The weekend saw even more activity with a posting late on Friday on ZDNet by David 
, another post on Slashdot and a piece posted on Groklaw. I spent some time over the last couple of days reading through much of what has been posted and want to make a few specific comments about the Groklaw piece. The central concern in most of the pieces posted still seems to be around the fact that a feature in the pre-release version of the WGA Notifications feature will check with Microsoft for an updated configurations file. As I said in my last post all this check does is see whether new configuration settings are available. It doesn't pass any additional information or talk to any other software or component of Windows.

The Groklaw analysis (which is linked in the the Slashdot posting) implies that the information collected in the validation process is sent up to MS every time the system is booted. I think it's important for people to understand that the WGA Notifications tool does not do this, the check that WGA Notifications does periodically does not pass or re-pass any info of this kind, it simply is checking to see if there are any new configuration settings for itself. The config settings specify whether the notifications feature displays any messages at all and how frequently. It doesn't and can't do anything else.

A few other things I would like to clarify that were mentioned in the Groklaw posting.

In the posting the issue of the 'configuration check' is brought up and it was frankly an oversight for us to not have included it in earlier disclosure. Frankly, we were focused on disclosing the information that is collected for the purpose of detecting counterfeit or pirated copies of Windows. So to be clear, no information about the PC is transmitted during the configuration check .

Also the issue of IP address is brought up and an implication is made that IP address is sensitive information. Yes, the machine's IP address is transmitted but that's part of all web traffic and the IP address is handled per Microsoft's standard policy for dealing with IIS logs. The privacy policy dis ucsses how Microsoft uses this information and that's all it's used for. With respect to how WGA Noitifications has worked, the IIS logs are kept for a short period of time per standard policy then are purged.

The point is also made that the Notification feature checking for current config settings is analagous to validating every day and that this is at odds with how often we say the validation information is sent. The validation on a given system is good for some period of time, typically about 90 days or until we release a new version of the WGA Validation control. This is true and stays true when the WGA Notifications feature is installed. The only thing that Notifications feature does when checking with Microsoft is check on the frequency the messages are to be displayed on a non-genuine system if at all. There isn't any additional validations that take place where information of the kind documented for the Validation event is collected and sent to Microsoft. This issue is raised again when the question is asked "Does the user need to know its license is valid every single day?" and the answer again is that there are no messages every day for a user who's copy of Windows is genuine and validation itself does not happen every day as the writer suggests. A concern is raised as well about us reducing or eliminating (in the final released version) the check for configuration settings. The reason we wouldn't need the configuration check is that we will be comfortable with the end-to-end experience of our customers after having the opportunity to hear from them in this pilot phase.

There is also an issue of consent that is raised and the question is asked why isn't there a EULA that is presented for the WGA Validation tool but only for WGA Notifications? The answer is that the validation tool on it's own is installed when a user takes an explicit action to visit a Microsoft website and download something, whether it's at the site or at the Microsoft Download Center there is information in the privacy statements or directly in the user experience that indicate that information is collected from a PC and that the information is used to ensure that only genuine and licensed copies of Windows are used to access that download or site.

Later in the posting the writer questions a claim made in one of the Microsoft statements, to paraphrase Microsoft indicated that the purpose of WGA Notifications is to notify a user if a proper license is not in place. The Groklaw writer asks "Why would the user care if they are running a validly licensed copy of the software?" I can say from personal experience that we receive frequent contact from customers who do care if the software they paid for is genuine or not. There are many many users who have unwittingly become victims of counterfeit and having paid money expect the product they thought they purchased to be the one that was installed.

In the posting the question is raised 'what if someone says 'no' to the Notification installation' and the answer is simple, nothing happens. Potentially in the future the customer may be presented with the option to install again but there are no consequences to not installing the WGA Notificatoins feature.

Lastly, the writer makes a number of comments referring to the license and how this equates to a new world where software will be a service. He even refers to it as "Microsoft's Brave New World". There's nothing new about our EULAs or the requirements in them. They are common in commercial EULAs and the practice of licensing software or other intellectual property is certainly not new. I for one am appreciative of the commercial licensing of intellectual property as should anyone who works for a software company, media company or who is a writer or musician that publishes or records. The truth is that intellectual property and its commercial use is the chief export of the US and protecting its with licenses or technologies is necessary and appropriate.