[nycbug-talk] Scary Ubuntu privacy junk

George Rosamond george at ceetonetechnology.com
Thu Nov 1 13:52:24 EDT 2012

On 11/01/12 13:04, Pete Wright wrote:
> On 10/31/12 10:10 PM, George Rosamond wrote:
>> On 11/01/12 00:42, David Lawson wrote:
>>> On Nov 1, 2012, at 12:16 AM, George Rosamond
>>> <george at ceetonetechnology.com>  wrote:
>>>> This isn't a linux discussion list, but think this is relevant:
>>>> is.gd/sgZsW7
>>>> It goes to an ArsTechnica link.
>>>> But basically, the new Ubuntu has a default feature with Dash
>>>> searches that sends them to Amazon, and (unencrypted) ads come
>>>> back.
>>> The Quantal release version of the Amazon lens encrypts the queries,
>>> though the beta version did not.  It also anonymizes the queries
>>> prior to Amazon seeing them, which has always been the case to the
>>> best of my knowledge.  Mark has addressed both of those points on his
>>> blog.
>> Oh, he certainly does address it.
>> markshuttleworth.com/archives/1182
>> I especially like replies to "Why are you telling Amazon what I am
>> searching for?"
>> ..."Ern, we have root."
>> Great way to inspire people to use OSS, aint it?  "I have root on your
>> box so screw you."
>> "Preserving anonymity" by trusting that project is laughable, at best.
>> Anonymity is not preserved by trust or policy, it's preserved *by
>> design*.  Look at Tor, GPG, etc.
>> And it takes little statistical hacking to deanonymize data like that.
>> Give an Amazon your IP and queries, and it's not anonymous.  Remember
>> the "anonymized" AOL data a few years back?
> this whole debacle was pretty interesting to me - esp the initial
> reaction/disregard for privacy from shuttleworth.
> regarding anonymizing data that is actively being mined - it really is a
> loaded term.  In Germany for example, you can't store IP addresses and

More on the AOL issue, if anyone doesn't remember:


Hey, there's even a wikipedia page about it.


> associate them with cookies(1) if the user requests so.  Yet once an
> adnetwork has dropped a cookie on your system the IP is almost a moot

aka zombie cookie, flash LSO, supercookie, whatever, right?

> point, they can deduce your geolocation and mine your browsing habbits
> w/o a full IP address.  Once a UUID/cookie is installed on your system
> that is all that matters frankly.  And believe me - there is active work
> happening to correlate these UID's b/w multiple devices.

Definitely.  Give an inch and a mile can be grabbed.

Add that to ISPs tagging packets with user zip code, and you have a
wealth of information.

> gathering/mining and analyzing all of this data is *very* expensive and
> it would not be happening if there was monetary value in it.  the fact

Is it really *that* expensive?  Of course Amazon is doing it for a
reason, and it's worthwhile, but aggregating data and storing on itself
isn't.  Having the mechanism to analyze is higher cost, but with any
group's search data, I'm sure it's worth it.

> that a company backed by OSS developers is leveraging their user base
> (and good will) for financial gain is pretty appalling IMHO.  not that
> they shouldn't seek novel ways to monetize their product, but the way
> they are going about it is so one sided in favor of amazon is what i
> really have problems with.

Yeah, this is why I am speaking so, er, sharply, about the issue.

I don't think Ubuntun has funding issues like other projects, first of all.

But to act like it's in the user base's interest is a joke.  Then make
it a f'g package, and not default.

But I just can't get rid of this "I have root on your box" attitude.  Woah.

Arrogance + a complete misunderstanding of OSS


> -pete
> (1)http://www.huntonprivacyblog.com/2011/09/articles/use-of-google-analytics-now-lawful-in-germany-subject-to-certain-guidelines/

More information about the talk mailing list