WINDOWS 7/MICROSOFT & RIPA – Where do they stand?

What signs have you seen whilst using your software in regards to monitoring your personal habits/information?

This article is meant more as “food for thought” than as any sort of definitive word on what MS’s policy and/or implementation of DRM will be when Windows 7 is finally released (this post was inspired by a strange claim on MSwatch that implied Windows 7 users would be reported on if they were believed to be pirates). We have already seen the allegations of China’s computer users getting targeted by MS software because they were believed to be running a pirate copy of Windows. Rightly or wrongly that matter is in the past, but where are Microsoft heading with their software? What lengths is Microsoft prepared to go to in order to “safeguard its investment” (according to MS, their products are doing very well, so I fail to see why they would be considering any DRM or copy protection methods)?

In the UK there exists a policy. It’s called RIPA, which stands for Regulation of Investigatory Powers Act (2000). This policy governs the use of covert observation on individual(s) and makes them comply with a set of procedures and best practice. Whilst breaches of this are not an offence in themselves, it’s argued that failure to comply may “prejudice” an investigation and also leave a body open to an allegation of breaches of the Human Rights Act.

So why do I mention this in the same post as Microsoft? Well, we are not sure what/if Microsoft monitors people’s activities on their platforms. There are plenty of allegations and IF they were true, AND no permission by the end user was given, wouldn’t Microsoft be at least going against RIPA guidelines, if not breaching human rights?

In the UK even traffic enforcement “play by the rules” by having signs clearly indicating speed cameras. High streets have signs indicating the use of CCTV and even shops have the sign on the door, alerting customers to the use of CCTV, effectively entering the customer into an agreement that they will be recorded as part of a “condition of entry”. Football matches are another example. A steward has the ability to search a fan prior to entry, as it’s a condition of entry into the football ground. If a fan doesn’t like that then they don’t enter.

Now before all the Microsoft supporters jump on and say MS can make you aware, I understand that an MS product EULA can inform you of these methods and effectively make it a “condition of entry”, but am I the only one who would like to know exactly what and how Microsoft monitors its users? Whilst I believe ignorance is no excuse, I also believe Microsoft will not be exactly “clear and open” when it comes to any software/policy/technique it employs to monitor your computer use.

Let me quote a little of RIPA which is from a PDF from ELMBRIDGE BOROUGH COUNCIL:

“The purpose of the Regulation Of Investigatory Powers act 2000 (RIPA) is to
provide a comprehensive regulatory structure governing interception of
communications, surveillance and associated activities. Whilst non-compliance
with the legislation is not in itself an offence failure to comply with it may
prejudice the success of any investigation and might provide the basis for a
challenge under Human Rights legislation. It is, in any case, good practice to
comply with this legislation and any codes of practice.”

and it goes on to say:

“The policy does not refer to Intrusive Surveillance, which the Borough Council is
not authorised to use. The definitions of each term used may be found at section
7. and guidance to assist in determining the need for authorisation together with
examples may be found at section 8.”

So when a commercial firm can monitor your activities remotely and record what packages you are using and/or installing, is that not intrusive, regardless of what has been put in a EULA which a company knows a lot of people won’t read, let alone understand?

On the other side of the coin, I am very supportive of online observation by Government bodies. There are many evils on the net, and I believe monitoring by government agencies is required, until we reach a time when people can be trusted to behave correctly. I am not saying for one minute that Government bodies do not make mistakes or are not sometimes “too enthusiastic”, but in light of no viable alternatives, it’s the best we have got.

I don’t particularly want this article to get into a debate regarding the rights and wrongs of observation, but IF Microsoft does monitor its users, what gives it the right to be “guardian of our morals” when Microsoft themselves are at the receiving end of some very serious allegations concerning integrity and behaviour?

Now let’s move on to look at sections 7 and 8 of the PDF mentioned above. Section 7 explains the definition:

“Surveillance is covert if it is carried out in a manner calculated to ensure that the subject
of the surveillance is unaware that it is or may be taking place. Covert surveillance can
be either Directed or Intrusive.”

7.1.3 Directed Surveillance:

“Covert but not intrusive
Carried out for the purposes of a specific investigation
Likely to produce private information about a person
NOT an immediate response to events or circumstances the nature of which
means it would not be reasonably practicable to get an authorisation under
the Act for carrying out the surveillance”

7.1.4 Intrusive Surveillance:

“Covert
Relates to anything that is taking place on residential premises (including
hotel rooms and prison cells) or in any private vehicle;
AND which involves the presence of a person on the premises or in the
vehicle or is carried out by means of a surveillance device (e.g. potentially a
sound level meter, tape recorder).”

I would like to see some clarification by Microsoft and any author of software as to what (if anything) they are using to monitor users. I would like to see a more comprehensive and accessible EULA for users who simply want to have an unfudged text on what exactly the policy is.

As always, my opinions. I’d love to hear yours.

If you are interested to read the PDF in context from the Council site in question please click here!

3 Comments

  1. Rob says:

    I believe that RIPA only relates to government bodies. For example, if your local council wishes to put up a CCTV camera then they need to consider RIPA. But if you go outside with a video camera you do not.

    The data protection act would probably be more relevant in this case.

  2. openbytes says:

    Thanks for posting!
    Yeah, that’s what I believed, and I always thought it wrong that a member of public can go out with a camera for whatever intention they wish, yet a government body needs permission.
    However when shops have a “good practice” to display signs about CCTV in stores, and average “Joe Bloggs” when he/she goes on the streets with a camera is a little different to a covert and intrusive examination of your computing habits/software.

    Maybe this is more of a human rights issue as well. I don’t believe a data protection act is an issue as I’m sure the EULA will have that well covered.

    Maybe there is an anti-trust issue here, IF Microsoft is able to monitor your computing habits, does that not give it unfair advantage when developing software/products for particular markets?

    Great talking with you.

    Thanks for posting.

  3. Rob says:

    You are right – there is a huge difference between Joe Bloggs on the street and MS intruding in your computer. I was using the example, rather bluntly, to show the difference between a member of the public (which MS is) and a government body.

    Human Rights Act has certainly got something to say on the subject, e.g. Article 8, right to privacy. But, as you quite rightly stated, the EULA will effectively give permission to the MS action. One could better argue that MS would be breaching the Computer Misuse Act as it is interfering with computer systems.
