Windows XP Product Activation: Whistler's Poison Pill?

Mark Minasi finds Microsoft's new Windows Product Activation, given what we know about it so far, potentially pernicious. He explores how the activation process might be extended in the future--to everyone's detriment.

Mark Minasi

April 26, 2001

In the past few weeks, I've spent time with Beta 2 of the next version of Windows NT in its business desktop, home, and server versions. As you know, Professional (business) and Personal (home) editions are called Windows XP, whereas the server is still called "Whistler." All three are jam-packed with a surprising number of great features. In all of its forms, Whistler is more than just a "version 1.1" of Windows 2000.

Unfortunately, one of those "features" is a poison pill called Windows Product Activation. And no matter HOW good Windows XP/Whistler is, Activation might be sufficiently pernicious to make you decide to give Whistler a miss. We still don't know a number of things about how Activation works, but you should understand what we DO know about it—to make your own decisions about Windows XP and Whistler.

The Activation Process

Here's how Activation works. You install Windows XP Professional, Windows XP Personal, or Whistler Server on a system, and it runs without restrictions from the first time that it boots up. But you soon notice a little "balloon" message that pops out of the system tray telling you that you have only 13 days left to "activate" your system. If you click where the message tells you to click, as long as you're connected to the Internet, the system basically comes right back and says, "Thanks, you're activated." No registration, no prying questions.

What happened is that your system contacted a Microsoft server and transmitted both your system's 25-digit product key and some information about your hardware—probably things such as the CPU ID that appeared with the Pentium III and the media access control (MAC) address on any NICs in the system. (Sorry I'm being vague, but I don't have any more specifics from Microsoft yet.) That information then goes into a database on a Microsoft server that asks itself, "Has this product key appeared before on different hardware that someone else activated?" If that product key has shown up on too many other systems (again, Microsoft offers no specifics about what that number is), the database server doesn't tell your copy of Windows XP or Whistler to activate itself, and you can't use the computer. Otherwise, the database server tells the system to activate itself, and all's well.

As Windows XP activates, Microsoft says that the process doesn't gather any personal information—not your name or data about your hard disk (nothing like that). Activation has one purpose: to limit the number of machines on which someone installs a given copy of Windows XP/Whistler. And in case you wonder, you can activate a system that's not connected to the Internet by calling a phone number at Microsoft; I've not seen how it works, but I'm told that a human can take the proper information and give you a code that lets you activate a system by hand. (Anyone who's ever done an over-the-phone activation of Citrix's MetaFrame product can only hope that Microsoft created a better way.)

I understand Microsoft's concern about piracy, and I recognize the company's right to enforce its copyrights. (I don't feel that software licenses are or should be enforceable, but that's another column.) I'd even go so far as to say that as copy protection goes, this method seems fairly painless.

Until you start thinking about it.

Reinstallation and Reactivation

If I never had to reinstall an OS, I would have little objection. Unfortunately, the two most effective troubleshooting techniques for Microsoft OSs are still the "two Rs"—reboot and reinstall. So suppose I buy a computer in December of 2001 that comes with a consumer version of Windows XP on it. In April 2002, I install a service pack that bluescreens the system (not an impossibility; I've seen NT service packs do it), so I must reinstall Windows XP from scratch. But when I try to activate the copy of Windows XP, it refuses to activate—because between December and April, I've added more memory, installed a new hard disk, and upgraded the processor. Microsoft's database thinks that I'm trying to put the software on a new computer, and demurs.

At this point, Microsoft says, I'd call the company (a toll-free number) and talk to a human, who would unlock my copy of Windows XP presuming that I offer some bona fides. (Hold the hologram up to the NetMeeting camera?) Now, let's be generous and presume that the phone number is staffed 24 x 7 and that enough operators are available, so I don't wait more than a minute or two to get connected to the human. Still, I'm troubled.

First, having to essentially ask Microsoft's permission to reinstall my OS—which is what this matter boils down to—rankles. I don't want to reinstall an OS at all; I do it solely because of defects in it or in drivers and applications. If I buy a book, read it, and decide to reread it in a different chair, I don't have to call the publisher for permission, no matter how many chairs I sit in as I read that book. Yes, Microsoft will allow a "certain number" of reinstallations on "different" hardware, but it's a fixed number. (Too bad consumers can't force Microsoft to hold system-crashing bugs to a "certain number.")

Second, I presume that Microsoft would—or could—choose to stop authorizing reactivations on an OS a few years down the road on the grounds that the company no longer supports the OS—or something like that. This notion isn't fanciful by any means because virtually every software company would love to stop selling software—and start RENTING it to you.

Third, Activation feels very much like the "camel's nose under the tent" sort of ploy. Is it hard to imagine Microsoft in 5 years telling us that just too many of us are reinstalling systems and that the company's phone support costs are going through the roof, so it'll have to charge a modest $25 reactivation fee? At that point, it will be a little late for consumers to say "Well, in that case, I'll go back to Windows 2000, which doesn't require Activation." The hook will be well set by then.

Fourth, the whole activation process assumes that Microsoft's database servers on the Internet are up and running all the time. And although they're pretty good, 100 percent uptime's just not a reality.

Fifth, a network trace of Activation seems to show that it's just a secure HTTPS transaction. So what happens when a firewall product inadvertently keeps the "okay to activate" message from getting from the Microsoft server to your machine? Must everyone in a company make the call to Microsoft for Activation help? (If one could "undo" or "transfer" an activation, this situation wouldn't be quite as bad. But I can't see how that's possible, given the way that this particular copy-protection scheme works.)

Activation: Not Everyone's Affected

What's that you say? People won't stand for this, so it'll never happen? Well, get ready for the clever part: You'll have to activate only those copies of Windows XP Pro, Windows XP Personal, or Whistler Server purchased through retail channels. CD-ROMs purchased through Open, Select, or Enterprise licenses won't require activation.

In other words, divide and conquer.

You see, if Microsoft told big corporate and government customers that they must do this Activation stuff, making automated rollouts all the more difficult, big customers might well just say "no." (Just ask any IT professional if she'd be interested in a new OS version that is actually HARDER to roll out, and see what answer you get.) But large, medium, and some small business customers don't (or needn't, anyway) get their OS licenses retail—most businesses can benefit from one of the licensing programs. The Activation process really affects only home and very small business users, so Microsoft's high-revenue clients won't have reason to squawk. The camel's nose appears again: If Microsoft gets away with this with Whistler for the really little guys, then why not extend the reach with Blackcomb (the NT after Whistler), extend it further with the next NT, and so on? I'd hate to see a world 10 years from now, in which every organization had to install and maintain an "activation server" that Microsoft owned but was sited on that organization's local intranet, policing licenses and activations—but not collecting any personal data, of course.

I feel strongly that copyright law is important and must be enforced, particularly in light of the importance of intellectual property in the US economy. And, to be honest, because I make much of my income from intellectual property, I completely understand the frustration that Microsoft's bottom-line watchers must feel over the immeasurable number of pirated copies of Microsoft products and the lost revenues. And I own Microsoft stock, so in a sense I personally lose from piracy as well. But it's bad business practice to irritate your existing customers in hopes of finding new ones, to first establish a monopoly (remember, the courts said it) and then exploit it to the customers' detriment. Because that's the most odious part about this scenario: Microsoft wouldn't have dared anything like this move without that monopoly. If that seems unreasonable, ask yourself whether you can imagine DOS, Windows, or NT succeeding had they required something like this?
