I’ve been vocal about my hatred of Ubuntu Unity. I liked Ubuntu before Unity was introduced, but afterwards it just sucked horribly.
The latest news that Ubuntu Unity is including Amazon search results directly in the Lens has a lot of users raging! Most are concerned that offering these search results, regardless of whether the user wants them or not, is a violation of trust and a security issue.
There are many things that comprise a successful Linux distribution, but there may be none more important than trust. Before you build a production Linux system, you have to trust that the distribution isn’t going to contain malicious code or back doors or any number of other potentially major problems.
After users got all up in arms about this new feature, Shuttleworth released another statement trying to quell anxiety. Unfortunately, the already suspicious Ubuntu users picked apart and analyzed his words, and decided that he wasn’t being entirely truthful.
Shuttleworth said, “We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf.” That first statement is a blatant lie! They are definitely passing your query terms on to Amazon; they’re just masking the originating IP address.
This by itself is a problem because nobody intends to search Amazon for sensitive personal information. For instance, someone might search for a file with a social security number, or with a specific text string that is in no way intended to be read by anyone else. They’re ostensibly searching through their own local file system, after all, and the thought that by default that search string will be sent out to not one or two, but 25 third parties is extremely disturbing.
This, however, IS the bulk of the problem. Think about what the “Home” lens was originally used for: searching for files on your hard drive. These files are personal, and searches for things inside these files are personal. Even the filenames may speak volumes. You could be searching for the latest version of your resume at work because you’re considering leaving your job; you could be searching for a domestic abuse hotline PDF you downloaded or legal documents about filing for divorce; maybe you’re looking for documents with file names that will give away trade secrets or activism plans; or you could be searching for a file in your own local porn collection.
But now, Amazon knows what you search for. And if you make extremely specific searches that go inside a file, who knows what you might expose to the public eye (specific names and passwords).
The search terms used reveal a lot about the users making those searches. Users are going to be searching for files in the Home lens, because this is what they have always done. But now, they are sending their sensitive search terms over plain HTTP! This means those terms are visible to your local sysadmin, your boss, your ISP, Canonical, and now Amazon, as well as any other person who manages to jump in the middle! The only thing Canonical is doing is masking your IP address from Amazon.
After this original problem was exposed, Canonical released an update to the Amazon search process.
A problem that Canonical refuses to address is that Amazon (and other third parties) are still able to get your IP address and correlate it with what you are searching for. Canonical did change the servers to send search queries via secure HTTPS. But even when Amazon product images are loaded over HTTPS instead of HTTP, the fact that they are loaded directly from Amazon’s servers instead of from Canonical’s means that Amazon has the ability to correlate search queries with IP addresses.
So in the normal Canonical way, they loudly released a patch for a security flaw, but they didn’t fix the problem. Or at least, they didn’t really fix the main problem.
Giving users an opt-out is not a fix. “Include online search results” should be disabled by default, and third-party search should be opt-in ONLY. New users to Ubuntu should not have to worry about security leaks on a new install.
So Canonical has all the IPs and your search terms, and any one of Canonical’s 25 third-party content providers, now including Amazon, has all your search terms and possibly your IP as well! All you need now is a proactive government to subpoena both of them and link up who searches for what.
And Shuttleworth answered complaints by responding to users like an emperor completely out of touch with his user base. “Don’t trust us? Erm, we have root.”
While you can turn this “feature” off, the real problem is the erosion in trust due to blithely selling users out. It’s no longer so far-fetched that there will be more features like this in the future and that they won’t have an off switch. Stepping back a bit, I’m disappointed in Ubuntu because I don’t trust Microsoft or Apple to do the Right Thing™ regarding privacy but I thought Ubuntu would. I’m no longer so sure about that.
I personally am never going back to Ubuntu. I have used Ubuntu for 9 years, but have in recent years grown very disillusioned with it. I have tried 12.04, and I previewed 12.10 and I think it sucks. Windows and Mac users are already accustomed to having their data sent to third parties without their express consent. Ubuntu, which should respect user privacy and hold to the ideals that are at the heart of the GNU/Linux operating system, remains an exception to this.
Interestingly, one Slashdot blogger called hairyfeet is calling this the final nail in Canonical’s coffin, and expects the company to fold long before Shuttleworth reaches the end of his thesaurus.
In a fascinating comment, he connects Shuttleworth’s announcement 2 years ago that he would not sink any more money into Canonical with a long line of events leading to today.
“Shuttleworth announced he would sink no more millions into Canonical that it was over and now we have the final nail. Look at their history since the Shuttleworth announcement…Ubuntu Netbook (trying to get into the netbook craze after the ship had sailed), selling search results to Yahoo, selling MP3s through Amazon, trying to get into the server business after Shuttleworth talking about how Ubuntu was gonna be “the desktop Linux” for the masses, trying to come up with Ubuntu Phone and Ubuntu TV…their entire history since that announcement has been that of a desperate company trying to find SOME way, any way, to stem the flow of red ink and find a positive revenue stream… Final prediction? Canonical joins the other dead Linux desktops in a year and a half, maybe sooner. All those based on Ubuntu better be switching to Debian as a base NOW because it won’t be much longer before Shuttleworth pulls the plug and hits the lights on his way out. I wouldn’t be surprised to read in a month or two he has it up for sale just to try to recoup some of the money, doubt there will be any takers though, just no money in desktops.”
I agree with hairyfeet!
Canonical has compromised GNU/Linux ideals and the privacy of thousands of users. Ubuntu needs to be recognized for the crap it has become. I am looking forward to the downfall of Canonical.