The perils of desktop tracking [LWN.net]

By Jonathan Corbet
April 18, 2012

One of the first things most of us learn about computers is that they are not particularly smart; they only do the things that they have been told to do. Sometimes telling a computer to do something can be a long and repetitive process, bringing into question the benefits of the whole exercise. As developers work to improve the experience of using computers, they find themselves trying to enable those computers to make more educated guesses about what the user may want to do. The technology to make those guesses is improving, but it brings risks as well as benefits. How much do we really want our computers to know - and tell - about what we are doing?

The Zeitgeist project aims to make desktop systems more helpful by keeping close track of what the user has been doing. Its developers describe it this way:

Zeitgeist is a service which logs the [user's] activities and events, anywhere from files opened to websites visited and conversations, and makes this information readily available for other applications to use.

Zeitgeist is ostensibly independent of any specific desktop, but it seems to be driven more from the GNOME side of the house than any other. The fact that it has recently been entirely rewritten in the Vala language and proposed as an official GNOME module tend to reinforce that impression. Canonical has been putting in some of the development effort and Unity makes use of Zeitgeist. Tools like the GNOME Activity Journal also obtain information from Zeitgeist.

The Zeitgeist use cases page makes it clear that the plan is to create a comprehensive mechanism for the tracking, analysis, and sharing of user activity. Some examples include:

Tim and Joe are doing research on dinosaurs for a school project. They both set their browser activities to shared and always know what pages the other one is looking at. Using IM they can easily talk about them without having to exchange links.

Daniel was at a conference a week ago and wants to remember what computer resources (files, websites, contacts, etc.) he used there. He opens the Journal, sets up a location filter and thanks to geolocation data gets a list of everything he wants.

Undoubtedly there are a lot of useful things that can be done with this kind of tracking data. But there is also a possible down side; what happens if a detailed log of a user's activities gets into the wrong hands? The Zeitgeist "about" page has a rather unsatisfactory response to this concern: don't run untrusted applications on your system. Certainly that is good advice, but it also misses part of the point.

One can easily imagine an untrusting employer routinely examining the activity logs on all of its computers; it would be a shame, after all, if an employee were to be doing something unproductive on the job. This kind of information would be even more useful to governments that, for good reasons or bad, seek to know what somebody has been up to. The activity log could be a gold mine for inquisitive spouses, concerned parents, or curious roommates. This log could also open up a victim's life to any sort of successful malware attack. The advice to avoid running untrusted applications really only addresses the last of those concerns, and it is a partial response at best.

A somewhat improved response can be seen in this post from Zeitgeist developer Seif Lotfy. He has been working on the Vala port of the "activity log manager" (ALM), a tool for controlling the information tracked by Zeitgeist. Using ALM, it is possible to configure the system to forget events after a specific period of time - or to disable logging entirely. It is also possible to turn off logging involving specific types of files (videos or email messages, say), directories, or applications. After a proper bit of configuration, one's boss can see that flurry of spreadsheet activity but will remain unaware of all the time spent in a web browser.

This kind of configurability is a step in the right direction, but it is still a partial response at best. There will undoubtedly be legions of users who are unaware that this logging is happening at all; they are unlikely to find the utility to fine-tune that logging. Even users who want the functionality provided by this logging may find themselves reconsidering after their activity is exposed to the wrong person.

For a certain class of user, the answer will be to simply turn off features like Zeitgeist altogether - once they become aware of such features. But even the most paranoid among us find ourselves, at times, wishing that our computers were a little smarter in their interaction with us. Many (probably most) of us want the computer to understand how we work and to make that work easier and less repetitive. So, increasingly, those computers will observe what we do and build their own models of who we are and how we work. Progress toward the creation of those models appears to be outpacing the work to protect them; experience suggests that this problem will only be addressed after some people have learned about the issue the hard way.

(Log in to post comments)

The perils of desktop tracking

Posted Apr 19, 2012 11:51 UTC (Thu) by drag (subscriber, #31333) [Link]

> Thank you for the great article and for drawing attention to the fact that Zeitgeist is being pushed down without that much thought about its downsides (i.e. even more collected private data sitting in one's computer) or whether most people actually need that.

I think that the downsides to having data collection software is fairly self-evident. I also think that people brought up the downsides the first time Zeitgeist was announced a couple years ago.

I hope that everybody keeps in mind that if a attacker wants to gather information on your Linux desktop activities there exists almost nothing to stop him if he is able to get into your user account. Zeitgeist may simplify things a bit, but only slightly. Not having it running or installed isn't really going to help you out much against malicious software tracking you, recording your activities, and finding historical data.

If the Linux desktop was secure against malicious or untrusted software then having Zeitgeist wouldn't be much of a problem, since it would be a simple thing to lock it's data away from prying eyes.

(although this is a bit of a stretch:) In the long run it may end up making things easier to secure because instead of having browsers and other applications keep track of their histories in various databases throughout your home directory then they can depend on Zeitgeist to keep track of it for them and thus you can harden your historical databases easier.

I am not saying that turning it off or not wanting it installed is a perfectly valid desire. It certainly is. So don't misunderstand me here. It's something that needs to be really thought out well before pushing it on everybody by default.

On a side note:
http://gurgeh.github.com/selfspy/

All sorts of fun stuff like that exist I suppose. If employers want to spy on employees on machines owned and operated by the employers I expect that there exists ample opportunity and lots of potential for software to allow that. Same as malicious software on vulnerable Linux desktops.

The perils of desktop tracking

Posted Apr 19, 2012 12:40 UTC (Thu) by nix (subscriber, #2304) [Link]

zeitgeist is terribly GNOME-specific and doesn't look too useful. But selfspy, ooooh. Modern disks are more than big enough to store every single key you press for your entire lifespan if you did nothing but type at top speed, so storing this for later analysis (by *you*, nobody else) seems incredibly useful.

The perils of desktop tracking

Posted Apr 19, 2012 12:44 UTC (Thu) by drag (subscriber, #31333) [Link]

yes. It's very interesting. Haven't had a chance to check it out yet, though. :(

The perils of desktop tracking

Posted Apr 19, 2012 13:26 UTC (Thu) by fuhchee (guest, #40059) [Link]

"storing [keystrokes] for later analysis [...] seems incredibly useful."

What sorts of incredible uses can you envision from this data?

The perils of desktop tracking

Posted Apr 19, 2012 14:14 UTC (Thu) by fb (subscriber, #53265) [Link]

>> "storing [keystrokes] for later analysis [...] seems incredibly useful."

> What sorts of incredible uses can you envision from this data?

I also can't see the point of it. Myself, I save all the keystrokes I care about inside 'files'.

The perils of desktop tracking

Posted Apr 19, 2012 16:05 UTC (Thu) by drag (subscriber, #31333) [Link]

Instead of saving what you remembered you wanted to save, it just saves everything.

I wouldn't mind a computer with photographic memory and instant recall. My PC nowadays is more or less just a overgrown terminal for most things I do nowadays anyways.

The perils of desktop tracking

Posted Apr 19, 2012 20:03 UTC (Thu) by fuhchee (guest, #40059) [Link]

"Instead of saving what you remembered you wanted to save, it just saves everything."

I'd love to have one with systemic undo capabilities, but that would need more than just keystroke recording.

The perils of desktop tracking

Posted Apr 20, 2012 8:42 UTC (Fri) by fb (subscriber, #53265) [Link]

> Instead of saving what you remembered you wanted to save, it just saves everything.

As I am sure you know, there is no point in having all the data in the planet if you can't make sense of it.

> I wouldn't mind a computer with photographic memory and instant recall. My PC nowadays is more or less just a overgrown terminal for most things I do nowadays anyways.

For me the 'best' current balance for (i) 'photographic memory', (ii) synchronization (between the 4 computers I use routinely -- make it 5 if you include the smart-phone), (iii) and keeping only relevant data is:

- GMail for mail and contacts
- Google Calendar
- RememberTheMilk for sharing notes with my boss (aka 'wife')

For managing/remembering/synchronizing/versioning anything else I just use Git and private repos at GitHub.

Actually the one thing I still need to improve is actually doing some form of 'transparent / easy' encryption so that I can also push sensitive data into GitHub (e.g. my Git 'tax info' repository).

The perils of desktop tracking

Posted Apr 19, 2012 19:11 UTC (Thu) by davide.del.vento (guest, #59196) [Link]

Time tracker?

The perils of desktop tracking

Posted Apr 20, 2012 8:20 UTC (Fri) by jezuch (subscriber, #52988) [Link]

> What sorts of incredible uses can you envision from this data?

http://www.ted.com/talks/jer_thorp_make_data_more_human.html (For a quasi-related example. You may see only a big blob of useless data and potential privacy risk; this guy sees much, much more.)

The perils of desktop tracking

Posted Apr 20, 2012 16:05 UTC (Fri) by nix (subscriber, #2304) [Link]

A substitute for a crappy memory, keyed by time and searchable. "I know I typed something about $foo last Thursday in the afternoon but I have no idea where I typed it.'

The perils of desktop tracking

Posted Apr 25, 2012 8:38 UTC (Wed) by man_ls (subscriber, #15091) [Link]

One possible use is for awesome blog posts.

The perils of desktop tracking

Posted Apr 19, 2012 23:07 UTC (Thu) by seif (subscriber, #73692) [Link]

---
(although this is a bit of a stretch:) In the long run it may end up making things easier to secure because instead of having browsers and other applications keep track of their histories in various databases throughout your home directory then they can depend on Zeitgeist to keep track of it for them and thus you can harden your historical databases easier.
---

Exactly my point. Having history at a central location and having a central tool to disable logging completely or partially should be considered as an improvement of the user security. The trick is to make the user aware of such options.

The perils of desktop tracking

Posted Apr 21, 2012 4:46 UTC (Sat) by sitaram (subscriber, #5959) [Link]

> Zeitgeist may simplify things a bit, but only slightly. Not having it running or installed isn't really going to help you out much against malicious software tracking you, recording your activities, and finding historical data.

Sorry but I'm not buying this. Zeitgeist makes it possible for malware that came in *later* to find everything that happened *already*.

I may go to a conference where I realise a few minutes after logging in that I am on an untrusted network or whatever. I quickly shutdown and stop using it (or switch to a live USB), till I can go home and clean up.

Without ZG the malware has those few minutes to trawl my $HOME and get whatever it can out of the mess there. With ZG it knows what is important to me, and can find it faster and pull only that out much more efficiently.

ZG gives me *yet* another reason to avoid Ubuntu.

Thank God for Fedora.

The perils of desktop tracking

Posted Apr 19, 2012 23:04 UTC (Thu) by seif (subscriber, #73692) [Link]

FWIW the activity log manager now is shipped with Ubuntu per default and can be found by just searching for privacy in the unity dash or settings manager. We are open for other ways of exposing the non-logging functionality. I was thinking for example exposing it during installation of Ubuntu and ask the user if he wants his activities to be logged or not. And the benefits and downsides.

The perils of desktop tracking

Posted Apr 26, 2012 5:20 UTC (Thu) by steffen780 (guest, #68142) [Link]

I think asking for this during install or after first boot is a very, very good idea. 100 bonus points if that also includes handling e.g. browser history and IM logging. It doesn't have to be complicated (to the user), just over the usual 4 options:
- Max logging
- Default (14 or 30 days browser history, no Zeitgeist)
- No logging
- Custom

I think the various smartphone and facebook scandals might be leading to increased awareness by normal users such as those targeted by Ubuntu.