new location code allows anyone to set anyone else's location

I believe this was implemented as designed.

[1] Including keeping a log of who last messed with the record, so we can tell you who changed your location. I don't think it is visible in the UI though.

On Thu, 2008-08-28 at 11:45 +0000, Stuart Bishop wrote:
> I believe this was implemented as designed.
>

That's true.

> [1] Including keeping a log of who last messed with the record, so we
> can tell you who changed your location. I don't think it is visible in
> the UI though.

Whenever someone else sets your location you should receive an email
notification. It's probably a good idea to show it on the UI as well;
I'll report a bug for that.

BTW, you didn't get a notification yet because we haven't started
running the script which will pick the notifications from the queue and
actually send them.

Is this still a problem if we send you a notification at the time (of a
few minutes later) someone changes your location? Also, note that one
can change your location only until you do change it yourself -- from
there on you're the only one allowed to change it. Not to mention that
you can mark your location as hidden in case you don't want others to
know about it.

Guilherme Salgado <email address hidden> writes:

> Is this still a problem if we send you a notification at the time
> (of a few minutes later) someone changes your location?

Yes, I believe it is. Location information when combined with the
other information we have for people (specifically name and email
address) constitutes 'personal data'. As such, allowing random people
to add personal data for other people is not a good idea, for several
reasons:

 * It's creepy when people that you don't even know add location
   information for you (and though this didn't happen to me, it is
   happening to other people I've talked to).

 * It shifts the burden of correctness (in a Data Protection
   legislation sense) onto us.

 * It's missing from and runs counter to parts of Launchpad's own
   published privacy policy.

 * The 'you can hide your location' argument implies that users have
   an obligation to monitor email from Launchpad in case Joe Random
   decides to publish their location information to the world. That's
   not a reasonable requirement, IMO.

--
James

This is considered in the realm of personal information and therefore is covered under privacy acts that we must abide by. Therefore, our code must be changed to only allow the user to edit this (or their delegate, which we have no capacity for inside LP at this time).

First I thought this behavior of launchpad is a bug. I don't really see why it is desirable that anybody can set the location of others. Is it so important to know the location of other users? If users want to set their location, they will do so, or not?

I agree with Oliver Sauder. A user should be able to pick a location or pick not to pick a location.

Sorry let me clarify that, a user should only be able to set their location. Another use should not be able to if a user has selected not to be located or has already picked a location. This i think is a flaw, how can another know the more accurate location of a user than the user themselves ?

This is not only a bug but a nice legal minefield. I had my location set my some random user. This is disturbing to me as I have had people actively try to harm myself and my kids, and these people are stalkers (Causing myself to have to move multiple times). They know my name, and can use google to find my launchpad page, and from there the location to start searching in again.

I'm placed myself on a pacific island now. I'm not impressed, and I feel this misfeature should be corrected asap.

Now - what would happen if something bad were to happen to a user or their family because someone other than the user set their location details on launchpad, and that was used to track down that user and/or their family to cause the bad thing to happen ? I'd suspect legal proceedings would be occuring quite quickly after such an incident.

To reiterate in my original bug.

1) No one should ever under any circumstances ever, for any reason, be able to edit my profile except for myself.
2) I do not want any location at all listed for my account. I want that restored to the previous unset setting, and for it to remain that way.

We do send mail when someone sets this information. Saying "nobody should provide information about me" is tantamount to saying "nobody should edit a wikipedia page about me". The system is designed to encourage people to organise teams both virtually and physically, and hence we allow people to say who they have in a team and where those people are. We do specifically recommend that folks not disclose home addresses, but simply approximate location accurately enough to get time zones right. More importantly, we lock the data when the user provides it themselves.

Mark, I agree with the notion of team organization that you are describing; however, your last sentence, "More importantly, we lock the data when the user provides it themselves," is incorrect. And I personally believe that is the real bug here.

My initial report of this bug was a duplicate (and rightfully so chronologically), but I reported exactly the opposite behavior of your last sentence (a piece of information that is not captured in this bug report). If a user has already set their location, another user can still change it. I tested this on staging.launchpad.net when I submitted the bug, and I tested it again just now to verify that the behavior is still the same.

> We do send mail when someone sets this information.

This is not good enough Mark. People should NOT be able to change MY profile. I registered, I set what information I want to disclose, that I feel is required. NOT some random stranger.

> Saying "nobody should provide information about me" is tantamount to saying "nobody should edit a wikipedia page about me".

No - I'm saying no one but the owner of the profile can edit it. This is not a wikipedia page, it is a registered users profile. Why not let random strangers upload a pgp/gpg key claiming it is the account holders ? You allowed them to edit the account holders profile. How about editing memberships ? email addresses ? - Why is it ok for random strangers to able able to edit parts of my profile at all ?

> The system is designed to encourage people to organise teams both virtually and physically, and hence we allow people to say who they have in a team and where those people are.

I provide more than enough information to contact me virtually should people need to. It has never stopped anyone from working with me. A select few of your employees and MOTU also know my phone number and how to contact me in person. The difference is I chose to provide that information to those people.

I did not choose for someone else to edit my profile.

> We do specifically recommend that folks not disclose home addresses, but simply approximate location accurately enough to get time zones right.

So ? How is allowing a complete stranger to edit my profile a good thing ?

> More importantly, we lock the data when the user provides it themselves.

I never choose to provide that data. locking it after the fact is a moot point. It should not have been able to be modified by someone other than the launchpad account holder..

Frankly, given how I feel about this bug, and with references to how I've contributed to Ubuntu in the past, I'll start you off on how I think you should treat this.

===========================================================
Ubuntu Security Notice USN-670-1 November 12, 2008
Launchpad Information Disclosure Vulnerability
https://bugs.launchpad.net/bugs/262193
===========================================================
A flaw has been discovered in the launchpad bug tracking system, where unauthorised third parties
may edit portions of a registered users profile without their consent. This affects all users that have
not chosen to display their location on their profile.

When contacted about this vulnerability, Canonical claimed that was by design. Users are advised to
discontinue use until the vendor rectifies this vulnerability.

Users that must continue to use launchpad have been advised a workaround exists by setting a
false location, or by selecting a setting announcing that you wish to hide that information.

On Tue, 2008-11-11 at 22:35 +0000, Matt Layman wrote:
> Mark, I agree with the notion of team organization that you are
> describing; however, your last sentence, "More importantly, we lock the
> data when the user provides it themselves," is incorrect. And I
> personally believe that is the real bug here.
>
> My initial report of this bug was a duplicate (and rightfully so
> chronologically), but I reported exactly the opposite behavior of your
> last sentence (a piece of information that is not captured in this bug
> report). If a user has already set their location, another user can
> still change it. I tested this on staging.launchpad.net when I submitted
> the bug, and I tested it again just now to verify that the behavior is
> still the same.

I can't reproduce that. Can you show me the user who's set his own
location and yet you were still able to change it?

I see you've set yours and I don't see the option to edit your location
on your profile page. I'm also forbidden to access your +editlocation
page (when I manually craft it).

I've set my location too, so you can try changing it and you'll see the
option is not there and you should not have access to
https://launchpad.net/~salgado/+editlocation since I've set it myself.

Guilherme, the user was Paul Hummer (https://launchpad.net/~rockstar), someone I work with on the Entertainer Media Center. It looks like I could still edit his location if I wanted to, but I did notice that yours is not editable.

Maybe someone else set Paul's location and I just thought that he set it himself. I guess there could be other reasons too. Paul and I are on some of the same teams. Paul is also on some lp teams and is a Canonical employee so maybe his account has different access (but I'm totally guessing about that).

On Wed, 2008-11-12 at 21:58 +0000, Matt Layman wrote:
> Guilherme, the user was Paul Hummer (https://launchpad.net/~rockstar),
> someone I work with on the Entertainer Media Center. It looks like I
> could still edit his location if I wanted to, but I did notice that
> yours is not editable.
>

> Maybe someone else set Paul's location and I just thought that he set it
> himself. I guess there could be other reasons too. Paul and I are on

That's correct; you can set Paul's location because it was not Paul
himself who's set his. If he'd set his location like I did for myself,
you'd not be able to change it.

> some of the same teams. Paul is also on some lp teams and is a Canonical
> employee so maybe his account has different access (but I'm totally
> guessing about that).
>

That's not the case.

> is tantamount to saying "nobody should edit a wikipedia page about me"

Well, I'm not a notable person by Wikipedia's standards... so actually that's right, nobody should edit a Wikipedia page about me :)

Wikipedia isn't a clearly similar case. Wikipedia has a lot of policies regarding information about living people on top of its usual policies about notability etc. These policies include not publishing information about material not relevant to a persons notability — so even Wikipedia would generally disallow including home location details in a biography. See the rather large http://en.wikipedia.org/wiki/Biographies_of_living_persons for the precise policies.

Wikipedia also has a community and processes that seem to be fairly effective at regularly checking and enforcing those policies.

A more analogous system might be Facebook, which like Launchpad has pages for many unnotable people that are users of Facebook. Facebook lets those users specify exactly how much personal information they want to share (modulo the occasional bug).

> We do specifically recommend that folks not disclose home addresses, but
> simply approximate location accurately enough to get time zones right.

There's a separate drop-down for selecting the time zone already, so by this argument the location map is completely redundant.

Part of the problem might be due to the overly-precise nature of a point on a google map. You can't just say "I live in this city", you have to give a very precise location, precise enough that it indicates a specific street or block.

I'm setting this low because it is still uncertain as to whether this feature should be disabled after 4 months of discussion.

This is not a feature - it is a bug. This misfeature allowed an unknown third party to edit my profile - and it has clearly happened to others here. This is a misfeature that is dear to Mark's heart - so it's obvious it won't be fixed. I don't really care if the account holder wants to set their location on a map. They can choose to do so. I did not choose to do so. Someone else set it for me without my consent.

I'd offer a patch - but it's not like one can apt-get source launchpad to fix it. This should be reset back to high - it is important, and Mark really needs to have a long think about whether or not it really is such an important feature to have unknown third parties editing launchpad user profiles in any way.

Yagisian, note that it will soon be possible for you to fix Launchpad; it is being open sourced. See https://dev.launchpad.net/OpenSourcing for more.

By "fix Launchpad", I mean patch the code, and get that patch on a path to be deployed on Launchpad.net assuming it's acceptable. Obviously, we're not proposing that the world will have code-deployment ability on a hosted service :-).

The problem isn't developing the patch, the problem is that the patch will never be deployed on Launchpad.net unless Mark changes his mind. If he does, then I'd imagine that the paid devs could implement this with no trouble. It's a policy thing, not an implementation one.

Exactly. It's clear that this issue will not be fixed until Mark changes his mind. At this stage it doesn't appear that it will happen any time soon. Mark sees it as people providing information on "contributors". I see it as people editing my account. To me this is a serious issue.

Serious enough that I immediately removed myself from all Ubuntu groups, and no longer contribute to Ubuntu in any way. I don't send in reports of security issues I find, I don't send bug fixes, I don't propose new packages, I don't offer advice, I don't advocate it. Other people can edit my account on here, so quite frankly, it may not be me people think they are dealing with. I don't find it acceptable that my account can in any way be edited by third parties.

To get an idea of how unlikely this is to change - do you see Mark subscribed to this bug ? I don't.

No one can edit your account except you. They could only change your map location, until you set it yourself.
So you just set it to a location (any you feel like) and choose the "Hide my location details from others." if you don't want it shown.

Terence, you do not get the point that "change your map location, until you set it yourself" is editing their account.

Having to set any location just to protect one's location from being set by others is simply wrong.

I was 'hit' by this issue yesterday and didn't realise there was a bug report for it until pointed to this by MPT.

As has been said, this is spooky. Getting a launchpad account with the various 'privileges' to interact with projects and teams and bugs and so forth clearly makes this a very personal account.

That being the case, it is just plain wrong that some anonymous unverified account can edit an established user profile - an account operated by someone who hasn't signed the terms of conduct, has no relationship to Ubuntu or the launchpad project, and could even be a script.

I don't think there's a Right Answer here. But I'd like to offer one thought:

The difference between a Wikipedia entry and a Launchpad user profile is reader expectations.

When someone reads a Wikipedia entry about Jane Random, they have no expectation that the content there is produced by or endorsed by Jane. But when someone reads her Launchpad profile, they usually assume that the information there comes from Jane Random herself. Launchpad user account information is "attributable" in a way that Wikipedia and other random assertions on the Net are not.

We should take such attribution assumptions into account when thinking about this issue.

While I am not among them there are friends of mine who are not even okay with Canonical having their information. It is my opinion that this is reasonable to some degree.

If you can bother to keep metadata in the database regarding who set the location then you can afford to have a field regarding whether the user has approved it. and a) not display it until they have approved it and b) delete it if they specifically disapprove it.

The logic should go roughly like this:

someone has set the location of user foo:
   is the setter foo? set location, set approved to true, set visible
   else:
       store location and set approved and visible to false
       send an email with links to approve or disapprove the location:
             user approves: set approved to true, set visible.
             user disapproves: keep approved at false, CLEAR location data, and possibly make it no longer setable.

This behavior is being encoded in the privacy policy, so it looks like it is not changing.

I believe Matthew Revell's recent change to the privacy policy was merely to make the privacy policy reflect current reality. It was not intended to influence the behavior, just to describe it. If the behavior is changed, the privacy policy can change too.

This behaviour is no longer useful (I presume the original purpose was to allow lots of people's locations to be set quickly). I suspect that when the hole in the privacy policy was noticed, it was just decided that it would be much quicker to amend the policy than to adjust the code. I don't think closing this is useful.

I've put the status back to "Triaged" (undoing change 27). The privacy policy edit was not meant to influence this bug one way or the other, so it shouldn't have any effect here.

As it stands, there is no bug here and this is blocked - the system is working as designed.

Assigning to the design team's Launchpad contact so they can wontfix this personally or change the design.

This feature request will not be closed until it is completed as long as I do the triage of the Launchpad Registry. The most pragmatic way to see Launchpad changed is to understand if this feature is a success. Do users map other users? is the number significant?

I think this feature is a bad idea, because it's not really intuitive that other people can set your location. Other websites have user profiles as well but I've never seen one where other users can edit your personal information.
With regard to "organizing teams", if you can't reach your team members by chat or mail and ask them to set their location, it doesn't seem to be much of a team anyway.

On Fri, Jul 3, 2009 at 8:34 PM, Curtis Hovey<email address hidden> wrote:
> This feature request will not be closed until it is completed as long as
> I do the triage of the Launchpad Registry. The most pragmatic way to see
> Launchpad changed is to understand if this feature is a success. Do
> users map other users? is the number significant?

53 thousand users have set their own location.

1 thousand users have had their location set by others.

--
Stuart Bishop <email address hidden>
http://www.stuartbishop.net/

Wow.Thank you very must for these numbers. I really do not see the need for this feature, users are quite skilled at setting their own location. I will keep these numbers in mind when we update the user and team profile pages this release.

The update should come from Curtis' work.

Does that mean this is going to be corrected?

Not necessarily. My team will be implementing the redesign the of the profile page and it is an opportunity to look at the value and popularity of this feature. So far it has proven to be cause of performance problems and user grievance. It is used by less that two percent of users and we do not know how many users set the location of the 1000 users.

On Thu, Jul 16, 2009 at 5:41 AM, Curtis Hovey<email address hidden> wrote:
> Not necessarily. My team will be implementing the redesign the of the
> profile page and it is an opportunity to look at the value and
> popularity of this feature. So far it has proven to be cause of
> performance problems and  user grievance. It is used by less that two
> percent of users and we do not know how many users set the location of
> the 1000 users.

745 individual users have set someone else's location.

102 individual users have set the location for two or more people.

1 user has set the locations for 27 people.

Fixed in launchpad devel r9884.

Fixed released in launchpad-project 3.1.11.