Share via


WGA Notifications and download and install telemetry

We’ve gotten a few questions recently about the fact that our latest WGA Notifications package sends install telemetry when installed or canceled. Given past concerns about data WGA sends out I wanted to take a moment to explain what is happening with this latest release and why.

First, all downloads that flow through Windows Update return success/failure telemetry. This is because of the large scale of distributions over Windows Update. When sending out an update package to potentially millions of customers it’s important to gather basic data on successful installations, install failures and user rejections or cancelations at any point in the process. Second, this event is one time only. Also, if the system isn’t connected to the internet nothing will be sent nor will it be if an attempt to send fails.

By learning at what point in the install process some users decide to abandon, we can put more effort into the right places in the installation wizard. Remember our goal with the wizard is to give more information so customers will be better informed. We heard from customers that they wanted more information about what the software was and how it worked so we created the install wizard to provide that greater context. Knowing this kind of information about the install wizard installations is critical for us to continue to improve the customer experience of WGA. If we are not hitting that mark, we can use this method to improve.

Just to allay any fears that Microsoft is using any personal information, here an example of the actual XML that is returned when a user cancels an installation. We’ve also added a data type and detailed description of each field. This XML schema is common to a number of products so some fields are not used in this case.

 table

For completeness (and for our lawyers) I’d like to point out that disclosure of this type of install telemetry is made in the Windows Update privacy statement. All the information that is sent as a result of WGA Notifications being installed is covered by WGA-specific disclosures such as the EULA presented in the installation wizard and our privacy statements. Our commitment on privacy is oft-stated and we do not use any of the information collected through WGA to identify or contact any user. For more info on WGA Notifications see these pages.

Comments

  • Anonymous
    March 07, 2007
    PingBack from http://www.pcdoctor-guide.com/wordpress/?p=4064

  • Anonymous
    March 07, 2007
    The comment has been removed

  • Anonymous
    March 08, 2007
    Out of curiosity, why is the hashed Security Identifier, the hashed User Security Identifier, and the hashed Volume Serial sent? If its for identifying clients uniquely for update statistics (and not to identify a specific user) why not just send a persistent randomized GUID? It'd uniquely identify a person without giving any personal information. Granted, that phrase may be hard to explain to people. Also, why does it send Partial Product key if it isn't using WGA? I mean, it seems like the product key would be something for WGA to check. Especially considering the hashed volume ID and other stuff. Of course, I assume all these hashes are one-way and non reversible, correct? I'd also assume they're something like MD5 with a very low chance of collisions?

  • Anonymous
    March 08, 2007
    The comment has been removed

  • Anonymous
    March 09, 2007
    I wanted to let everyone know I will be deleting a couple of comments from this posting and from a couple of others. This blog is not the right place to speculate on legal issues nor issue legal threats and I am not qualified to engage in that kind of  discussion anyway. For this reason I will be deleting comments in this thread and ones posted to previous posts that are similar. In this particular case all of the comments were posted by the same individual in the last twenty four hours to numerous blog entries going back a while. I would encourage the individual, if they would like to continue participate in the blog, to repost their comments leaving out discussion of legal issues. Thanks

  • Anonymous
    March 10, 2007
    If you hadn't realized it in your zeal of USA DST patching, we won't have any security patches next week.

  • Anonymous
    March 13, 2007
     Alex, at least one of the statements you have made is a logical nonsense: "  All the information that is sent as a result of WGA Notifications being installed is covered by WGA-specific disclosures such as the EULA presented in the installation wizard  [ ... ]"  Now you hang on just a cotton-picking minute there.    You say this is covered by the EULA, yes?  The same EULA that is presented in the installation wizard, yes?  The same EULA THAT I JUST REJECTED BY CLICKING CANCEL, yes?  Doh!  It is NOT covered by that EULA because I DID NOT ACCEPT THE EULA.  You cannot invoke the conditions of the EULA if I have rejected it because I AM NOT BOUND BY IT.  You went wrong right at the start of the sentence, where you refer to "the information that is sent as a result of WGA Notifications being installed".  This entire discussion is all about the information that is sent as a result of WGA notifications being NOT installed, remember?  Or are you just trying to avoid the issue because you know you're (or rather, your firm is) in the wrong?

  • Anonymous
    March 13, 2007
    DaveK, thanks for you comment and question. Perhaps I could have been more clear about my statement. What I was saying was that the telemetry sent AFTER the EULA screen and the rest of the installation is covered by that EULA. The telemetry that occurs before that screen is consistent with the standard Windows Update install or cancel telemetry. That's what I meant to say. Hope that clears it up!

  • Anonymous
    March 19, 2007
    The comment has been removed

  • Anonymous
    March 21, 2007
    The comment has been removed

  • Anonymous
    March 23, 2007
    mhornyak: "Given this, I'm not sure what WGA is accomplishing--it seems to frustrate only casual users, not professional pirates.  That can't be your objective, right?" That's what DRM pretty much always accomplishes. The folks willing to pay for value received get to deal with problems that the real criminals work around.

  • Anonymous
    March 28, 2007
    I have generally no problems with microsoft trying to eliminate illegal copies. If they handle the transmitted data with care everything is fine. BUT the EULA tells us that microsoft claims the right to give away the data to other companies. Even if I trust microsoft, I do not agree to this data transfer to unnamed companies. Now, if I decide to protect my privacy, I am excluded from a lot of updates. In addition, if I replace my motherboard or harddisk, I make myself suspect because several checksums change. WGA is a perfect example of ill-conceived software products.

  • Anonymous
    April 03, 2007
    The comment has been removed

  • Anonymous
    April 12, 2007
    Is the point passing just over the heads of the WGA team bloggers at Microsoft. In a post last month

  • Anonymous
    April 12, 2007
    The comment has been removed

  • Anonymous
    March 09, 2008
    The comment has been removed

  • Anonymous
    March 13, 2008
    I bought a Computer and recent found it not having an authentic copy of XP with SP2. So I am attending a computer course at college and bought an copy of XP with SP2, from the school. It has an autentication code. I worry that if I install this new XP with this new authentic version it may affect some of my existing programs not to run. Is there any way to just use the code with my existing xp with my old loaded XP. I only ask because I already purchased a replacement.

  • Anonymous
    September 23, 2008
    The comment has been removed

  • Anonymous
    March 24, 2009
    The comment has been removed