Microsoft has confirmed that its OneCare consumer security software modifies Windows' overall patch options during installation.
"When you first install Windows Live OneCare, setup informs you that if you choose to proceed, your computer settings will be changed to automatically download and install important updates from Microsoft Update," an unidentified member of the OneCare team blogged late last Thursday.
In the same post, the company said the installer does tell users that their settings may be changed.
Earlier that same day, a popular Windows newsletter reported that OneCare altered Automatic Updates (AU) in Windows XP and Vista without telling users or getting their approval. According to Scott Dunn, an editor of the Windows Secrets newsletter, OneCare sets AU to full-automatic mode and even switches a pair of services back on if they have been manually disabled by the user. Dunn speculated that the behaviour might explain two-week-old reports of patches being installed and systems rebooting without permission.
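A defender who wants to see for themselves whether an installer has changed Automatic Updates, rather than rely on the installer's disclosure, can snapshot the AU configuration before and after the install. The PowerShell below is an added example written for this page, not code from Microsoft, OneCare or Windows Secrets. The registry path and the documented AUOptions values (1 = off, 2 = notify before download, 3 = download then notify, 4 = full-automatic) are real; the service names are an assumption, since the article does not say which "pair of services" OneCare is reported to switch back on.

```powershell
# Added example: record Automatic Updates (AU) state before and after an install
# and report what changed. Not part of the original article.

$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Documented meanings of the AUOptions value under the key above.
$auMeaning = @{
    1 = 'Disabled (Automatic Updates off)'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install automatically (full-automatic)'
}

# Assumption: the services worth watching are the Automatic Updates service
# and BITS. The article does not name the two services it refers to.
$servicesToCheck = @('wuauserv', 'BITS')

function Get-AutoUpdateState {
    $props = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $opt = $null
    if ($null -ne $props -and $null -ne $props.AUOptions) { $opt = [int]$props.AUOptions }

    $services = foreach ($name in $servicesToCheck) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
            StartMode = if ($wmi) { $wmi.StartMode } else { 'Unknown' }   # Auto / Manual / Disabled
        }
    }

    $meaning = 'Not set / unknown'
    if ($null -ne $opt -and $auMeaning.ContainsKey($opt)) { $meaning = $auMeaning[$opt] }

    [pscustomobject]@{
        AUOptions = $opt
        Meaning   = $meaning
        Services  = $services
    }
}

function Compare-AutoUpdateState {
    param(
        [Parameter(Mandatory = $true)] $Before,
        [Parameter(Mandatory = $true)] $After
    )
    $findings = @()

    if ($Before.AUOptions -ne $After.AUOptions) {
        $findings += "AUOptions changed: $($Before.AUOptions) ($($Before.Meaning)) -> $($After.AUOptions) ($($After.Meaning))"
    }

    # Flag any service that was re-enabled or started between the two snapshots.
    foreach ($b in $Before.Services) {
        $a = $After.Services | Where-Object { $_.Service -eq $b.Service }
        if ($a -and ($a.StartMode -ne $b.StartMode -or $a.Status -ne $b.Status)) {
            $findings += "Service $($b.Service): $($b.StartMode)/$($b.Status) -> $($a.StartMode)/$($a.Status)"
        }
    }

    if ($findings.Count -eq 0) { 'No change to Automatic Updates settings or watched services.' } else { $findings }
}

# Usage: snapshot, run the installer, snapshot again, then compare.
#   Get-AutoUpdateState | Export-Clixml au-before.xml
#   ... install the product under test ...
#   Compare-AutoUpdateState -Before (Import-Clixml au-before.xml) -After (Get-AutoUpdateState)
```

Run both snapshots from an elevated prompt, since reading `Win32_Service` start modes and the policy key is reliable only with administrative rights. The same before/after pattern applies to any installer whose disclosure is vague about system changes.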
"This behaviour is by design and is not unique to the latest version of OneCare," the Microsoft blog post continued. "It helps ensure that your computer continues to receive important updates as soon as possible after they are released."
The post included a screenshot of the first installation dialog that users see. Text in that dialog reads, "By using OneCare you agree to let Microsoft make changes to your system, such as enabling features that keep your system up to date and make it safer for you to browse the Internet." The disclaimer does not specifically say that AU's settings will be changed and, contrary to the statement in the OneCare blog post, it does not mention the Microsoft Update patch service.
A researcher noted for his work in dissecting questionable install disclosures said that OneCare fumbles when it comes to adequately informing users. "Microsoft uses a lengthy multi-paragraph statement in an installer screen, and the affirmative button is labelled simply 'Next' (not 'I agree' or similar)," said Harvard Business School assistant professor Ben Edelman, who has investigated adware installation disclosure policies and language. "This design means some users will inevitably 'consent' and receive updates without fairly understanding what will occur."
Edelman called on Microsoft to clearly state what it will do to users' PCs before it installs OneCare. "[They] ought to do more to alert users to the significance of the text on that screen, both by emphasising what's most important and by assuring that the continue-install button alerts users to the fact that they're not just going on to the screen, but that they're actually indicating agreement to have their computer modified as Microsoft sees fit," he said.
The OneCare team hinted that it might do just that but stopped short of promising changes. "We are evaluating user feedback and will be revisiting how we communicate the installation details of Windows Live OneCare," the blog said.
A OneCare user commenting to the Microsoft blog called for more information during installation. "I see no practical reason you cannot post a warning label on that same initial notice that all updates for the OS on which OneCare is being installed will be set to 'Install updates automatically,' and give an opt-out option," said someone identified as Uncfudd.
Dunn, the Windows Secrets editor who first reported on OneCare's AU changes, reacted Monday to Microsoft's rebuttal. "It isn't apparent that this [disclosure] refers to updating your entire system via AU or just updating virus definitions," he said in an email. "A better way to go would be to ask a question as part of the installer, with the default being to not change the user's current settings.
"Microsoft used to be an innovator in user interface research," he added. "Surely this isn't too hard for them to figure out."