Apologies for the non KDE post on PlanetKDE. I’ve recently read so much stuff about Ubuntu’s “spying”, that I feel it’s worth clearing the air.
Ubuntu’s File Search
This is Ubuntu’s file search. It searches files.
So does this send data to the internet?
No, not at all. It searches your files.
So what’s the fuss?
The fuss lies in something else, the Ubuntu Dash. There is a lot of confusion about this.
Ubuntu Lenses are a way of searching multiple sources. If we look at the list of available sources it includes web searches such as
Google Books, Reddit, Wikipedia, Youtube, Amazon as well as combining local sources such as applications, local files and menubars. The idea behind it seems to be to create a single unified search bar, abstracting sources from the user. You can search for a song, and not care if the results are local or remote. Pretty neat.
It’s quite hard to combine results from the internet, without using the internet, so your search ends up online. Whilst this is encrypted, the results back are not. This is no worse than a search query with Google or Yahoo or any other search engine, and arguably considerably better as you are not later tracked round the web.
Adding Amazon searches by default
In all the search lenses, Amazon is added by default, this gives Canonical money which is fed back into Ubuntu. This is akin to how Mozilla Firefox set the default search provider to Google.
Mozilla earn over $96 million per year for this. KDE Has similar partnerships with enabling DuckDuckGo searches to be manually activated from krunner for a lot lot less.
It’s not unheard of in open source communities to make money this way, and whilst I don’t think as a user I would like these ads I can’t really hold it against them.
So how bad is it?
Canonical does not have your file contents, they don’t even have a list of your files, nor do they track all key presses.
At best, there is a record of a search term linked to an IP address, which may of may not be part of a file name. It’s not a lot of private data, and it’s not linked to you as a named individual.
The claim by the EFF, is not about the possibility of Canonical ‘spying’ on you. The claim is that a hacker sniffing your network traffic could infer from the from the images returned from Amazon what you are searching for.
Personally I consider this a very weak claim, if someone is sniffing your network traffic your are more likely to give away personal information in other ways, such as any browsing. It’s the EFF’s job to err on the side of extreme caution and to provide information. It’s up to us as the wider community to balance this with pragmatism and to keep things within proportion.
Edit: And this potential issue has since been addressed for 13.10, all data back is also encrypted, addressing the main point from the EFF. Thanks to Michael Hall for the updated information.
So why is it called spyware by some people?
There is a traditional gap between web and local applications, people ignorant of what the dash search does, mistakenly take this for a simple file search. For a file search to use the web would clearly be wrong. The majority of the complaints and criticisms I have read do not come from Ubuntu users who have seen the Ubuntu bar. To any user of the Ubuntu search bar, it should be obvious that it includes internet results due to the high visibility of the internet results within moments of usage.
If we always try to pander to the notion of treating web and local data as two completely separate distinct entities desktop Linux will always be held behind the web applications that are able to employ much richer content. I don’t want to have to be at a point where Firefox has to provide a prompt to explicitly state that it will use a network connection.
Spies (with the exception of James Bond) are also secretive. The Ubuntu dash makes no effort to hide exactly what it is doing. Whilst it may not be the world’s greatest or most useful feature, this isn’t something that spies.
To call it spyware is a blatant lie, to call it a privacy invasion I think is a massive exaggeration of a rather minor concern that misunderstands the goals of the dash.