Ubuntu, non-advertisements, and spyware

By Jonathan Corbet
December 12, 2012
Canonical's plan to raise revenue by advertising products sold by Amazon to Ubuntu users has been the source of persistent grumbles across the net for a few months. The volume of that grumbling increased considerably on December 7, though, when Richard Stallman criticized the company for this practice. In turn, Richard has been criticized as "childish" or as one trying to force his own morals on others. In truth, this situation brings forward a number of questions on how to pay for free software development and how users can "pay" for a free-of-charge service.

The service in question is tied to the Ubuntu "Dash" application that, in a default installation, is the user's window into the system as a whole. Both applications and local files can be found by way of a dash search. In the 12.10 release, the dash can be hooked into online service accounts, meaning that a search can find documents in network folders, web-hosted photographs, and more. There are potential privacy issues associated with such searches, of course, but these searches should only happen if the user has provided his or her login information to the Ubuntu system. It is an opt-in situation.

[Dash search results] The Amazon searches are another story, though. By default, searches that would otherwise be local are reported back to an Ubuntu server, which then employs the user's search terms to locate products on Amazon that the user might just want to buy. The results are sent back to the user's system, which then proceeds to load the associated product images directly from Amazon and do its best to inspire a bit of retail activity — with Canonical getting a cut of the proceeds, naturally. See the image to the right for an example; the results can be surprisingly diverse.

Back in September, Canonical founder Mark Shuttleworth defended this behavior, claiming that the retail offers from Amazon "are not ads, they are results to your search." The idea that these results are not advertisements is justified by saying that there is no payment for their placement; the fact that Canonical only gets paid when a purchase is made apparently changes the situation somehow. But the real concern is not the obnoxiousness of being not-advertised at; it is the privacy implications. Mark addressed that worry this way:

> We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root. You do trust us with your data already.

One can certainly argue that Mark has a point; if one does not trust Canonical, installing an operating system provided by Canonical would appear to be counterindicated. But he has also glossed over a couple of important issues:

  • The loading of images directly from Amazon will have the effect of associating searches with specific IP addresses. There is a reasonable chance that the user might connect directly to Amazon's web site at some point, enabling Amazon to associate searches and customers. Canonical may be reserving the search strings, but there is still a fair amount of information being leaked.

  • Canonical's "terms of service" allow it to send search terms to "selected third parties." Likely as not, those searches are also being archived — the terms allow both Canonical and the "selected third parties" to store the information. That gives Canonical (and others) a database of what their users are trying to find on their own computers. Even if Canonical flat-out refuses to exploit that database, and even if Canonical has somehow managed to put together a truly secure infrastructure for the management of that data, and even if all the "selected third parties" are somehow equally as virtuous, the simple fact is that such databases constitute attractive nuisances for governments. If that data exists, it will be subpoenaed and otherwise rifled through by the authorities.

Given those little problems, it seems possible that those who are concerned about the behavior of the Ubuntu Dash are not just in the thrall of unreasonable paranoia. Maybe, just maybe, there is a reason for more sober minds to be at least minimally concerned about what their operating system is telling others about them.

Richard Stallman's broadside was arguably neither sober nor minimally concerned; he called Ubuntu's code "spyware," described it as a violation of the user's privacy, and called for a boycott of Ubuntu in general. To do any less, he said, would be to legitimize this sort of "abuse" of Ubuntu's users and damage the good name of free software in general. And, besides, Ubuntu recommends non-free software and Richard, naturally, doesn't like that either.

It is not uncommon for people to disagree with Richard's missives; that was certainly the case this time around. Ubuntu community manager Jono Bacon fired back, describing Richard's views as "childish" and "FUD" (he has since apologized for the "childish" part). Phillip Van Hoof described Canonical's approach as simply "another ethic" and also tossed out the "childish" epithet. Richard's posting, it seems, was seen as a sort of tantrum.

One can agree with Richard or not (your editor often does not), but dismissing his concerns over the treatment of users' private data seems uncalled for. We as a community need to (continue to) have a discussion about a couple of related issues: how can we pay for free software development at all levels of the stack, and how do we guarantee our users' rights as the pendulum continues to swing toward centralized, highly-connected computing?

Whether or not one likes Canonical's specific approach, one has to give the company credit for trying to improve Linux and make it more attractive to a wide range of users. Ubuntu has raised the bar for usability for all distributions and, arguably, has brought Linux into settings where it was not used before. In the process, a lot of money has been spent and a lot of free software developers have been employed. That money needs to come from somewhere; even Mark's personal fortune will not sustain it forever. So Canonical needs to gain revenue from somewhere.

In these web-centric days, revenue seems to come from two sources: from the users directly, or from advertisements. Canonical has been trying both approaches in various ways. If the Amazon non-advertisements approach yields real revenue for Canonical, it would be hard not to conclude that some users, at least, are happy to be informed about how Amazon might have what they appear to be looking for. If nobody likes the feature, it will presumably go away. So, arguably, the real question is whether this behavior should be enabled by default (though Richard dislikes it even as an opt-in service). It is, it could be said, an easy way for users to help fund the creation of their distribution.

The counterpoint, obviously, is that Canonical's business model challenges are not anybody else's problem and that trying to resolve those challenges through the sale of users' private information is not appropriate. Perhaps that is true, but one can also certainly suggest that those wanting to have access to Ubuntu free of charge and who do not want to be a part of this kind of scheme could come up with a better idea for how the company should fund its operations.

In general, the proliferation of centralized network services presents a long list of privacy and freedom concerns. It often seems that many of the companies involved are fighting to control how we interact with the rest of the digital world. Systems that are built to be an intermediary between a user and networked services arguably fall into that category as well. One could easily point at recent Ubuntu distributions — nicely equipped to collect login credentials and intermediate between the user and multiple services — as an example of this type of system. But one could say the same about, say, an Android handset. As is so often the case, convenience encourages people to give up information that, otherwise, they would prefer to keep to themselves. The success of many privacy-compromising services demonstrates that clearly.

Members of the free software community like to think that, among other things, they are building systems that are designed to safeguard the interests of their users rather than those of some third party. Most of the time, that turns out to be true. Sometimes we find surprises — software that phones home with user information or otherwise fails to properly respect its users; such software tends to get fixed quickly, often by distributors before users ever encounter it. But software freedom is no guarantee of absence of user-hostile behavior; we still need to pay attention to what is going on. That is doubly true for software from any distributor (since distributors are in a position of special trust) or from company-controlled projects.

Whether the behavior of the Ubuntu Dash is user-hostile seems to be at least partly in the eyes of the beholder. Certainly it would have been more respectful to ask the user whether this behavior was desired before communicating back to the mothership. In this case, at least, the behavior is not hidden and is easily disabled at multiple levels (see this EFF posting from October for more details on how this service works and how to turn it off). The next example of questionable behavior may be more subtle and harder to detect; free software does not free us from the need to be vigilant.



Ubuntu, non-advertisements, and spyware

Posted Dec 13, 2012 4:29 UTC (Thu) by pr1268 (subscriber, #24648) [Link]

The last sentence in our editor's article was very well said. Of course, as Free Software gains traction in all levels of computing, there'll be lots more people/organizations/companies trying to monetize/profit from FLOSS, but perhaps I'm just restating what our editor described.

I'm gonna have to get the latest Ubuntu, run Dash, and then search for "vib" just so I can find out what other kinky items the search may turn up! (Sorry, I just had to share an uproarious laughter moment.)

Ubuntu, non-advertisements, and spyware

Posted Dec 14, 2012 13:33 UTC (Fri) by simosx (subscriber, #24338) [Link]

Trying to run any of those old Xlib apps would make your session NSFW.

Seriously, I think this is an issue for slow typists, who type a letter at a time and confuse the partial searching.

Ubuntu, non-advertisements, and spyware

Posted Dec 13, 2012 9:22 UTC (Thu) by hummassa (subscriber, #307) [Link]

What baffles me about this whole thing is that the supposedly user-hostile behaviour is easily turned off, isn't it?

The defense team sometimes overreach, too: "not an ad?". It would be more honest to me if Shuttleworth just said:

"Hi. Amazon was so kind as to strike a contract with us, and we will search Amazon online when you do a dash search. Yes, there would be ads for products selling from Amazon, but they are nice guys, and the money will help us make Ubuntu a better OS. If you are concerned with privacy issues, turn it off by doing so and so. We rather prefer that you didn't, because, you know, we have to eat too, but ok!"

Ubuntu, non-advertisements, and spyware

Posted Dec 13, 2012 9:54 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

The privacy implications could be reduced by making everything go through Ubuntu's servers and only letting them communicate with Amazon and other third parties, and by Ubuntu agreeing not to save search results.

Personally I prefer not to see shopping results for unrelated things when I open a terminal (it is in effect highly non-targeted advertising, presumably on the off-chance that something Amazon sells with "ter" in the name will interest me). I could see some interest in it if they anonymised the searches as above and only did them when I explicitly asked for one - in effect that would let me search on Amazon without Amazon knowing about the details except for what I actually choose to buy, which would be genuine added value.

Ubuntu, non-advertisements, and spyware

Posted Dec 18, 2012 5:43 UTC (Tue) by gutschke (subscriber, #27910) [Link]

Your comment is sending somewhat mixed messages.

On the one hand you are complaining that the searches done through Dash are insufficiently targeted.

On the other hand you suggest that Ubuntu should anonymize queries.

This is somewhat contradictory. Anonymized queries generally suffer from being poorly targeted. The more the search engine knows about you, the better it can target its search results. So, in an ideal world, the search engine should have a pretty good profile about you, your interests, and your activities.

At the very least, it should probably know whether you are currently performing a commercial query, or whether you are just looking for a local file. IMHO, this is the biggest shortcoming in using something like Dash to do searches.

And of course, there is always a very legitimate concern that the search engine should also preserve your privacy.

Striking a good balance can be quite challenging.

Ubuntu, non-advertisements, and spyware

Posted Dec 20, 2012 12:17 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

gutschke wrote on Dec 18:
> On the one hand you are complaining that the searches done through Dash are insufficiently targeted.
>
> On the other hand you suggest that Ubuntu should anonymize queries.
[...]
> Striking a good balance can be quite challenging.

I think that this circle can be squared though. By having separate "search on hard disk" and "search on Amazon" functions, Ubuntu can target the searches enough to make me happy - namely that hard disk searches do not show Amazon results - without having to contact Amazon's servers, or indeed Canonical's, at all.

Ubuntu, non-advertisements, and spyware

Posted Dec 23, 2012 16:38 UTC (Sun) by markshuttle (subscriber, #22379) [Link]

Well, exactly. And you'll find Super-F searches on-disk files exclusively. The dash has had a network component to many searches from the start - notably in the music and video lenses, for example. It was including Amazon in the Home search that sent RMS into apoplexy. Perhaps he has an issue with Amazon at large.

At the end of the day, the core issue is a user experience one. What does the average user want when they search "everything"? We think that is undoubtedly an expanding set, that will include, well, everything. RMS and others feel that the user should specify that exactly, search for search. We feel that will lead to an EMACS style user experience ;)

Ubuntu, non-advertisements, and spyware

Posted Dec 23, 2012 17:18 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

Can you simply make a dialog that asks users "Your search is going to be sent to Amazon, do you want to continue?" the first time the global search is used?

It need not be very obtrusive, a simple band should suffice, like the one that Firefox shows during the first run.

Ubuntu, non-advertisements, and spyware

Posted Dec 20, 2012 13:08 UTC (Thu) by Otus (guest, #67685) [Link]

> On the one hand you are complaining that the searches done through Dash
> are insufficiently targeted.
>
> On the other hand you suggest that Ubuntu should anonymize queries.
>
> This is somewhat contradictory.

Only somewhat: anonymizing queries does not prevent you from doing targeting
on the user's computer, even such targeting that requires search history
(should of course come with opt in/out).

Ubuntu, non-advertisements, and spyware

Posted Dec 13, 2012 14:30 UTC (Thu) by wagerrard (subscriber, #87558) [Link]

I wonder if the mainstream community shares the worry prompted by things like Ubuntu's Amazon feature.

As the community labors to expand the use of Linux, something Ubuntu does more successfully than others, it's inevitable that many of those new users will not share, and will not want to share, or even be aware of, the values of "the community". They won't be concerned about Ubuntu's Amazon hook. For many (most?) people, the computing experience is almost entirely comprised of interaction with services like Amazon, Google, Facebook, etc., via browsers and assorted tablet and phone apps. People may or may not be aware of the data retained by these services. But, they certainly do not seem less inclined to use them. Just the opposite.

I think it is as unrealistic to expect people to avoid using services or software they like just because the data they generate is recorded by third parties as it is to expect people to stop using telephones because their provider tracks and records the numbers they call.

Privacy issues -- especially the creation of data pools potentially susceptible to future abuse by new actors -- are real. As Linux attracts new users, the percentage who worry about those issues enough to change how they use their software will shrink. I.e., the Linux community will be dominated by users with little or no interest in the ideological pursuits of the current "community", however relevant.

Ubuntu, non-advertisements, and spyware

Posted Dec 13, 2012 15:51 UTC (Thu) by seyman (subscriber, #1172) [Link]

> I wonder if the mainstream community shares the worry prompted by things like Ubuntu's Amazon feature.

I suspect the reaction will be the same one as with security issues. Nobody will care (and may even attack the people voicing their concerns) until it comes back to bite them in the leg, at which point it will become a critical issue which must be taken care of immediately.

Ubuntu, non-advertisements, and spyware

Posted Dec 13, 2012 16:05 UTC (Thu) by pboddie (subscriber, #50784) [Link]

The more interesting questions concern themselves with matters such as whether people who start to use something like Ubuntu should be made aware of the issues that brought about its development, and whether such projects should pander to the priorities of the indifferent masses.

However, it is very likely that the indifferent masses are only indifferent because they simply aren't aware of the issues in many situations. Once aware of the way their private data is treated or how their own property is considered an asset of their operating system vendor, it is also likely that many people do want to know more about things like software freedom, privacy, data preservation, and control over their own hardware.

If people don't want to know about ethical matters, there's nothing to stop them from using something like Ubuntu, but we shouldn't just assume that people don't or won't care about such things, nor should we be so intent on replicating the success of Apple or Microsoft that we end up becoming just like them. Those calling Stallman "childish" are probably amongst those who like thinking about "success" and "winning" (and blogging about it all the time), but if Ubuntu "wins" by being Microsoft by another name, the community and the public won't be among the winners.

(And claiming that Stallman tries to forbid people from doing things is all very well, but Microsoft more effectively forbids people from not being obliged to buy their products when buying a new computer. Maybe people making such claims should get their priorities straight.)

Ubuntu, non-advertisements, and spyware

Posted Dec 13, 2012 17:32 UTC (Thu) by wagerrard (subscriber, #87558) [Link]

I know plenty of people who are quite aware of what happens to the data they generate online and are not at all exercised by this issue. While they aren't about to start posting PINs and bank account numbers, they don't care if Microsoft/Google/Amazon/Ubuntu/whoever knows that someone at their IP address bought something online. The potential downside loses to the actual upside. They use plastic to buy everything, loyalty cards at groceries, get photographed driving through intersections, know Google is trolling our email for ad placements, etc., etc. They aren't interested in the remedies RMS suggests, which amount to withdrawing from all of this activity. People are not interested in becoming the Virtual Amish.

Ubuntu, non-advertisements, and spyware

Posted Dec 13, 2012 18:10 UTC (Thu) by seyman (subscriber, #1172) [Link]

> They aren't interested in the remedies RMS suggests

I don't think we've read the same blog post. RMS clearly states that the appropriate remedy is to make the dash search local by default.

Ubuntu, non-advertisements, and spyware

Posted Dec 14, 2012 9:31 UTC (Fri) by SiB (subscriber, #4048) [Link]

> ... they don't care ...

That is the core of the problem.

Ubuntu, non-advertisements, and spyware

Posted Dec 14, 2012 9:42 UTC (Fri) by hugoroy (subscriber, #60577) [Link]

Maybe ignorance/transparency is the real problem. Canonical should be more informative about the "feature" when users install/update Ubuntu. There are ways to make Privacy policies understandable. Their current legal notice, see http://lwn.net/Articles/528810/ with the link to the lengthy Canonical privacy policy, is NOT helping users understand what the issue is.

Ubuntu, non-advertisements, and spyware

Posted Dec 17, 2012 0:04 UTC (Mon) by dirtyepic (subscriber, #30178) [Link]

Which problem would that be? Google knows I'm reading a book? My (or your) government knows I bought a movie last week? I honestly don't care. Letting businesses know what things I like means they're more likely to continue making them. If the government wants to know what you're up to they have far easier ways to do it than scraping together bits of Amazon data.

Ubuntu, non-advertisements, and spyware

Posted Dec 20, 2012 21:30 UTC (Thu) by JanC_ (guest, #34940) [Link]

I'm sure you would care more if you were one of the Syrian bloggers who got jailed & tortured because of what they read/wrote online...

Ubuntu, non-advertisements, and spyware

Posted Dec 21, 2012 22:30 UTC (Fri) by Max.Hyre (subscriber, #1054) [Link]

> Letting businesses know what things I like means they're more likely to continue making them.

A minor quibble: they know what you like because you bought it. They don't need to know it's you that bought it, though, to get the signal to keep making them.

my problem is with using the term "spyware"

Posted Dec 17, 2012 1:02 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

My biggest problem with this whole thing is the use of the term "spyware" to describe what's going on here.

This is definitely a privacy issue, and people who are worried about such information leakage should disable this functionality.

This is information leakage as a side effect of providing functionality. It's pretty much impossible to provide this functionality without leaking this information.

The term "Spyware" needs to be reserved for the cases where applications grab and report information that is not needed for the functionality they are providing.

Games that grab your address book and send it to the mothership would be a great example of Spyware.

We should not allow terms to be diluted by applying them to lesser situations. Once a term starts getting diluted, people stop considering it to be that bad because they think of the common lesser situations and see that they are not so bad, missing as a result, the more severe situations.

What the MPAA and friends are doing with the term 'piracy' is a perfect example. There are very few people who would agree that copying movies and music and then selling them while claiming that they are originals is a reasonable thing to do, but by using the term 'pirate' to refer to people who rip CDs that they own to put a copy on devices that they own (something that most people consider completely reasonable), or to refer to getting a group of people together to watch a football game on a screen that's an inch too large (thereby qualifying as "public performance") you end up with everyone being classified as a 'pirate' and nobody paying attention to it, and therefore excuse the real pirates that are copying and selling the material.

Don't play along with the game of taking words that currently refer to severe situations and applying them to less severe situations. You may feel justified in doing so for the shock value and calling attention to something you don't like, but the long term damage is drastic.

my problem is with using the term "spyware"

Posted Dec 17, 2012 5:52 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

> The term "Spyware" needs to be reserved for the cases where applications grab and report information that is not needed for the functionality they are providing.

Why?

my problem is with using the term "spyware"

Posted Dec 17, 2012 9:20 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

because using the term "spyware" to mean "any time someone gets information that someone may not want them to have" makes the term apply to silly situations like "I want to search google, but I don't want google to know what I'm searching for"

Diluting a term to cover lesser problems means you now have no term to cover the severe problems.

There is a real problem with apps claiming to be for one purpose, but sending a lot of your information out. Since they actually do work for the purpose they claim, calling them "Trojans" doesn't really work, the term "malware" is so broad as to be meaningless. Spyware captures these programs perfectly.

but if you use "spyware" to cover cases where information gets sent that is needed for the functionality that's being provided, your browser is "spyware" because when you search for something it sends the query you are searching for to the search engine.

See also chicken little, the boy who cried wolf, etc.

Knowledge and consent

Posted Dec 17, 2012 14:29 UTC (Mon) by man_ls (subscriber, #15091) [Link]

I don't think your definition:

> The term "Spyware" needs to be reserved for the cases where applications grab and report information that is not needed for the functionality they are providing

is good enough for your purpose. It would allow scammers to get away, saying that the functionality they are providing (however bizarre) requires sending the address book to the mothership, e.g.: finding what your friends have visited to recommend similar products in ads.

I would rather say:

Spyware: software that grabs and uses private information without the knowledge of the user.
This fits nicely with what spyware actually does, and leaves Ubuntu out (since they don't hide that they are sending searches to Amazon servers).

But I am not sure if the "knowledge" of the user is enough, or a proper definition should use the "consent" of the user. Even more importantly, nobody requested that feature: Canonical enabled it just to make money out of their users' private information. The definition that Stallman seems to be using is the stronger:

Spyware: software that grabs and uses private information for the benefit of the maker and without the users' consent.
I can relate to it. Perhaps it is beneficial to spread this definition so other dubious uses of private data are also stigmatized, but it is probably too broad.

Knowledge and consent

Posted Dec 17, 2012 16:24 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

> The definition that Stallman seems to be using is the stronger:

> Spyware: software that grabs and uses private information for the benefit of the maker and without the users' consent.

> I can relate to it. Perhaps it is beneficial to spread this definition so other dubious uses of private data are also stigmatized, but it is probably too broad.

That is exactly my point, his definition is too broad, and it dilutes the term. Especially when he defines "submitting a search and being surprised what search engine you are submitting it to" as being "without the users consent"

Knowledge and consent

Posted Dec 17, 2012 19:41 UTC (Mon) by hummassa (subscriber, #307) [Link]

> he defines "submitting a search and being surprised what search engine you are submitting it to" as being "without the users consent"

Meh, actually he defines "submitting what seems to be a local search and being surprised when it is actually submitted to a remote, commercial, search engine when you have not previously signed up to that service" as being "without the users consent". And do you know what? It has some logic to it.

my problem is with using the term "spyware"

Posted Dec 17, 2012 15:48 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

Searching Google shows clear intent that you want to pass your data to Google. Does using the dash show clear intent that you want to pass your data to Amazon? There's clearly a grey area where the user may or may not have been provided with sufficient information to have an informed understanding of which of their data is being transmitted and where, and asserting that something isn't spyware purely because it can be argued to fall into that grey area is unreasonable. Developers have a responsibility to allow users to make rational choices, not just insist that it's not a problem because the code's working as intended.

my problem is with using the term "spyware"

Posted Dec 17, 2012 16:22 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

well, it's arguable that you are searching, and so the fact that various search providers will see your search term is not unexpected. Most people will have no idea what search tools they will end up using, but after the first time they use it (and get results back from Amazon), I don't think there will be any doubt that it includes sending the query to Amazon. I also don't think that any amount of labelling of this would noticeably change the number of people who are surprised by this the first time (people don't read documentation and release notes)

some people will like this, some will not. It's a discussion worth having on those grounds, but labelling it 'spyware' is going too far.

my problem is with using the term "spyware"

Posted Dec 17, 2012 16:29 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

You're searching using an interface that, in prior versions of the OS, only searched local files. The equivalent functionality in other environments and operating systems only searches local files. If people are justifiably surprised by that behaviour then I think there's certainly a legitimate argument for calling it spyware.

my problem is with using the term "spyware"

Posted Dec 17, 2012 16:35 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

If your definition is "you can find someone who was surprised by the feature" then you can label anything spyware.

It's becoming more and more common for search to include the Internet. Browser address bars didn't use to search the Internet, they used to only search your browser history. This is just one more search option that's becoming Internet enabled by default.

As I've said repeatedly, I'm fully open to a discussion on the subject of if this is a good thing or not (personally, I dislike it and won't use it), but I just don't see that doing searches and being surprised that your search term gets to search engines as rising to the level of "spyware", that term needs to be reserved for clear abuses where there is active deception involved.

my problem is with using the term "spyware"

Posted Dec 17, 2012 18:10 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

> that term needs to be reserved for clear abuses where there is active deception involved

Why?

my problem is with using the term "spyware"

Posted Dec 17, 2012 18:27 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

>> that term needs to be reserved for clear abuses where there is active deception involved

> Why?

See "Chicken Little" and "The Boy who cried Wolf"

my problem is with using the term "spyware"

Posted Dec 17, 2012 18:31 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

It's not crying wolf if it violates reasonable user expectations.

my problem is with using the term "spyware"

Posted Dec 17, 2012 18:58 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

'violating reasonable user expectations' is arguable in this case (the user is doing a search, the only point for confusion is how wide is the search)

This is a very different situation from what I consider "spyware", which is sending data elsewhere that's unrelated to the function being performed.

I see this as crying wolf because even if it is a privacy violation, it's nowhere close to the class of spyware that we really need to get people upset about.

my problem is with using the term "spyware"

Posted Dec 17, 2012 19:03 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

Your argument seems to be that this isn't as bad as this other thing that's unambiguously spyware, and therefore it's not spyware. It's not an inherently convincing argument. Sending my queries to Amazon is unrelated to the traditional function of the dash, and in the absence of sufficient user education associated with that change why would you expect a user to know that it's going to happen?

my problem is with using the term "spyware"

Posted Dec 17, 2012 19:57 UTC (Mon) by hummassa (subscriber, #307) [Link]

Let me intervene here: the fact is that this IS bad, but it is ANOTHER TYPE OF BAD, not "spyware" bad. One analogy could be if you correspond "spyware" (sending information unrelated to the function of the software) with theft and DashImbroglio with assault. Both are bad, VERY BAD. One is bad for one reason, and the other is bad for another reason.

Spyware is a class of malware that causes a lot of trouble. It is usually used to get your home banking passwords and other stuff that generally causes lots of monetary damages.

The Dash Imbroglio is an instance of another class of malware -- that deceives the user, that AT THIS POINT IN TIME, unless you advise and ask for permission first, will reasonably expect it to be just a local search and instead will do an Amazon search in addition to it.

The solution is simple: before sending any data to Amazon, the first time the dash is used for each user, it should show a simple dialog stating "hi! Amazon contributes for you to have this wonderful and Free software! How about contributing back and letting it see your searches, in case it wants to show you some offers embedded in the results? [Ok] [No, thanks]". The default could even be "ok", but no one would be DECEIVED -- the operative word that makes RMS be at least partially right.

my problem is with using the term "spyware"

Posted Dec 17, 2012 20:10 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

Thanks for clarifying what I've been trying to say. I'm not saying that what Dash is doing is perfectly OK, I'm just saying that it's not "spyware".

That being said, while I am unlikely to ever use Dash (in spite of the fact that I do run Ubuntu, I use KDE not Unity), I don't see this as the end of the world that many people are making it out to be.

People are starting to expect that "search" doesn't just mean "search locally", it also means "search on the Internet". Many of the search tools that they interact with (Chrome and IE address bars for example) default to this already.

If I was doing the UI for Dash, I would have a toggle off to the side to switch between "local only" and "local + Internet" search modes (and I would be Ok with it defaulting to "Internet"). But I know from painful experience that I'm a lousy UI developer :-)

my problem is with using the term "spyware"

Posted Dec 17, 2012 23:31 UTC (Mon) by rahulsundaram (subscriber, #21946) [Link]

" People are starting to expect that "search" doesn't just mean "search locally", it also means "search on the Internet". Many of the search tools that they interact with (Chrome and IE address bars for example) default to this already."

The evidence you provide to support your assertion that it is somehow people's expectation that search results will connect to the Internet automatically is very weak. Internet browsers may search the Internet and that by itself is not very surprising, but desktop interfaces in general do not connect to the Internet to search things automatically by default. GNOME Shell, for instance, used to provide a link to Wikipedia and Google from the shell search interface but it did NOT search Google and Wikipedia by default. That would have been a surprising privacy violation.

The primary reason Canonical seems to be doing it is because of a commercial contract with Amazon. If you can point to any other OS search interface that connects to the Internet by default to get search results, you might have a point. As it stands, I think this is very much an unprecedented move and not at all in line with what users expect.

my problem is with using the term "spyware"

Posted Dec 18, 2012 0:06 UTC (Tue) by dlang (✭ supporter ✭, #313) [Link]

Like I said, if this is a good thing or not is something that people can honestly disagree over.

I'm somewhere in the middle. It's not something I will choose to use, but I don't see it as being evil.

The only thing I really disagree with is applying the term "spyware" to it. It may be wrong for other privacy reasons, but "spyware" isn't "anything that can leak information".

my problem is with using the term "spyware"

Posted Dec 18, 2012 0:08 UTC (Tue) by hummassa (subscriber, #307) [Link]

> The primary reason Canonical seems to be doing it is because of a commercial contract with Amazon. If you can point to any other OS search interface that connects to the Internet by default to get search results, you might have a point. As it stands, I think this is very much an unprecedented move and not at all in line with what users expect.

Well, actually... The new Android has a local+remote search enabled by default, and iOS also does some surprising searches. That was the main reason why I said "at the present time"...

my problem is with using the term "spyware"

Posted Dec 18, 2012 18:32 UTC (Tue) by pboddie (subscriber, #50784) [Link]

Aren't we looking at the classic slippery slope with this? At first, people claim that it isn't a problem because only one desktop function does it (and not even one which is explicitly Internet-oriented), and as more applications "dial home" as a matter of routine, people will still claim that it isn't a problem because only a minority of applications do it, and then because not all applications do it.

Ultimately, you have a free-for-all like in the smartphone "app" world where suddenly applications are uploading all sorts of things to the mothership. Even then, people will defend this sort of thing because "it's so convenient".

Integrating Internet services into applications isn't necessarily a bad thing, but if the business model of the month is all about keystrokes being remotely logged or whatever, people should be made very much aware that this is happening in advance so that they can avoid the product completely if they want. Mumbling that such behaviour can be turned off is not sufficient because most users will never be made aware of the situation in the first place.

my problem is with using the term "spyware"

Posted Dec 18, 2012 18:41 UTC (Tue) by pboddie (subscriber, #50784) [Link]

> 'violating reasonable user expectations' is arguable in this case

Just looking at the screenshot accompanying the article is enough to indicate that reasonable user expectations have been violated here. Would you like some "More suggestions" with your "Files & Folders"? Aside from perhaps wondering why the latter is title-capitalised and the former is not - maybe there's a retail brand about to be launched - someone who has had Ubuntu installed for them is likely to be slightly surprised and wonder what else was installed for them until they do a real Internet search and arrive at the wailing echo-chamber that is the Ubuntu Forums, only to eventually learn after pages of confused opinion what has really been going on.

my problem is with using the term "spyware"

Posted Dec 21, 2012 1:34 UTC (Fri) by heijo (guest, #88363) [Link]

Ubuntu could just periodically download an index containing all Amazon's products and do the search locally.

my problem is with using the term "spyware"

Posted Dec 21, 2012 1:51 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

they may also need to download the supercomputer cluster to search through that data in a reasonable time. It's not just a simple grep equivalent.

my problem is with using the term "spyware"

Posted Dec 21, 2012 4:36 UTC (Fri) by bronson (subscriber, #4806) [Link]

Plus, a continually updated list of all Amazon's products would be worth quite some money to certain competitors.

Correction

Posted Dec 21, 2012 7:56 UTC (Fri) by kragil (subscriber, #34373) [Link]

"even Mark's personal fortune will not sustain it forever."

Wrong, in a capitalist society being really rich (Mark seems to be a billionaire) can generate way more profits than he spends on Ubuntu .. I don't think Mark got any "poorer" in the last 8 years ..

Although you could say that such a society is doomed to fail, were you implying that?

Correction

Posted Dec 21, 2012 8:08 UTC (Fri) by apoelstra (subscriber, #75205) [Link]

> Although you could say that such a society is doomed to fail, were you implying that?

All societies are doomed to fail. I highly doubt that Jon intended to interrupt an article for such a mundane observation.

(If you were attempting to start a political fight, I ask that you go do it in some other community. This site covers technical, legal and human issues related to Linux and free software -- not the morality of investment.)

Correction

Posted May 1, 2013 0:09 UTC (Wed) by kragil (subscriber, #34373) [Link]

Yadda, I was just pointing out that Mark's fortune can sustain Canonical for a long long time without hurting him in the slightest. No reason to think otherwise. He became way richer after he sold Thawte and founded Canonical. Mark is way better at investing than at building a distro (and he is quite good at that).

I have read many times that Mark doesn't want to fund Ubuntu forever. He might be dreaming that it would be cool if it would fund itself, but he has no kids and if he must he will probably give an Ubuntu foundation more money than it needs to work for a long time.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds