July 10, 2001 12:15 PM PDT
Windows XP activation technology revealed
"We contribute technical facts to a discussion that is currently characterized by uncertainty and speculation about XP," Thomas Lopatic, chief technology officer for the company and an active member of the security community, said in a statement.
Microsoft's product-activation technology--included in the new Office XP software package and slated to appear in the new Windows XP operating system--requires people to activate their PC online or by telephone to continue using the software. It has attracted criticism from both privacy advocates and customers.
Many have worried that minor changes to a PC's configuration may require people to reactivate their copy of Windows XP, while others have been concerned about the amount of information Microsoft could collect on customers.
In a paper published on the Web on Monday, start-up company Fully Licensed found there's little to fear.
The paper discloses that Windows XP activation uses the IDs of 10 different hardware components to form the basis of a PC's fingerprint and proves that such fingerprints cannot be used to identify individuals.
Among the components that make up the hardware ID are a hard drive's volume serial number, the network card's MAC address and the identification string for the CD-ROM drive, the graphics card, and the microprocessor.
While the paper reveals details of the product-activation process Microsoft had sought to keep secret, it seems to support the company's assertions that product activation does not threaten privacy and will not be a burden to consumers when they upgrade a computer.
"Since our analysis proves that the transmitted information is completely innocuous, we are surprised that Microsoft has been that vague about the inner workings of WPA for all these months," Matthias Kunze, managing director of Fully Licensed, said in a statement.
A Microsoft representative said that Fully Licensed let the company see the report before publication, and that while it had some errors, the paper was largely technically correct.
"The conclusions in fact support many of the statements we have made already about product activation: We respect users' privacy, and the vast majority of users will never have to reactivate once they activate initially," the representative said.
Microsoft also did not worry that the published details may lead hackers to find a way around the activation process.
"There is no security issue here," the representative said. "Companies and individuals research, decompile and review our code all the time. There is nothing in the report that can aid hackers."