date 2020-02-18
from the fool-me-once... dept.
The Register spotted Ubuntu behaving badly again with respect to users' privacy. In their article "Ubuntu wants to slurp PCs' vital statistics – even location – with new desktop installs: Data harvest notice will be checked by default", they note that in addition to installing popcon and apport by default, Canonical seeks much deeper data mining (without using the word "telemetry"):
[...] "We want to be able to focus our engineering efforts on the things that matter most to our users, and in order to do that we need to get some more data about sort of setups our users have and which software they are running on it," explained Will Cooke, the director of Ubuntu Desktop at Canonical.
[...] Data Canonical seeks "would include" the following: Ubuntu Flavour, Ubuntu Version, Network connectivity or not, CPU family, RAM, Disk(s) size, Screen(s) resolution, GPU vendor and model, OEM Manufacturer, Location (based on the location selection made by the user at install). No IP information would be gathered, Installation duration (time taken), Auto login enabled or not, Disk layout selected, Third party software selected or not, Download updates during install or not, [and] LivePatch enabled or not.
The system plans to leverage the power of the default setting by making the choice opt-out, not opt-in as popcon has been in the past: Cooke explained to the ubuntu-devel audience that "Any user can simply opt out by unchecking the box, which triggers one simple POST stating, 'diagnostics=false'. There will be a corresponding checkbox in the Privacy panel of GNOME Settings to toggle the state of this."
El Reg also noted Ubuntu's plan to address user privacy concerns:
"The Ubuntu privacy policy would be updated to reflect this change."
This seems less egregious than Ubuntu's past invasions of privacy, but much more invasive and Windows 10-like.
(Score: 3, Insightful) by AndyTheAbsurd on Tuesday February 20, @12:52PM (2 children)
It's enough to make a user install Gentoo or Arch Linux (or maybe Linux From Scratch) just to be sure that nothing "extra" is running.
Of course, someone will probably come along and point out something shady that those distros have done, too...

(Score: 0) by Anonymous Coward on Tuesday February 20, @01:16PM (1 child)
What about computer name/hostname?
If not, then it looks like less intrusive feedback than Mozilla has been vacuuming up, and most of it looks like data that provides important feedback for usability related issues, a number of which I have discovered recently, especially in newer kernel versions (The biggest being HGST USB 3.0 enclosures hanging due to the uas driver in any kernel after 3.13 or so, and at least some RV8xx series gpus displays getting corrupted/over white with the 4.14 kernel under debian/devuan and the open source 2016 linux-firmware dpkg instead of the proprietary 2017 package.) These sorts of showstopper bugs for some users have been becoming more and more frequent. Worse yet, many of them *ARE* documented online, even in the right bugtrackers, but developers either don't have the devices or ability to reproduce the issues and thus they never get fixed.
FYI, also a gentoo user, but sometimes you need packages installed *NOW*, not in the 15 minutes to 72+ hours it takes to compile the particular package and all its prerequisites :D Devuan is a lot faster to install and update with fewer interdependency issues on average than gentoo as well.
(Score: 2) by Bot on Tuesday February 20, @03:38PM
If, as you say, bugs get reported anyway, what's the point of the whole drill.
Back to topic, which bugs are triggered by a different geographical location of the hardware? 1 in 10000000? So why report that?
(Score: 1, Informative) by Anonymous Coward on Tuesday February 20, @01:09PM (2 children)
I remember when Linux was the OS that just did what the user told it and never spied on the user. It was YOUR computer and Linux respected that. (Back in the days of Slackware and early Red Hat)
But that was considered normal and expected behavior then. Even Windows acted that way! (Windows 95, 98, NT)
(Score: 3, Informative) by janrinok on Tuesday February 20, @01:19PM
It still is - the user decides whether to activate this feature or not. This differs significantly from the Microsoft option where it is next to impossible to remove the telemetry feature and, if you do, it will probably get reinstalled at the next update. It would be better to be opt-in rather than opt-out but, if you are capable of installing your own OS, you should be able to deselect the appropriate option at installation time.

(Score: 3, Informative) by Runaway1956 on Tuesday February 20, @02:50PM
Linux isn't collecting your data. Canonical / *buntu is collecting data. People commonly make a similar mistake with telephones. "My phone is spying on me - Android is terrible!" In actuality, Android doesn't spy on you - your phone provider configured the phone to spy on you. Linux is very different from *buntu. *Buntu is a customer of Linux, Linux is not dependent on *buntu.

(Score: 4, Insightful) by The Mighty Buzzard on Tuesday February 20, @01:13PM (4 children)
And how, pray tell, do they plan on transmitting the "not" back to themselves?
Now with #freearistarchus! Not 10% off. Not 50% off. Not even 90% off. Free!
(Score: 2) by janrinok on Tuesday February 20, @01:20PM (1 child)

(Score: 2) by Spamalope on Tuesday February 20, @02:07PM
or Windows/Facebook like install opted in, slurp and cache the data they'd like to take and then send that based on the 'opt in' at install whether the user opts out before the first network connect or not.
(Score: 2) by KritonK on Tuesday February 20, @02:53PM
This is probably an excuse to stop supporting installations that are not connected to the network and cannot be spied upon. (100% of the surveyed machines had network connectivity, therefore...)
(Score: 2) by Bot on Tuesday February 20, @03:43PM
To nitpick, that is "Data Canonical seeks" not "Data Canonical gets reported back", so the absence of network connectivity can be desumed or reported when connectivity resumes.
Canonical is getting too canonical for my tastes.
(Score: 2) by janrinok on Tuesday February 20, @01:14PM (6 children)
As the only thing to do to prevent this is untick one box at installation time then I think that I can cope with that. I'd prefer that it were opt-in rather than opt-out, but I'm not going to get excited. I'd also want the data that is sent to be in a format that is easily readable - not encrypted or obfuscated which will only create distrust.
Most of the data is available to Ubuntu at the time of installation - CPU, GPU, hardware etc. And at the time of installation it is hardly likely to contain any information that I would consider private. The location is based upon your timezone, and if that is as close as it gets then it hardly compromises my identity. It might narrow it down to a country, but that doesn't worry me. Third party software installation? Well, I'd be pleased if they would notice that I always install Pale Moon, and if they would let me do that instead of Firefox or Chromium I would be delighted. And letting me install my VPN at installation time would also be nice too, but it isn't too much effort to add it later.
There again, I have always opted in to popcorn (which, for those who do not know, simply lets Ubuntu know which packages/programs you install.) This seems to me to be a sensible thing to do - there is no point in putting effort into supporting a program that nobody uses, and allows the devs the ability to concentrate on those things that the users find important/useful.
Sure, if they start wanting to collect every URL that I access, or recording username/passwords, then I will certainly object loudly, strongly and with my feet. But I am prepared to wait and see.

(Score: 0) by Anonymous Coward on Tuesday February 20, @01:22PM (2 children)
But certainly would like the application itself to be easily straced/run in debug mode/open source with verifiable build binaries so it can be clear what is being sent.
Having the data sent in plaintext with current 5 eyes surveillance is actually MORE damaging than sending this information to Ubuntu itself, since in the former they also get your IP address and related details for free and are in a far better position to leverage other intelligence to identify the system running Ubuntu directly, based on your probable credit card purchase of the hardware, name on the ISP bill, census data on your family, etc.
(Score: 2) by Spamalope on Tuesday February 20, @02:15PM
And this will let them tie MAC address and any other processor/hardware serial numbers to an individual as well. Say goodbye to an anonymous free press as long as total surveillance prevails.
So far poisoning the well with additional false information to slurp seems to be the only counter tactic for the data vacuum cleaners.
(Score: 0) by Anonymous Coward on Tuesday February 20, @02:28PM
Most of what they're asking to collect looks benign to me. Even location, isn't that only accurate to the closest timezone? But still, I'd prefer if it's simply not sent, regardless of encryption.
If encrypted, then how can we trust it's sending what it says it's sending? Maybe this argument applies more to the MS-style closed-source slurping, since in theory, one can read the source code of what Ubuntu is trying to do - hopefully this is available. But even so, how many people will actually do this?
If not encrypted, then as pointed out, others in the position to intercept that data can also consume it.
I expect it's probably easier to send poisoned data as well if it's not encrypted, or if the source code of the telemetry programs are available. Is the stuff digitally signed when transmitted, in a trustworthy manner to the collector, so the collector knows it's not fake?
The only paranoiac solution is to not allow such data to be sent regardless of method. I suppose data poisoning is also an option for those upset enough and so inclined.
(Score: 2) by Bot on Tuesday February 20, @03:46PM (1 child)
> I have always opted in to popcorn
damn autocorrect, I guess you have never said no to popcorn anyway.
For those interested in googling, it's "popcon" POPularity CONtest, a debian thing which ubuntu and others use too.
(Score: 2) by janrinok on Tuesday February 20, @03:53PM

(Score: 2) by requerdanos on Tuesday February 20, @04:36PM
Not quite simply that. popcon also reports what programs you run and approximately how often by checking the atime on the binaries.
Quoting popcon's official site [debian.org]:
I, too, choose to run popcon on several machines, but when someone chooses to do so, it's better if they know what's in the report rather than thinking that it's simply a sterile report of installed packages. popcon reports the usage stats in order to track what gets run the most frequently. Nothing nefarious, but not "just a list" either.
(Score: 3, Insightful) by Hyperturtle on Tuesday February 20, @02:37PM
They are supposed to update the policy BEFORE MAKING CHANGES TO THE PRODUCT and reference the changes are coming soon.
Having the info there prior to making the change lets a user know what is being agreed to! They can even post it the very moment the new version and updates become available -- so that anyone interested can find out what they are actually agreeing to.
Further, I should not have to go on-line to visit the policy for the first install. Include this on the distribution. It is a text file. It is not large and numerous copies of everything ever stated as policy that one could agree to can be stored locally -- with references to go on-line for updated info. None of that crap about it changes and local storage is hard; if you introduce code into a new install that changes the policy, then force that privacy info up on the user when those updates go in.
Having an outdated privacy policy is almost as bad as having no policy at all! Promising to update it comes across as a "oh man we better do this even though we put 100% of our efforts into making the exploitation as seamless as possible based on seeing the success and limited user pushback with other operating systems because personalized tracking benefits users because ads!"
Sometimes, people choose an alternate because it's not the same as the others, you know? People are not choosing to install Ubuntu to get more of the worst aspects of the other options!
(Score: 1) by whatevs on Tuesday February 20, @02:57PM (6 children)
I carefully read through the explanation before making my typical knee-jerk reaction, and I'm glad I did. I can understand why they would want to do this, and why they would want to make it the default action. And I fully support them in choosing to do this with their distribution. It's not the direction I would take it if it were mine, but I see what they're trying to accomplish, and their motives don't seem nefarious. I assume they understand the law of unintended consequences, and they still felt it was worth doing, and I support that.
I'm also not going to use Ubuntu anymore. Combined with other decisions they have made over the years, they're just not the distribution for me anymore, and that's okay. I'm just not their target user, nor are the people whose computers I maintain.
Back when I switched from Gentoo to Ubuntu (back when Ubuntu thought nudity was appropriate in the artwork for their distribution) I did it because of the wide range of available packages and being able to install them right away. It turns out, I don't actually need any more than what Debian is able to provide. I don't fully agree with the decisions Debian has made, so I'm not going to use their distribution, either. But Devuan has been working well since the beta, even for the few Steam games I play, so I'm going to keep using that and putting that on family members' machines. I've been using that since before 1.0 at home and work. I do spin up Ubuntu VMs for testing, which is unfortunate, as I have to make sure my stuff is still compatible, but I definitely don't use them for day-to-day stuff anymore.
Who knows what direction Ubuntu will take in the future, but unless the new distro makes similar choices, I don't imagine I'll be going back.
(Score: 2) by Gaaark on Tuesday February 20, @03:33PM (4 children)
I stopped using ubuntu mainly because it seemed to get slower and slower. The same with plain debian (though not as bad as ubuntu).
I switched to Arch (Manjaro) because of speed, but then learned they switched to systemd.
If i had the time and a faster/better machine i'd try distro hopping in a VM, but that's not really an option right now.
I think i'm going to try void and gentoo (used gentoo for a while, but kind of opted out when the whole shit-stain happened with (Daniel??) the lead developer being tossed and the upheaval....).
I dunno: void, gentoo, calculate, maybe some others. But damn, Manjaro is sooooooo nice: except systemd.

(Score: 0) by Anonymous Coward on Tuesday February 20, @03:49PM (1 child)
You could look at nosh, http://jdebp.eu/Softwares/nosh/, [jdebp.eu] it's able to convert systemd unit files to its own style and provides shims to allow usage of sysv, bsd or systemd syntax to manage services. It also seems to have a superset of functionality while not making the most egregious errors in design found in systemd and without the mission creep.
(Score: 2) by Bot on Tuesday February 20, @03:57PM
nosh sherlock, interesting- remove the , from the link to get to its homepage.
(Score: 2) by Bot on Tuesday February 20, @03:50PM
antix mxlinux, you still get .debs and systemd optional
(Score: 0) by Anonymous Coward on Tuesday February 20, @04:23PM
For desktops, I use PCLinuxOS, no systemd, and, on the whole, it just works™..
For servers, *BSDs I'm afraid (migrated from the last systemd-free Debian distro).
Firewall, I'm conflicted, I've a seriously 'fucked with' PCLinuxOS box doing the job at present (only the base packages, development and kernel are from the distro, the rest are compiled from source and local hackery) which is either going to be replaced with a Devuan box (the easy option) or another *BSD one.
(Score: 2) by requerdanos on Tuesday February 20, @04:37PM
I assumed this for a long time, but their nutty responses to the Amazon-search-lens issue absolved me of that notion in a heartbeat.
They have utterly no concept of said law.
(Score: 2) by jmorris on Tuesday February 20, @03:58PM
If it is like Fedora's old attempt with smolt or Debian's popcon there isn't an issue here. The problem is the nutters obsessing over privacy to the point it is creating anti-information. What hardware is most used? Really important information when deciding what to buy, what to expend development effort into, etc. But because of the nutters that information is intentionally suppressed.
We demand 100% Free Software and at the same time put unreasonable demands on the people providing it. Then most of the same nutters give Zuckersperg and Jack every last intimate detail of their life.