Two class action lawsuits are targeting Windows Genuine Advantage, one of Microsoft’s initiatives to stem the massive piracy of its applications. Both suits claim that WGA, which is just a year old, functions essentially as spyware on licensed Microsoft users’ PCs in violation of California and Washington’s consumer protection and anti-spyware laws.
WGA is an application Microsoft introduced last year that determines whether users have a valid license — that is, whether the application is a counterfeit or not — for the Microsoft products on a PC. It does this by regularly gathering data on the PC’s hardware and software that is then sent to Microsoft.
Overzealous but Not Illegal?
The plaintiffs claim that Microsoft has misled consumers as to how often the application reported data to the servers, sometimes as frequently as once a day. Microsoft has signaled that it may have been overzealous in its development of the application. It has since scaled back its reach in some areas. Even so, it is not clear that the company’s behavior constituted a violation of the anti-spyware laws.
Microsoft’s WGA probably is not what California or Washington legislators had in mind when they wrote the anti-spyware laws, contends Charles Kennedy, a partner in the Washington, D.C., office of Morrison & Foerster. “In fact, the laws specifically state one can use programs that might work surreptitiously to protect the unlawful use of software,” he told TechNewsWorld.
It is true that Washington’s anti-spyware legislation, in particular, is somewhat untested. Only a few cases have been filed under the statute, the first by the Washington State Attorney General in January 2006, noted Michele Johnson, an attorney with the Florida firm of Fowler White Boggs Banker.
However, the suits against Microsoft are in the very early stages of the legal process, Johnson cautioned.
“This is a big deal because, obviously, it is a class action and because it is Microsoft,” she told TechNewsWorld, “but whether the courts feel it is valid it remains to be seen.”
No Harm, No Foul
No one has claimed that the WGA caused damage, Kennedy pointed out. “You have to keep in mind Microsoft is not alleged to have harmed anyone’s computer or [to have] actually collected personal data,” he said. “I have seen nothing to suggest that WGA has collected anything more than IP addresses and hardware information, which is not personal information under the spyware legislation.”
The plaintiffs might find more success under the consumer protection statutes because those are more vague, Kennedy suggested. “The plaintiffs could argue that Microsoft did not sufficiently disclose what it was doing — something Microsoft itself admits it could have handled better. So charges of deception might stick.”
Pushing the Legal Envelope
While Microsoft’s WGA might have pushed the envelope somewhat, the argument that the company did not act illegally appears to have weight in security circles. “The consensus here is that this is not spyware,” Ron O’Brien, senior security consultant for Sophos, told TechNewsWorld.
Even if Microsoft were guilty of tracking more information than necessary, WGA could only be considered “borderline” spyware, at most, added O’Brien.
That said, “Microsoft should have disclosed all of the information they are collecting upfront,” he acknowledged.
By revamping some of the methodologies supporting the WGA, Microsoft has taken the first steps toward mitigating any damage it might have caused with its customers.
For instance, the Microsoft server was pinged daily with reports, and that now has been stretched to 14 day intervals, O’Brien noted.
“I think these problems have all stemmed from an overzealous software developer,” he observed. “Microsoft has a problem with piracy, and WGA’s concept is a valid one.”