Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Tuesday February 20 2018, @12:38PM   Printer-friendly
from the fool-me-once... dept.

The Register spotted Ubuntu behaving badly again with respect to users' privacy. In their article "Ubuntu wants to slurp PCs' vital statistics – even location – with new desktop installs: Data harvest notice will be checked by default", they note that in addition to installing popcon and apport by default, Canonical seeks much deeper data mining (without using the word "telemetry"):

[...] "We want to be able to focus our engineering efforts on the things that matter most to our users, and in order to do that we need to get some more data about sort of setups our users have and which software they are running on it," explained Will Cooke, the director of Ubuntu Desktop at Canonical.

[...] Data Canonical seeks "would include" the following: Ubuntu Flavour, Ubuntu Version, Network connectivity or not, CPU family, RAM, Disk(s) size, Screen(s) resolution, GPU vendor and model, OEM Manufacturer, Location (based on the location selection made by the user at install). No IP information would be gathered, Installation duration (time taken), Auto login enabled or not, Disk layout selected, Third party software selected or not, Download updates during install or not, [and] LivePatch enabled or not.

The system plans to leverage the power of the default setting by making the choice opt-out, not opt-in as popcon has been in the past: Cooke explained to the ubuntu-devel audience that "Any user can simply opt out by unchecking the box, which triggers one simple POST stating, 'diagnostics=false'. There will be a corresponding checkbox in the Privacy panel of GNOME Settings to toggle the state of this."

El Reg also noted Ubuntu's plan to address user privacy concerns:

"The Ubuntu privacy policy would be updated to reflect this change."

This seems less egregious than Ubuntu's past invasions of privacy, but much more invasive and Windows 10-like.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by janrinok on Tuesday February 20 2018, @01:14PM (13 children)

    by janrinok (52) Subscriber Badge on Tuesday February 20 2018, @01:14PM (#640614) Journal

    As the only thing to do to prevent this is untick one box at installation time then I think that I can cope with that. I'd prefer that it were opt-in rather than opt-out, but I'm not going to get excited. I'd also want the data that is sent to be in a format that is easily readable - not encrypted or obfuscated which will only create distrust.

    Most of the data is available to Ubuntu at the time of installation - CPU, GPU, hardware etc. And at the time of installation it is hardly likely to contain any information that I would consider private. The location is based upon your timezone, and if that is as close as it gets then it hardly compromises my identity. It might narrow it down to a country, but that doesn't worry me. Third party software installation? Well, I'd be pleased if they would notice that I always install Pale Moon, and if they would let me do that instead of Firefox or Chromium I would be delighted. And letting me install my VPN at installation time would also be nice too, but it isn't too much effort to add it later.

    There again, I have always opted in to popcorn (which, for those who do not know, simply lets Ubuntu know which packages/programs you install.) This seems to me to be a sensible thing to do - there is no point in putting effort into supporting a program that nobody uses, and allows the devs the ability to concentrate on those things that the users find important/useful.

    Sure, if they start wanting to collect every URL that I access, or recording username/passwords, then I will certainly object loudly, strongly and with my feet. But I am prepared to wait and see.

    Starting Score:    1  point
    Moderation   +3  
       Interesting=3, Total=3
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 1, Interesting) by Anonymous Coward on Tuesday February 20 2018, @01:22PM (2 children)

    by Anonymous Coward on Tuesday February 20 2018, @01:22PM (#640620)

    But certainly would like the application itself to be easily straced/run in debug mode/open source with verifiable build binaries so it can be clear what is being sent.

    Having the data sent in plaintext with current 5 eyes surveillance is actually MORE damaging than sending this information to Ubuntu itself, since in the former they also get your IP address and related details for free and are in a far better position to leverage other intelligence to identify the system running Ubuntu directly, based on your probable credit card purchase of the hardware, name on the ISP bill, census data on your family, etc.

    • (Score: 2) by Spamalope on Tuesday February 20 2018, @02:15PM

      by Spamalope (5233) on Tuesday February 20 2018, @02:15PM (#640635) Homepage

      And this will let them tie MAC address and any other processor/hardware serial numbers to an individual as well. Say goodbye to an anonymous free press as long as total surveillance prevails.

      So far poisoning the well with addition false information to slurp seems to be the only counter tactic for the data vacuum cleaners.

    • (Score: 0) by Anonymous Coward on Tuesday February 20 2018, @02:28PM

      by Anonymous Coward on Tuesday February 20 2018, @02:28PM (#640641)

      Most of what they're asking to collect looks benign to me. Even location, isn't that only accurate to the closest timezone? But still, I'd prefer if it's simply not sent, regardless of encryption.

      If encrypted, then how can we trust it's sending what it says it's sending? Maybe this argument applies more to the MS-style closed-source slurping, since in theory, one can read the source code of what Ubuntu is trying to do - hopefully this is available. But even so, how many people will actually do this?

      If not encrypted, then as pointed out others in the position to intercept that data can also consume it.

      I expect it's probably easier to send poisoned data as well if it's not encrypted, or if the source code of the telemetry programs are available. Is the stuff digitally signed when transmitted, in a trustworthy manner to the collector, so the collector knows it's not fake?

      The only paranioc solution is to not allow such data to be sent regardless of method. I suppose data poisoning is also an option for those upset enough and so inclined.

  • (Score: 2) by Bot on Tuesday February 20 2018, @03:46PM (2 children)

    by Bot (3902) on Tuesday February 20 2018, @03:46PM (#640680) Journal

    > I have always opted in to popcorn
    damn autocorrect, I guess you have never said no to popcorn anyway.
    For those interested in googling, it's "popcon" POPularity CONtest, a debian thing which ubuntu and others use too.

    --
    Account abandoned.
    • (Score: 2) by janrinok on Tuesday February 20 2018, @03:53PM

      by janrinok (52) Subscriber Badge on Tuesday February 20 2018, @03:53PM (#640688) Journal
      yep - fingers typing what they want again .....
    • (Score: 0) by Anonymous Coward on Wednesday February 21 2018, @09:31AM

      by Anonymous Coward on Wednesday February 21 2018, @09:31AM (#641089)

      So, con as in con man?

  • (Score: 5, Interesting) by requerdanos on Tuesday February 20 2018, @04:36PM

    by requerdanos (5997) Subscriber Badge on Tuesday February 20 2018, @04:36PM (#640712) Journal

    I have always opted in to popcorn (which, for those who do not know, simply lets Ubuntu know which packages/programs you install.)

    Not quite simply that. popcon also reports what programs you run and approximately how often by checking the atime on the binaries.

    Quoting popcon's official site [debian.org]:

    This package sends every week the list of packages installed and the access time of relevant files to the server

    I, too, choose to run popcon on several machines, but when someone chooses to do so, it's better if they know what's in the report rather than thinking that it's simply a sterile report of installed packages. popcon reports the usage stats in order to track what gets run the most frequently. Nothing nefarious, but not "just a list" either.

  • (Score: 0) by Anonymous Coward on Tuesday February 20 2018, @06:04PM (1 child)

    by Anonymous Coward on Tuesday February 20 2018, @06:04PM (#640758)

    if it's a check box during install then this doesn't fit the normal params of opt in/opt out and is largely click bait/fud. normally, when people say "opt out" they mean you do something without asking them then they have to go find it and unset it once they find out you did it. big difference.

    now, if canonical didn't learn their lesson from last time about not using tls to transmit this data then some moron should be fired. They're just too fucking stupid to have a job. also, if they haven't automated apport then that annoying SOB needs to be opt in, not opt out. regular ubuntu users don't want to learn all about bug reporting, FFS. report the bug yourself with permission, using encryption or leave the user alone.

    • (Score: 0) by Anonymous Coward on Wednesday February 21 2018, @09:35AM

      by Anonymous Coward on Wednesday February 21 2018, @09:35AM (#641090)

      If it's already checked then it absolutely is opt out.

      It's the same kind of opt out that get your grandmothers Firefox replaced with Chrome every time her bank requires that she updates Java.

      - Which makes Ubuntu just as much malware as Java - both install unauthorized software. Not doing anything is not authorization, so as long as the user doesn't touch the checkbox, there can be no authorization and thus the checkbox being checked by default results in the installation of unauthorized software.

  • (Score: 3, Insightful) by NotSanguine on Tuesday February 20 2018, @09:08PM (2 children)

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Tuesday February 20 2018, @09:08PM (#640851) Homepage Journal

    As one of the many things (use one of dozens of other distributions, among other things) to do to prevent this is untick one box at installation time then I think that I can cope with that. I'd prefer that it were opt-in rather than opt-out, but I'm not going to get excited. I'd also want the data that is sent to be in a format that is easily readable - not encrypted or obfuscated which will only create distrust.

    There. FTFY.

    Opting out isn't the only thing. It's been my experience that voting with your feet/wallet is one of the more effective ways to limit that kind of crap.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 2) by digitalaudiorock on Tuesday February 20 2018, @09:52PM (1 child)

      by digitalaudiorock (688) on Tuesday February 20 2018, @09:52PM (#640871) Journal

      There. FTFY.

      Opting out isn't the only thing. It's been my experience that voting with your feet/wallet is one of the more effective ways to limit that kind of crap.

      Amen to that. I think Canonical is taking a cue from Redhat, who clearly believes they're powerful enough to turn Linux into their Windows with the whole systemd cluster-fuck. Opt-out? Yea, they clearly think they've got the clout to act like MS. Vote with your feet indeed...tell them to go fuck themselves. I'm using all Gentoo here, and my company moved from CentOS 6 to Devuan. These scumbags will only take your Linux away if you let them.

      • (Score: 2) by janrinok on Wednesday February 21 2018, @12:20PM

        by janrinok (52) Subscriber Badge on Wednesday February 21 2018, @12:20PM (#641135) Journal

        Perhaps, like Redhat, you are not the person Ubuntu is aiming their distro at?

  • (Score: 2) by FatPhil on Wednesday February 21 2018, @10:40AM

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 21 2018, @10:40AM (#641109) Homepage
    > untick one box at installation time

    The tickbox that you should selecting should appear before installation time, before even download time.

    [ ] I wish to run a distro which has insane defaults that I need to opt out of, and may not even know about.
    [ ] I wish to run a distro which has sane defauls

    Pick wisely.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves