Vista Licence For Lawyers
Survival Guide to Microsoft Windows Vista Licensing
(c) Copyright Dan Shearer, email@example.com (see end for terms)
Document version 1.7, last updated January 25th 2007
Get the Licence
Download a representative license from http://www.microsoft.com/about/legal/useterms/, selecting product “Windows Vista”, version “Business” (the Go button doesn't appear until you select “English”). A link will appear to a file called Windows Vista_Business_English.pdf, which contains a very clear plain-English licence with the main points that appear in all the Vista family licences.
About the licence:
- This licence is only representative, because it may not be the precise version your client agreed to. In addition the licence evolves over time so you can't be sure that the terms you downloaded yesterday are the terms available today. Nevertheless it is a very good guide.
- The true PDF file name is not as displayed to you on the web page: an additional 36 characters of numbers and letters are embedded in it. This is tracking data for Microsoft. You should record this number.
- There is no version or date in the content of the PDF, so make sure you record the date and time of the download. Together with the tracking number this is the only way you have of referring to a particular representative agreement from Microsoft's website.
- While this may not be the precise licence your clients have, it is a window into the Vista licensing regime at Microsoft and will help you establish terminology and intent at a particular point in time. If this is likely to affect your advice to clients you should consider regularly downloading the licence.
Check Which Licence Actually Applies
- Large companies are usually Microsoft Volume Licensing customers. A slightly different licence applies, and Mandatory Activation and Validation are handled differently. Volume licensees generally can buy licences for obsolete versions of Windows for years to come.
- Outwith Volume Licensing, new computers are usually supplied with an OEM licence that is slightly different from the Windows Vista Business licence studied in this talk.
- Normally updates or supplements are applied at least several times a year. Vista licences specify that the terms of any update replace the original terms (§22) and Microsoft has used this in the past to change restrictions relating to use of software. You cannot know precisely which Vista licence your clients have unless your client records every licence from every software update, which, based on XP, will be between four and ten times per year.
Possible Contradictory Terms
Contracts common in certain industries cut across the Vista licence.
The Vista licence embodies technical surprises that may contradict your clients' existing contracts:
- Vista has the right in the licence to automatically disable the computer based on Microsoft's belief of licence validity (§5 c) or opinion of installed software (§6). Service availability guarantees, especially in safety-critical industries, might be broken if your client knowingly deploys software that a third party can disable at any time. Experience with Windows XP shows that validly licensed computers are often mistakenly flagged as invalid; the difference is that Vista shuts down.
- The Vista licence restricts what software a user may run when Vista is running under a virtual machine, e.g. media viewing or disk encryption (§3 f). Organisations who are required to implement secure desktops often use virtual machines to isolate the network from potential risks. The user does not see the virtual machine, so to them there is no difference between the circumstances in which it is legal to view media or encrypt files and those where it is prohibited.
The Vista licence requires particular kinds of information disclosure that may contradict existing contracts. Contracts in some sectors commonly prohibit activity that tends to release identifying details, or runs counter to laws governing sectors such as gene research, military manufacturing or medical diagnosis. The Vista licence may trigger problems in such contracts, because every Vista computer is tracked (§4, §5 a & b, §7 a) as follows:
- In space, by the explicit and implicit geographic data listed in the Vista licence
- In time, by the explicit and implicit temporal data listed in the Vista licence
- By software installed, both Vista itself and other applications, as described in the licence
- By the licensing entity, whose identity is not disclosed (Microsoft or its representatives)
- When the user launches certain kinds of software for the first time, as described in the licence
According to the licence (§7 b) this data is held on an unspecified number of databases held by unspecified companies. The exception is Activation data, which is possibly limited to Microsoft (§4).
If your client has existing contracts that bear on the known level of risk to confidentiality (e.g. terms such as “where reasonable possibility exists”) there may be issues relating to this data when matched against other data Microsoft is known to gather.
This other data is gathered through Microsoft's online search activities, through partnerships with online web tracking companies such as doubleclick.net, and via the data legally collected from users running application programs that Microsoft also sells. This other data is already accessible by Microsoft for hundreds of millions of individuals, almost certainly including your clients and their employees, customers and associates.
While on the one hand it would be a breach of the Vista licence to do this data matching (§5 b, §7 a), the amount of effort involved would be small, as would the chances of knowing it had occurred. Because the barrier is so low (a “reasonable possibility”) simple mistakes inside Microsoft could lead to the data matching taking place without Microsoft even noticing.
Addendum: The Tracking is for Real
There is nothing alarmist or hysterical in stating that Microsoft has this tracking data.
A straightforward technical reading of the licence shows that this tracking is implied by the nature of the data sent and the frequency with which it is sent. The key factor is not so much the specifics of any individual data transfer but the cumulative effect of access to all this data being concentrated over time in one company. All large online revenue streams are associated with exactly this sort of tracking, except that no other online company is also the dominant collector of data from desktop computers.
Here are some highlights of a technical overview:
1. Every time a computer touches a server on the Internet it transfers other information besides the explicitly intended data. This other information includes a unique PC fingerprint, and access information such as the time of day the transfer happened, how long it took, the network path it took to get there and the point of origin. Taken together, this is a much more comprehensive tracking than the licence discloses will happen. This omission is arguably justifiable on the grounds that every use of the Internet involves disclosing similar data.
2. The Licence prescribes hundreds of contacts per year with Microsoft-controlled servers (§5 a, §7), and allows for the possibility of thousands (§7). Transferring information as in (1) above at frequent intervals builds a comprehensive activity and movement profile.
3. Some of the contacts listed in (2) above are very specific in nature: only triggered by a particular activity (such as a user launching a Windows program, or an organisation adopting a new form of computer networking, §7). These give data points that allow particular activities of the customer to be deduced.
4. The individual fingerprint of the PC will not change even when every other parameter changes, such as most hardware components or software, or if an operating system other than Vista is installed (e.g. Windows XP) and the user uses the new operating system to access a Microsoft website or service. Thus a PC can be tracked by Microsoft through its lifetime without explicit permission or illegality on behalf of Microsoft. In the case of a laptop, the travels of its user are also tracked.
Many individuals state they do not care if they are tracked, and cannot see that it does harm. This document does not dispute that point of view. These suggestions take the point of view exclusively that there are some companies with agreements already in place for whom this tracking is an issue. Tracking cuts across some kinds of commercial and government-mandated contract terms, and should be evaluated as a possible commercial risk to these contracts.
This content is licensed under the Creative Commons Attribution ShareAlike License v. 2.5.
GFDL: Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". (shearer.org uses but does not currently recommend the GFDL and here's the explanation why.)