
Stallman: Ubuntu Spyware: What to Do?

Richard Stallman has come out against Ubuntu's Amazon partnership on the Free Software Foundation's site. "But there's more at stake here than whether some of us have to eat some words. What's at stake is whether our community can effectively use the argument based on proprietary spyware. If we can only say, 'free software won't spy on you, unless it's Ubuntu,' that's much less powerful than saying, 'free software won't spy on you.' It behooves us to give Canonical whatever rebuff is needed to make it stop this. Any excuse Canonical offers is inadequate; even if it used all the money it gets from Amazon to develop free software, that can hardly overcome what free software will lose if it ceases to offer an effective way to avoid abuse of the users."


Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 21:24 UTC (Fri) by smoogen (subscriber, #97) [Link] (34 responses)

I think that is yet another Sisyphus task ahead of RMS... everyone knows already that free software spies on you... otherwise why would it be free.

Yes this is a play on Free vs free... but the majority of users out there can't see the difference because the word free is covered by things like Angry Birds with Commercials and other software.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 21:49 UTC (Fri) by oever (guest, #987) [Link] (33 responses)

It is very hard to find good terminology that accurately captures the difference between Free Software and proprietary software. Especially now that web services are in play. The code that sends information to Amazon might be GPLv3, the server side software might be too.

In that light it is hard to call the code spyware. The user can turn off the spying functionality, just like she can turn off the autocompletion in the Google search field in the browser.

Services that send information to a server should be opt-in, not opt-out. The feature in Ubuntu that sends this information is akin to tab-autocompletion on the command-line on an NFS volume; Amazon is added to your search space. It is less traffic to send your queries to Amazon than it is to send the Amazon search index to your machine. There was a time when dead tree catalogs were delivered to every house. It would be better for privacy if the entire catalog could be downloaded and browsed offline.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 22:37 UTC (Fri) by coriordan (guest, #7544) [Link] (27 responses)

> In that light it is hard to call the code spyware.

Huh? And if a video player is free software, is it hard to call it a video player??

Free or proprietary, spyware is spyware. Until now, the amount of spyware in free software was insignificant, and we could always say "free software doesn't contain spyware because taking it out is easy and the upstream developer would just lose face". Ubuntu might change this.

> the autocompletion in the Google search field in the browser.

I don't know much about this functionality, but it might be harmless. If you're trying to do a web search for "get mail folders", and your browser sends "g", then "ge", then "get" etc. to the server before you manage to type the whole string, then you're sending the server *less* info than if your browser waited for you to type the string.

(I agree with your other points, but wanted to point out these details.)

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 22:53 UTC (Fri) by apoelstra (subscriber, #75205) [Link]

> I don't know much about this functionality, but it might be harmless. If you're trying to do a web search for "get mail folders", and your browser sends "g", then "ge", then "get" etc. to the server before you manage to type the whole string, then you're sending the server *less* info than if your browser waited for you to type the string.

Not only is it physically telling the server more information (since "g", "ge", "get", ..., "get mail folders" totals roughly the square as many characters as just "get mail folders"), but you are also telling the server how fast you type, what kind of typos you make (and therefore your keyboard layout and whether you are human). If you are typing in the wrong field, it could obtain passwords or other personal information, or at least determine what other programs you're running.

Plus, by sending information every keystroke, you're sending highly-correlated information that can be matched up if you are connecting through some sort of darknet that uses multiple paths.

Not to mention, if you spend a significant amount of time at a keyboard, there is a tendency to use any text-entry mechanism as an extension of your immediate-term memory. So if this leaves your system, the remote server is literally reading your thoughts.
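What a search-as-you-type server receives compared with submit-on-Enter, as an added example that is not part of the original comment. The keystroke trace, its timings and the 300 ms debounce are constructed assumptions.

```javascript
// Constructed trace: the user types "get mail folders" with one typo
// ("mau" corrected to "mai"). t is milliseconds since the field got focus.
function buildTrace() {
  const keys = [..."get mau", "Backspace", ..."il folders", "Enter"];
  let t = 0;
  return keys.map((key, i) => {
    // Constructed rhythm: 120 ms between letters, a 450 ms pause before
    // noticing the typo, a 500 ms pause before pressing Enter.
    if (i > 0) t += key === "Backspace" ? 450 : key === "Enter" ? 500 : 120;
    return { t, key };
  });
}

// Requests a client would send under three policies:
//   "submit"    - only the final query, on Enter
//   "keystroke" - the whole buffer after every edit, plus the final query
//   "debounce"  - the buffer only after a pause of debounceMs, plus the final query
function requestsSent(trace, mode, debounceMs = 300) {
  const sent = [];
  let buffer = "";
  trace.forEach((ev, i) => {
    if (ev.key === "Enter") {
      sent.push({ t: ev.t, query: buffer });
      return;
    }
    buffer = ev.key === "Backspace" ? buffer.slice(0, -1) : buffer + ev.key;
    const next = trace[i + 1];
    if (mode === "keystroke") {
      sent.push({ t: ev.t, query: buffer });
    } else if (mode === "debounce" && (!next || next.t - ev.t >= debounceMs)) {
      // The debounce timer fires because no further key arrived in time.
      sent.push({ t: ev.t + debounceMs, query: buffer });
    }
  });
  return sent;
}

// What the receiving side can derive from the request stream alone.
function serverLearns(requests) {
  const intervalsMs = []; // typing rhythm
  let corrections = 0;    // a query that is not an extension of the previous one
  for (let i = 1; i < requests.length; i++) {
    intervalsMs.push(requests[i].t - requests[i - 1].t);
    if (!requests[i].query.startsWith(requests[i - 1].query)) corrections++;
  }
  return {
    requests: requests.length,
    charsSent: requests.reduce((n, r) => n + r.query.length, 0),
    intervalsMs,
    corrections,
  };
}

for (const mode of ["submit", "keystroke", "debounce"]) {
  console.log(mode, serverLearns(requestsSent(buildTrace(), mode)));
}
```

Debouncing cuts the volume, but the pause before the correction still puts the mistyped prefix on the wire.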

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 22:56 UTC (Fri) by JoeBuck (subscriber, #2330) [Link] (1 responses)

The auto-completion feature in Google or Bing search sends characters to Google or Bing as soon as you type them, but the user is fully aware that he/she is sending a query to a search engine. But Ubuntu sends the query to Amazon even when you thought that you were only searching your local computer, or that you were searching Ubuntu's package list for a program. At the very least, this should be opt-in, not opt-out.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 11:49 UTC (Mon) by coriordan (guest, #7544) [Link]

Exactly. The two are not to be confused.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 1:18 UTC (Sat) by Lennie (subscriber, #49641) [Link] (16 responses)

It is one of several reasons why I use Firefox and not Chromium/Chrome.

Chrome will send everything you type in the address bar to Google (is there a preferred search engine setting? I have never checked).

Firefox will only send something to your preferred search engine when you type it in the search box.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 6:34 UTC (Sat) by mathstuf (subscriber, #69389) [Link] (15 responses)

Yeah, I set DuckDuckGo as my search provider in Chromium. DDG has a link to do that on their page. If you still want Google, at least change it to HTTPS.

Unfortunately, the Android Chrome only offers Google, Bing, and Yahoo! as search providers. I've set the browser icon on my launcher to instead just use DDG instead of using the stock New Tab page.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 10:28 UTC (Sat) by Lennie (subscriber, #49641) [Link] (12 responses)

Yes, that is the other problem, by default it is also a security leak.

If I start typing:

https://slashdot.org

It will look up over HTTP:

https slashdot.org

Slashdot

Posted Dec 8, 2012 18:17 UTC (Sat) by tialaramex (subscriber, #21167) [Link] (9 responses)

Of course when you hit enter:

* The fact that you're connecting to that specific site is revealed to anyone handling your DNS traffic, or your IP traffic, or to anyone doing transit.

* Slashdot redirects you to their non-SSL page anyway

But yes, in theory this particular auto-complete feature betrays things you might wish not to make public.

Slashdot

Posted Dec 8, 2012 18:26 UTC (Sat) by mathstuf (subscriber, #69389) [Link] (8 responses)

> The fact that you're connecting to that specific site is revealed to anyone handling your DNS traffic, or your IP traffic, or to anyone doing transit.

The DNS traffic can be minimized with a caching DNS server. The external request(s) then go out every so often, not every time you try to access the site. And if you have an array of computers using the caching server, things should be hard to correlate. Of course, a proxy can be inserted which does additional DNS requests for any site referenced on downloaded pages as well to help add some "plausible noise" into the streams.

> Slashdot redirects you to their non-SSL page anyway

That's…yet another reason to avoid slashdot? I kid, I kid. Only half. Maybe.

Slashdot

Posted Dec 9, 2012 1:48 UTC (Sun) by paulj (subscriber, #341) [Link] (7 responses)

A local, caching, fully capable recursive resolver (e.g. an actual nameserver) should be a default install on all machines really. Better for privacy, better for DNS-Sec (who is ever going to configure a stub-resolver with TSIG, and DNS-Sec validating stub resolver has to do all the work of a fully functioning recursive server), better for avoiding poisoning attacks on shared recursive nameservers.

yum install caching-nameserver + beat NM into leaving resolv.conf alone somehow. +1

Slashdot

Posted Dec 9, 2012 2:37 UTC (Sun) by Lennie (subscriber, #49641) [Link] (3 responses)

If everyone did that, then I hope you mean: local, caching, fully capable, forwarding recursor.

Because we really don't want every desktop talking to the root or top level domain servers.

Slashdot

Posted Dec 9, 2012 6:45 UTC (Sun) by paulj (subscriber, #341) [Link] (2 responses)

Forwarding would just add latency and fragility. The .'s are a fixed set (in terms of the IPs), both the . and TLDs are quite a large set in terms of # of servers. The commonly contacted ones would be cached. Also, I've seen scribblings in the IETF journal once that questioned whether hierarchy of caching achieved much in the way of gains. Finally, the .'s and TLDs can handle the additional load - anycast is a powerful tool.

Slashdot

Posted Dec 9, 2012 14:24 UTC (Sun) by Lennie (subscriber, #49641) [Link] (1 responses)

The average website has 14 domains linked from the first website people visit: http://httparchive.org/trends.php

You really want every device with a browser to talk to the TLD servers for each of these domains? (yes many are the same domain: so let's say 7 per website you visit).

That doesn't add up.

Slashdot

Posted Dec 9, 2012 18:12 UTC (Sun) by paulj (subscriber, #341) [Link]

The roots and TLDs are *more* than capable of handling requests from every device on the internet, without caching. There is a simple proof for this: They *did so* - users will regularly make typos in their browsers, queries for these non-existent domains will go out to the "." and (if the TLD is valid) to the TLDs.

Perhaps this decreased a little since browsers started diverting things typed into the address bar to search engines.

However, the fact remains that the roots and TLDs *already* get hit by queries from *every* device with an interactive user, as well as any which happen to query for some misconfigured or no longer valid hostname. The . and TLDs are *already* set up to handle this kind of load, 'cause they already get it.

What the intermediate caches do is:

a) Not provide effective caching (distribution of queries is very long tailed) - see e.g. http://dl.acm.org/citation.cfm?id=581877 (and I think there's a more recent ISOC article that found the same thing)

b) Potentially add latency - it may take longer for your computer to get its answer.

c) Provide a huge, juicy target for attackers - a DNS poisoning attack is so much more efficient if you poison a widely shared cache.

Slashdot

Posted Dec 9, 2012 10:19 UTC (Sun) by tzafrir (subscriber, #11501) [Link] (2 responses)

You mean: Beat NM into not using dnsmasq for this? (At least in Debian. Not sure about other distributions).

Slashdot

Posted Dec 9, 2012 12:57 UTC (Sun) by hummassa (guest, #307) [Link]

Ubuntu, too. I was asking myself the same thing.

Slashdot

Posted Dec 9, 2012 16:37 UTC (Sun) by cortana (subscriber, #24596) [Link]

AFAIK dnsmasq is used for the connection sharing feature. I'm using NM on my machines and it merely writes the DHCP- or user-specified name servers into /etc/resolv.conf.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 21:28 UTC (Sat) by geofft (subscriber, #59789) [Link] (1 responses)

Is that actually true? I recall hearing that it will stop sending as soon as you type "https", for exactly that reason.

(I do avoid Chrome because I dislike Google's corporate policies in general, but I think the individuals comprising the Chrome team are generally quite great about privacy issues like this.)

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 21:32 UTC (Sat) by Lennie (subscriber, #49641) [Link]

It really does do that.

Just checked now, with an updated version on Windows which I hardly use (so I assume that is the default setting).

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 9, 2012 20:03 UTC (Sun) by literfizzer (subscriber, #31274) [Link] (1 responses)

The browser in CyanogenMod supports DuckDuckGo as a search engine choice out of the box.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 9, 2012 21:56 UTC (Sun) by mathstuf (subscriber, #69389) [Link]

That's good news, but what should really happen is that search providers are used instead. IIRC, Firefox on Android stopped doing so sometime after 12 or so. The DDG add-on even stopped working too (though about:config still works, which is…less than ideal).

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 11:30 UTC (Sat) by oever (guest, #987) [Link] (6 responses)

> > In that light it is hard to call the code spyware.

> Huh? And if a video player is free software, is it hard to call it a video player??

The source code is readable. It is not a secret that the software sends your keypresses to the amazon server. Spyware is secret.

An interesting point is how one can confirm that the binaries that Ubuntu ships are unadulterated results of the source code. There may be some binaries published by Ubuntu, Debian, or any other distribution, but it is very hard to show that they are the result of compiling the exact published source code.

So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.

There's latent checking and spot checks

Posted Dec 8, 2012 18:37 UTC (Sat) by coriordan (guest, #7544) [Link] (2 responses)

> So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.

There's lots of latent checking. When people look at the code for any reason, they might spot the spyware (if there is spyware).

And there are spot checks when there's a suspicion. Someone accused me last year of running a site which sent info to a third-party server. I checked the code (it was WordPress) and found that the person was wrong.

The risks are pretty high since one person can remove the spyware and distribute a spyware-free version, so the original developer will lose face and will cease to be the upstream source of the software. With risks that high, latent checking and spot checks are generally enough to dissuade developers from putting in spyware in the first place.

There's latent checking and spot checks

Posted Dec 8, 2012 20:10 UTC (Sat) by ikm (guest, #493) [Link] (1 responses)

I believe OP meant that binary packages may not correspond to the sources they were supposed to be built from, and it's hard to check whether they actually do.

There's latent checking and spot checks

Posted Dec 8, 2012 21:22 UTC (Sat) by oever (guest, #987) [Link]

Yes, I meant that it is hard to match binary to source. Publishing a binary with spyware and claiming that it corresponds to source code which has no spyware can go undetected.

In the above example of WordPress, I assume OP checked the production PHP code. Since WordPress is shipped only as source (as far as I know), this would rule out the presence of spyware in the site.

If the site was running a compiled CGI plugin, finding that the source code has no spyware, does not mean that the binary has no spyware. The spyware might even be in the apache binary.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 11:52 UTC (Mon) by coriordan (guest, #7544) [Link] (2 responses)

Software that spies on you is spyware. It doesn't matter if it's free or proprietary.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 15:33 UTC (Mon) by dlang (guest, #313) [Link] (1 responses)

> Software that spies on you is spyware. It doesn't matter if it's free or proprietary.

True, but is this really spying on you?

For me, Spyware is when the software claims to be doing one thing and is sending your information out to someone. The key here is being deceptive about it.

It's hard to argue that this is doing so without your knowledge, at least after the very first time that you use it and get results back from Amazon.

They are not being deceptive about this, they are advertising the Amazon results as a feature.

If this was scanning your system to gather information and sending it out over the Internet while claiming to do something else, I would be up in arms about this as well, but sending something that you are searching for to a search engine is not being deceptive.

Calling this "spyware" dilutes the term and weakens fighting real spyware.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 22:06 UTC (Mon) by hummassa (guest, #307) [Link]

> Calling this "spyware" dilutes the term and weakens fighting real spyware.

I tend to agree with this. But it *is* adware. But, just like android adware, it's simple to turn it off.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 23:50 UTC (Fri) by wagerrard (guest, #87558) [Link] (4 responses)

I find the Amazon search returns in Amazon to be really annoying, but not at all a violation of some kind of ethical code.

It's the internet. Your packets aren't private.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 1:42 UTC (Sat) by rsidd (subscriber, #2582) [Link] (2 responses)

But in this case users aren't aware it's the internet. They think they are doing a local filesystem search.

True, the first time they see an Amazon result they may do a wtf, learn about this misfeature, and perhaps turn it off.

OT - I just stripped off all the bloat from my two ubuntu computers - gnome, unity, kde, xfce. Only gtk and some very basic gnome libraries remain, with software like libreoffice, evince, inkscape, gimp, and of course latex/emacs/compilers etc remain. I'm using the i3 window manager. It feels so much faster and I'm so much happier.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 15:00 UTC (Mon) by KSteffensen (guest, #68295) [Link] (1 responses)

> OT - I just stripped off all the bloat from my two ubuntu computers - gnome, unity, kde, xfce. Only gtk and some very basic gnome libraries remain, with software like libreoffice, evince, inkscape, gimp, and of course latex/emacs/compilers etc remain. I'm using the i3 window manager. It feels so much faster and I'm so much happier.

Why install Ubuntu in the first place? Allow me to recommend Debian and Gentoo.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 15:29 UTC (Mon) by rsidd (subscriber, #2582) [Link]

Because I don't see the need to wipe and reinstall? I already use gentoo on another computer. Perhaps it wasn't obvious from what I wrote, but I'm not totally ignorant of the various flavours of linux.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 12:48 UTC (Sat) by Wol (subscriber, #4433) [Link]

Given that my biggest annoyance with search is the pollution of my results by sales sites, I think returning Amazon results - UNASKED FOR - in *any* search of mine would be infuriating in the extreme.

Okay, I don't like deb systems anyway, but I wouldn't bother turning off that misfeature - I would just trash / and replace the entire distro with something else.

The ONLY time I want sales results is usually when I go directly to a shop site and use their local search engine. Going via Google all too often finds me in maze of nasty little aggregation sites, all alike. Google search is polluted enough already without all these shop / sales-aggregation sites moaning that they don't get enough prominence in the results!

Cheers,
Wol

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 22:22 UTC (Fri) by el_presidente (guest, #87621) [Link] (16 responses)

> when a local search program has a network search feature, it should be up to the user to choose network search explicitly each time. This is easy: all it takes is to have separate buttons for network searches and local searches

He seems to be out of touch with reality. If a person is going to search for something it's usually something on the network. Getting results from Amazon every time you search sounds incredibly annoying but I imagine most people understand that Amazon's servers aren't running on their system.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 22:59 UTC (Fri) by JoeBuck (subscriber, #2330) [Link] (4 responses)

No, you're flaming RMS without even understanding what he is objecting to. Ubuntu is sending the results of local searches, and searches of the package database to Amazon as well. There's no reason for that other than to raise money, the user is not expecting it. The EFF has also objected to the scheme.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 1:49 UTC (Sat) by el_presidente (guest, #87621) [Link] (3 responses)

askubuntu.com/questions/38772/what-lenses-for-unity-are-available

The amazon thing has been implemented badly, but their search feature is clearly meant to be universal. In fact, they're advertising it as something that doesn't do only local searches.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 14:20 UTC (Sat) by Wol (subscriber, #4433) [Link] (2 responses)

Yeah, but the point is, BY DEFAULT you CANNOT DO a local search!

If I'm looking for a document that *I* wrote, and is stored on *MY* computer, then if that computer is Ubuntu *by* *default* searching for it will try and find it on Amazon. NASTY!

Talk about a security risk! What if that's your doctor looking for a medical letter and using personally identifiable information along with the illness? Now Amazon know what illnesses you suffer from!

Cheers,
Wol

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 19:14 UTC (Sat) by tajyrink (subscriber, #2750) [Link]

Files lens (Super+F) is what you'd probably want to use if you want to do local document searches on your computer but don't want to disable online results completely from the settings. The Dash Home search is a global search for all the lenses, and some of the lenses like music/movies(/shopping) are more naturally online oriented nowadays since that's from where people generally get content.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 21:50 UTC (Sat) by mdeslaur (subscriber, #55004) [Link]

Of course you can do a local search. Click on the third tab in the dash, or open the local search in the dash directly with super-f.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 7, 2012 23:07 UTC (Fri) by pboddie (guest, #50784) [Link] (10 responses)

> He seems to be out of touch with reality. If a person is going to search for something it's usually something on the network.

I don't think you should be so eager to point the finger, either about who may or may not be in touch with reality, or whether it is normal to search the network or not if you are searching for something.

Certainly, if I use locate to search for something, I don't expect it to run off to Amazon, Google, or some "App Store" to give me "helpful" advice about programs or files I might want to buy or download, if all I need to know is where a certain file is on my system, and I don't see how a "desktop search" function should be any different.

In fact, Ubuntu 12.10 already gives hints about uninstalled programs at the command line (and here was I thinking that the "spoof" bug reports about this controversy were joking about some future feature), but this might well be based on a locally installed index inverted over the dpkg -S data, but I foresee a time when it too queries some "App Store" or other to be more "helpful".

Personally, I think the Ubuntu people should just focus on delivering a reliable product instead of trying to "monetize" every click and key-press.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 0:35 UTC (Sat) by raven667 (subscriber, #5198) [Link] (3 responses)

> Personally, I think the Ubuntu people should just focus on delivering a reliable product instead of trying to "monetize" every click and key-press.

They have to survive to do that and it is difficult to survive without money, in some form or another. Even volunteer effort is paid for by a "day job" and so indirectly by an employer.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 6:15 UTC (Sat) by allesfresser (guest, #216) [Link] (2 responses)

Hmm, Debian seems to have survived without this kind of nonsense, and survived quite nicely.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 16:37 UTC (Sat) by Wol (subscriber, #4433) [Link] (1 responses)

Are you saying all the Debian developers are unemployed? Or are you misunderstanding the previous comment?

Okay, I'm unemployed :-( but people can't work for nothing at all. They'd starve. And I strongly suspect that, even if the Debian developers aren't paid to write for Debian (and many probably are), they ARE paid to develop software.

Cheers,
Wol

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 12:03 UTC (Mon) by pboddie (guest, #50784) [Link]

There's a difference between being paid by a sustainable business model that respects the customer and one that monetizes every click and key-press, however.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 3:02 UTC (Sat) by imgx64 (guest, #78590) [Link] (5 responses)

> In fact, Ubuntu 12.10 already gives hints about uninstalled programs at the command line (and here was I thinking that the "spoof" bug reports about this controversy were joking about some future feature), but this might well be based on a locally installed index inverted over the dpkg -S data, but I foresee a time when it too queries some "App Store" or other to be more "helpful".

You mean this: http://packages.debian.org/stable/main/command-not-found ?

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 5:39 UTC (Sat) by deepfire (guest, #26138) [Link] (2 responses)

Yes, this is another example, and guess what -- it is opt-in in Debian, and yes, opt-out in Ubuntu.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 5:42 UTC (Sat) by deepfire (guest, #26138) [Link] (1 responses)

I wish I wasn't in such a hurry to reply..

As it stands, there's no effective privacy-related difference between Debian and Ubuntu here. It seems.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 11, 2012 13:42 UTC (Tue) by micka (subscriber, #38720) [Link]

In my opinion, opt-in vs. opt-out is privacy related, and is quite effective.

command-not-found

Posted Dec 8, 2012 18:22 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

... and similar software is included in Fedora, again by default in newer versions. You can uninstall the package, or if it bothers you but not other users on the same machine you can tell bash not to run the handler.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 9, 2012 11:04 UTC (Sun) by misc (subscriber, #73730) [Link]

For now, the system uses the local indexes of apt/yum/whatever to tell you where is the package you tried to use. There is so far no privacy issue, as this doesn't leave your computer.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 0:06 UTC (Sat) by neilbrown (subscriber, #359) [Link] (4 responses)

I guess we need to add another freedom to the 4 freedoms:

"The freedom to trust that the program will not report any detail of your activity to a remote site without explicit permission".

The right to not be reported

Posted Dec 8, 2012 17:21 UTC (Sat) by man_ls (guest, #15091) [Link] (1 responses)

Expressing it as a "freedom" does not make it clearer. I think it is better left as a trust: "The trust that the program will not report any detail of your activity to a remote site without explicit permission". Obviously, any program that violates that trust can be changed using freedom 1 (and distributed using freedom 3) without the annoyance. The trust you mention is like the community around software: not a freedom but something additional.

Perhaps as a right it works:

The right to keep your activity private without explicit, opt-in permission.

The right to not be reported

Posted Dec 10, 2012 5:55 UTC (Mon) by davidescott (guest, #58580) [Link]

> The right to keep your activity private without explicit, opt-in permission.

Firefox ships with "do not track" set to a default "off" state, requiring that users turn it on in order for it to be effective. In other words Firefox is operating under an opt-out model.

Furthermore Firefox requires that you install add-ins like Adblock manually instead of incorporating them into the browser.

Firefox even supports Cookies, a known means of monitoring and tracking user behavior.

Almost all Linux distributions ship TOR as an optional package and one has to "opt-out" of the larger government and corporate monitored internet.

Somehow none of those seem as bad, presumably because we draw a distinction between actively participating in an activity that detracts from privacy, than simply turning one's back on a third party's violation of one's privacy, but given a number of comments in RMS' letter I don't think that turning one's back is an acceptable moral position to RMS. Among his comments:

> To protect users' privacy, systems should make prudence easy: when a local search program has a network search feature, it should be up to the user to choose network search explicitly each time.
> A network search feature should also inform the user clearly and concretely about who will get what personal information of hers, if and when she uses the feature.
> If a sufficient part of our community's opinion leaders view this issue in personal terms only, if they switch the surveillance off for themselves and continue to promote Ubuntu, Canonical might get away with it. That would be a great loss to the free software community.
> If we can only say, "free software won't spy on you, unless it's Ubuntu," that's much less powerful than saying, "free software won't spy on you."

That said GNU has its own fork of Firefox that does more to protect privacy, so he could point to that and say "I don't advocate for the use of Firefox," but if that is the case it would be more fair to bring that up instead of focusing on Canonical.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 22:43 UTC (Sat) by cyanit (guest, #86671) [Link] (1 responses)

The issue here is the lack of a requirement to make trademarks free as well.

This allows Ubuntu to abuse his trademark power to give more visibility to his crippled distribution compared to variants lacking the antifeature in question.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 9, 2012 15:39 UTC (Sun) by vonbrand (guest, #4458) [Link]

I, for one, am fine with $DISTRIBUTION being the only one to be able to use their trademarks to advertise their (mis)features...

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 3:14 UTC (Sat) by Lou57 (guest, #12083) [Link]

Choose.

No big deal, just choose. I agree with RMS that this is an error in judgement on their part. Canonical is now very likely tied up with a legal contract with Amazon, and there may not be a great deal that they can do at this point. What a shame. Just the same, I choose not to get involved in their new venture. Appreciation to the community for the heads up.

OK folks, nothing more to see here. Move along.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 6:16 UTC (Sat) by wblew (subscriber, #39088) [Link] (2 responses)

What case is there to be made? The client-side Ubuntu software is freely available, right? If you don't like it, CHANGE IT.

That is the only real freedom that open software offers.

If you want the convenience of not changing it for yourself, well then, decide to use it, or not, also your choice.

Open, or Free, software is about empowering users to make their own choices.

Guess what? Some of those users will make choices that you, or me, might not make for ourselves. That is yet another aspect of that 'freedom' and thus the ability to make choices.

I really wish the 'you are doing it wrong, shame on you!' aspects of the community would be more quiet, and leave others to make their own choices.

That said, I personally opt-out of any, and all, advertising that I can, without sacrificing either: a) my convenience, or b) my inherent laziness.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 23:16 UTC (Sat) by Company (guest, #57006) [Link] (1 responses)

See, and this is where people like you piss me off. They claim to be defending freedom, but all they do is defend the freedom of others to be assholes.

Which is what brought us lots of wars, the current laws, Wall Street and a whole bunch of other things.

Yes, I would defend any of your freedoms, but I won't defend that.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 9, 2012 15:34 UTC (Sun) by pboddie (guest, #50784) [Link]

Indeed. Frequently, the people who shout "let the consumer choose" or "the consumers have spoken" most loudly are the last to admit that much has been done to keep the consumer ignorant of any choices they may have.

So when it is claimed that "there is no demand for anything other than Windows" or "people like Amazon links in their search results", you have to question whether those people really know that things could be different.

On the practical end...

Posted Dec 8, 2012 8:50 UTC (Sat) by frazier (guest, #3060) [Link] (1 responses)

I ran 'sudo dpkg --purge unity-lens-shopping' on my netbook running Ubuntu 12.10 and the annoying Amazon spam disappeared.

On the practical end...

Posted Dec 8, 2012 20:55 UTC (Sat) by did447 (guest, #49454) [Link]

You see that's the 'Window experience', have to remove a bunch of crapwares after install.

What's next? Norton antivirus?

They already have: regularly reboot the computer to fix it after whatever undocumented badly written code stops doing ... something.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 23:16 UTC (Sat) by jwarnica (subscriber, #27492) [Link] (7 responses)

It seems that the well crafted utopia that RMS designed in 1984 doesn't actually reflect real people's use of computers. RMS very carefully crafted a definition of Free Software, which is very much a developer-centric view of the world.

A developer, or any reasonably clued in user, can really deal with this specific problem fairly easily, with some host file fixes. I mean, who has used a computer for more than a couple of years and not done that at least once, to get around some e.g. license server BS? You don't need the source code, and you don't need the right to modify the source code. Source would help, but it might not be the easiest way to actually solve this problem. It being Free Software or not is irrelevant; it being controlled by a corporation is irrelevant. It's not hard to find examples of community (or individual) projects that have tried to do the same.

I'm reminded of some email thread from years ago that RMS was shocked - shocked! - that anyone would buy a gaming console; why would you want a computer you couldn't program? He wasn't talking about hacking up the kernel, but just not being able to interface with it with something akin to the programming power of /bin/sh. That such a device doesn't have a GPL'd bash makes it evil, that it doesn't have any shell makes it useless, or so his logic goes.

I'm also reminded that RMS was shocked - shocked! - at the explosion of ASP's in the 21st century, delivering software as a service, and the (arduous) scramble to put together a new version of the GPL to address this evil. How could he have predicted that? I mean, there isn't any way he couldn't have known about 1965 Multics, or 1975 CompuServe is there? Developers! Developers! Developers! No other view was consulted, and no other view is relevant to the vision that RMS has.

The issue is that most people, and developers most of the time, do not interact with their computers as developers did in 1983.

Trying to apply that vision to modern problems is just stupid.

Reasoning backwards

Posted Dec 9, 2012 1:10 UTC (Sun) by man_ls (guest, #15091) [Link] (4 responses)

There are plenty of people who watch what is around them and draw short-lived conclusions that apply just to the specific situation. There are a few who try to reason from general principles so their arguments apply to any situation. Stallman is one of the latter; his four freedoms apply just as well to a world of PDP-11's as to the current generation of smartphones.

People nowadays complain that their smartphones are outdated and vendors don't upgrade them, just as 10 years ago they complained that their consoles didn't let them run independent (or unlicensed) games; and 50 years ago that IBM was ripping them off with their outrageous charges for software (that others were ready to provide quite cheaper). All symptoms of a deeper malady which is the lack of freedom, as correctly identified by Stallman about thirty years ago.

Many people are happy to live in walled gardens; the mainframes of yesterday, the iPhones of today. Stallman is shocked about it every time afresh. Reasonably clueful users can deal with problems that the unwashed masses suffer in silence; Stallman is willing to give everyone a safe computing experience.

On the other hand you have many specialized fields today where sharing software is commonplace, licenses are not needed and modifying code to one's needs is allowed and even encouraged. From supercomputers to cloud servers to trendy HTML5 javascript libraries, whole ecosystems that would not exist without Free software (with all four freedoms). Yes, many packages are BSD-licensed, but this does not detract from the argument.

You are correct that it is mostly developers who take advantage of these ideas; it is only logical that those who know how to write code would benefit from the freedom to modify a program's code. But let me remind you that millions of people can change the OS on their smartphones thanks to the GPLed Linux kernel, among others. There are also separate movements such as Creative Commons and Open Access which are based on the same principles and that reach a much wider and diverse segment of the population.

There are many holes in Richard's original reasonings, the biggest one being cryptographic jails (aka Tivoization), but to be fair it didn't exist back in the 1980s. The problems caused by the lack of this particular freedom (the "freedom to run modified versions", we might call it, which Stallman took for granted) are far reaching. And yet Stallman and the FSF have adapted to the situation, while others (prominently Torvalds and other kernel developers) have stuck with the old license -- and ideas.

Reasoning backwards

Posted Dec 10, 2012 19:33 UTC (Mon) by jimparis (guest, #38647) [Link] (2 responses)

> The problems caused by the lack of this particular freedom (the "freedom to run modified versions", we might call it, which Stallman took for granted) are far reaching.

I don't think that was taken for granted. It seems reasonably well covered by "The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1)". It can only do your computing if you're able to run it.

Reasoning backwards

Posted Dec 11, 2012 9:32 UTC (Tue) by dgm (subscriber, #49227) [Link] (1 responses)

The freedom to modify a copy of your phone's software is clearly insufficient, you also need to be able to run your modified version on the phone. You can argue that this is not about software but hardware freedom, and I would agree, but it doesn't make it any less important.

Reasoning backwards

Posted Dec 11, 2012 14:51 UTC (Tue) by jimparis (guest, #38647) [Link]

I completely agree; I just don't think Stallman took running it for granted or that running it wasn't covered by the "four freedoms".

Running modified code

Posted Dec 12, 2012 3:52 UTC (Wed) by bjartur (guest, #67801) [Link]

Let's define freedom 4 then.
4. The freedom to run modified versions of your program, for any purpose.

Note that, just as RMS has clearly stated already, this is not the right to run modified versions of your program. Vendors are free to distribute software on ROM. They must not expressly restrict owners' writing to memory.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 9, 2012 17:31 UTC (Sun) by khim (subscriber, #9252) [Link]

> I'm also reminded that RMS was shocked - shocked! - at the explosion of ASP's in the 21st century, delivering software as a service, and the (arduous) scramble to put together a new version of the GPL to address this evil.

This one completely misses the mark. RMS is perfectly OK with the "software as service" concept - that's why even GPLv3 does not forbid that. He is very much not OK with tivoization, which is a quite novel phenomenon: Multics or CompuServe (or indeed any Unix out there) do not permit modification by just about anybody, but, of course, they are free to hack on for the owners of said system.

AGPL does exist, it does address needs of anti-SAS people, but these are not RMS's concern. He was ready to change GPLv3 to make it compatible with AGPLv3, but he was not ready to push it as a default.

> That such a device doesn't have a GPL'd bash makes it evil, that it doesn't have any shell makes it useless, or so his logic goes.

The fact that it does have bash is not a big deal, the fact that it does not have a means to run bash is the problem. The fact that there is a plethora of people who try to make it possible to run bash (well, usually not bash but something like XBMC but it's the same thing for this discussion) on game consoles shows that RMS is not loony. Note that most of these guys don't give a damn about GPL or RMS, but they are peeved by the fact that they paid good money for a piece of hardware which they can not actually use as they please.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 12:59 UTC (Mon) by dakas (guest, #88146) [Link]

> It seems that the well crafted utopia that RMS designed in 1984 doesn't actually reflect real peoples use of computers.

If it did, he would be out of a job. I wish he were. As it stands, he is slowing down the progressive loss of computer users' freedoms. Not bad for a one-man show, but not good enough either.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 9, 2012 22:22 UTC (Sun) by SilverWave (guest, #55000) [Link] (1 responses)

So... if I am using Xubuntu I avoid any spyware issues, but retain the benefits of a large repository of update packages and a great community?

That is, the problem identified here is Ubuntu and Unity specific?

Restated:
Q: Ubuntu Spyware: What to Do?
A: Xubuntu

Or am I being naive?

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 9, 2012 23:36 UTC (Sun) by raven667 (subscriber, #5198) [Link]

As stated in the article the problem isn't that the feature exists or that you can't disable it (you can) it's that it's the default and any users who aren't savvy about it could leak information unintentionally. It would be better if the feature was opt-in or the result of explicit user action that was clear you were doing a network search and not a local search. The fact that Canonical proxies and anonymizes the requests somewhat may help but this requires an ongoing trust relationship that they won't misuse the data they gather that wouldn't be necessary if the feature was opt-in or explicit.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 13, 2012 2:54 UTC (Thu) by drdabbles (guest, #48755) [Link] (3 responses)

Having the opt-in vs. opt-out discussion is worthwhile. But calling this feature "spyware" is total FUD and only serves to alienate the hard-line Free software proponents from the rest of Free software society. To be frank, I stopped listening to anything Stallman had to say a long time ago, because to RMS and people in his camp, this is a religious issue.

To those of us living in 2012, though, there's a real discussion to be had. I thoroughly enjoy, though rarely use, the Amazon Unity lens. I would find a Google lens significantly more useful, in fact. Because hitting the menu key, and typing in a Google query would save me from opening a browser, clicking CTRL+K, and doing the same basic thing. The utility of offering me music, books, and merchandise when I type something into my search bar is extremely useful.

Now, as to the "spyware" claim...that's total BS. The term you've typed in your Unity bar is sent to Canonical and then to Amazon. I would like to know what the difference is between that, and simply searching Amazon? Because either way, I have an IP address to tie your search back to. But, since we live in a world where it takes some work to discern if there are multiple devices behind a single public IP, or who is actually behind a public IP, the utility of the "spy" data is of serious question here. Great, so Canonical knows you searched for "term..." several times a day. Or, heaven forbid, they know you searched for "Kanye West" while looking for an admittedly poor musical choice. This is data that Amazon already collects. As well as Google, and whomever else may be selling you musical tracks or providing search functionality.

The fact that the feature is on by default is probably due to the fact that Ubuntu tries to accommodate the "average" computer user. This user is not like the "average" LWN subscriber. They find a serious utility in making things easier to access, and they put serious stock in the idea that the entire Internet isn't so far away from them. Yes, to you and I, we know that a browser window is almost certainly open somewhere, and we can go directly to the source of our content and search. But my mom has literally no idea what the difference between a browser window and her desktop area is. And Ubuntu has made serious strides in getting people like my mom onto a far superior platform than Windows.

If you don't like it, disable the lens. If you do like it, keep it enabled. If you believe strongly that after a user's first login they should be prompted to enable things like the Amazon lens, then suggest that to the Ubuntu developers.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 13, 2012 16:26 UTC (Thu) by raven667 (subscriber, #5198) [Link] (2 responses)

> Having the opt-in vs. opt-out discussion is worthwhile.

Agreed. It might be best if it was opt-in and/or continued integration with the music/video or other lenses which are more explicitly about network searches.

> I stopped listening to anything Stallman had to say a long time ago

I think that's unfortunate, what he actually says, instead of whatever crazy crackpot notions are often mis-attributed to him by poorly-informed commenters on the Internet, usually makes real sense.

> I would find a Google lens significantly more useful

Yeah, an explicit network search that covers search engines, Amazon, etc. might be cool.

> I would like to know what the difference is between that, and simply searching Amazon?

Canonical explicitly proxies and traffic to anonymize it due to privacy issues. You are only exposed to Amazon if you navigate to it, which would link your search to your identity. Searches for "Terminal" are probably not that interesting, searches for private medical or financial data stored on your machine. Many people are very private when it comes to medical and financial data, you shouldn't have to be constantly on-guard when using your own machine to not leak this data, by searching for key words in it, to third parties.

> The fact that the feature is on by default is probably due to the fact that Ubuntu tries to accommodate the "average" computer user.
...
> If you don't like it, disable the lens.

That's the rub, since it's not opt-in there is a greater chance of unintended disclosure, especially from the "average" user crowd who is unlikely to poke around in the settings and disable the feature unless they are highly motivated and well informed. Privacy shouldn't be a luxury only extended to those who fight for it, privacy should be the default.

Of course, considering how much data is collected by (marketing) intelligence firms these days just based on your ambient network footprint, this is like throwing a grain of sand to block a raging river, but it's probably the right thing to do in any event. I guess Stallman is Ned Stark 8-)

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 13, 2012 17:32 UTC (Thu) by drdabbles (guest, #48755) [Link] (1 responses)

I understand what you're saying completely. But my counter point would be, "How many people store documents with names like 'Embezzled money from the Cayman Islands.xls'"? Or, for that matter, "Super embarrassing or identifying medical diagnosis.pdf"?

The content of these documents and files is not being leaked. The term someone is searching for documents with might be. So, I may search for "2012 Taxes.pdf" (which is a real document title on my personal laptop), which exposes nothing except the fact that I have filed tax forms. It exposes no more data than "2012 Disability forms.pdf".

To the point that I've stopped listening to RMS, it's not because of rabid anti-RMS Internet trolls. I used to read his rants and raves first hand. And while I agree with the philosophy that Information should be free, I also find room for things like copyright (when exercised in sane measures). I firmly believe there is more than enough room in the world for GPLvX, BSD, MIT, CDDL licenses, as well as any other license type. I choose GPLv2 most of the time, because that's where I stand. But my employer may not always choose GPL because there are things we write that give us advantage over competitors. And I'm a capitalist-ish. :)

RMS' statements started slipping from "Freedom for all" to "Conspiracy against freedom" a long time ago, and I just don't have the time or desire to get wrapped up in that nonsense. I respect what he does, but his methods and ideology need to catch up to the times.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 13, 2012 19:24 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

> I understand what you're saying completely. But my counter point would be, "How many people store documents with names like 'Embezzled money from the Cayman Islands.xls'"? Or, for that matter, "Super embarrassing or identifying medical diagnosis.pdf"?

And you can guarantee that users will never want to search based on a document's contents?

> I also find room for things like copyright (when exercised in sane measures).

He does as well (after all, the GPL doesn't work without it). He has mentioned that 5 year limits are acceptable[1].

[1] https://www.gnu.org/philosophy/pirate-party


Copyright © 2012, Eklektix, Inc.