In last month's Windows 2000 Magazine UPDATE Special Edition, I explained what I knew about the new Windows Product Activation feature built into Windows XP Professional, Windows XP Home Edition, and the various flavors of Windows 2002 Server. (In case you missed the fanfare—Microsoft has revealed the product name of what we've been calling "Whistler Server"—Windows 2002 Server.) Many of you—hundreds of you—responded with interesting and helpful insights. A particularly interesting response came from one of the Microsoft folks working on product activation, Allen Nieman. Nieman is a product manager in the Licensing Technologies group. He was kind enough to spend about an hour and a half with me on the phone to fill in more details about how product activation works, and I can't thank him enough for his help. Because I didn't have all of the information about the Windows activation process last month, I had to speculate a bit, so this month I'll pass along what he told me.

I'll begin with more specifics about what product activation does. When you install a product that requires activation, it asks that you activate it within 30 days (or that's what the final product will do; it's 14 days in the beta). During the activation process, the OS inventories your hardware and summarizes it as a single 50-digit string. The hash is, I'm told, a one-way function, meaning that although a particular set of hardware will generate a particular set of digits, reversing it isn't easy, so merely knowing the 50 digits about your system wouldn't tell me what size and type of hard disk you owned. But do you believe that's all that Microsoft is gathering? A capture of the transaction shows only a very small amount of data going over the wire to Microsoft, so it doesn't look as if Bill is uploading your portfolio.

Additionally, you can choose to activate your OS by calling Microsoft and reading the 50-digit number to a carbon-based life form (rather than sending it to a silicon-based server). The recipient will then read a 42-digit number to you, which you key in to complete your activation. Unfortunately, that's a one-time-only 42-digit value; should you need to reinstall the OS on that system, you must call Microsoft to get another code.

As I explained last month, a Microsoft server then stores your 50-digit code and your product key in a database. If someone tries to activate a different machine using your product key, the database will see that someone's tried to install the same copy of the OS on two different machines and will refuse to authorize the activation. Additionally, every time you boot that system, the system recomputes the 50-digit value and, if it's too different from the one used to activate the system in the first place, the OS will demand that you once more connect to the Internet to reactivate your copy. Small hardware changes won't require reactivation. If, however, you lend your neighbor your Windows XP CD-ROM and product key and he installs it on his system and tries to activate it, the Microsoft server will see a radically different set of hardware trying to activate an already activated copy of Windows XP, and will tell your neighbor's system not to activate itself.

But how much hardware difference is "too much"? Nieman wouldn't say because (1) Microsoft hasn't finished Windows XP yet, so anything he'd say might change, and (2) he didn't want to make life easier for pirates. A reasonable answer, but I argued that a determined bunch of people with a closet full of hardware and a day or two to play around could (and would) soon figure that out, so why not just release the information anyway? He demurred, but told me to stay tuned, because Microsoft might publish that information come shipping time anyway.
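The activation and boot-time checks described above, as an added sketch that is not Microsoft's algorithm or code from this column. A single digest over the whole inventory changes completely when any one part changes, so it cannot measure "too different"; the sketch therefore assumes one short one-way digest per component. The component names, `MAX_CHANGED`, the product key and the sample machines are constructed, since the real threshold was not disclosed.

```python
import hashlib

MAX_CHANGED = 2  # hypothetical tolerance; the real threshold is undisclosed

def fingerprint(hardware):
    """One truncated one-way digest per component (assumed layout)."""
    return {slot: hashlib.sha256(f"{slot}:{ident}".encode()).hexdigest()[:8]
            for slot, ident in hardware.items()}

def whole_digest(hardware):
    """Single digest over the full inventory, for contrast: any change alters all of it."""
    blob = "|".join(f"{k}={v}" for k, v in sorted(hardware.items()))
    return hashlib.sha256(blob.encode()).hexdigest()

def changed(a, b):
    """Count component slots whose digests differ between two fingerprints."""
    return sum(1 for slot in a.keys() | b.keys() if a.get(slot) != b.get(slot))

class ActivationServer:
    """Keeps the fingerprint first seen for each product key."""
    def __init__(self):
        self.records = {}

    def activate(self, product_key, fp):
        known = self.records.get(product_key)
        if known is None:            # first activation: remember this machine
            self.records[product_key] = fp
            return True
        # Same key again: accept only hardware close to the recorded machine.
        return changed(known, fp) <= MAX_CHANGED

def boot_check(stored_fp, hardware):
    """Recompute at boot; False means the OS would ask for reactivation."""
    return changed(stored_fp, fingerprint(hardware)) <= MAX_CHANGED

# Constructed sample machines (not real hardware identifiers).
ORIGINAL = {"cpu": "cpu-A", "disk": "disk-A", "nic": "nic-A",
            "video": "video-A", "ram": "256MB"}
UPGRADED = dict(ORIGINAL, disk="disk-B")            # one part swapped
NEIGHBOR = {"cpu": "cpu-Z", "disk": "disk-Z", "nic": "nic-Z",
            "video": "video-Z", "ram": "128MB"}     # a different machine

def demo():
    server = ActivationServer()
    key = "KEY-CONSTRUCTED-0001"
    return {
        "first": server.activate(key, fingerprint(ORIGINAL)),
        "after_upgrade": server.activate(key, fingerprint(UPGRADED)),
        "neighbor": server.activate(key, fingerprint(NEIGHBOR)),
        "boot_after_upgrade": boot_check(fingerprint(ORIGINAL), UPGRADED),
    }

if __name__ == "__main__":
    print(demo())
```
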

But what about when I buy a new machine, FDISK the old one, and put my copy of Windows XP on it—won't Microsoft refuse to activate Windows XP on that new system, thinking that I'm already running it on my old system? No, Nieman said—Microsoft will trust you and approve activating Windows XP on the new system, deactivating it on the old.

Rampant piracy among American small businesses and home users motivates the whole approach, according to Nieman. Microsoft believes that on the average, those folks use four copies of a given piece of software but pay for only one. (The company reckons the ratio outside of the United States to be even higher.) Microsoft acquired those numbers from the Business Software Alliance (BSA), an organization that finds and fines software pirates. I've never seen the methodology that led the BSA to those numbers (which have been floating around for some time), and I personally don't believe them. That 75 percent of the small office/home office (SOHO) software is pirated seems a bit farfetched and, I think, insulting. And if Microsoft truly believes that its home users—you know, the evening and weekend versions of the people who use its commercial products by day—are stealing 75 percent of the Microsoft products they use, that degree of piracy would be pretty important news to Microsoft's stockholders, wouldn't you think? "Here at Microsoft, we have great products, but before you invest, you really ought to know that three out of four people who use our products don't actually pay for them." Shouldn't that information be in the company's annual report or Securities and Exchange Commission (SEC) filings?

Actually, beyond what you or I think, it's a matter of law: If Microsoft believes in those piracy figures, the company must disclose that information in its SEC filings. But other than one vague reference to piracy in its 10-K filing for 2000, Microsoft is silent about piracy—no numbers, percentages, or damages to the bottom line are cited.

No, I'm not suggesting that Microsoft's in violation of investment regulations for not writing "The Prospectus of Penzance"—because I believe that the four-to-one ratio is no more than an exaggeration that provides a convenient bit of self-justification for some industry pundits. But we are talking legal issues here. After all, I pay for all of my software because the law tells me to, not necessarily because I want to. And if the irritation of activation will become part of my life because of a wave of piracy of that supposed magnitude, surely Microsoft should alert its investors to that piracy, by law.

And thinking about finances led to another question: What happens if Microsoft goes out of business? No one could activate copies of Windows XP. If Microsoft disappeared, so would your ability to use its software during the inevitable reinstalls. And no, I don't think Microsoft is going belly-up any time soon (unless it keeps up this product activation stuff), but Nieman said that he hoped that this product-activation approach would turn out to be an effective way to protect software companies of all kinds, including many not as sturdy as Microsoft. I'd hate to think that if Intuit disappeared, all of a sudden I wouldn't be able to get to my checkbook or portfolio information!

Despite the many other things to consider, I'm about out of space. I don't want to sign off, however, without answering a frequent reader question generated by last month's column. I explained last month that product activation wouldn't apply to those using Open, Select, or Enterprise copies, but many of you disagreed, telling me that your Open, Select, or Enterprise Beta 2 copies require it. According to Microsoft, that's an issue with the beta only. Nieman said that the final Open, Select, and Enterprise copies of Windows XP and Windows Server 2002 won't require activation—so scripts, Ghost, Remote Installation Services (RIS), and the other rollout tools that we know and love will work without a hitch in Windows NT's latest incarnation. And when asked whether Windows XP would target SOHOs as a preparatory step to visiting the activation process on bigger customers next time, Nieman STRONGLY maintained that Microsoft had no intention of doing that. The company feels that it has the piracy issues pretty much under control in large organizations.

I repeat in closing that I fully agree that Microsoft has a right to defend its copyrighted works; and I hope that the company will continue to do so. But placing a burden of annoyance on its existing customers seems unreasonable, particularly when the only reason that Microsoft can impose product activation is its pre-eminence in the market. As I said last month, could Microsoft have made such a move when Windows 3.1 came out? Sure. But we'd have all bought OS/2 instead. And that's the point: when you've got competition, then you can do a lot of things that you CAN'T—or at least shouldn't—do once you're a monopoly.