Microsoft's licensing changes on August 1, 2002, marked a moment in IT history. While the effect of the licensing changes on Microsoft's revenue, despite the modest take-up, was yet another demonstration of the huge economic power of the organisation’s world-wide franchise, the history that was made was more than just about a price rise or pulling forward revenue by forward billing. Microsoft's Software Assurance offers no promises of bug fixes, no warranties, no rights to any specific delivery of value. As reports come in suggesting the company will delay its next version of Windows, code-named Longhorn, into 2005, the new licensing regime raises the prospect of Microsoft taking the money and delivering no new version without any remedy for the customer.
However even this unique selling proposition of charging money while not promising to deliver anything is not the full story that history will record. Along with Software Assurance, Microsoft has introduced new licence terms.
The concepts of mandatory activation and digital rights management were introduced to customers when they clicked “Accept” as they upgraded by installing new versions of Microsoft software or installed service packs. What customers agreed to in the licence agreement on mandatory activation included: “...technological measures ... that are designed to prevent unlicensed or illegal use of the Product. (and that) You agree that we may use those measures.”
The customer is not told what constitutes an illegal or unlicensed use, what the technological measures are, how those technological measures could affect operation of a computer, or what data is being sent back to Redmond when Microsoft's software decides that the customer is using the software illegally or in an unlicensed fashion.
The Mandatory Activation provision is one of the foundations of Microsoft's vendor-centric view of how it is going to dictate and control its customer relationships. The other foundations include Update, Internet Components and Digital Rights Management provisions built on the foundation of Mandatory Activation rights.
With Software Update the customer has now agreed, if the customer uses any of the update features, that: “...it is necessary to use certain computer system, hardware, and software information to implement the features.” And that: “By using these features, you explicitly authorise Microsoft or its designated agent to access and utilise the necessary information for ... updating purposes. Microsoft may use this information solely to improve our products or to provide customised services or technologies to you.” And that: “Microsoft may disclose this information to others...”
With Internet Components the customer has now agreed that it, the customer: “... acknowledge(s) and agree(s) that Microsoft may automatically check the version of the Product and/or its components that you are utilising and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer.”
Finally, with the oddly named “Security Updates” clause the customer has now agreed that it has joined Microsoft's partnership for policing “secured content”. This clause introduces Microsoft's new rules on digital rights in the following terms:
“Content providers are using the digital rights management technology (‘Microsoft DRM’) contained in this Product to protect the integrity of their content ("Secure Content") so that their intellectual property, including copyright, in such content is not misappropriated. Owners of such Secure Content ("Secure Content Owners") may, from time to time, request Microsoft to provide security related updates to the Microsoft DRM components of the Product ("Security Updates") that may affect your ability to copy, display and/or play Secure Content through Microsoft software or third party applications that utilize Microsoft DRM. You therefore agree that, if you elect to download a licence from the internet which enables your use of Secure Content, Microsoft may, in conjunction with such license, also download onto your computer such Security Updates that a Secure Content Owner has requested that Microsoft distribute.”
If these provisions are new to you and you do not believe you or your organisation has agreed to them, you are not alone in that view. However, if your organisation has bought a new PC with Windows XP and you have that PC on your network, or if you have updated any of your Microsoft software, your organisation will have agreed, when someone clicked “Accept”, to these new licence terms.
These terms are just the foundation for Microsoft's vendor-centric view of customer rights. As part of its trusted computing initiative Microsoft is preparing customers for introduction of its patented DRM Palladium technology.
A single point of introduction to Palladium can be found on-line in Professor Ross Anderson's article "What on Earth is Palladium?", which has been published in several magazines and is available on the web at www.cl.cam.ac.uk/~rja14/tcpa-faq.html or at http://www.linuxformat.co.uk.
Professor Anderson is a recognised leader in the field of information security based at the Computer Laboratory at Cambridge University and is the chair of the UK Foundation for Information Policy Research. His article has been followed by further contributions to the debate from prestigious organisations including the standards and professional body, the IEEE (the Institute of Electrical and Electronics Engineers -- see http://www.ieee.org).
Notable is the recent article by Associate Professor Bill Arbaugh of the Institute for Advanced Computer Studies at the University of Maryland in the IEEE Computer Society's journal Computer in August 2002 titled "Improving the TCPA Specification". The TCPA stands for the Trusted Computing Platform Alliance founded by Microsoft. Professor Arbaugh concludes that the TCPA Specification has the potential to eliminate fair use rights and erode privacy.
The TCPA, which is fundamental to the DRM (remote, automated, digital-rights management), will enable vendors to exert new detailed control over the operation of their software on any computer it is installed on and theoretically any network to which a DRM controlled computer is attached. Palladium “Trust” will enable a workstation to determine whether another vendor’s application is “trusted” and if not cause its application to unload or not work so long as the other vendor’s application remains loaded.
Furthermore, the data matching and data sharing inherent in the TCPA concept of “federating identity” will enable data matching outside the New Zealand jurisdiction, thus circumventing the Privacy Principles in the Privacy Act.
We have no treaties that protect that information from abuse in the way we have in New Zealand. Furthermore, while there are many useful and attractive aspects to the TCPA “DRM” technology, we appear not to be part of the debate that has been referred to above and, for example, has led the FTC in August to sanction Microsoft over misrepresentations made in its version of federated identity, MS Passport.
In preparing for this article the policy views of the political parties were sought on the implications for New Zealand of DRM and federated identity. Only the National party demonstrated any awareness of the policy issues that lie ahead.
For the CIO these developments therefore will bring new challenges.
If the current political awareness is any gauge of future action, and given the lack of priority given in New Zealand by Parliament to issues such as exposure of industry to computer crime, CIOs cannot at this point work on the assumption that our Parliament will act to protect against abuse of these very sweeping powers and rights that have been created by Microsoft. Furthermore, as we have seen with the Microsoft case, any abuse of our rights will not be followed by local remedies.
At the strategic level the issue for the New Zealand CIO is to understand the degree to which control of configuration and operation of each computer is to be given to the vendors.
If the CIO chooses a policy that includes the principle that configuration and operation of the computers and network must remain knowable, then Palladium, DRM, automated updates and federated identities all present unknown risks to that policy.
In short, the choice may be a stark one between vendor-controlled computing or customer-controlled computing. It is in this context that the battle between the use of open source software such as Linux and Open Office, etc, where the vendor cannot impose such controls, and proprietary software, such as Windows and MS Office, where the vendor has imposed such controls, will be fought out.
Craig Horrocks is an Auckland IT lawyer.