Ubuntu pipes search queries to Amazon, worrying privacy experts

Ubuntu pipes search results to Amazon

UbuntuUbuntu has been everyone’s favorite dark horse operating system since it first debuted eight years ago. But a new release has riled the Linux variant’s once loyal fan base: piping search queries from Ubuntu’s built-in search engine to the mega retailer Amazon.com and other “third parties.”

Ubuntu’s privacy-conscious users call it a massive breach of trust. Now online privacy group the Electronic Frontier Foundation has joined the chorus: calling the design change a “major privacy problem” that could expose Ubuntu users to everything from wireless snooping to unwanted entreaties from advertisers.

Ubuntu users concerned about privacy might consider switching to another Linux desktop environment like KDE, GNOME 3 or Cinnamon, the EFF advised.

The firestorm concerns features in the latest version of Ubuntu, dubbed “Quantal Quetzal” by Ubuntu’s parent firm, Canonical, in a great tradition of bizarrely alliterative distribution names.

Released on October 18, Quetzal displayed results from Amazon’s search engine interspersed with other results from searches using the integrated Unity Dash search engine. Dash is used to search both local resources and the internet, and Amazon search results are grouped in a section called “More Suggestions” on the search results page.

More suggestions in search results

The effect of the integration is disquieting.

Even innocuous search results are spiced with a variety of product-related results courtesy of Amazon.

In one example, posted to Reddit, a local search of an Ubuntu system for the Shotwell Linux-based photo organizer returns links to Amazon offerings like a DVD of the 1976 Broadway production of “The Taming of the Shrew”, featuring actress Sandra Shotwell as Bianca.

Searching for Shotwell. Click for larger version

For searches that result in purchases, Ubuntu gets a percentage of the sale as an affiliate.

In a blog post on Monday, EFF Web developer and Linux guru Micah Lee says the feature is a major privacy breach.

“It’s a major privacy problem if you can’t find things on your own computer without broadcasting what you’re looking for to the world,” he wrote.

Exposing searches for local content to third party advertisers exposes a whole range of previously private thought and action to prying eyes. “There are many reasons why you wouldn’t want any of these search queries to leave your computer,” Lee continued.

The feature has a number of other serious downsides for Ubuntu users, also.

Because search results piped from Amazon are not encrypted, they’re susceptible to being snooped by others, potentially giving clues as to the content of user searches on Dash (which are encrypted).

The integration gives Amazon an insight into what a particular user is interested in, along with an IP address to identify them.

Some search results – such as for DVDs – may be deemed “not safe for work.” And, finally, Amazon isn’t the only third party that gets access to search results.

Ubuntu said it will share the searches with other partners, including Google, ABC, the BBC, Facebook and music site 7digital. However, the company hasn’t said what data it will share with each, or under what circumstances.

The outcry prompted a spirited response from Canonical CEO Mark Shuttleworth, who wrote in a blog post that the Amazon integration was just the first step in an expansion designed to make the Dash search engine “smarter.”

The Amazon results are just search results – not ads, Shuttleworth argued. And users can choose not to search Amazon if they want, while future releases will make it easier to opt-out of searching across third party services, he said.

“What we have in 12.10 isn’t the full experience, so those who leap to judgement are at maximum risk of having to eat their words later. Chill out,” he wrote.

Part of blog post by Mark Shuttleworth

In the meantime, the company is making changes to secure the new feature: filtering out NSFW search results and fetching images from Amazon using secure HTTP.

Lee of EFF says that Ubuntu Quetzal users have a number of options to turn off the feature. They can uninstall the Amazon integration by removing a package called unity-lens-shopping from their computer (sudo apt-get remove unity-lens-shopping from the command line interface).

Alternatively, they can open the Ubuntu Privacy application and change the option “Include online search results” from on to off.

Good luck out there!