts ability to protect its intellectual property, but if that involves installing software on a users computer, it must be done with full disclosure," Kamber said. "We think that the validity of the claim has already been proven with Microsofts decision to release an update."

Kamber, who previously was involved in litigation brought against Sony for its use of so-called rootkit spyware technology, said customers must be fully informed of product details and allowed to opt out of any features they do not want to install. He said Johnsons overarching concern is that users will be scared to download future security updates out of fear of being saddled with hidden technologies such as WGA Notifications.

"Our greatest concern is that this could have a chilling effect on peoples willingness to install security updates," said Kamber. "This countrys computing base could be impacted heavily by something like that, which could eventually put people at greater risk; passing WGA off as a security update is a major violation of end users trust in Microsoft."

/zimages/6/28571.gifCheck out eWEEK.coms for Microsoft and Windows news, views and analysis.