Is Microsoft Licensing Forcing Banks to Break The Law?

Lester Warby is the kind of guy who reads the fine print. And the fine print for the latest updates to Microsoft Windows has him worried.

Warby — who is the chief information officer at Seattle Metropolitan Credit Union — believes that the terms for the end user license agreement (EULA) for Microsoft’s Windows 2000 Service Pack 3 (SP3) and XP Service Pack 1, might well put the credit union in violation of new federal privacy laws.

At issue is Microsoft’s “automatic update” feature, which allows users to automatically get upgrades and patches to their systems. To get the updates, users must agree to give Microsoft access to information on their systems.

That, says Warby, conflicts with federal regulations for financial institutions, such as the Gramm-Leach-Bliley Act of 2001. The new law, which goes into effect next May, forbids financial service companies from giving third parties access to customer data without express consent from the customer. European countries generally have even stricter data privacy laws.

“We’re forced into a position where we’re either out of compliance with Microsoft’s licensing, which is not acceptable, or we’re out of compliance with the law, which is not acceptable either. Under these circumstances, we’ll probably change our operating system,” says Warby.

Warby is considering shifting his servers to another operating system like Novell or Linux, if Microsoft doesn’t change its policy.

What — exactly — is software?

To use the “auto update” feature, according to the Microsoft Windows 2000 SP3 license, “it is necessary to use certain computer system, hardware, and software information…” By using these features, users authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes.”

The problem with that language, says industry analyst Joshua Greenbaum, of Enterprise Applications Consulting, in Daly City, Calif., is that the phrase “software information” is vague.

The term could include “information about proprietary systems, or about data,” he says. “Does a stored procedure — which could contain proprietary algorithms — constitute software? Does the term include information about competitor’s products, or about the use of software from a company with whom Microsoft might have a legal dispute?”

Microsoft does provide users with a high level of control over the auto update feature. Windows XP ships with the feature turned off, for example, so users must choose to activate it. And Microsoft notifies users of any updates, requiring them to agree to install them.

“Most home and small office users don’t like to apply patches and updates,” says Warby — who describes himself as “pro-Microsoft” in general — “so having Microsoft do this automatically for them would be a real value-added service.” Microsoft is not the only company that offers such a service: Apple Computer’s latest operating system, OS X, offers a similar feature called Software Update.

But what works for home users is not necessarily suitable for financial institutions, with their high level of security concerns, says Warby. And Warby says Microsoft has told him that it plans eventually to eliminate users’ ability to disable Microsoft’s access to their systems.

Microsoft had no comment on this issue, but if true, it is likely motivated by Redmond’s concern about illegal copies of its software. Microsoft’s license for Windows XP SP1 says:

Solely for the purpose of preventing unlicensed use of the applicable OS Software, the OS Components will include installation on your computer of technological measures that
are designed to prevent unlicensed use, and Microsoft may use this technology to confirm that you have a licensed copy of the OS Software.

This is done through a product key that is sent to Microsoft over the Internet. That means Microsoft must send an authorization back to your system, says Warby, requiring it to have access to your system.

That makes Warby nervous. “Microsoft is definitely not known for their internal security,” he says, citing undocumented macros in some Microsoft programs, which can be accessed by those who know the right combination of keystrokes. “The idea of Microsoft coming into a server, creates a potentially huge security risk,” he says.

Of equal concern, says Warby, is that by agreeing to the Windows 2000 SP3 licensing terms, the credit union is potentially granting access not just to Microsoft, but to its “designated agents” The Microsoft license offers no assurances about who those companies might be, says Warby. “What if the designated agent is some small company overseas,” he says, “in a country with a lax legal system?”

Financial institutions generally require background checks and assurances such as bonding before giving any outsider access to their systems. Oxford Global Technologies, for example, a Beverly, Mass.-based systems integrator, went through extensive security checks before it was allowed to provide remote Oracle database administration to financial industry clients. “One of our clients is a major brokerage house,” says Paul Campbell, the firm’s CTO. “They not only did background checks on our employees, but reviewed our software systems, and insisted that the security company which guards our building be approved as well.”