Archive for April, 2007

In Defence of Microsoft Product Activation

Giants always make for bigger targets. So it’s no surprise that Microsoft wears the biggest bullseye in the technology industry. From government regulators to competitors to website reviewers to ordinary end-users, it seems that everyone wants to legislate against, sue, criticise or just yell at the Beast of Redmond. And the brickbats are often justified. Microsoft has done some pretty daft things, from the crash-prone Windows Millennium Edition through to the absurdly named Windows Genuine Advantage (which offers absolutely no advantage, genuine or otherwise). And this site recently bashed Microsoft’s UMPC platform at some length.

But from time to time, the critics get it wrong. Whether they’re motivated by a zealous hatred of Microsoft and all its works or simply misinformed, some allegations just don’t stand up to scrutiny. And so it is with Microsoft Product Activation (MPA).

Microsoft has endured a lot of criticism since it first introduced MPA with some editions of Office 2000. MPA is now used on most Microsoft software, including its two cash-cows: Windows and Office. MPA requires the user to enter a unique code (usually printed on the CD packaging) during software installation. This code is then automatically compared against a list of codes on the Microsoft servers which then permit the use of the software (if it’s a legitimate code) or block use of the software (if Microsoft deems that the software has been pirated or installed too many times).

In order to mount a defence of such an unpopular copy-protection mechanism, it’s first necessary to examine the case against it. Criticisms of MPA can be broadly divided into three main arguments:

1. It is inconvenient.

  • It requires the user to have their installation disc packaging handy when the software is first installed. If the hard disc is reformatted or replaced, the code needs to be entered again when the software is reinstalled.
  • Online reactivation may be impossible if a PC is rebuilt with several new components (including a new motherboard), or if a user simply wants to migrate from an old PC to a new PC. In these circumstances, reactivation may only be possible via a phonecall to the MPA hotline. This issue can affect computer hardware enthusiasts who like to tinker with their PCs’ innards, or regular home users who have simply replaced an old machine with a new one.

2. It is an invasion of privacy.

  • During product activation, information about the user’s PC is collected and sent back to Microsoft. The user cannot stipulate what information is collected, cannot see what information is collected, and cannot activate the product without allowing the information to be collected.


3. It doesn’t work. MPA does not prevent software piracy.

  • None of the products supposedly protected by MPA – from Office 2000 through to Windows Vista – have survived determined attempts by technical experts to break the protection.
  • There are a variety of methods for getting around MPA, from emulation tools to registry hacks, to downloadable key generators. Although the ease with which MPA can be circumvented varies from product to product, it is invariably possible assuming a determined and technically knowledgeable user.

This article addresses each of these points. However, it is necessary to work from the premise that Microsoft’s desire to protect its software is legitimate in principle, even if its methods for doing so are disagreeable in practice. If one rejects that premise, then all other arguments regarding MPA are irrelevant.

Starting with the allegation that it is inconvenient. Most software packages from most software companies require the user to enter a security code when the program is first installed. As there are few complaints about entering codes for most non-Microsoft products, there must be something special about the way that Microsoft does it. And indeed there is. On most non-Microsoft programs, the software installer hashes the security code locally (i.e. on the user’s own PC) to ensure its validity. MPA works differently, in that it connects to Microsoft’s servers to check the validity of the code and ensure that the same code has not been used too many times.

Consequently, if the software is installed on a replacement PC or the motherboard is switched, the user might have to call the Microsoft hotline for a replacement code. This is the thing that critics complain about. Indeed an article on The Inquirer rages against the injustice of it…

“Mr and Mrs Hardworkingperson have an old PC with XP and Office 2003 installed. They’ve had it for five years. Junior Hardworkingperson wants to run a new game that only works under Vista, so Mr and Mrs H pop down to PCs R Us for a new machine. This comes with Vista pre-installed, but without Office… Any attempt to reinstall it will result in a message telling them they’ve exceeded the maximum number of installs and force them to phone up for a new product code. They’re branded as criminals for buying a new machine.”

That kind of article – on one of the most-read IT news sites – is typical of the hysterical attitude of many MPA critics. The family in the story are not being branded as criminals. They’re simply being asked to call a Microsoft hotline – which is available 24/7 – so that they can be given a new code. Indeed, even the article’s author then admits…

“To be fair, the MS product activation call centre appears to be staffed by halfway-decent, intelligent people, but that’s not the point.”

Actually, it is the point. Microsoft are protecting their software and doing it in a pretty painless way. One phonecall is a fairly trivial requirement compared to the rest of the onerous process of configuring a new PC. And crucially, the author conveniently omits the long grace period – during which the software can be used as normal – before it has to be reactivated. Reactivation does not have to be done immediately. In fact, the software can be used 50 times before activation.

Moreover, it is worth considering that this issue only affects the tiny proportion of consumers who upgrade their motherboard – an activity which is beyond the capacity of all but the most expert users; and those users who upgrade to a new PC and then want to reinstall the old software. Microsoft’s own research indicates that activation requests due to modified or new hardware account for just 2% of the total. And the chances of having to call the hotline are now even lower, as the new Office 2007 Home & Student edition permits installation on 3 different PCs.

Moving on to the allegation that MPA is an invasion of privacy. This criticism would be easier to take seriously if it wasn’t so patently untrue. MPA sends two pieces of data to Microsoft: the activation code, and a hardware ‘hash’ code.

  • The activation code is simply the line of digits printed on the CD packaging.
  • The ‘hash’ code is a non-unique number generated by the specific hardware configuration inside the user’s PC. It cannot be ‘reverse-engineered’ i.e. it is impossible for Microsoft to know the make or model of your PC – nor indeed anything about it at all – by looking at the hash code.

Neither the activation code, nor the hash code is linked to a specific person. No personal information is collected. No information about any aspect of the PC is collected. Microsoft knows nothing at all about the user or the user’s PC. There is simply no invasion of privacy.
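The two mechanisms described above, a server-side count of installs per code (as opposed to a purely local code check) and a truncated, non-unique hardware hash, can be sketched as a toy model. This is an added example, not Microsoft’s implementation: the checksum rule, the 8-bit truncation, the default limit of 3, the sample codes and all function and class names are assumptions made for illustration.

```python
import hashlib

def local_check(code):
    """Offline validation (constructed rule): last digit = sum of the others mod 10."""
    if not (code.isascii() and code.isdigit() and len(code) > 1):
        return False
    return sum(map(int, code[:-1])) % 10 == int(code[-1])

def hardware_hash(components, bits=8):
    """Digest of the component list truncated to `bits` bits, so values are shared."""
    digest = hashlib.sha256("|".join(sorted(components)).encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)

class ActivationServer:
    """Server-side state a local check cannot have: which hardware used each code."""
    def __init__(self, issued_codes, max_installs=3):
        self.seen = {code: set() for code in issued_codes}
        self.max_installs = max_installs

    def activate(self, code, hw_hash):
        if code not in self.seen:
            return "blocked"        # well-formed or not, this code was never issued
        known = self.seen[code]
        if hw_hash in known:
            return "activated"      # reinstall on hardware already recorded
        if len(known) >= self.max_installs:
            return "call hotline"   # install limit reached for this code
        known.add(hw_hash)
        return "activated"

def distinct_hashes(n, bits=8):
    """Count distinct hashes over n constructed hardware configurations."""
    configs = ([f"cpu-{i}", f"disk-{i}", f"nic-{i}"] for i in range(n))
    return len({hardware_hash(c, bits) for c in configs})

if __name__ == "__main__":
    code = "1234561"                # constructed sample code
    server = ActivationServer({code})
    # The local check gives the same answer on every machine, however often it runs.
    print([local_check(code) for _ in range(5)])
    # The server sees a fourth distinct hardware hash and stops activating online.
    print([server.activate(code, h) for h in (17, 17, 42, 99, 200)])
    # 1000 different machines map onto at most 256 hash values.
    print(distinct_hashes(1000))
```

The truncation is what makes the hash non-unique: with only 256 possible values, a hash alone cannot single out one machine among many.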

The final allegation is undoubtedly the most serious. If MPA fails to prevent piracy, then what’s the point of having it at all? As noted above, with sufficient determination and expertise there are a variety of ways to ‘crack’ MPA. In fact, Microsoft recently commented on a BIOS hack that breaks MPA on specific editions of Windows Vista.

However, it is misleading to conclude that MPA is a failure just because it’s vulnerable to sophisticated attacks. Indeed, criticising MPA because it can be broken with a BIOS hack is analogous to criticising a door lock for failing to resist a master safecracker. MPA is not designed to prevent circumvention by individual users with sufficient expertise, motivation and time to spare. Rather, it is intended to hamper organised counterfeiters, and casual piracy amongst friends and relatives. In reference to the BIOS hack, a Microsoft Senior Product Manager commented…

“Our goal isn’t to stop every “mad scientist” that’s on a mission to hack Windows.”

On every form of digital media, from DVDs to iTunes, all copy-protection mechanisms have eventually been broken. Does anyone really think that Microsoft engineers thought that MPA would be different? Does anyone suspect that it was a galloping shock when MPA turned out not to be impregnable? Of course not. MPA may not prevent the most knowledgeable and determined users from pirating software, but it certainly prevents enough to make it worthwhile.

So, what can be concluded about MPA? It is of little or no inconvenience to at least 98% of users. It does not breach anyone’s privacy. And, rather like a door lock, while it’s not unbreakable, it does a good enough job in most circumstances to make it worth having. Who could argue with that?
