[PLUG] Why I will NOT use Windows XP (1)

guy1656 guy1656 at ados.com
Mon Jul 1 16:01:48 UTC 2002


http://theregister.co.uk/content/archive/24815.html

Win-XP Search Assistant silently downloads files
By Thomas C Greene in Washington
Posted: 11/04/2002 at 20:47 GMT

Just over a week ago, while searching for a file on a Windows-XP machine, I 
was surprised to see the Search Assistant attempting to activate my Internet 
connection. It puzzled me because I wasn't searching the Internet, only my 
local drive. I was busy with other things at the time, but I made a mental 
note to look into it soon, which I promptly forgot to do. 

This morning, Reg reader Jody Melbourne rattled my cage, fresh from having 
made the same discovery. He'd noticed that the Assistant was establishing a 
connection with a machine at Microsoft. 

"I did not give Microsoft permission to know what files I am searching for on 
my local hard-drive," Jody wrote. 

Indeed, and neither had I. So I connected an XP box to my ISP, started a 
packet sniffer, and launched the Search Assistant. Sure enough, it 
immediately connected to http://sa.windows.com/ and fetched a number of 
files. But it didn't attempt to send any data to the site, beyond comparing 
my locally-stored versions of those files to the ones on the server. 

But when I performed an Internet search, the Assistant sent my search terms 
to the Microsoft site, and also dropped a session cookie on my machine. 

Phoning home? 
One of the files the Assistant fetches is the MS Search Companion privacy 
statement. This is done for P3P compliance. According to the statement, MS 
doesn't collect information about local searches. "No information is ever 
collected by Search Companion when you search your local system, LAN, or 
intranet for any reason." 

I certainly didn't pick up anything to contradict that. But there is some 
obvious collecting when SA is used to search the Internet. 

"When you search the Internet using the Search Companion, the following 
information is collected regarding your use of the service: your IP address, 
the text of your Internet search query, grammatical information about the 
query, the list of tasks which the Search Companion Web service recommends, 
and any tasks you select from the recommendation list." 

"Search Companion does not record your choice of Internet search engine, and 
does not collect or request any personal or demographic information. 
Information collected by the Search Companion cannot be used to identify you 
individually, and is never used in conjunction with other data sources that 
may contain personal data." 

Hopefully there aren't too many loopholes in that, though I rather think the 
user's IP can be considered personally identifying. However, MS tells us that 
the policy statement is out of date. IPs were logged for testing purposes 
during the XP beta period; but since the product launch, there has been no IP 
logging. 

In addition to the privacy statement, the remaining files fetched are XSL 
(Extensible Stylesheet Language) stylesheets: 
transform.xsl 
balloon.xsl 
prevectr.xsl 
vector.xsl 
boolean.xsl 
pretrans.xsl 
transform.xsl 

Users curious to know exactly what they contain can quite easily locate them 
on their local machine and have a peek. According to MS, they're simply used 
to maintain up-to-date associations between file extensions and file types, 
to make searching more productive. 

I'm not acquainted with XSL, so I'm in no position to affirm that or to argue 
with it, but I'd be pleased to hear from readers who can shed additional 
light on the subject. 

For now it appears that there's nothing here for users to worry about. But 
there is a question about MS playing fast and loose with people's Internet 
connections. Certainly, the minute one ventures onto the Web, one starts 
bleeding information all over the place, fetching images and ads and taking 
cookies from secondary and tertiary sources too numerous to mention. 

But when we run an application for some local business like a file search, we 
don't expect it to connect silently to the Net, even for a good reason. When 
we discover something like this, it feels like someone else is in control of 
our computer, and that is definitely not a good feeling. 

If Trustworthy Computing is going to mean anything, it's going to have to 
mean that actions like file downloads aren't going to happen without the 
user's knowledge and consent. A simple popup asking if one wants the latest 
XSL files with the options to decline, to be asked each time, or to grant 
permission to go ahead without further consultation is all that would be 
needed.

Related Story 
Small MS DVD privacy invasion, not many dead 
http://www.theregister.co.uk/content/4/24152.html



