November 29, 2005

MS Office XML Schema License: Let’s give Microsoft some benefit of the doubt, but not too much…

Analysis of Microsoft’s License

Andy Updegrove has a good analysis of Microsoft’s License Covenant for its Office XML format. It covers most of the issues that a rival to Microsoft Office will be interested in.

I agree with the point that the covenant will have more bite if there are some enforcement procedures, such as ECMA or OASIS rules. He is also correct to say that it is dangerous to depend on a covenant for a format described by a company on a website completely under the company’s control (as opposed to a covenant for a format in a published standard). While these are important issues to bear in mind, let’s not forget that at present Microsoft is unable to meet this standard because its XML format is not yet accepted as a standard.

As for the question of whether the Office XML format will be truly open, we will have to see what emerges from the ECMA process. I hope it is not what David Coursey predicts it to be, i.e., simply a cloak for a proprietary format.

A risk with using Microsoft’s covenant at present is that Microsoft can withdraw from the ECMA process at any time. Sun did it with Java at the same standards body. This would mean that everyone who was sold on the fact that Microsoft’s format will be opened will have egg on their face. The chance of Microsoft doing this is small, because it would completely destroy their business reputation, especially if it is seen as a ruse to get their format accepted by government agencies. One just does not spike one’s customers this way without serious repercussions later on.

Politics and OpenDocumentFormat

Yup, I know, this is old news now:

In this article, Senator Pacheco, the chairperson of the committee that grilled Peter Quinn and Linda Hamel on Senate Hill, said:

“If you have a product that’s going to be accepted in the international community, and they still exclude it here, then it’s really about restricting Microsoft and not about open standards,”

If there was any doubt whether Senator Pacheco is influenced by Microsoft, this clinches it.

Should we call Senator Pacheco clueless about what really matters in an open format? NO. Absolutely not. Unless one is in the industry, it is difficult to know that it is the small details about published standards that actually matter.

However, the hearing he chaired showed him to be totally clueless about the issue. For example, he could not even differentiate between OpenDocumentFormat and OpenOffice. One would have thought that since he is the one who took the lead and made a fuss about the issue, he would first bother to get his facts straight. No chance there. That is my beef with him: not that he has a different opinion from me, but that he did not do his homework. The sad thing is, he may be the first, but he will not be the only one.

Peter Quinn and Linda Hamel may not be politically savvy, but when it comes to technology, they are very thorough. As long as they judge Microsoft’s XML schema by the same evaluation criteria they spelled out when selecting OpenOfficeFormat, and come out with a fair reason for rejecting or accepting Microsoft’s XML schema as open, we have to give them the benefit of the doubt. Of course, their decision is going to be made more difficult by this move by Microsoft to submit its office format to ECMA.

November 22, 2005

MS submitting Office XML schema as Open Standard

Microsoft took the first step in the right direction towards getting its software used in Massachusetts with the submission of Open Office XML as an open standard to a standards body, ECMA, and, through ECMA’s fast-track agreement with ISO, eventually to ISO.

ECMA is the same body to which Microsoft submitted its C# programming language and Common Language Runtime.

However, I would not go as far as to say Microsoft is for open standards. First, its track record shows that it will open up only when forced to. I do not mean being forced by authorities, such as the ongoing appeal of the EC decision to force Microsoft to offer a version of Windows without Media Player, or the Korean Fair Trade Commission’s probe into virtually the same subject. In fact, in those cases, Microsoft is either fighting tooth and nail (EC) or has threatened to withdraw its product, leaving its customers high and dry (Korea).

Instead, it takes the rise of serious competition for Microsoft to change its ways. First we had Netscape (browser war 1), then Open Source (Shared Source Initiative), Google (browser war 2) and now Open Document Format (leading to this decision).

Long live competition!

Second, it is necessary to review the licensing terms and conditions. These are not going to be published until Wednesday. Suspiciously, ECMA has a misleading clause called Reasonable And Non-Discriminatory (RAND), which allows proposers to collect a royalty. If Microsoft elects to use this, it will in effect torpedo open source efforts to create software that uses the Microsoft XML Schema. I believe one necessary quality of being open is not to use any tactic that will stop competitors, including potential competitors and especially known, major competitors.

Third, and perhaps most importantly, an open standard is about participation in setting the format. In the Open Document Format specification via OASIS, we have different bodies with vastly different interests, including Sun Microsystems (and OpenOffice), IBM, Corel, Boeing, the Society of Biblical Literature, the National Archives of Australia and the New York State Office of the Attorney General, to name a few, all sitting down together to write a standard.

Contrast this with Microsoft’s XML standard approach, where one party comes out with a standard and asks others to endorse it. Microsoft does get a lot of luminaries to endorse it, including Apple, Intel, Barclays Bank PLC and the British Library. I wonder what input those companies had in defining the format. Did Microsoft promise them a discount if they endorsed it?

Nevertheless, let’s have a look at the licensing conditions on Wednesday. I hope it is not like the C# and CLR standardization process, where it is very difficult to work around other patents held by Microsoft to implement an alternative to their offering.

Ad-supported Microsoft software?

John Carroll and I both have tunnel vision. Mine is my blind support for open source software, while Mr Carroll’s is for Microsoft’s software.

The issue of contention this time is ad-supported Microsoft software. In John Carroll’s original post, the discussion seems to center on Microsoft Office. In Mr Carroll’s response to Phil Wainewright’s comments, the notion of ad-support also encompasses Microsoft Windows.

I would certainly like to see more exploration of ad-supported software. John Carroll is right. The key with ad-supported software is that a way must be found to balance the needs of consumers and advertisers. Ad-supported software’s potential is still not fully understood and largely untapped. Unfortunately, Microsoft’s track record shows that it has so far failed to get it right: just compare how intrusive the advertisements in Hotmail are compared to Google Mail (Gmail). Also compare how many unnecessary ad-sponsored pages you have to click through before setting up your new Hotmail account.

So far, all successful ad-supported software models concentrate on web-enabled software applications, like Opera Software, Google Software and Microsoft Live. This is the fatal flaw of ad-supported software: the need for the computers to be online. If being online is a requirement for ad-supported software, it will be very constraining. Even if the computers need not be online every time the ad-supported software is used, the need to be online periodically is still a constraint. I know because I do not have an online connection at home and do not want one, despite the fact that I live in a developed country and it is dirt easy to get access.

It is difficult to see how the ad money can be used to support offline computers. However, Microsoft is one of the technology-savvy companies with a very acute business sense. If anyone can come up with a workable model, I will put my money on Microsoft.

It is true that ad-support can reduce cost to the user. However, I do not agree with John Carroll that Microsoft can “retake” the low-cost high ground in the developing world. As long as a company’s software cannot be distributed for “free” and used perpetually, it will cede the low-cost high ground to open source software. As I said, existing ad-supported models require an online connection, partly to “refresh” the advertisements. Online connections cost money, even in the developing world, and this is assuming that an online connection is available. Hence, either a benevolent benefactor has to be found to foot the online bill, or the user has to cough up the money. In underdeveloped countries where people live hand-to-mouth, they simply cannot afford it.

If a completely offline solution is found, it is likely that an advertiser (or a group of advertisers) must be found to sponsor the software upfront, as the adverts cannot be “refreshed”. To achieve the “advertising” effect, the sponsored software will have to reach a sizable number of people. This is difficult to achieve. In his reply to Mr Wainewright, he acknowledges that third-world advertisers are needed to serve the third-world computer user. The amount of money needed to sponsor an offline solution probably puts it out of reach of the majority of these advertisers. The amount can of course be lowered if the offline ad-supported software model relies on having an expiry date on the software. This introduces the problem of maintenance, chiefly in the form of obtaining a new copy of the software when it expires, and creates uncertainty for the computer user as to whether his access to the ad-supported software can be cut short by Microsoft’s inability to find a substitute sponsor when the current sponsorship expires.

Contrast this with open source software, which can be preloaded at no cost and will work for as long as the computer is functioning. Open source software has other advantages, but since Mr Carroll concentrates on the cost component, I will reciprocate by restricting the discussion here to cost.

Moreover, ad-supported software assumes that there is a market big enough to make it worthwhile for Microsoft (or other companies, for that matter) to offer their software to advertisers. Without naming names, this is certainly not the case for a number of very underdeveloped countries. Who, then, is going to serve the needs of these people?

While John Carroll rubbishes the competition from OpenOffice, the fact that he mentions it in both his blog entries makes me think I detect a hint that he is troubled. Before OpenOffice 2.0 I would have agreed with Mr Carroll that it is not a serious competitor. With the arrival of OpenOffice 2.0, I will stick my neck out and say that it is ready to replace Microsoft Office for at least 80% of users, and I am one of them. In fact, despite the fact that I can get Microsoft Office Professional for less than GBP50 through my university’s licensing agreement with Microsoft, my next computer will be devoid of Microsoft Office in favour of OpenOffice 2.0. Having only OpenOffice on my computer is no longer a problem.

One problem with John Carroll’s tunnel vision is that his view is so Microsoft-centric that it is often easy to see how Microsoft benefits but difficult to see how the customer benefits. It is easy to see how Microsoft benefits from making its software ad-supported, but how consumers and advertisers benefit from it is far from clear. This is effectively Mr Wainewright’s central point in his article. My tunnel vision is that I do not care about companies and am only interested in seeing how consumers benefit from software. Both of us need to move to more central ground by considering the other side. I am trying very hard to do this. Mr Carroll is certainly doing the same. His arguments on ad-supported software and his calling a storage device a substitute for a computer show that he is trying hard.

November 18, 2005

Bad to Worse for First4Internet

The situation is going from bad to worse (or from worse to worst?) for First4Internet.

There are rumors on the net that First4Internet’s XCP program, the notorious rootkit DRM, violated the General Public License (GPL). Ironically, it is DVD Jon’s VideoLAN code that they violated. VideoLAN is one of the programs that can bypass Apple’s DRM mechanism. Remember DVD Jon? He is the Norwegian nemesis of the RIAA (Recording Industry Association of America). He is definitely at the top of their “Most Watched” list. He was at the top of their “Most Wanted” list, but they had to demote him to the first list after two unsuccessful attempts to prosecute him under Norwegian law for the same offence. You have got to take your hat off to this DVD Jon fellow. He managed to seriously upset the recording industry while standing on the correct side of the law. This is by no means a small feat.

There are other allegations that XCP violated the Lesser General Public License (LGPL) of LAME and other software. These allegations are, relatively speaking, very minor. They revolve around XCP allegedly containing source code from LAME, but not appearing to call that code, and failing to acknowledge the use of this LGPL code. The fact that one is not sure whether using this code constitutes “mere linking”, which is permissible under the LGPL, means we have to give First4Internet the benefit of the doubt before saying that a major violation of the LGPL occurred. With GPL-ed code, however, there is no ambiguity.

If it is true that XCP violated GPL code, the consequences for the company are dire. For a start, DVD Jon can bring a lawsuit forcing First4Internet to publish the source code of the XCP program or to withdraw the XCP software. First4Internet’s successor to the XCP program will probably be affected as well, as it is unlikely that they wrote that program from scratch. They could in theory pay DVD Jon and the other developers of the GPL-ed software they used to keep their source code out of open source. However, I do not think this possibility is even worth considering, given DVD Jon’s track record. It only takes one person in the chain who disagrees to scupper the deal.

Most importantly, as far as I am concerned, First4Internet’s credibility as a programming house is utterly destroyed. Dubious software practice (the DRM rootkit) is one thing; very bad programming (introducing a vulnerability in the original DRM rootkit and then shipping a fix that introduces a bigger vulnerability) is another. Now, it seems that the company that creates DRM to protect other people’s intellectual property is itself totally disregarding other people’s intellectual property. Perhaps I should not be surprised, given its dubious software practice and bad programming. Now that there are three nails in their coffin, if that does not cause the company to collapse, hopefully a fourth nail will. Do I have sympathy for the company? Not a bit. In fact, I would pay for the chance to hammer in the fourth nail.

Returning to the issue that the GPL requires downstream software to reveal its source code as well: is it worthwhile forcing First4Internet to reveal their source code? As I am anti-DRM, any legal weapon that we can use to kill DRM, including forcing vendors to reveal their code, should be explored. But as an anti-DRM person, having the source code does not mean I will touch or use it, not even with a barge-pole. If the copyright holders of the GPL’ed software do indeed go down this route, the biggest benefit would be to show proprietary vendors that open source is not public domain software and that they have to respect open source licenses as well.

November 16, 2005

Sony on the right path to fix DRM Debacle, more doubts on the competency of First4Internet

Finally, Sony is on the right path to limiting the damage caused by the DRM rootkit debacle. According to USA Today, Sony will pull all copies of the rootkit-infected CDs from the shelves and swap these CDs if consumers ask them to. It has also softened its tone from “There is no security threat” to “Sony BMG deeply regrets any inconvenience to our customers and remains committed to providing an enjoyable and safe music experience”.

Dear Sony, what took you so long? That should have been the second logical step to take (the first step being to establish that the deployed DRM is doing something unacceptable to consumers), not the fifth or sixth step! Why go through the tortuous, self-harming ritual of denying there was a problem in the first place? Did you not have the right staff to evaluate the technical aspect of this problem? For God’s sake, hire one then! Maybe your PR guru believes that this “deny, then fix it” strategy is the best overall PR damage control. Believe me, this is not a good strategy. It completely destroys trust. Next time someone cries wolf, nobody will believe your denial anymore.

The biggest casualty in the whole saga is First4Internet, the company that supplied the DRM technology. First we have the negative publicity. Then, Sony’s denial that there is a problem reflects First4Internet’s view (since it did not bother to correct Sony). In an effort to provide a fix (when read in conjunction with Sony’s denial, an unnecessary fix), it opened another security hole. It is alarming that this new security hole, i.e., not properly checking the source of a script download, thus allowing the infected computer to execute an arbitrary program, is remarkably similar to the hole the rootkit opened, i.e., allowing other programs to use it to hide their presence because of an inadequate check on the name of the program to cloak from the user. Two of the same problems in a row make one wonder whether First4Internet did the due-diligence checks expected of them.

Most importantly, to a technology-oriented person, this casts doubt on the company’s business practices. It is going to take its toll on the company.

To be fair, SunnComm probably has a worse reputation, for threatening to inappropriately use the DMCA to sue a Princeton student for showing how to bypass its copy-protection system and now, for its version of DRM insisting on staying active until you shut down your computer even if you say “No” and abort the installation process. This means SunnComm has the potential to be the next target in the DRM war.

Raising questions about DRM practices is good for the consumer. It is still not certain whether consumers will accept DRM. DRM is still in its infancy. All these revelations about DRMs have a positive effect. They might not be successful in achieving their ultimate aim: removal of DRMs from the marketplace. Sometimes, revelation is a double-edged sword: by pointing out what is wrong with DRM, it allows DRM vendors to take corrective steps and thus make newer versions of DRM more acceptable to Joe Consumer. However, at a minimum, it

  1. Educates consumers on DRM
  2. Establishes the line between protection of IP and intrusion (trespass) into computers
  3. Keeps companies honest

Thus, I think we in the anti-DRM camp have a lot more to win than to lose.

November 15, 2005

DRM vendors gone too far!

Hot on the heels of the Sony XCP debacle, another debacle is in the making. This time it is SunnComm’s, which is also used by Sony. The problem here is that they install and run the most important bit of their software without your permission. The act of inserting the CD into your computer is very likely to trigger this action. Does this modus operandi sound familiar? Yes, virus writers use this technique.

Am I surprised that another Digital Restriction Management vendor is named this time? No. That it involves Sony again? No. That DRM companies use dubious techniques? No. That big media companies like Sony do not think twice about deploying those dubious techniques? Not a single bit.

That is not the end of it: that piece of DRM phones home. “Phoning home” is the phrase used when computers transmit any information back to a server controlled by the party who provided you with the software. Companies seem to think that it is fine to transmit any information from your computer to their computers provided that they do not capture or use the information. That is wrong: as far as a consumer is concerned, it is the act of transmitting information that counts, not what the companies do with that information.

Debacle after debacle all serve to confirm one thing: companies have gone overboard in their quest to protect their intellectual property. DRM is particularly bad in these cases because it penalizes and hurts legitimate purchasers, not the pirates it intends to stop.

If DRM is to stand a chance of public acceptance, such activities have to stop. Sony and other media companies MUST follow the straight and narrow. Any business is about trust. It cannot be taken for granted. Microsoft is finding it hard to recover from the perception that its software is insecure. Why? People have lost trust in Microsoft software. Media companies should learn from Microsoft’s lesson.

What is the straight and narrow, then? It is simply to follow standard industry practice when providing software:

  1. First and foremost, DO NO HARM.
  2. Never install anything on the computer before you get the user’s consent, and if the user quits the installation process, clean up completely.
  3. For every installer, an uninstaller must be provided. It must do what an uninstaller does. A half-way uninstaller is a no-no.
  4. Do not say you do not phone home if the software does phone home, even if it is simply to retrieve an advertisement banner. Phoning home means transmitting anything about the CD or the computer from the user’s computer. Whatever you do with the information is irrelevant. It is the ability to capture information about the CD and the computer that is the issue.

They would do well to listen to Secretary Baker when he said:

“It’s very important to remember that it’s your intellectual property — it’s not your computer.”

November 14, 2005

Best quote on the Sony rootkit fiasco… and I feel their pain!

This is by far the best quote on the Sony rootkit fiasco:

[On the subject of Digital Rights Management, with clear reference to the Sony rootkit without directly mentioning it] “It’s very important to remember that it’s your intellectual property — it’s not your computer.” — Stewart Baker, U.S. Department of Homeland Security’s assistant secretary for policy.

What makes this even more painful for Sony to bear is the fact that Secretary Baker made this comment at a U.S. Chamber of Commerce-sponsored event in downtown Washington on combating intellectual-property theft.

Sony, I feel your pain!

November 12, 2005

Sony got something right, at last!

Finally, Sony gets something right in its damage control strategy for the rootkit fiasco.

It basically says it is halting production of CDs containing the controversial technology. This is a good step; the next step must be to repair the computers they have already damaged. They should do it sincerely, not with the clumsy multi-step process they have been imposing so far.

It is sad to say that what Sony is doing is probably not much different from what other media companies are doing.

Big companies always think that they can make you swallow anything if they can just get you to sign on the dotted line or click through their End User License Agreement (EULA). This time, the technology in question crosses the line into trespass on computers. It is sad that no government officials, in the US or in Europe, see fit to prosecute Sony for trespass. I think a criminal prosecution is necessary here to set an example, and to push the question of the line between IP protection and fair use rights onto the global stage.

November 11, 2005

Malware writers, what took you so long?

Filed under: Uncategorized — ctrambler @ 11:44 am

The threat of someone taking advantage of Sony’s rootkit was never in doubt in anyone’s mind except Sony’s and that of the supplier of that piece of malware, First 4 Internet. As such, the confirmation that virus writers have taken advantage of it to hide their viruses is itself not surprising. The only question is: what took them so long? Isn’t the game about zero-day exploits (exploiting security and other loopholes less than 24 hours after their announcement)?

There are two possible reasons. First, the rootkit does compromise security by being capable of hiding malware, but luckily this publicized vulnerability can only do that, which reduces its attractiveness to virus writers. Second, and most importantly, this attractiveness was greatly reduced by the fact that not a lot of computers were infected by Sony’s rootkit. Sony/First 4 Internet must count their blessings that the rootkit was discovered early.

Of course, Sony and First 4 Internet will see it differently. They will argue that if Mr Russinovich had not publicized his findings, everyone would be fine. This argument is flawed because if a malicious person discovered this further down the road, the two companies would have a bigger debacle to deal with.

The saga is still evolving, and Mr Russinovich’s blog is a must-read if you are following this case. To date, Sony’s handling of the affair has failed miserably in damage control. In particular,

  1. They denied that the rootkit is a security vulnerability (and still do) despite evidence to the contrary, a good week before this virus appeared.
  2. (I particularly like this one.) They had a top-level officer go on the record saying, in his own voice, that users do not know what a rootkit is and therefore do not care.
  3. Putting so many barriers in the way of users trying to get an uninstaller, and limiting the uninstaller to one-time use whether you successfully uninstall or not, is a rather unnecessary step. This makes it look like Sony is being dragged kicking and screaming into providing such a facility.
