Number 225 - February 2002

FUD Over WPA
by Ken Blake, T.C.S.
    If the title of this article confuses you, let me explain. "FUD" is an acronym, standing for "fear, uncertainty, and doubt"; it refers to the spreading of misinformation by those means. "WPA" is not an acronym, but just an ordinary abbreviation; it stands for "Windows Product Activation."

    Windows Product Activation is Microsoft's new security measure, designed to decrease the pirating of Windows. There is more misinformation, more FUD, promulgated about WPA than almost anything else I've seen in a long time. Some people are even refusing to buy Windows XP because of fears about WPA invading their privacy, or its making Windows more difficult to use.

    Their fears are unwarranted, and exist almost exclusively because of their not understanding what WPA is, and because of the widespread FUD over it; you see FUD in magazine articles, you read it in newsgroups, you hear it in person from your friends. But for the vast majority of people, WPA will hardly be noticed, and will represent no problem at all to them.

    First of all, something about what WPA is not: it's not registration. Activation and registration are two different things. Activation is completely anonymous, and you can do it without registering.

    Microsoft was concerned about people installing a single copy of Windows on more than one computer. Some people think that the requirement not to put one copy on multiple computers is new with XP, but that's not at all true; doing this has always been against the licensing agreement in all previous versions of Windows. What's new in Windows XP is only that it's now harder to do it and get away with it.

    Enter WPA, the means that Microsoft instituted to enforce the one-operating-system-for-each-computer rule. What WPA does is inventory the hardware in your computer, calculate a hash number (i.e., code -ed.) based on it, and send that number over the Internet to Microsoft, along with your unique Windows Product ID. It also records that calculated hash number on your hard drive and checks it against your hardware at each boot to ensure that nothing has changed. As long as your hardware stays the same, everything is fine (more about that later).

    Note that it does not send any personal information about you; it doesn't know or care what your name or E-mail address is.

    By the way, you get to control when to perform this activation--the calculation of the number and sending to Microsoft. If you want to experiment with different hardware components before you activate, that's fine, as long as you do it within thirty days after installation of Windows XP. If you don't activate within thirty days, Windows will stop working, except in safe mode.

    Suppose you're dishonest and want to install the same copy on a second computer. WPA goes through the same process of calculating the number (which will be different this time) and sends it to Microsoft along with your Product ID. Microsoft checks that Product ID against its database and finds that it has already recorded a different hash number for it. You're caught! Microsoft concludes that you're trying to install the same copy on a second computer and activation fails; Windows will stop working (it will only boot to Safe Mode).

    "Unfair!" some people cry. They have several computers, one for each family member, or perhaps a desktop and a laptop. They think they should be able to install the same copy on all their computers. After all, they used to be able to do that.

    But this was always against the licensing agreement. Nothing is new here except Microsoft's enforcing of the rules. Those who complain that WPA is unfair didn't complain about the rule when they could easily get away with it; they complain only when they can't get away with ignoring the rule. That's simply hypocrisy, as far as I'm concerned. People like this sound to me like a burglar complaining about a homeowner installing a burglar alarm system.
    In my view, Microsoft (or any other vendor--of software, or anything else) offers a product for sale under its rules. If you like the product and you like the rules, buy it; if you're unhappy with either, then don't buy it. It's a clear choice you have. There's nothing unfair about it. Microsoft has the right to protect its property and enforce its rules, just as the homeowner has to protect his property.

    Some people think that if they have two identical computers, each with exactly the same components, they can fool WPA and install the same copy on both computers. Nope! Even two identical products have different things like serial numbers that WPA will use to calculate the hash number; the result will be different.

    The big question, and the one over which there's perhaps the most FUD, is this: what happens if the hardware in your computer changes--if a component fails, for example, and gets replaced or if you add or upgrade hardware?

    In most cases, nothing happens. Windows continues to work just as it did before. Microsoft recognizes, of course, that these things happen, and didn't want WPA to make it harder for people to use their computer. A minor change or two is perfectly acceptable. But if there are too many changes, if those changes are big enough, or if you reformat and re-install Windows (which wipes out the stored hash number) you will have to reactivate Windows XP. You boot to Safe Mode, and will get instructions to call Microsoft, who will issue you a 42-digit number which you have to manually enter to accomplish the reactivation.

    Is that reactivation a nuisance? Perhaps. But it's nowhere near as bad as it's made out to be. Most people will never have to do it (see below). If you do need to do it, it normally takes only a few minutes, worst case; you might be on hold for a short time to speak with someone at Microsoft. Is it an invasion of privacy? Not at all; you don't even have to tell Microsoft your name when you call.

    That last point is worth stating one more time: you don't have to tell Microsoft who you are, neither when you activate nor if you ever have to reactivate. WPA is not registration. You can also register and tell Microsoft who you are, but that's entirely optional. Whatever the merits of WPA or whatever the problems you may have with it, there is no invasion of privacy involved at all.

    Now, the part that many people don't know: after being activated for 120 days, you can upgrade anything you want. The slate is wiped clean and you effectively start from scratch.
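
    The exchange described in this article can be sketched as a small model. This is an added example, not Microsoft's code: the choice of components, the use of SHA-256, the sample serial numbers and the way the 120-day figure is applied are all assumptions made for illustration.

```python
import hashlib

RESET_DAYS = 120  # figure from the article; applying it server-side is an assumption


def hardware_hash(components):
    """Hash an inventory given as {slot: (model, serial)}.
    Stand-in only: the article names neither the components nor the hash
    function WPA uses, so SHA-256 over a sorted listing is assumed here.
    """
    h = hashlib.sha256()
    for slot in sorted(components):
        model, serial = components[slot]
        h.update(f"{slot}|{model}|{serial}\n".encode())
    return h.hexdigest()[:16]


class ActivationServer:
    """Toy model of the vendor-side database the article describes."""

    def __init__(self):
        self.records = {}  # product_id -> (hw_hash, day first recorded)

    def activate(self, product_id, hw_hash, day):
        # The request carries only a Product ID and a hash: no name, no e-mail.
        known = self.records.get(product_id)
        if known is not None:
            old_hash, old_day = known
            if hw_hash == old_hash:
                return "activated"      # same hardware as already recorded
            if day - old_day < RESET_DAYS:
                return "refused"        # different hardware, same Product ID
        self.records[product_id] = (hw_hash, day)  # first use, or slate wiped clean
        return "activated"


def demo():
    # Constructed sample data: two PCs of the same model with different serials.
    pc_a = {"disk": ("DX-40", "SN1001"), "nic": ("NetFast", "SN-A7")}
    pc_b = {"disk": ("DX-40", "SN1002"), "nic": ("NetFast", "SN-B3")}
    pc_a_upgraded = {"disk": ("DX-80", "SN2001"), "nic": ("NetFast", "SN-A7")}
    server, pid = ActivationServer(), "SAMPLE-PRODUCT-ID"
    return [
        server.activate(pid, hardware_hash(pc_a), day=0),
        server.activate(pid, hardware_hash(pc_b), day=10),
        server.activate(pid, hardware_hash(pc_a_upgraded), day=130),
    ]

print(demo())
```

    The first computer activates, the look-alike second computer is refused because its serial numbers change the hash, and the upgraded first computer is accepted once 120 days have passed.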

    If you replace your computer entirely, you can remove Windows XP from the old one, and reinstall it on the new one. However, re-registration (and explanation of what you did) has to be by a voice call.

    Here are some more examples of FUD over WPA: WPA doesn't phone Microsoft every day to check on you; Microsoft doesn't use WPA to turn off your machine or damage your data if you're not properly activated; WPA doesn't require more payments after two years; your license to use XP lasts forever.

    All of the above apply to the full and upgrade versions of XP, as well as the regular OEM versions. There are, however, two exceptions--two kinds of XP versions that require no activation at all: these are the corporate version, where many licenses are sold to a single company, and some OEM versions sold by large mail-order OEM vendors. These latter OEM versions are sometimes BIOS-locked to a particular computer and WPA is not used on them.

    An excellent link to the full story about WPA is http://www.aumha.org/a/wpa.htm.

    TOGGLE Editor's Note:
    Not all reports are so positive. See Fred Langa's column at www.langa.com/newsletters/2002/2002-01-24.htm#1