EFF Raises Privacy Concern Over Online Search In Ubuntu 12.10
Ubuntu 12.10 met with some controversy before and after its launch. Initially it was about the inclusion of Amazon ads and privacy in the latest edition of Ubuntu. Now the Electronic Frontier Foundation (EFF) has also raised concerns about data leaks and Amazon ads. Ubuntu founder Mark Shuttleworth earlier defended the inclusion of Amazon ads in Dash and stated:
We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root.
EFF doesn’t seem to fully agree. Micah Lee of EFF writes:
Technically, when you search for something in Dash, your computer makes a secure HTTPS connection to productsearch.ubuntu.com, sending along your search query and your IP address. If it returns Amazon products to display, your computer then insecurely loads the product images from Amazon’s server over HTTP. This means that a passive eavesdropper, such as someone sharing a wireless network with you, will be able to get a good idea of what you’re searching for on your own computer based on Amazon product images.
A lot of users may not care about it, but anyone using his/her PC for something serious would be concerned. Your local search terms being sent to Ubuntu servers can pose many privacy-related threats. The nature of the content sitting on your PC makes these searches even more dangerous. You could be an activist protesting against your repressive government and hold a lot of critical data on your PC, and when you search for such data the query will be sent to Ubuntu servers.
EFF has a similar concern:
You could be searching for the latest version of your résumé at work because you’re considering leaving your job; you could be searching for a domestic abuse hotline PDF you downloaded, or legal documents about filing for divorce; maybe you’re looking for documents with file names that will give away trade secrets or activism plans; or you could be searching for a file in your own local porn collection. There are many reasons why you wouldn’t want any of these search queries to leave your computer.
But I Trust Ubuntu!
It’s not just Ubuntu which gets access to this data. The legal notice added to Dash in 12.10 clearly states that by using Dash you agree to these terms and your search data along with your IP address will be sent to third parties. So, all your keystrokes will be sent to Ubuntu servers and 3rd parties including, but not limited to, Facebook, Twitter, BBC and Amazon. Your data and usage are then bound by the privacy policies of those 3rd parties, and Ubuntu is not responsible for it. You will have to check the privacy policies of individual parties to get more information on how they handle your data.
EFF says that:
Canonical is not clear about which third parties it sends data to and when, but it appears that many of these third parties only get searched in certain circumstances. Ubuntu’s new Online Accounts feature lets you authorize Ubuntu to use your accounts from Facebook, Twitter, Google, Flickr and other services for Ubuntu apps. Dash will likely search these services for photos, documents, and other content only after you’ve authorized Ubuntu to use them.
After feedback from beta testers and the larger open source community, Canonical made the necessary changes and added an option to disable online searches of data. One can also remove the shopping lens from Ubuntu. But looking at Ubuntu’s core user base, many may not even be aware of such features or that they are giving away their keystrokes to 3rd parties and to Canonical. Online search should have been an opt-in option and not opt-out, many open source advocates like Jan Wildeboer suggest.
The father of the Free Software Foundation, Richard M Stallman, also expressed concerns about Ubuntu’s Amazon move. This access to users’ search queries can create new risks for users. Governments may ask Canonical to hand over user data in cases like so-called piracy or protest. The more access Canonical has to users’ data, the more risk there is of it being asked to hand over such data.
The best thing for Ubuntu to do is to disable ‘online search’ by default. An activist sitting in Syria who downloads Ubuntu, thinking no one can see what he is doing on his PC, could be putting his life at risk. Wikileaks people running Ubuntu will be putting their lives at risk, since they may not know that a new feature has been added which is sending their search queries and information to 3rd parties.
So, here are a few things that EFF wants Ubuntu to do:
- Disable “Include online search results” by default. Users should be able to install Ubuntu and immediately start using it without having to worry about leaking search queries or sending potentially private information to third party companies. Since many users might find this feature useful, consider displaying a dialog the first time a user logs in that asks if they would like to opt-in.
- Explain in detail what you do with search queries and IP addresses, how long you store them, and in what circumstances you give them to third parties.
- Make the Search Results tab of the Privacy settings let users toggle on and off specific online search results. Some users might want Amazon products in their search results, but never anything from Facebook.
- We love that Ubuntu is bold enough to break new ground and compete directly with the large proprietary operating systems, but please make sure that you respect your users’ privacy and security while you’re doing it. Windows and Mac users are used to having their data sent to third parties without their express consent by software companies that are trying to maximize profits for their shareholders. Let’s make sure Ubuntu, like the GNU/Linux operating system at its heart, remains an exception to this.
Canonical is quite open to feedback and always responds to such concerns, so we can expect the right moves from Canonical.