Follow-Up: Microsoft EULA May Conflict With More Federal Privacy Laws

October 24th, 2002 at 3:00 PM - News by Brad Smith

We reported yesterday on Microsoftis new end user license agreement (EULA) that may cause financial institutions such as the Seattle Metropolitan Credit Union to violate federal laws set to go into effect sometime next year. The EULA, included with Windows 2000 Service Pack 3 and Windows XP Service Pack 1, grants Microsoft, or its "designated agents," the right to search your hard drive for "necessary" information required for performing software updates automatically. In response to our article, we received several notes of concern about what the EULA may mean for their organization. Observer Steven Ludwig had this to say:

As a librarian and a Mac user in a Windows environment, I wonder if there is any conflict with this EULA and the privacy restrictions that we work under.

Another Observer shared similar concerns regarding the medical professions:

Most people are unaware of HIPAA ( Health Insurance Portability and Accountability Act of 1996) and the upcoming changes mandated for 2003. In brief, HIPAA is an attempted standardization for information and ELECTRONIC TRANSMITTAL therein. For example, all patient names now are recacted/covered, medical information is hard to obtain from offices/labs, etc. I am a cardiologist in private practice in Tampa, FL and am immersed with these details. I donit think anyone has asked the question vis a vis Windows software updates and HIPAA, but I suspect Microsoftis practices conflict with the Federal law (at least as found in HIPAA).

The Health Insurance Portability & Accountability Act does, in fact, present another situation where the Windowis EULA may violate federal law. The bill, going into effect in updated form in April of 2003, covers all healthcare organizations small and large, life insurance companies, public health authorities, billing agencies, universities, and even information system vendors. These organizations must standardize their information systems and implement necessary means to protect the confidentiality of the information contained within the system. If they do not comply, the fine is $25,000 and/or imprisonment.

The text of the Microsoft EULA from Windows XP Service Pack 1 and 2000 Service Pack 3 reveals the offending material:

By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.

The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

In short, this agreement gives Microsoft permission to scan your hard drive for information, "fix" security holes or other bugs via updates to your system, and while the company is there, it would effectively have access to other data on the system, which is where the conflict comes in. Better yet, the company can even let "designated agents" do this, an even more nebulous term that leaves Windows users with even less control over who is accessing their system, and what they might do when there. All of this occurs without the useris permission.

While it appears that financial institutions and health care organizations will be greatly affected by the new EULA, other types of organizations with similar privacy policies may be in trouble as well. More information on Microsoftis quiet EULA updates can be found in yesterdayis TMO coverage. You can also find some discussion on some of these issues in a recent Infoworld article.