[liberationtech] Fwd: [greg at pryzby.org: Ubuntu, Dash, Shuttleworth and privacy]

Rich Kulawiec rsk at gsp.org
Fri Mar 15 06:13:11 PDT 2013


On Fri, Feb 22, 2013 at 02:30:17PM -0800, Micah Lee wrote:
> I think it's possible to create the kind of usability they want to
> create and also protect privacy.

You're correct, AFAIK, but I think that the issue is much larger.

A lot of the discussion about this has focused on things like the
fact that *at the moment* a mechanism exists to allegedly turn
this off.  Some of it has focused on how it will supposedly "improve"
the user experience. [1]  Some of it has focused on which data will
get sent to which entities.  Some of it has focused on how that
data will/might be sanitized/anonymized.  And so on.

But while all of these things are interesting, they're kinda sorta
mostly irrelevant, I think.

Here's what I think is relevant: Canonical's "privacy notice" for Dash
(and I'm quoting that term because I find it dripping with irony) reserves
the right to share keystrokes, search terms and IP addresses with a number
of third parties, including Facebook, Twitter, Amazon and the BBC.
(h/t to Wikipedia)

Keystrokes.  Forget the rest for a moment: keystrokes.

That's spyware.  (h/t to Stallman)  It doesn't matter how much happytalk
BS they spew about the UI, it doesn't matter how much they claim they
need to do it, it doesn't matter whether it complies with EU privacy
directives, NONE OF IT MATTERS because it's spyware.  Period.  Done.
Finito.  I don't care if it sings and dances and cures cancer, *it's spyware*.

So the problem here is not the implementation details.  The problem is
the existence of the mechanism in the first place.  Whoever brought this
up in a meeting and suggested that they do it should have been
interrupted...with a freight train to the face.

Because now that Canonical has committed to shipping spyware, what is
to stop them from introducing it elsewhere in the distribution?  What is
to stop them from issuing an update/patch that disables the user's ability
to turn this off?  What is to stop them from expanding the scope of the
information captured and sent?  What is to stop them from sending it
to more third parties?  And what's to stop those third parties from
mining it, correlating/augmenting it, and selling it?

*sound of tumbleweeds blowing across the dusty and barren prairie*

Absolutely nothing. [2]

The consequences of this are huge, and they go way beyond Canonical.

They're not just shipping spyware, they're shipping it *in a Linux
distribution*.  This is going to have negative repercussions for Linux
and for all of open source, because one of the things that has been a
useful talking point about both is that they come with no backdoors,
no spyware, no adware, no built-in-by-design security compromises.

And yet here we have one of the most prominent entities in the space
doing exactly that.  The fallout from this is going to impact all kinds
of projects and people who had nothing to do with it.

It's also (obviously) going to affect people using Linux -- not just end
users, but people running operations with it.  For example, I'm aware of
an operation that is in the middle of debating a switch from Windows to
Linux on its desktops, with Ubuntu as one of the possibilities they've
been evaluating.  But they can't possibly install it now: otherwise
they're setting themselves up for future conversations like this:
	
	CSO: You do know that we handle PHI (Protected Health Information)?
	Sysadmins: Yes.
	CSO: And you know that it's covered by federal law?
	Sysadmins: Yes.
	CSO: And you know that it's covered by state law?
	Sysadmins: Yes.
	CSO: And you know that it's covered by contractual agreements?
	Sysadmins: Yes.
	CSO: And yet you installed Ubuntu, with baked-in spyware, on
		every desktop in the building.
	Sysadmin: Well...we turned off the spyware part.

Those sysadmins would be *lucky* if they were merely fired and not subject
to civil or criminal legal consequences.  (I am not an attorney, this
is not legal advice, close cover before striking, your mileage may vary.)

The cold bitter sad reality is that Ubuntu needs to die.  The community
needs to eliminate it; everyone currently running it needs to choose
something else.  Nobody should install it on new systems.  The word
needs to be spread, far and wide, that Ubuntu IS spyware, and that
it must be ruthlessly exterminated.

Because if we allow this to succeed, then we'll get more of it.  Lots more.

Alarmist?  Yeah.  Okay.  Fine.  That's what people like me and including me
said about the spam problem 20+ years ago too.  But because it wasn't crushed
out of existence, look at what we have now.  I've seen this movie many,
many times and it always ends the same way.  The best time and most
likely the ONLY time to kill this is *right now*: no negotiations,
no wait-and-see, no compromises, just kill it with fire and move on.

After all: it's expendable.  We don't actually need it.  We have plenty
of alternatives already and if Ubuntu went *poof* out of existence five
minutes from now, more would quickly emerge to fill the space.

This may have already happened.

---rsk

[1] To borrow from Douglas Adams, this is obviously a new meaning of
"improve" that I wasn't previously aware of.

[2] Please don't tell me that some governmental entity will intervene.
Even if they do, and that's a slim chance, then Canonical will stall,
obfuscate, negotiate, etc., and the whole thing will drag on for years.
At some point down the road, an anemic settlement of some kind will be
agreed on and there will be some minor adjustments, the government in
question will declare the problem solved and Canonical will do pretty
much whatever they feel like doing.  This is, after all, how things
are done.



