Ubuntu "phones home" to Amazon etc !!!

I don't know how I could have missed this!

I just saw it in "Canonical asks desktop users to 'pay what you think Ubuntu is worth'" https://www.wilderssecurity.com/showthread.php?p=2129134#post2129134 .

The Unity Dash forwards your searches to Amazon! Packets to Canonical's servers are not encrypted. Although Canonical supposedly doesn't share your identity with Amazon, Amazon does see the search terms, which might include sensitive information.

There will reportedly be a kill switch for such searching in the 12.10 release.

For now, you must run "sudo apt-get purge unity-lens-shopping". But that doesn't stop searches to their online One store.

I may stop using Ubuntu over this. At least, Unity must go. I am gobsmacked!

Here are some links:

Mark Shuttleworth Explains Ubuntu’s New ‘Amazon Suggestions’ Feature
-http://www.omgubuntu.co.uk/2012/09/mark-shuttleworth-explains-ubuntus-new-amazon-adware-feature-

Ubuntu privacy blunder over Amazon ads continues
-https://perot.me/ubuntu-privacy-blunder-over-amazon-ads-continues-

Ubuntu Adds ‘Amazon Results’ Off Switch, Fixes NSFW Issues
-http://www.omgubuntu.co.uk//2012/10/ubuntu-adds-amazon-results-off-switch-fixes-nsfw-issues-

 

Well I hope you weren't one of those who, without realizing it, had local/private searches shared with both Canonical and Amazon.

I don't think an OS vendor injecting themselves as an affiliate in merchant searches/transactions is a desirable model.

 

Yeah it's sad they have to do this. It just shows you they need the revenue.

 

I don't care about the advertising angle. It's just mind boggling that such a huge privacy hole made it so close to the 12.10 release before someone caught it.

Dash searches in Unity have always gone to the Canonical store. But, as Mark Shuttleworth noted, they have root anyway, so I might as well trust them.

 

Disabling this is as easy as disabling any other logging feature. Open Dash and type "privacy" - you get to control everything.

Remember - anything typed in the Dash already goes to Canonical to search for relevant applications.

I don't think this is sketchy at all. Frankly, it's one of the most overhyped situations I've seen in recent history.

 

Just money hungry, we must squeeze as much revenue as possible out of every consumer.

 

Sharing information with third parties should always be opt-in.

 

While I generally agree with that, and while I agree that it's a bit questionable how this new feature is implemented (although changes might be coming, and a legal disclaimer has been added), calling this "phoning home" is pure sensationalism implying that this is equivalent to adware under Windows.

Hungry is right in saying that this is "one of the most overhyped situations I've seen in recent history".

 

Not everything in life is free!!!

 

I posted in anger, I admit. However, communicating users' Dash searches to third parties, without warning, would be "phoning home" to them. I don't get how you can say that it wouldn't be. I'm not saying that it was malicious. It's just that they obviously weren't thinking about privacy when they designed it.

The best approach, I think, would be making Dash searches purely local by default, with options of adding other sources (Canonical, Google, Amazon, etc). If I use the Software Center, I expect that it will query Canonical, because I'm looking for something that I don't already have. And I use a browser to search the Web. Why does Dash need to replicate all that, in addition to finding stuff locally?

 

All they should really do is assign each user a random nonidentifying address and have the searches go through Canonical.

This eliminates any privacy concern that might be there.

I'm pretty sure they've already stated no private information is sent, just the search terms.

 

I wasn't sure how to interpret that, so I pulled out the 11.10 and 12.04.1 discs I created for the rare occasion I want to boot with an alternate OS when doing (offline) troubleshooting. When searching via the Home Lens I only got local files and local applications. I had a sniffer inline and verified there was no network traffic. Even when searching via the Applications Lens I saw no network lookups (somewhere I saw someone say there was a local cache of available apps). There were online lookups when using the Music Lens. I didn't bother testing the Video Lens.

The obvious concern would be the default lens... the Home Lens... in default configuration sending something off the local machine. I didn't see that happen with those previous versions. If you think it can and I somehow failed to trigger it, I would appreciate you telling me so.

 

@TheWindBringeth

I haven't checked with Wireshark etc. In 11.10 I see non-local results in Apps and Music. I don't see anything non-local in the Home Lens.

It's good to know that Music searches aren't done until you open the Lens

 

@mirimir: Someone wanted my sniffing box so I made the testing brief. Can you search for local music OK with just the Home Lens or do you have to use the Music Lens to search for some things (artist tag for example)?

 

@TheWindBringeth

I'm not the one to ask. I only use Dash to open apps.

 

As a very privacy conscious person, I don't see a big deal with this. Canonical needs revenue, so I am willing to tolerate Amazon searches. If this were M$ or Apple, yeah I might be a bit outraged. But Canonical gives everyone an OS for free.

If you don't like it, you are always welcome to send Canonical a donation, or buy music from their store or sign up for a premium Ubuntu One account. Besides, you can turn this functionality off completely.