[uylug-varios] Ubuntu Spyware: What to Do?

Federico Kouyoumdjian fedekp at autistici.org
Sun Dec 9 01:59:52 PST 2012


http://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do

  One of the major advantages of free software is that the community 
protects users from malicious software. Now Ubuntu GNU/Linux has become 
a counterexample. What should we do?

Proprietary software is associated with malicious treatment of the user: 
surveillance code, digital handcuffs (DRM or Digital Restrictions 
Management) to restrict users, and back doors that can do nasty things 
under remote control. Programs that do any of these things are malware 
and should be treated as such. Widely used examples include Windows, the 
iThings, and the Amazon "Kindle" product for virtual book burning, which 
do all three; Macintosh and the Playstation III which impose DRM; most 
portable phones, which do spying and have back doors; Adobe Flash 
Player, which does spying and enforces DRM; and plenty of apps for 
iThings and Android, which are guilty of one or more of these nasty 
practices.

Free software gives users a chance to protect themselves from malicious 
software behaviors. Even better, usually the community protects 
everyone, and most users don't have to move a muscle. Here's how.

Once in a while, users who know programming find that a free program has 
malicious code. Generally the next thing they do is release a corrected 
version of the program; with the four freedoms that define free software 
(see http://www.gnu.org/philosophy/free-sw.html), they are free to do 
this. This is called a "fork" of the program. Soon the community 
switches to the corrected fork, and the malicious version is rejected. 
The prospect of ignominious rejection is not very tempting; thus, most 
of the time, even those who are not stopped by their consciences and 
social pressure refrain from putting malfeatures in free software.

But not always. Ubuntu, a widely used and influential GNU/Linux 
distribution, has installed surveillance code. When the user searches 
her own local files for a string using the Ubuntu desktop, Ubuntu sends 
that string to one of Canonical's servers. (Canonical is the company 
that develops Ubuntu.)

This is just like the first surveillance practice I learned about in 
Windows. My late friend Fravia told me that when he searched for a 
string in the files of his Windows system, it sent a packet to some 
server, which was detected by his firewall. Given that first example I 
paid attention and learned about the propensity of "reputable" 
proprietary software to be malware. Perhaps it is no coincidence that 
Ubuntu sends the same information.

Ubuntu uses the information about searches to show the user ads to buy 
various things from Amazon. Amazon commits many wrongs (see 
http://stallman.org/amazon.html); by promoting Amazon, Canonical 
contributes to them. However, the ads are not the core of the problem. 
The main issue is the spying. Canonical says it does not tell Amazon who 
searched for what. However, it is just as bad for Canonical to collect 
your personal information as it would have been for Amazon to collect it.

People will certainly make a modified version of Ubuntu without this 
surveillance. In fact, several GNU/Linux distros are modified versions 
of Ubuntu. When those update to the latest Ubuntu as a base, I expect 
they will remove this. Canonical surely expects that too.

Most free software developers would abandon such a plan given the 
prospect of a mass switch to someone else's corrected version. But 
Canonical has not abandoned the Ubuntu spyware. Perhaps Canonical 
figures that the name "Ubuntu" has so much momentum and influence that 
it can avoid the usual consequences and get away with surveillance.

Canonical says this feature searches the Internet in other ways. 
Depending on the details, that might or might not make the problem 
bigger, but not smaller.

Ubuntu allows users to switch the surveillance off. Clearly Canonical 
thinks that many Ubuntu users will leave this setting in the default 
state (on). And many may do so, because it doesn't occur to them to try 
to do anything about it. Thus, the existence of that switch does not 
make the surveillance feature ok.

Even if it were disabled by default, the feature would still be 
dangerous: "opt in, once and for all" for a risky practice, where the 
risk varies depending on details, invites carelessness. To protect 
users' privacy, systems should make prudence easy: when a local search 
program has a network search feature, it should be up to the user to 
choose network search explicitly each time. This is easy: all it takes 
is to have separate buttons for network searches and local searches, as 
earlier versions of Ubuntu did. A network search feature should also 
inform the user clearly and concretely about who will get what personal 
information of hers, if and when she uses the feature.

If a sufficient part of our community's opinion leaders view this issue 
in personal terms only, if they switch the surveillance off for 
themselves and continue to promote Ubuntu, Canonical might get away with 
it. That would be a great loss to the free software community.

We who present free software as a defense against malware do not say it 
is a perfect defense. No perfect defense is known. We don't say the 
community will deter malware without fail. Thus, strictly speaking, the 
Ubuntu spyware example doesn't mean we have to eat our words.

But there's more at stake here than whether some of us have to eat some 
words. What's at stake is whether our community can effectively use the 
argument based on proprietary spyware. If we can only say, "free 
software won't spy on you, unless it's Ubuntu," that's much less 
powerful than saying, "free software won't spy on you."

It behooves us to give Canonical whatever rebuff is needed to make it 
stop this. Any excuse Canonical offers is inadequate; even if it used 
all the money it gets from Amazon to develop free software, that can 
hardly overcome what free software will lose if it ceases to offer an 
effective way to avoid abuse of the users.

If you ever recommend or redistribute GNU/Linux, please remove Ubuntu 
from the distros you recommend or redistribute. If its practice of 
installing and recommending nonfree software didn't convince you to 
stop, let this convince you. In your install fests, in your Software 
Freedom Day events, in your FLISOL events, don't install or recommend 
Ubuntu. Instead, tell people that Ubuntu is shunned for spying.

While you're at it, you can also tell them that Ubuntu contains nonfree 
programs and suggests other nonfree programs. (See 
http://www.gnu.org/distros/common-distros.html.) That will counteract 
the other form of negative influence that Ubuntu exerts in the free 
software community: legitimizing nonfree software.

Copyright 2012 Richard Stallman
Released under the Creative Commons Attribution Noderivatives 3.0 license

