
Microsoft’s Audit Process Raising Questions on Data Security and Privacy

Microsoft’s Audit Process Raising Questions on Data Security, Integrity and Privacy.


Over the last few years in the industry, handling several medium and large scale projects has given me ample opportunities to interact with customers as well as observe interesting aspects of business processes and practices in client organizations. At times I have been astonished by violations of certain best practices committed out of ignorance; in other instances I was left baffled by the non-compliance of partners and OEMs of top tech leaders in our country.


This reminds me of a recent incident: Microsoft is investigating the methods partner KPMG uses to crack down on the illegal use of its software in India, after a complaint last month from Vinit Goenka, technology adviser to the government, that a KPMG employee ‘barged in’ to his Mumbai recruitment firm without an appointment to check its software, according to emails reviewed by Reuters.


Rajiv Sodhi, a senior Microsoft India executive, told Vinit in a March 20 email that the company was looking at the issue with ‘utmost seriousness’. ‘We are also getting an assessment agency to carry out an audit of the process delivery at KPMG to identify and correct gaps, if any,’ Rajiv wrote in the email reviewed by Reuters. However, Rajiv did not respond to a request for comment. Microsoft told Reuters its SAM program is run as per global standards, while KPMG said it follows ‘appropriate procedures agreed in our engagement with clients’. Both Microsoft and KPMG declined to comment on the alleged incident and probe.


Microsoft runs a global Software Asset Management (SAM) program to ensure compliance, under which it partners with global consultants, such as KPMG in India, which seek permission from business owners to check for the use of unlicensed software.


According to a 2016 report by advocacy group Business Software Alliance, India is one of the US technology firm’s biggest markets in Asia, yet over half of all software installed on computers in the country is unlicensed. A pirated compact disc of Microsoft’s Windows 10 can be purchased for around $2 in New Delhi, as compared to the $130 required to buy the operating system from Microsoft online.

I have witnessed a few SAM audits conducted by Microsoft in client organizations. The level of interaction between so-called representatives of Microsoft and Indian client companies reveals the pathetic state of piracy prevalent. It also proves a complete loss of Microsoft's control over its so-called representatives and process compliance.


It is fine if an authorized representative of Microsoft contacts a business owner to propose a SAM audit to assist with software compliance. But it is utter harassment if multiple representatives contact the business owner with different proposals of SAM audits. Many of my client organizations have undergone this bitter experience. The language and tone used by the representatives are at times objectionable. There seems to be a complete lack of internal coordination. Multiple so-called auditors ask for the same computer / software usage details from the business owner, not bothering to verify whether the same has already been collected by one of them.


All these so-called authorized representatives of Microsoft have access to past details of the business owner's SAM audits, computers, software usage, etc., which are to be kept confidential, by binding as well as by practice. How can Microsoft share highly confidential and sensitive details with persons not employed by Microsoft without the consent of the business owner?


Some of these Microsoft authorized representatives attempt to contradict and nullify their own claims. Not sure if Microsoft is aware of such manipulations, but here are a few instances.

Based on the computer or software details submitted by the business owner, a Microsoft representative sends an invoice to indicate the gap and fulfill the gap. I have seen that after the business owner procures all items suggested in the invoice, in a few days another so-called representative will call and deny the validity of the previous invoice. He will claim that the earlier invoice was erroneous and useless, and compel the owner to purchase higher versions of the product.

The representatives explain the difference between OEM and paper licenses. According to them, paper licenses are hardware-independent, unlike OEM licenses, which are bound to the hardware. They will push the business owner to buy paper licenses. After a few months, another representative will contact the same business owner and force another SAM audit. If they find new hardware loaded with a paper license key, they will manipulate the facts and explain the node-lock policy of Microsoft. They will say that paper licenses cannot be installed on new hardware. It sounds strange when one representative disqualifies what another representative (maybe belonging to a different agency) is saying. To add to the dilemma, all are authorized by Microsoft.

Most of the branded computer manufacturers like Dell, Lenovo, HP and Wipro sell desktops and laptops preloaded with Windows Single Language. They sell this hardware to companies too. When the so-called Microsoft representatives find such computers with a preloaded operating system, they say that it is not allowed to be used for business purposes and that one must buy the Professional OS.

They even refuse to sell Single Language Windows for a peer-to-peer network. You know, the Professional OS is more than thrice the cost of Single Language. Is this not outright manipulation and malpractice?


Manipulation and concealment of facts are serious offences. Denial of sale of a product with the intention of compelling the buyer to buy a much more expensive product is an example of monopolistic and restrictive trade practice.


These representatives at times walk into client premises without appointment or intimation. They become aggressive and try to encroach inside without any authorisation letters, search warrants or even identity cards. Microsoft may not know, but they say that they are from Microsoft. They even carry their pen drives with some exe files and pressurize business owners to run those exe files on their computers without any non-disclosure agreement (NDA), privacy assurance or IP protection guarantee. They do not even care about explaining the after-effects of injecting such software. Client organizations succumb to the pressure most of the time, and there have been reported incidents in which the pen drive was carrying ransomware that encrypted all files on the network. Is this not an unethical and unacceptable practice?


There are instances wherein client companies have been threatened with criminal proceedings, confiscation of assets and huge penalties. I am sure they are neither empowered nor authorized to do so. They even reveal that since they have visited, they are expecting some revenue. They even promise to relieve the pressure if some business is given to them. They start negotiating, and even insist on the purchase of some software for a couple of lakhs. Well, needless to say, it is another agency's turn after a few months to carry on with the ordeal. Is this part of Audit or Sales? Well, neither is acceptable.


In some cases the representatives claim that the client company’s computer activities are monitored by Microsoft and that the tech giant knows their software usage precisely. Is this not a breach of Data Security and Privacy?


These representatives communicate using email IDs under the Microsoft domain, which will not allow Microsoft to deny its involvement or liability, a noteworthy point.


The biggest question: Is data safe on any software that is prone to piracy? First of all, Microsoft needs to secure its software so that it cannot be copied, pirated or produced in any duplicate form. Also, the tech leader needs to plan, investigate and come up with firm steps to improve its Audit Process, so that reported incidents of impeachment, security breaches, manipulation and malpractices can be averted.