Nathan Heafner

Linux, Networking & Security

Ubuntu Dash Search Is Not Anonymous

I threw together this post because I felt the need to clarify my stance and share some general knowledge: your Dash search results in Ubuntu are not anonymous, no matter how much others may want you to believe they are.

The reason for this post is a short blurb on /. (Slashdot) which states “The Dash Is Now Anonymized In Ubuntu 13.10”. It’s not. The post on Slashdot links to a discussion that I participated in on Google+ from  who originally posted:

“The smart scopes server now anonymizes images before serving them to your Dash. :-) #ubuntu #privacy”.

That post is found here for reference.

First let me explain that I have not personally researched or deeply analyzed any code regarding Unity, or Dash search (smart scopes) etc. I can however make some general assumptions and point to some documents that further prove my claim with ease. I think you will agree.

1. Search results are sent to Canonical, and then to the third parties. Whether that data is “anonymized” when it’s received by Canonical is irrelevant. Canonical knows where the search originated, as it has to send the results back to that same device. Could this be circumvented? Possibly, if they routed the searches through Tor, or utilized some technology for onion/garlic routing or some other darknet/deepweb. But I can assure you Canonical is not doing this.

2. I believe that Canonical is making the search anonymous to the third parties; however, this doesn’t mean that Canonical could not be forced or compelled to identify those users to either law enforcement or the third parties themselves. This is also stated by Canonical in their Privacy Policy, and is common knowledge.

3. The privacy policy, Canonical’s stance, and legal requirements (data retention for example) could change at any moment, or Canonical could be sold/bought etc.

4. You can verify this by viewing the Privacy Policy, and nothing more. http://www.ubuntu.com/privacy-policy

  • Searching in the dash

    When you enter a search term into the dash Ubuntu will search your Ubuntu computer and will record the search terms locally. Unless you have opted out (see the “Online Search” section below), we will also send your keystrokes as a search term to productsearch.ubuntu.com and selected third parties so that we may complement your search results with online search results from such third parties including: Facebook, Twitter, BBC and Amazon. Canonical and these selected third parties will collect your search terms and use them to provide you with search results while using Ubuntu.

    By searching in the dash you consent to:

    1. the collection and use of your search terms and IP address in this way; and
    2. the storage of your search terms and IP address by Canonical and such selected third parties (if applicable).

    Canonical will only use your search terms and IP address in accordance with this Privacy Policy. For information on how our selected third parties may use your information, please see their privacy policies.

    You may restrict your dash so that we don’t send searches to third parties and you don’t receive online search results. To do this go to the Privacy panel and toggle the ‘Include online search results’ option to off. The Privacy panel can be found in your System Settings or via a dash search. For a current list of our selected third parties, please see the third party privacy policies.

What do we do with the information we collect

We may use your information in the following ways:

  • To authenticate access to certain features of our websites.
  • To contact you to respond to enquiries or to provide notices to you regarding your use of our websites or the provision of our services.
  • To provide services, products, process payment, and authenticate access (where required).
  • To analyse the performance or the appropriateness of products or services.
  • To comply with legal and regulatory requirements (including responding to court orders, subpoenas and to prevent crime). These special circumstances may require us to disclose personal information.
  • To contact you if your actions violate your agreement with us (if any).
  • To fix errors and analyse trends.
  • To study how anonymous users interact with our websites and services.
  • To market our products or services to you.
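The policy excerpt above names productsearch.ubuntu.com as the destination for Dash searches and describes the opt-out toggle, so one way to check the toggle from your own machine is to look for DNS lookups of that host after switching it off. The following is an added example, not code from this post or from Canonical; it assumes the default text output of `tcpdump -n -l port 53`, and the capture lines, addresses and timestamps are constructed.

```python
import re
from datetime import datetime

# Hostname the privacy policy excerpt gives as the destination for Dash searches.
WATCHED_HOSTS = ("productsearch.ubuntu.com",)

# Constructed sample in tcpdump's text format (not a real capture).
# Client, resolver and answer addresses are documentation-range placeholders.
SAMPLE_CAPTURE = """\
10:00:01.100000 IP 192.0.2.10.40111 > 192.0.2.1.53: 1001+ A? productsearch.ubuntu.com. (42)
10:00:01.140000 IP 192.0.2.1.53 > 192.0.2.10.40111: 1001 1/0/0 A 198.51.100.7 (58)
10:00:05.300000 IP 192.0.2.10.40112 > 192.0.2.1.53: 1002+ AAAA? ProductSearch.Ubuntu.com. (42)
10:00:09.000000 IP 192.0.2.10.40113 > 192.0.2.1.53: 1003+ A? archive.ubuntu.com. (36)
10:05:30.000000 IP 192.0.2.10.40114 > 192.0.2.1.53: 1004+ [1au] A? archive.ubuntu.com. (47)
"""

# Matches DNS *query* lines only: "<id>+ [flags] <QTYPE>? <name>. (<len>)".
# Response lines carry "n/n/n" counts instead of "<QTYPE>?" and do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"\d+[+%]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)\s*$"
)


def parse_queries(capture_text):
    """Yield (time, client_ip, qtype, qname) for every DNS query line."""
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m is None:
            continue  # DNS responses and anything that is not a query
        client_ip = m.group("src").rsplit(".", 1)[0]      # drop source port
        qname = m.group("qname").rstrip(".").lower()      # DNS names are case-insensitive
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S").time()
        yield ts, client_ip, m.group("qtype"), qname


def is_watched(qname, watched=WATCHED_HOSTS):
    """True for a watched host or any name underneath it."""
    return any(qname == h or qname.endswith("." + h) for h in watched)


def lookups_around_opt_out(capture_text, opt_out_at):
    """Split lookups of watched hosts into those before and after the opt-out.

    opt_out_at is the wall-clock time (HH:MM:SS) at which 'Include online
    search results' was switched off during the capture.
    """
    cutoff = datetime.strptime(opt_out_at, "%H:%M:%S").time()
    result = {"before": [], "after": []}
    for ts, client, qtype, qname in parse_queries(capture_text):
        if not is_watched(qname):
            continue
        bucket = "after" if ts >= cutoff else "before"
        result[bucket].append((ts.isoformat(), client, qtype, qname))
    return result


if __name__ == "__main__":
    report = lookups_around_opt_out(SAMPLE_CAPTURE, "10:03:00")
    print("lookups before opt-out:", len(report["before"]))
    print("lookups after opt-out: ", len(report["after"]))
    for entry in report["after"]:
        print("  still resolving:", entry)
```

A cached DNS answer produces no new query, so an empty `after` list is a hint rather than proof; capturing connections to the resolved address as well closes that gap.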

The definition of Anonymous
made or done by someone unknown. not named or identified
The search may be anonymized by Canonical before it’s sent to any third parties, however Canonical still knows (or has the ability to know) who and what you are searching for.

Expected responses
1. It can be turned off. Yes, we know….
2. This information is only handed over when legally required. Except, as we have seen post Snowden, the legal requirements are vague, issued by secret courts, served with gag orders, and occur sometimes with a rubber stamp.
3. It can be turned off. Yes, we know…
4. FUD. I don’t think so.

I’m interested in your comments.

Related Links:
Richard Stallman: Canonical will be forced to hand over data to various governments
RMS Speaks Out Against Ubuntu
Amazon search results in the Dash

 

  • Jim

    Doesn’t the following imply they (Canonical) still gets the searched text even if you disable it and they simply don’t pass it on? Maybe it is just a context issue.

    “You may restrict your dash so that we don’t send searches to third parties and you don’t receive online search results.”

    • http://www.mhall119.com/ Michael Hall

      If you disable Smart Scopes then nothing is sent to Canonical, and you won’t use anything but the “default, local” scopes unless you explicitly enable them for each search you make.

  • Santosh

    Jim, that’d be a serious violation of good faith if so. Turning off the online feature of dash implies on good faith that your search never leaves your local machine, not that Canonical still receives it but simply sits on it.

    • dholbach

      You can very easily analyse the traffic that leaves your machine if you don’t believe the engineers working on Unity, or read the code that runs on your machine – it’s all open source.

      • http://benjaminkerensa.com/ Benjamin Kerensa

        How long does Canonical retain server logs with users IP’s, Queries and other tidbits that result from them searching in the dash? This is not covered in Canonical’s privacy policy.

        • http://www.mhall119.com/ Michael Hall

          It is kept only as long as UK law requires, whatever that happens to be currently I don’t know.

          • http://benjaminkerensa.com/ Benjamin Kerensa

            UK law does not require retention of logs for a service like searching on a desktop. The European Union’s Data Retention Directive which is the only retention law covering the UK only requires retention of E-mail and Phone Call Data and it only applies to Telcos and ISP’s.

            Are you just making assumptions now? Also why was it when this originally came out and was discussed on the air that Jono said Canonical did not keep logs at all then a blog post later clarified that logs were kept http://www.jonobacon.org/2012/09/25/more-information-about-online-dash-search-privacy/

            and now you’re saying they are kept only as UK law requires when in fact UK law does not require considering this kind of a feature is new and not something covered by any localities.

            If anything both EU and UK law has strong privacy protections and limits the kind of data that can be retained.

          • http://www.mhall119.com/ Michael Hall

            I am not a lawyer, and neither are you. I asked how long our HTTP logs were stored and that was the answer I was given. If you don’t like my answer, you can ask for yourself.

            There was initially some confusion about what was being discussed when it came to data retention. The Smart Scope Service and its database do not store IP address information, or any other user-identifiable information, and that was what was initially being discussed in the live hangout where Smart Scopes were introduced. What this didn’t cover was the HTTPD logs that are produced by the Apache servers that sit in front of the Smart Scope Service, which are separate from the Smart Scopes Server data, but which do contain the user’s IP address.

            It is these Apache server logs, which record web access to Canonical’s servers, which are being retained under UK law. As far as I am aware, these logs contain the user’s IP address and access date&time, but not the content of the query itself.

          • Carsten Agger

            I don’t understand this. Like Benjamin, I don’t think UK law requires you to store such HTTPD logs for a service as specialized as a desktop service.

            And if it doesn’t, Canonical would seem to be overreaching by storing them for the authorities (storing them for its own data analysis is of course a different matter, but even then the IP addresses might be cleared after a while).

            As for opt-in vs opt-out: Defaults are powerful. As everyone who studies users’ behaviour knows, the vast majority of users leave all settings at their defaults without thinking about it. This means that Ubuntu is delivered with a default setting that violates the vast majority of users’ privacy without telling them and without their knowing. All behavioural research supports this thesis on the power of defaults.

            I strongly feel that the default should be changed to opt-in (which would solve the problem as far as I’m concerned) and I also strongly feel that Ubuntu is tarnishing its brand and making it difficult for free software advocates like myself to recommend it to anyone. And that’s sad, because there’s so many good forces behind it, and I spent several years advocating it.

          • Carsten Agger

            It now occurs to me that one way to do it might be to ask the user doing the installation process.

            The user might be informed that it’s possible to opt-in to Amazon search result (or to the whole concept of online Dash searches), that enabling it will help Canonical, and that it’s always possible to opt-out, with a link to the privacy policy.

            That would be true opt-in AND still give Canonical the numbers to actually make money from this (which is, I imagine, why the functionality is currently opt-out).

          • http://www.mhall119.com/ Michael Hall

            How many Windows users do you think have seen the Windows install process? Any option there would be missed by a large majority of Ubuntu users.

            And as you pointed out, the defaults are usually not changed. It makes no sense for us to develop these Smart Scopes and other enhancements to the desktop user experience, only to leave them off for the majority of users. Any feature worth developing is worth enabling by default.

          • http://www.mhall119.com/ Michael Hall

            Just to add, the purpose of the Amazon scope wasn’t to make money for Canonical, Amazon’s referral fees are ridiculously small. The purpose was to start building the infrastructure for 100 scopes/smart scopes that would allow a wider mix[1] of online and offline results in the dash. Nearly all of the current online scopes provide no possible revenue, either for Canonical or the online source itself. This is and always was about improving the desktop experience for the user.

            [1] We already had a mix of online and offline search in the Music and Photos lenses, well before the Amazon search was added to the Home lens.

          • Carsten Agger

            This is all well and good, but when you can ask people if they want to install extra codecs etc during the installation process, you could do the same for online search at first boot of a default user’s setup.

            I don’t see why you’d want to violate users’ trust by enabling online search by default without asking.

          • Carsten Agger

            Not if it has serious privacy issues, and it does. If I search something on Google, I expect my computer to contact Google over the Internet – I chose to do so.

            But if I use my desktop to locate a file on my own computer, I don’t expect my search to be broadcast over the Internet unless I specifically want it to. I.e., this violates the users’ good faith if it’s enabled by default.

            And desktop searches might be, e.g., of certain phrases in private letters. They are almost by definition highly sensitive. I stand by my statement that Canonical is tarnishing Ubuntu’s reputation and making it difficult for long-term supporters (my own first advocacy blog post on Ubuntu was in 2005, http://www.modspil.dk/itogtech/ubuntu___linux_made_easy.html) to hang on. I think the path taken is ill-advised.

  • http://gkn.me.uk Greg K Nicholson

    The only way to know for sure is to see the server’s source code. Unfortunately, the server is closed-source, so it comes down to whether you trust Canonical.

    • http://www.mhall119.com/ Michael Hall

      It would come down to that even if you did have the source code, because you wouldn’t have access to the server running it.

      • http://gkn.me.uk Greg K Nicholson

        True. However, you’d also be able to replace the server software with your own server (or choose to trust some other server).

        Any good-faith mistake in the server code would be easier to find with more eyes. You could choose to appoint (and trust) anyone you wish to security-review the code.

        • http://www.mhall119.com/ Michael Hall

          You can make your own server software already, the wire protocol is reasonably well documented here: https://wiki.ubuntu.com/SmartScopes1304Spec#The_Smart_Scopes_service_and_API

          • http://www.facebook.com/joerlend.schinstad Jo-Erlend Schinstad

            It’s still difficult to understand where thumbnails come from. Do I get an URL that I connect to in order to download image from a third-party server, such as amazon.com? Because in that case, I’m still telling them my IP, and my search query can still be guessed.

          • http://www.mhall119.com/ Michael Hall

            You get a URL to Canonical’s servers with a parameter telling our servers where to get the image from. The image goes through us, so your IP never reaches the 3rd party

  • terryinindy

    S’ok. Kinda gave up on Ubuntu, not nearly as “user friendly” as claimed and the more “advanced” they make it, the more buggy it runs on an older machine (that was until recently quite happy running Windows 7).
    Went to Mint instead.

  • Pingback: Ubuntu Dash Search Is Still Not Anonymous - Benjamin Kerensa dot Com

  • http://benjaminkerensa.com/ Benjamin Kerensa

    Great post Nathan…. This deserves a plug!

  • Jamie Pietarinen

    I don’t understand what the big deal is. There is a way of turning it off. I’m fine with it on and welcome the additional functionality it provides. I want additional integrated services on my devices!

  • Pedro Tancredo

    I just can’t see how it’s different from searching on google or any other online engine

    • Stefanauss

      Mainly one: you won’t be searching for your local file on Google. Instead, you would probably use the Unity function paired with the Zeitgeist backend that lets you (quite efficiently, actually) search through recent and local files. And even that string is sent to Canonical.

      My only gripe with this is that Canonical still doesn’t let you fine-tune which scopes have access to online services and which don’t. There’s nothing technical to prevent such a thing, and the related settings would be simple enough.

      • http://www.mhall119.com/ Michael Hall

        You can enable or disable scopes individually, right from within the Dash itself.

        • Stefanauss

          https://bugs.launchpad.net/unity-lens-applications/+bug/1198554

          Are you referring to this?

          I’m on Ubuntu 13.04, am I out of luck?

          • http://www.mhall119.com/ Michael Hall

            You’re not out of luck, you just need to upgrade :)

          • Stefanauss

            Ok, thank you, I’m sorry I wasn’t aware of this development. :)
            Last question: does this include the home lens as well? Will you be able to include/exclude what kind of sources are included in the result of the Home lens, including Amazon results?

          • http://www.mhall119.com/ Michael Hall

            It’s up to the scope whether it displays in the home lens or not, but if you disable the Amazon scope it will be called anywhere

          • http://www.facebook.com/joerlend.schinstad Jo-Erlend Schinstad

            Ehm. “It will be called anywhere”? :)

          • http://www.mhall119.com/ Michael Hall

            Sorry, should have been “not called anywhere”, fixed now

        • http://benjaminkerensa.com/ Benjamin Kerensa

          Or you could just you know give people their privacy which is the choice to enable such a feature if they want it.

          • http://www.mhall119.com/ Michael Hall

            Users have all kinds of choices, don’t confuse disagreement on default values with lack of choice.

          • http://benjaminkerensa.com/ Benjamin Kerensa

            Does Canonical even have a person who heads up privacy? Mozilla does and considers features that share data and require opt-out to be a lack of privacy and user choice.

            This is why Mozilla does not enable anonymous sharing of browser statistics by default.

            There are a lot of privacy articles that assert the same from professors and lawyers and I would encourage you to have a look. Santa Clara University and Harvard Law have some nice ones.

          • http://www.mhall119.com/ Michael Hall

            Good for Mozilla

          • http://benjaminkerensa.com/ Benjamin Kerensa

            It’s not just Mozilla who cares about user privacy and choice and unfortunately your response seems to suggest that Canonical does not care.

            I mean if Canonical cared they would be using privacy best practices and would care that groups like the EFF and FSF consider their software to violate user privacy.

            The disregard for user privacy and choice is quite saddening.

          • http://www.mhall119.com/ Michael Hall

            The fact that we don’t do the same things that “Mozilla does”, doesn’t mean we don’t care about the same things Mozilla cares about. Canonical is not Mozilla, and Ubuntu is not a Mozilla product, we are different and we do things different, and there’s nothing wrong with that.

          • http://benjaminkerensa.com/ Benjamin Kerensa

            Seems like you are dancing around the fact that users are not given choice to opt-in but instead must disable a feature which violates their privacy.

            It’s not about doing the same thing as Mozilla but instead following the same sound privacy respecting principles. These are not principles that Mozilla created but instead industry driven best practices.

          • http://www.mhall119.com/ Michael Hall

            “users are not given choice to opt-in”

            Users have full choice, they can fine-tune it to exactly their liking. They can disable any individual scopes they want. They can enable any individual scope they want. They can install scopes, even those provided by 3rd parties. They can uninstall scopes, even those provided by Canonical. They can disable sending queries to the Smart Scope Server. They can enable sending queries to the Smart Scope Server. They can activate additional scopes when using the Smart Scope Server. They can deactivate additional scopes when using the Smart Scope Server. They can activate local scopes when not using the Smart Scope Server. They can deactivate local scopes when not using the Smart Scope Server.

            Our users can choose from *every* possible combination of scopes or not scopes, all with very little effort.

          • http://benjaminkerensa.com/ Benjamin Kerensa

            After the fact yes they can choose. If they are unaware about the way the home portion of the dash now works then their queries will be sent by default.

            This is not a good practice and as has been suggested even by at least one core developer Canonical could be diligent by adding a notice in the installer but chose not to keep users informed.

          • http://www.mhall119.com/ Michael Hall

            A notice in the installer would be inadequate for reasons that have previously been discussed

          • http://benjaminkerensa.com/ Benjamin Kerensa

            Yep and a small desktop notification upon install or upgrade would also be inadequate or would it just be that more people would disable it?

            Why doesn’t Canonical survey users as to how many use it?

          • http://www.mhall119.com/ Michael Hall

            We ran an initiative to get user feedback a couple weeks ago. If I recall correctly you blogged very negatively about the idea back then, though your post on the topic appears to have been taken down.

          • http://benjaminkerensa.com/ Benjamin Kerensa

            The user feedback is not geared at important topics like whether current features are useful but instead is geared towards future features.

            If I remember correctly when the scope feature was implemented the design team used non-community members to test it. Also in the past Canonical has used Windows and Mac users for testing the desktop.

            I do not think the feedback initiative is serious in nature. If you wanted serious feedback you could add a link to the shutdown menu on the desktop and have a general feedback form much like other open source projects add to their applications.

            And yes the blog post was taken down because people from your team left angry blog posts and fanboys started spamming and insulting.

          • http://www.mhall119.com/ Michael Hall

            The scopes feature dates back to the origins of Unity itself, when they were called “Places”. I wasn’t working at Canonical at the time, so I have no idea what was being done.

          • me

            I just suggested a compromise that could solve the issue: https://bugs.launchpad.net/dash-privacy-interface/+bug/1245908

            I would be very interested in what you or Michael think about this approach.

          • Joel Hruska

            The reason Canonical won’t turn this off is because of the well-known psychological tendency: We select default behavior.

            http://faculty.chicagobooth.edu/emir.kamenica/documents/behavioralIncentives.pdf

            If you want something to be common, make it default.

          • DenjinJ

            That’s great for people who already know the ins and outs of an OS they just installed before they see it for the first time. For the others who have to figure it out because it’s brand new, I don’t believe you offer a way to not have searched for what they searched for before they figured out how to disable the feature? That’s why opt-in is essential – especially for a tool that’s necessary to find most of the apps on the system!

    • Pedro Tancredo

      Doesn’t Win8.1 have a similar feature?

      • http://benjaminkerensa.com/ Benjamin Kerensa

        By default no.

        • Joel Hruska

          In Win 8.1, this behavior defaults to on. You have to turn it off.

      • https://www.youtube.com/user/fatriff Fatriff

        Well I’d imagine Win 8.whatever is much worse since you can’t even log in without it connecting to MS servers.

    • http://benjaminkerensa.com/ Benjamin Kerensa

      Because if you search on a website your expectation is that you are searching on the web. While on your desktop the expectancy is it is private.

  • Schwejk

    I’ve been using 13.10 for a couple of months now, and I like the new smart scopes a lot. Some people say this feature should be opt in at best. I feel that Unity as an interface really starts to shine now with this tight integration of global and local search. In my opinion it simply makes no sense at all to have the feature that is arguably one of the most useful ones in Unity turned off by default. I guess my stance is if one doesn’t like the interaction model proposed by Unity, one would probably be better served by choosing a different DE. It’s not like there aren’t enough options out there.

  • http://salmanpk.com/ salman

    that’s why I always real linux geeks hate Unity