Follow-Up: Microsoft EULA May Conflict With More Federal Privacy Laws
by , 9:00 AM EDT, October 25th, 2002
We reported yesterday on Microsoft's new end user license agreement (EULA) that may cause financial institutions such as the Seattle Metropolitan Credit Union to violate federal laws set to go into effect sometime next year. The EULA, included with Windows 2000 Service Pack 3 and Windows XP Service Pack 1, grants Microsoft, or its "designated agents," the right to search your hard drive for "necessary" information required for performing software updates automatically. In response to our article, we received several notes from readers concerned about what the EULA may mean for their organizations. Observer Steven Ludwig had this to say:
As a librarian and a Mac user in a Windows environment, I wonder if there is any conflict with this EULA and the privacy restrictions that we work under.
Another Observer shared similar concerns regarding the medical professions:
Most people are unaware of HIPAA (Health Insurance Portability and Accountability Act of 1996) and the upcoming changes mandated for 2003. In brief, HIPAA is an attempted standardization for information and ELECTRONIC TRANSMITTAL therein. For example, all patient names now are redacted/covered, medical information is hard to obtain from offices/labs, etc. I am a cardiologist in private practice in Tampa, FL and am immersed with these details. I don't think anyone has asked the question vis a vis Windows software updates and HIPAA, but I suspect Microsoft's practices conflict with the Federal law (at least as found in HIPAA).
The Health Insurance Portability & Accountability Act does, in fact, present another situation where the Windows EULA may violate federal law. The bill, going into effect in updated form in April of 2003, covers all healthcare organizations small and large, life insurance companies, public health authorities, billing agencies, universities, and even information system vendors. These organizations must standardize their information systems and implement necessary means to protect the confidentiality of the information contained within the system. If they do not comply, the fine is $25,000 and/or imprisonment.
The text of the Microsoft EULA from Windows XP Service Pack 1 and 2000 Service Pack 3 reveals the offending material:
By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.
The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.
In short, this agreement gives Microsoft permission to scan your hard drive for information, "fix" security holes or other bugs via updates to your system, and while the company is there, it would effectively have access to other data on the system, which is where the conflict comes in. Better yet, the company can even let "designated agents" do this, an even more nebulous term that leaves Windows users with even less control over who is accessing their system, and what they might do when there. All of this occurs without the user's permission.
While it appears that financial institutions and health care organizations will be greatly affected by the new EULA, other types of organizations with similar privacy policies may be in trouble as well. More information on Microsoft's quiet EULA updates can be found in yesterday's TMO coverage. You can also find some discussion on some of these issues in a recent Infoworld article.
The Mac Observer Spin:
Yesterday's TMO story revealed the possible legal effects the new EULA may have on financial institutions, but today we are just beginning to realize the scope of such a "quiet change" to the agreement included with Microsoft's OS software. Financial institutions and health care providers are just two of the types of organizations that will be facing possible legal trouble due to the new EULA. Any and every organization with privacy and security concerns will be facing similar problems, even if there are no legal consequences. The fact remains that Microsoft has granted itself the right and ability to do anything they darn well please with a machine while utilizing the guise of an "update" or a "bug fix." This doesn't even take into account the possibility of introducing new security holes and bugs into the software. How many organizations will notice? How many consumers will notice? Those two questions may very well determine what "rights" like these MS can grant to themselves in the future. A solution may be worked out with financial institutions and health care providers in the short term, but as long as the EULA language remains the same, the problem will remain. MS will continue to provide "updates" while the average user continues unaware. This is a Very Bad Thing™.

