Microsoft Vista: The EULA
This appendix was written by Scott Granneman, a monthly columnist for both SecurityFocus and Linux Magazine. He comments on various problematic clauses in Vista’s EULA that he first addressed in his column titled “Surprises Inside Microsoft Vista’s EULA,” which he wrote for SecurityFocus in October 2006. He also addresses the Vista EULA’s restrictions on benchmark testing, virtualization, and Digital Rights Management (DRM).
Introduction
Even though precious few users actually read it, Microsoft’s End User License Agreement (EULA) has actually always been both incredibly important and problematic at the same time. Important because it governs what users may and may not do with the operating system (OS) that so many people around the world buy … uh, license, and problematic because many of the stipulations in the EULA are troublesome in the powers they grant Microsoft.
Anyone who’s familiar with Microsoft’s past EULAs knows about the controversial clauses present long before Vista, and Vista’s EULAs contain them as well. The piece of the EULA promising that if you disagree with the license, just go ahead and return it to the retailer for a refund—a fruitless process that ends up leading the person seeking the refund on an endless round of phone calls between computer manufacturers and Microsoft, each insisting that it is the responsibility of the other party to pay up—is right in the beginning, just as in past EULAs. Mandatory activation, guaranteeing that at least some people will get stuck when their copy of Windows mysteriously “forgets” it’s been activated already, is there. The statement that Microsoft is in no way liable for any failures of its OS, with damages limited to the actual cost of the software? Oh yeah. It’s there.
That said, Microsoft—or the lawyers writing the EULA—should be given credit, because the EULAs for Vista are the clearest and easiest ever to come out of the company. Oh, there’s still legalese to be found in there—“The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort”—but it’s at a lower percentage when compared with any other EULA to come out of Redmond. That’s good for consumers, and Microsoft is to be commended for that action.
Criticism and Change
When drafts of the Vista EULA first began circulating, there were several problematic clauses that raised quite a hue and cry. I wrote a column for SecurityFocus in October 2006 titled “Surprises Inside Microsoft Vista’s EULA” that covered several of the more egregious legal claims upon which Microsoft was insisting. In particular, I called out clause 15 in the EULA—“REASSIGN TO ANOTHER DEVICE”— which originally read as follows:
Software Other than Windows Anytime Upgrade. The first user of the software may reassign the license to another device one time. If you reassign the license, that other device becomes the “licensed device.”
This seemed to me egregious and unfair to exactly those users who support Microsoft by paying for licenses in the store instead of just acquiring them with new machines. As I wrote in my column:
As I read this, you go to the store and buy a copy of Vista, which you install on a PC you had in your office. A year later, another PC becomes available that's a bit more up-to-date, so you decide to transfer your Vista license to that machine.
You're now finished with that Vista license. Done. Game over, man. Whether you shelled out $199 for Home Basic or broke the bank with the $399 Ultimate makes no difference. You've reassigned the license twice, and that's all that Microsoft allows.”
My column was reprinted in The Register, and picked up by both Slashdot and Digg, resulting in quite a lot of discussion and debate. Several other individuals, in both articles and blogs, were making the same points, and it seems that Microsoft actually listened. A few days after my column came out, links to the Vista EULA disappeared from Microsoft’s Web site. When they returned, the wording that I had protested had changed:
Software Other than Windows Anytime Upgrade. You may uninstall the software and install it on another device for your use. You may not do so to share this license between devices.
This is much clearer, and it’s also in accord with what most users understand and expect. It was good of Microsoft—both for itself and for users—to clarify this issue.
Unfortunately, two other clauses in the Vista EULA still contain troubling language, language that serves no purpose except to help Microsoft at the expense of customers and competitors. These two clauses cover benchmark testing and the use of Vista in virtualized environments, and anyone who signs on to the EULA should give them serious thought.
Benchmark Testing
Microsoft is releasing several different versions of Vista, which definitely complicates any discussion of the EULA, because the first question one must ask about a clause is “Which version of Vista has this condition in its license?” In the case of the benchmarking limitations, look in the software licenses for Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Business, and Windows Vista Ultimate. Together, those cover a huge percentage of Vista users, whose software will now be bound by the following restrictions:
MICROSOFT .NET BENCHMARK TESTING. The software includes one or more components of the .NET Framework 3.0 (“.NET Components”). You may conduct internal benchmark testing of those components. You may disclose the results of any benchmark test of those components, provided that you comply with the conditions set forth at http://go.microsoft.com/fwlink/?LinkID=66406. Notwithstanding any other agreement you may have with Microsoft, if you disclose such benchmark test results, Microsoft shall have the right to disclose the results of benchmark tests it conducts of your products that compete with the applicable .NET Component, provided it complies with the same conditions set forth at http://go.microsoft.com/fwlink/?LinkID=66406.
The problem with the preceding words is not that end users will have to go to a Microsoft Web site before conducting benchmarks; indeed, you’d be hard-pressed to find any end users who do perform benchmarking tests. Instead, this is a problem because those who do conduct benchmarking—reviewers in magazines and on Web sites, in particular—will be hamstrung.
To put this situation in terms of cars, it’s as though Ford insisted that any tests of its automobiles had to be governed by rules that it set in place—rules that Ford could change at any time! Would that be bad for your average car buyer? Yes, but not because Joe Carbuyer would be out testing Fords, but rather because Consumer Reports and the myriad other organizations and publications that do examine cars— tests that Joe uses to know which cars are safe and which are deathtraps, for instance—would have to work under rigged and unreal conditions.
Rigging the Tests
It’s bad enough that benchmark testers first have to stick to a Web page that Microsoft can change at any time—how’d you like to find out that the month of work you just went through has been invalidated thanks to a new change on that Web page?—but the actual language at http://go.microsoft.com/fwlink/?LinkID=66406 should give one pause. At the time of this writing, the terms say this:
(3) your benchmark testing was performed using all performance tuning and best practice guidance set forth in the product documentation and/or on Microsoft's support Web sites, and uses the latest updates, patches, and fixes available for the .NET Component and the relevant Microsoft operating system.
This might seem fairly innocuous, but it’s not. Microsoft is ensuring that if you run its products through a trial, you must first tweak those products exactly according to Microsoft’s specifications … which, coincidentally enough, will undoubtedly most favor Microsoft. Worse, there can sometimes be an enormous gap between the way Microsoft wants admins to configure systems and the actual configurations admins use. What would you rather read: the results of studies conducted in a spotlessly idealistic setup or those conducted in the real world? Which would give you more insight into how the product actually works?
And what about the demand that analysts must use the “latest updates, patches, and fixes”? How in the world are we going to know whether the latest version is actually better than the last one—or the one before that—if assessments are forbidden from comparing and contrasting the two versions without running afoul of the EULA?
The result of Microsoft’s language in the EULA pertaining to benchmarking? Results that can be incorrect, unreal, or distorted. Is that what we want in the studies and reviews we read? Are limitations on benchmarking and the publishing of results ever a good idea? In this case, when we’re working with the software that powers more than 90 percent of the world’s desktops, it seems a disastrously unfortunate limitation, and one that should be abandoned as soon as possible.
Virtualization
The technology of virtualization has been around for more than 40 years in one form or another, but in the past five years or so, as desktops have become faster and more powerful, it’s finally reached the point where even those machines can reap the advantages of virtualization. For those who don’t know, the process of virtualization on a PC goes something like this (assuming you already have Windows installed and running):
1. Install virtualization software such as VMware (the market leader), Parallels (the market leader on Macs, with a fine product for computers running Windows as well), or Microsoft’s own Virtual PC.
2. Open the virtualization software and create a new virtual machine (VM)—essentially, a large, multigigabyte (8? 10? bigger?) file that will contain the contents of the next step.
3. Within the new VM, install and configure the OS of your choice:Windows 2000, Windows XP, another copy of Windows Vista (with a different license than the machine containing your virtualized environment), Linux (I recommend Ubuntu), or pretty much any OS that you can install on Intel-compatible hardware.
4. Repeat steps 2 and 3 for any other OSes you want to install, and you’re finished.
Let’s say you installed a copy of Windows XP to use for testing in step 3. To use it, you’d open VMware (or whatever virtualization software you decided to use) and then select the VM you want to run—in this case, Windows XP. A few moments later, a window will open—a window like any other on your computer—showing Windows XP booting really fast. Once the booting process completes, you will be staring at a Windows XP desktop running in a window surrounded by your Windows Vista desktop. This is really Windows XP, not a fake or gutted version of the OS. You may notice a 5 percent or so decrease in performance, but that’s it, and many tasks will actually be far faster within the virtualized environment than they would be running on the bare metal of the machine (there is one exception: software, such as games, that requires 3D acceleration of the video card, but that’s normally not an issue for most users of virtualization).
That’s virtualization in a nutshell, and hopefully your mind is spinning with ideas now that you know how easy it is to set up and use. Is there a piece of software that refuses to run on Vista, but still works great on XP? Need to test Web sites with different versions of Internet Explorer? Want to verify that a new piece of software won’t break on production machines? How about creating a virtual network on your machine so that you can examine network security software? Or would you like to run Internet Explorer and other potentially risky software on the Net without the risk of infecting your main OS? Switched to an Intel-based MacBook Pro running Mac OS X but still want to run Vista? In every case, virtualization to the rescue!
Sounds great, doesn’t it? Then why is Microsoft hurting users of its OS who want to take advantage of this fantastic technology?
Virtualization Controls
To understand what I mean by that, let’s take a quick look at the versions of Vista that Microsoft will be selling, along with the prices for each edition:
■ Home Basic (
199, or 99 upgrade)
■ Home Premium (239, or 159 upgrade)
■ Business (299, or 199 upgrade)
■ Enterprise (OEM pricing only)
■ Ultimate (399, or 259 upgrade)
Got that? Now, let’s look at a particular clause tucked away in the Vista EULA for Home Basic and Home Premium:
USE WITH VIRTUALIZATION TECHNOLOGIES. You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system.
What’s that mean? Quite simply, you cannot create a virtualized environment on any computer and then install Home Basic or Home Premium within it. This proscription is not found in the EULAs for Business and Ultimate, however. For those editions, the EULA instead lacks one little word that carries with it a great meaning: “not”.
USE WITH VIRTUALIZATION TECHNOLOGIES. You may use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system on the licensed device.
There is no technology in place actually preventing you from installing Home Basic or Home Premium inside VMware or any other virtualization software.
Instead, Microsoft is using licensing and the withholding of support as its hammer. If you call Microsoft to request help with Home Premium, and the person on the other end of the phone finds out that you’re running it inside Virtual PC, the support session is over.
This is a naked attempt to force people interested in taking advantage of virtualization to spend more money on Vista. If I’m a Web developer who just wants to test Internet Explorer 7 by installing Vista inside a virtual machine on my XP box, why can’t I be allowed to simply pay for Home Basic and use that? From Microsoft’s perspective, I shouldn’t, when I can be forced to pay the company an additional 100 for Vista Business edition.
If you ask Microsoft, the company’s spokespersons will give you some twaddle about how virtualization is “not yet mature enough for broad consumer adoption” and that “consumers don’t understand the risks of running virtual machines.” That’s complete bunkum, as the technology most definitely is “mature,” but logically, these are ridiculous statements: If virtualization was in fact not yet mature, forcing people to spend an additional 100 clams to try it out sure ain’t gonna help it become mature! Even more ludicrous is the idea that a VM introduces risk; if anything, it actually reduces risk by allowing knowledgeable users to insulate their main OS from the dangers of the Internet. Microsoft is simply making feeble excuses for a business decision designed to rake in more cash from the public. Apparently, if something costs 299 instead of 199, Microsoft no longer cares about the “maturity” or “risks” of a technology, or maybe those problems just magically melt away.
It may be pointed out that if you’re a subscriber to the Microsoft Developer Network (MSDN), then yes, you are allowed to use Home Basic or Home Premium in a VM. Again, notice that there is clearly nothing technical that prevents users from installing those OSes in Parallels or even Virtual PC; it’s just Microsoft’s whim. This might sound like a solution for some of the problems I posited earlier, but an MSDN subscription isn’t cheap, and will be onerous to small Web developers testing Internet Explorer and other folks who just want to make limited use of Vista.
DRM and Virtualization
Even in Business and Ultimate, however, Microsoft still put into place restrictions on use of those OSes. The full wording of the virtualization clause in those EULAs reads as follows:
USE WITH VIRTUALIZATION TECHNOLOGIES. You may use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system on the licensed device. If you do so, you may not play or access content or use applications protected by any Microsoft digital, information or enterprise rights management technology or other Microsoft rights management services or use BitLocker. We advise against playing or accessing content or using applications protected by other digital, information or enterprise rights management technology or other rights management services or using full volume disk drive encryption.
So, you can use Business and Ultimate inside virtual environments, but you cannot use or view any content locked up using DRM. This ends up covering a lot of potential territory, as Microsoft’s DRM is spreading, tentacle-like, into more and more applications and files, especially Windows Audio and Office documents. This is less onerous than simply prohibiting the use of an entire OS for virtualization, but this restriction still unfairly limits what users can do with the software they bought.
Let’s say a Mac or Linux user decides to honor Microsoft’s wishes about which OS to run inside a VM, and so goes ahead and ponies up for Vista Business or Ultimate. That user may decide to run Microsoft’s Office 2007 inside his Vista VM, so he can read and create documents in the new Office 2007 XML formats. If that user should receive a document that is “protected” by Microsoft’s DRM, too bad. The EULA says no—again, not for technical reasons, as Microsoft’s DRM will work just as well in a virtual environment as it does on a version of Vista installed directly on a machine—and so the user ends up suffering because of Microsoft’s business decisions. Now he’s required to buy a new PC. This is both unfair and unreasonable.
We haven’t really talked much about Vista Enterprise, which is unique in the Vista family when it comes to virtualization. Windows journalist Paul Thurrott explains how it works:
Windows Vista Enterprise is a special case. With that version of Vista, which will be made available only to volume license customers, users will be able to install a single licensed copy of Vista on one physical PC and up to four VMs, simultaneously. Those four VMs, however, must all be installed on the same Vista Enterprise-based PC, and they must be used by the same user.
Again we see Microsoft favoring one class of customer over another and putting dollars instead of technology first. Virtualization is one of the most exciting and useful tools available to computer users today, and it holds the potential to solve many important problems in the areas of security, testing, and reliability. Microsoft should be promoting its use instead of attempting to stifle and control its growth. The wording in the Vista EULA that shamelessly attempts to limit what users can do in virtualized environments with Vista is bad for users, bad for the technology industry, and bad for Microsoft. It should be removed.
Notes and Sources
Interested readers may want to follow up the events and statements recorded in this appendix by checking out the following sources.
EULA Overview
You can read the EULAs for Vista by going to the official “Find License Terms for Software Licensed from Microsoft” page at www.microsoft.com/about/legal/useterms and searching for Vista from the pull-down menu.
My SecurityFocus article, “Surprises Inside Microsoft Vista’s EULA,” can be found at www.securityfocus.com/columnists/420. The reprint at The Register is located at www.theregister.co.uk/2006/10/29/microsoft_vista_eula_analysis. The Slashdot discussion, which generated 382 comments, can be followed at http://yro.slashdot.org/article.pl?sid=06/11/02/1751222, and the Digg postings (904 of them) are on http://digg.com/tech_news/Surprises_Inside_Microsoft_Vista_s_EULA_2.
Benchmarking
Ed Foster, in his excellent Gripelog, wrote a piece titled “A Vista of Licensed Censorship” (www.gripe2ed.com/scoop/story/2006/10/24/0456/5625) that looks at several aspects of the Vista EULA. In particular, he covers the benchmarking problem with his usual brio and intelligence.
If you want to read Microsoft’s “.NET Framework Benchmark Testing Terms,” head to http://msdn2.microsoft.com/en-us/library/ms973265.aspx.
Virtualization
If you’re interested in learning more about virtualization, check out Wikipedia’s article on the subject at http://en.wikipedia.org/wiki/Virtual_machine, or read the explanation offered by VMware, one of the leading software companies in this arena, at www.vmware.com/virtualization. In the area of security, a column I wrote for SecurityFocus—”Virtualization for security” (www.securityfocus.com/columnists/397)—may interest you.
More about VMware is at www.vmware.com, and you can read about Parallels at www.parallels.com/en/products/workstation. Microsoft’s Virtual PC can be found at www.microsoft.com/windows/virtualpc/default.mspx.
In my list of OSes you can install in a virtualized environment, I mentioned Ubuntu, an excellent version of Linux, which you can read about and acquire for free at www.ubuntu.com.
I wrote a column for SecurityFocus a few years ago that looks at the DRM Microsoft is injecting into its Office suite: “Learning to Love Big Brother” (www.securityfocus.com/columnists/165). Sadly, it’s still relevant today.
Paul Thurrott’s “Licensing Changes to Windows Vista” explains Microsoft’s policies regarding Vista Enterprise and virtualization at www.winsupersite.com/show-case/winvista_licensing.asp.
Summary
In some ways—principally ease of reading and clarifying that users may uninstall a copy of Vista on one machine to reinstall the same copy on another computer—the EULA for Vista is a marked improvement over previous Windows EULAs. Unfortunately, Microsoft’s EULA for Vista still contains within it two problematic clauses: one governing the ways in which benchmarking tests must be run, and one tightly constricting how users may install Vista inside virtualization environments. None of these restrictions benefits consumers, and it would be in Microsoft’s best interests to change those limitations in future EULAs.