Privacy Watch: When Killing Bugs Reveals Your Data
A world without software crashes. While it may not be a dream of Miss America contestants, many of us would love to see it. But are you willing to risk your privacy to get there?
Here's what I mean: Microsoft introduced a feature in Windows XP and Office XP called Application Error Reporting. It aims to give Microsoft engineers all the information they need to create fixes when bugs make computers crash.
If you use Windows XP and any application crashes, a dialog box will invite you to send Microsoft a bug report. (If you have Office XP only, you are limited to reporting Office application crashes.) The report includes a copy of a chunk of system memory, so engineers can see what was running on your system at the moment the bug struck.
On the surface, filing a bug report seems beneficial, even altruistic--maybe Microsoft will patch your bug, making Windows more stable for all users.
But if the duplicate piece of memory sent with the bug report contains a sensitive document or password, that data goes to Microsoft too. That's not ideal, especially if you happen to be a government attorney working on the Microsoft antitrust case.
While it's possible to see what data gets sent to the software giant, the process involves so much digging that you may need a backhoe. You must go through multiple layers of dialog boxes and root around in temp files. Microsoft's privacy policy doesn't elaborate on what happens to the data once the XP engineers are done with it.
A company spokesperson says the techs toss data that doesn't help them fix a bug, then delete all the data once the bug is fixed.
Microsoft is not the first software company to introduce error reporting, and other companies are certain to follow suit.
Such error logs are "a good way to make software better," says Marc Maiffret, an analyst with Internet security firm eEye Digital Security. "But people need to be able to look at [what they're sending]."
Do I believe that Bill Gates (or anyone else at Microsoft) is poring over the thousands of data files the company receives with bug reports? No. But the company could do a better job of informing us about the reporting process. We need to know what information the company will receive and what its minions will do with it.
When you're considering whether to click the Send button on a bug report to Microsoft, ultimately you have to decide if you trust Microsoft. But without all the facts, it's hard to feel very trusting.
Andrew Brandt is a senior associate editor for PC World. He can be reached at consumerwatch@pcworld.com.
