Sophos Cloud Optix
Ubuntu has been everyone’s favorite dark horse operating system since it first debuted eight years ago. But a new release has riled the Linux variant’s once loyal fan base: piping search queries from Ubuntu’s built-in search engine to the mega retailer Amazon.com and other “third parties.”
Ubuntu’s privacy-conscious users call it a massive breach of trust. Now online privacy group the Electronic Frontier Foundation has joined the chorus: calling the design change a “major privacy problem” that could expose Ubuntu users to everything from wireless snooping to unwanted entreaties from advertisers.
Ubuntu users concerned about privacy might consider switching to another Linux desktop environment like KDE, GNOME 3 or Cinnamon, the EFF advised.
The firestorm concerns features in the latest version of Ubuntu, dubbed “Quantal Quetzal” by Ubuntu’s parent firm, Canonical, in a great tradition of bizarrely alliterative distribution names.
Released on October 18, Quetzal displayed results from Amazon’s search engine interspersed with other results from searches using the integrated Unity Dash search engine. Dash is used to search both local resources and the internet, and Amazon search results are grouped in a section called “More Suggestions” on the search results page.
The effect of the integration is disquieting.
Even innocuous search results are spiced with a variety of product-related results courtesy of Amazon.
In one example, posted to Reddit, a local search of an Ubuntu system for the Shotwell Linux-based photo organizer returns links to Amazon offerings like a DVD of the 1976 Broadway production of “The Taming of the Shrew”, featuring actress Sandra Shotwell as Bianca.
For searches that result in purchases, Ubuntu gets a percentage of the sale as an affiliate.
In a blog post on Monday, EFF Web developer and Linux guru Micah Lee says the feature is a major privacy breach.
“It’s a major privacy problem if you can’t find things on your own computer without broadcasting what you’re looking for to the world,” he wrote.
Exposing searches for local content to third party advertisers exposes a whole range of previously private thought and action to prying eyes. “There are many reasons why you wouldn’t want any of these search queries to leave your computer,” Lee continued.
The feature has a number of other serious downsides for Ubuntu users, also.
Because search results piped from Amazon are not encrypted, they’re susceptible to being snooped by others, potentially giving clues as to the content of user searches on Dash (which are encrypted).
The integration gives Amazon an insight into what a particular user is interested in, along with an IP address to identify them.
Some search results – such as for DVDs – may be deemed “not safe for work.” And, finally, Amazon isn’t the only third party that gets access to search results.
Ubuntu said it will share the searches with other partners, including Google, ABC, the BBC, Facebook and music site 7digital. However, the company hasn’t said what data it will share with each, or under what circumstances.
The outcry prompted a spirited response from Canonical CEO Mark Shuttleworth, who wrote in a blog post that the Amazon integration was just the first step in an expansion designed to make the Dash search engine “smarter.”
The Amazon results are just search results – not ads, Shuttleworth argued. And users can choose not to search Amazon if they want, while future releases will make it easier to opt-out of searching across third party services, he said.
“What we have in 12.10 isn’t the full experience, so those who leap to judgement are at maximum risk of having to eat their words later. Chill out,” he wrote.
In the meantime, the company is making changes to secure the new feature: filtering out NSFW search results and fetching images from Amazon using secure HTTP.
Lee of EFF says that Ubuntu Quetzal users have a number of options to turn off the feature. They can uninstall the Amazon integration by removing a package called unity-lens-shopping from their computer (sudo apt-get remove unity-lens-shopping from the command line interface).
Alternatively, they can open the Ubuntu Privacy application and change the option “Include online search results” from on to off.
Good luck out there!
I might just be showing my ignorance here but….
"Ubuntu users concerned about privacy might consider switching to another Linux distribution like KDE, GNOME 3 or Cinnamon, the EFF advised."
Aren't KDE and GNOME just GUIs not distributions? I know when I have setup Slackware in the past I have played with using both KDE and Gnome both under my Slackware installation..
That was actually my initial impression too, but I think the search is integrated into the Unity desktop and not Ubuntu as a whole. Certainly the command to stop it by uninstalling a Unity element (sudo apt-get remove unity-lens-shopping) seems to suggest that much.
So theoretically, you could avoid this by switching off of the Unity interface, thereby cutting the plugin out of your search. If Canonical is willing to pipe your searches to Amazon, though, I’m not sure how much further I would trust them.
KDE and GNOME are not Linux distributions, they are desktop environments.
Debian, RedHat, Knoppix, Fedora, Gentoo etc.. those are Linux distributions.
Hang on, so Mac OS 8 (aka ubuntu) looks like this?
It looks horrid.
Why are people still using it.
Sad to see Shuttleworth get this so wrong; sadder still to see him respond defensively and cavalierly. Epic mis-step.
As always, "opt-in" rather than "opt-out" SHOULD be a vendor's first thought when offering features involving connectedness to all and sundry.
Unfortunately the thought process almost always seems to be "money-in" after which very little else appears to matter.
Not impressed, Canonical!
– Gavin
Beside's the above being worrying, when Shuttleworth makes comments that I read in another article about the same issue's that "We have root, we already have access to user's systems", is more of a concern. And if you've every installed Ubuntu you'll notice that it doesn't ask for a root username or password, it only asks for user accounts setup. It's parent distro. Debian, does however ask the installer to enter a root username and password. This make me questions what Canonical are up too. After all Ubuntu, even though they've taken efforts to add features to make the system easier to use, at the end of the day it's just bleeding edge Debian.
I would advise those wishing to use Ubuntu in whatever form, to open a terminal and change your root password.
Damnit…..
I finally got to the point where I was beginning to like Unity.
So long Ubuntu…..
Just uninstall the package and continue on.