MS EULA v HIPAA - specifics (was Re: Linux in business)

Author: Alex LeDonne
Date:  
Old-Topics: Linux in business
Subject: MS EULA v HIPAA - specifics (was Re: Linux in business)
--- Chris Gehlker <> wrote:
>
> On Jan 21, 2004, at 10:33 PM, der.hans wrote:
>
> > Am 21. Jan, 2004 schwätzte Chris Gehlker so:
> >
> >> All I could find in the various MS EULA's available was the
> >> following:
> >>
> >> "CONSENT TO USE OF DATA.  You agree that
> >>    Microsoft and its affiliates may collect and use technical
> >>    information gathered as part of the product support
> >>    services provided to you, if any, related to the Software.
> >>    Microsoft may use this information solely to improve our
> >>    products or to provide customized services or technologies
> >>    to you and will not disclose this information in a form
> >>    that personally identifies you."
> >
> > There was a section allowing m$ to break into the computer or
> > otherwise inspect it anytime they demand in order to do a license
> > audit. m$ determines if the software is being used in compliance
> > with licensing and reserves the right to collect data as well as
> > shut off and disable software.
> >
> > Maybe that part got pulled. Maybe it was a proposed license that
> > never got used. Maybe I'm remembering incorrectly or getting mixed
> > up with UCITA. I don't know.
> >
> > I believe the wording I'm referring to is in the XP EULA and in the
> > licensing changes that came with one of the service packs in the
> > last couple of years. That's another issue. Requiring acceptance of
> > new licensing terms in order to get security fixes is a pretty
> > underhanded trick.
>
> Except that the new licensing terms seem to be related to the method
> used to deliver the security fix. I'm sure people would have jumped
> on them either way.
>
> Maybe this is language that you are concerned about. It's from the
> Windows media player license:
>
> "Solely for the purpose of preventing unlicensed use of the applicable
> OS Software, the OS Components may install on your computer
> technological measures that are designed to prevent unlicensed use, and
> Microsoft may use this technology to confirm that you have a licensed
> copy of the OS Software. The update of these technological measures
> only occurs through the installation of these OS Components. The OS
> Components will not install on unlicensed copies of the OS Software.
>
> If you are not using a licensed copy of the OS Software, you are not
> allowed to install the OS Components or future OS Software updates.
> Microsoft will not collect any personally identifiable information from
> your computer during this process.
>
> "The OS Components may include the Microsoft .NET Framework. You may
> not disclose the results of any benchmark test of the .NET Framework to
> any third party without Microsoft’s prior written approval.
>
> "Content providers are using the digital rights management technology
> contained in the OS Components ("DRM") to protect the integrity of
> their content ("Secure Content") so that their intellectual property,
> including copyright, in such content is not misappropriated. Portions
> of the OS Components and third party applications such as media players
> use DRM to play Secure Content ("DRM Software"). If the DRM Software’s
> security has been compromised, owners of Secure Content ("Secure
> Content Owners") may request that Microsoft revoke the DRM Software’s
> right to copy, display and/or play Secure Content. Revocation does not
> alter the DRM Software’s ability to play unprotected content. A list
> of revoked DRM Software is sent to your computer whenever you download
> a license for Secure Content from the Internet. You therefore agree
> that Microsoft may, in conjunction with such license, also download
> revocation lists onto your computer on behalf of Secure Content Owners.
> Microsoft will not retrieve any personally identifiable information,
> or any other information, from your computer by downloading such
> revocation lists. Secure Content Owners may also require you to upgrade
> some of the DRM components in the OS Components ("DRM Upgrades") before
> accessing their content. When you attempt to play such content,
> Microsoft DRM Software will notify you that a DRM Upgrade is required
> and then ask for your consent before the DRM Upgrade is downloaded.
> Third party DRM Software may do the same. If you decline the upgrade,
> you will not be able to access content that requires the DRM Upgrade;
> however, you will still be able to access unprotected content and
> Secure Content that does not require the upgrade."
>
> I think that thing about "you may not disclose the results of any
> benchmarks" is a laugh riot. But note that the license checking "will
> not collect any personally identifiable information" and the DRM
> thingee works by downloading a revocation list, not by uploading
> content.
>
> After all the criticism that I have taken from Craig for 'Microsoft
> Bashing' it's sort of ironic that I seem to be defending them here. I'm
> really not. I would *love* to be able to make an argument to my
> clients that they can't use MS software without running afoul of HIPAA
> or any of the requirements that they have to maintain confidentiality.
> I'm just unwilling to do that without solid evidence.


*********
WARNING: The following requires scrutiny by one or more lawyer(s)
before being used for business decisions. It all appears to hinge on
the phrase "reasonably anticipated".
*********

I remember that one of the MS EULA concerns from a HIPAA security rule
point of view is this section, the second bullet of Part 11,
"DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS" from the EULA of an
enterprise install of Win2KSP3 (I believe it is the same or similar in
WinXP):

    * Internet-Based Services Components.  The Product contains
      components that enable and facilitate the use of certain
      Internet-based services.  You acknowledge and agree that
      Microsoft may automatically check the version of the
      Product and/or its components that you are utilizing
      and may provide upgrades or fixes to the Product that
      will be automatically downloaded to your Workstation
      Computer.

That is, you agree that Microsoft may install un-audited
Internet-enabled software on what may be an audited machine. Note that
"upgrade" is as designated by Microsoft - if _they_ consider the
addition of a spyware component to be an "upgrade" to, say, Internet
Explorer, Media Player (it uses the Internet to get CDDB data and is
considered an OS component), etc., then you have, in fact, authorized
MS to install said spyware on your system. Will they? Can you say with
certainty that they won't, or in fact haven't? What about upgrades that
are just buggy to the point of exploitability?

MS has no obligation to notify you of such changes, either.

I am not a lawyer, nor a HIPAA auditor nor consultant. I don't know
enough about HIPAA security requirements to know if this is a real
problem or not for HIPAA compliance. I have read claims that it is. In
particular, I have seen claims that based on MS history of exploitable
bugs in Internet-enabled software, such bugs in automatically installed
upgrades are a reasonably anticipated threat or hazard to information
security and integrity, hence giving the above right to MS violates
HIPAA in 45 CFR 164.306(a)(2) [0]:
      (a) General requirements. Covered
      entities must do the following:
      (1) Ensure the confidentiality,
      integrity, and availability of all
      electronic protected health information
      the covered entity creates, receives,
      maintains, or transmits.
      (2) Protect against any reasonably
      anticipated threats or hazards to the
      security or integrity of such information.


There may also be an issue with 45 CFR 164.312(b), as MS is not
obligated to provide notification of this change:
      (b) Standard: Audit controls.
      Implement hardware, software, and/or
      procedural mechanisms that record and
      examine activity in information systems
      that contain or use electronic protected
      health information.
However, this second issue could presumably be addressed with a
network-level audit/monitoring solution.


As I understand HIPAA, the main requirement is documentation. Perhaps
this is an issue which, sufficiently documented, does not prohibit the
use of newer MS OSs (Win2KSP2 has been reported as the last MS OS not
to include the EULA bullet in question). Perhaps not. Since there's no
such thing as too many disclaimers, do not use this information without
proper review by your legal counsel.

-A

[0] http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf
