What happens if your product key is stolen?

The first part of a series on some concerns about Microsoft’s anti-piracy measures as they apply to Microsoft Office 2007 and Windows Vista.

This is the first part of a series on some concerns about Microsoft’s anti-piracy measures as they apply to Microsoft Office 2007 and Windows Vista.

Both these products can be disabled by Microsoft after they have been initially activated – Windows Vista has that now and Office 2007 could have the ‘kill switch’ implemented at any time Microsoft wishes.

We’re going to deal with these issues in-depth as Office Watch has done from time to time over the last decade. It’s important to keep in mind that the problems we highlight probably won’t happen to you, but even rare occurrences (in percentage terms) with MS Office will happen to many people. The level of concern is raised, not reduced, by the responses we’ve received from Microsoft.

Software Activation – then and now

For Office 2000, XP and 2003 you need to ‘activate’ your software after installation. The technology works fine. In short, it links a particular computer to a software product key. Activation checks with Microsoft to see if the product key has been used before on other hardware. Depending on the license attached to that key (ie number of computers that software license was sold for) the software will be activated on that computer for ongoing use.

We’re not concerned about the activation technology which, aside from some glitches and misunderstandings, works tolerably.

The important point is that once activated the software (Windows or Office) will continue to run even if Microsoft discovers later that the product key used was illegal. An invalid product key can stop you from getting later major updates and add-ins but the software itself will always work and there’s nothing Microsoft can do about that.

Now – with Windows Vista and potentially Office 2007 that changes – the activation system will occasionally check if the product key is still ‘legal’. If Microsoft decides that the product key for your software has been stolen and misused then your copy of Vista or possibly Office 2007 can be disabled remotely (after a warning period).

If your Product Key is stolen?

Disabling software is reasonable if you’re using a stolen product key but what if you’re the victim of theft?

In other words, what if your Vista or Office 2007 product key was stolen and used on other computers?

If that happens, eventually your legally purchased software could be disabled by Microsoft remotely. As we’ll see this can happen at any time, with no reason given and no proper recourse or avenue of appeal.

You could lose up to US$400 for Vista or US$680 for Office 2007 at the judgment of Microsoft – as a customer you’d have little idea of why your money has been lost.

All it takes is someone to merely take and use the product key for your Vista or Office 2007, and as we’ll see that’s absurdly easy.

Getting the software itself is a trivial matter – copies of the Office 2007 CD are already available for download from many unofficial sources. All that’s needed is a stolen product key to activate the software.

Firstly let us give you some examples of what could happen:

What could happen to you

You buy a copy of Windows Vista, install it and it’s been running happily. Someone who has access to your computer, your desk or bookshelves, makes a copy of the 25 character product key, then uses it on their own computer or worse, makes it available to many other people.

That’s not so farfetched – perhaps a friend of your children is using your computer and ‘needs’ a product key? Anyone who uses your computer could do it, and that’s not forgetting the sticker that has the product key in the first place – if that’s left lying around your home or office it could be copied.

Corporate users are even more at risk, with copies of their licensed software on laptops and perhaps computers at home there has always been trouble with product keys ‘escaping’. Microsoft acknowledges that this happens and says they ‘work with customers’ – which could mean anything and probably does.

Because enterprise product keys can apply to hundreds or thousands of installations the risk of misuse is greater. However we are concerned that the ability to disable software remotely can affect all customers – big and small. It’s the small, retail and OEM customers who are more likely to be left with disabled software and with no recourse.

If the product key is used to activate on one unauthorized installation it may work (depending on the number of computers the key is valid for) but it means that you won’t be able to use the additional activations you paid for (for example on a desktop and laptop computer or three installations with the ‘Home and Student’ license).

If the product key is published more widely (via email or on a web site), Microsoft can detect additional attempts to use that product key and could deem the product key as ‘stolen’. Once that happens the ‘kill switch’ could severely reduce the features available on your copy of Vista or possibly Office 2007.

There seems no way for Microsoft to differentiate between the initial (and presumably legitimate user) of a software license and others who steal and misuse that product key. Everyone who uses that product key can have their software disabled.

Microsoft has the ability to ‘disable’ a legally purchased copy of Windows Vista at any time, even after activation – if they believe that the product key has been stolen and pirated. While Office 2007 lacks the ongoing ‘kill switch’ that’s in Vista – the technology is there and Microsoft could start disabling ‘pirated’ Office 2007’s at any time.

Safeguard your Product Key – how?

According to Microsoft it is the customer’s responsibility to keep their product key secret. It’s a comforting argument for Microsoft, for it imposes all the responsibility on the customer and absolves Microsoft of any blame.

But Microsoft doesn’t make it easy for you to protect your product key – in fact Microsoft leaves an absurdly open door for thieves.

There are many pieces of software that will quickly reveal the Windows and Office product keys, anyone with access could download and run such a tool or carry it on a USB ‘key’.

Product key disclosure software already exists for Vista and Office 2007, let alone for earlier versions of Windows and Office.

What does Microsoft say?

We’ve tried to get a response from Microsoft but it has been difficult. The company is extremely reluctant to answer questions about their anti-piracy measures, even when it applies to legitimate customers.

For example, when we asked about the theft of product keys from retail customers we’re told “we do not see those keys widely used in piracy or counterfeit”. In other words since, in Microsoft’s opinion it doesn’t happen much so it’s not a problem.

Next week we’ll continue this feature with some advice on what you can do to protect yourself from product key theft and other thoughts on problems you could have with Microsoft’s anti-piracy measures.