EFF Raises Questions on Privacy Leaks in Ubuntu

The EFF is warning users of Ubuntu’s latest release that the open-source operating system sends their search queries to third parties, including Amazon, by default, and that some of their search results may be viewable by other users on the same network. The privacy leaks are present in Ubuntu 12.10 and the group says that Canonical, which runs the Ubuntu project, should disable the inclusion of online search results by default and make it clearer to users what is being done with their search queries and IP addresses. 

The issues that the EFF is raising concern a feature called Dash in the Ubuntu Unity desktop, which is designed to be a single search box for documents, files and other information both on the local machine and online. When a user types a term, the query is sent over HTTPS to a server run by Canonical, productsearch.ubuntu.com, which therefore receives the search term together with the user's IP address. Depending on the query, the results returned may include Amazon products related to the search term, and those product entries in turn cause the desktop to fetch images from Amazon. This is one of the main things that has drawn the ire of EFF staffers.

“Technically, when you search for something in Dash, your computer makes a secure HTTPS connection to productsearch.ubuntu.com, sending along your search query and your IP address. If it returns Amazon products to display, your computer then insecurely loads the product images from Amazon’s server over HTTP. This means that a passive eavesdropper, such as someone sharing a wireless network with you, will be able to get a good idea of what you’re searching for on your own computer based on Amazon product images,” Micah Lee of the EFF wrote in an analysis of the Ubuntu Unity issues.

“It’s a major privacy problem if you can’t find things on your own computer without broadcasting what you’re looking for to the world. You could be searching for the latest version of your résumé at work because you’re considering leaving your job.”
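The two connections Lee describes, modelled as constructed packet payloads so the difference in what a passive observer on the same wireless network can see is concrete: for the TLS connection to productsearch.ubuntu.com only the SNI hostname is visible, while the plain-HTTP image fetches expose the host and the full image path. This is an added example, not code from the article, the EFF or Canonical; the ClientHello is built and parsed only as far as the SNI extension, the HTTP request lines are constructed, and the image hostname and paths are illustrative stand-ins, not captured Amazon URLs.

```python
"""Simulate a passive eavesdropper looking at the Dash search traffic.

Everything here is constructed; nothing is captured from a real network.
"""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension.

    Only the fields a passive observer parses are realistic; the random
    is fixed and a single cipher suite is offered.
    """
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32            # client_version, random
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00"                           # null compression only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes):
    """Return the SNI hostname from a ClientHello record, or None.

    This is all a passive observer learns about an HTTPS request: the
    query string inside the connection is encrypted.
    """
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 9 + 2 + 32                       # record hdr, handshake hdr, version, random
    sid_len = data[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = data[pos]
    pos += 1 + comp_len
    if pos + 2 > len(data):
        return None
    ext_total = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == 0:                     # server_name extension
            p = pos + 2                    # skip server_name_list length
            while p + 3 <= pos + elen:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        pos += elen
    return None


def http_request_summary(data: bytes):
    """Parse a cleartext HTTP request: method, Host header and path are all visible."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = next((ln.split(":", 1)[1].strip() for ln in lines[1:]
                 if ln.lower().startswith("host:")), None)
    return {"method": parts[0], "host": host, "path": parts[1]}


def eavesdrop(packets):
    """packets: list of (dst_port, payload). Returns what the observer learns per flow."""
    seen = []
    for dst_port, payload in packets:
        if dst_port == 443:
            seen.append({"transport": "tls", "host": sni_from_client_hello(payload), "path": None})
        elif dst_port == 80:
            req = http_request_summary(payload)
            if req:
                seen.append({"transport": "http", "host": req["host"], "path": req["path"]})
    return seen


# Constructed traffic modelled on the flow Lee describes: the query goes to
# productsearch.ubuntu.com over TLS, the product images come back over plain
# HTTP. The image host and paths are illustrative, not real Amazon URLs.
SAMPLE_PACKETS = [
    (443, build_client_hello("productsearch.ubuntu.com")),
    (80, b"GET /I/resume-template-cover.jpg HTTP/1.1\r\nHost: images.amazon.example\r\n\r\n"),
    (80, b"GET /I/resume-writing-guide.jpg HTTP/1.1\r\nHost: images.amazon.example\r\n\r\n"),
]

if __name__ == "__main__":
    for flow in eavesdrop(SAMPLE_PACKETS):
        print(flow)
```

Run as-is, the TLS flow yields only the hostname; the two HTTP flows yield image paths that, as Lee notes, give away what the user typed into a search box for their own files.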

Lee also says that Canonical sends some data to third parties, but is not clear about which companies those are and what data goes to them. He said that the company is responding to some of the criticism about the Dash search feature and is working on a feature that will load image results from Amazon over SSL.

“Canonical has been listening to feedback from Ubuntu users and they are working on improvements to Dash, such as loading Amazon images over HTTPS to prevent eavesdroppers from learning what users search for, and NSFW filters so that pornography doesn’t appear in Dash. These changes are great, but it doesn’t change the fact that users’ search queries automatically get sent to third party companies without giving users a chance to opt-in,” Lee wrote.

“Even loading Amazon product images over HTTPS instead of HTTP, the fact that they are loaded directly from Amazon’s servers instead of from Canonical’s means that Amazon has the ability to correlate search queries with IP addresses. One way to fix this would be if Canonical proxied all third party images and other content for Ubuntu users.”
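One way the proxying Lee proposes could be built, as an added example that is not code from the article, Canonical or the EFF: the search server rewrites each third-party image URL into a URL on its own host carrying an HMAC signature, and the proxy side refuses to fetch anything it did not sign or anything outside an allowlist, so that the proxy cannot be turned into an open relay. The proxy endpoint, the allowlisted image host, the secret and the sample result are all assumptions for the demonstration; the actual HTTP fetch of the validated upstream URL is left to whatever client the server already uses.

```python
"""Signed image-proxy URLs so the desktop never contacts the third party directly.

All endpoints, hosts and keys below are constructed for the example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

PROXY_BASE = "https://productsearch.ubuntu.com/proxy"   # assumed endpoint, not a real one
ALLOWED_IMAGE_HOSTS = {"images.amazon.example"}         # constructed allowlist


def _sign(secret: bytes, upstream_url: str) -> str:
    return hmac.new(secret, upstream_url.encode(), hashlib.sha256).hexdigest()


def proxied_url(secret: bytes, upstream_url: str) -> str:
    """Wrap a third-party image URL so the client fetches it through the proxy."""
    token = base64.urlsafe_b64encode(upstream_url.encode()).decode().rstrip("=")
    return PROXY_BASE + "?" + urlencode({"u": token, "sig": _sign(secret, upstream_url)})


def rewrite_results(secret: bytes, results: list) -> list:
    """Rewrite the image URL of each product result before it is sent to the client."""
    out = []
    for item in results:
        item = dict(item)
        item["image"] = proxied_url(secret, item["image"])
        out.append(item)
    return out


def resolve_proxy_request(secret: bytes, request_url: str):
    """Proxy side: return the upstream URL to fetch, or None to refuse.

    Refuses unsigned requests, tampered tokens or signatures, non-HTTPS
    upstreams, and any host outside the allowlist (open-proxy abuse).
    """
    qs = parse_qs(urlsplit(request_url).query)
    token = qs.get("u", [None])[0]
    sig = qs.get("sig", [None])[0]
    if not token or not sig:
        return None
    try:
        padded = token + "=" * (-len(token) % 4)
        upstream = base64.urlsafe_b64decode(padded).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, _sign(secret, upstream)):
        return None
    parts = urlsplit(upstream)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return None
    return upstream


# Constructed server-side secret and a constructed product result.
SECRET = b"constructed-demo-key"
SAMPLE_RESULTS = [
    {"title": "Resume writing guide", "image": "https://images.amazon.example/I/resume-guide.jpg"},
]

if __name__ == "__main__":
    rewritten = rewrite_results(SECRET, SAMPLE_RESULTS)
    print(rewritten[0]["image"])
    print(resolve_proxy_request(SECRET, rewritten[0]["image"]))
```

The signature is what keeps the proxy from being an open relay, and the scheme and host checks keep it from fetching from arbitrary origins even with a leaked signing key for a single URL. Note what this does and does not buy: Amazon no longer sees the user's IP address or which images a given machine requested, but Canonical now sees every image fetch in addition to the query, which is exactly the trust relationship Shuttleworth points to below.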

Users can turn off the online search results feature in Ubuntu 12.10, but it is enabled by default. Mark Shuttleworth, the creator of Ubuntu and a lead product designer at Canonical, said in a blog post that the Amazon results are not paid ads and that users have choices all along the way.

“We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root. You do trust us with your data already. You trust us not to screw up on your machine with every update,” Shuttleworth wrote.

Discussion

  • Benjamin Kerensa on

    I think Mark's blog post has been taken out of context.... When he was talking about root and trusting them it was along the lines of making clear that in open source there is a level of "trust" that exists between projects and the end users.