Ubuntu

Direct data leaking to Amazon

Reported by Etienne Perot on 2012-09-25
694
This bug affects 95 people
Affects Status Importance Assigned to Milestone
unity-lens-shopping
High
John Lenton
unity-lens-shopping (Ubuntu)
High
Unassigned

Bug Description

Despite claims from Mark Shuttleworth that data is not sent to Amazon (http://www.markshuttleworth.com/archives/1182), a quick look at Wireshark reveals that all images resulting from search results are downloaded directly from Amazon (see attached picture).

Worse still, the request are over plain HTTP, even though Amazon offers an SSL service for images (ssl-images-amazon.com).

So while it's technically true that the search terms are not sent to Amazon, the search results are, and that's just as bad. From this, Amazon and any third-party on the line (ISP etc.) gets the user's IP, date, time, and can deduce the search terms through correlation with recent searches or by looking at the name of the products in the result set.

Additionally, the requests contains a fairly unique user-agent: gvfs/1.13.9, which seems to be tied to Gnome. I would imagine that there's not a lot of requests that would hit amazon.com with that user agent without originating from the Unity Dash. So now Amazon gets to know that I use the Unity Dash to search it, and how often.
The query also shows an Accept-Language header; I haven't experimented with other language packs, but it should be relatively obvious that leaking the user's language is not necessary, since those are just static images and the products' names have already been downloaded from productsearch.ubuntu.com.

How to reproduce:
- Open Wireshark, start capture
- Press the Windows/Meta key
- Type anything
- Check Wireshark output

Etienne Perot (etienneperot) wrote :
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity-lens-shopping (Ubuntu):
status: New → Confirmed
Adolfo Jayme (fitoschido) wrote :

Related bug 1055649

Iain Lane (laney) on 2012-09-26
tags: added: rls-q-incoming
Etienne Perot (etienneperot) wrote :

Some suggestions (from https://perot.me/ubuntu-privacy-blunder-over-amazon-ads-continues) on how to fix the thumbnail downloading issue:

(One of the following)

- On the productsearch.ubuntu.com site, download the thumbnails directly and embed them into the JSON result sent to the client, using the data URI scheme (https://en.wikipedia.org/wiki/Data_URI_scheme), so that the entire result set can be sent back to the client in one shot (as opposed to the way it currently is where thumbnails take a while to load)

- Replace the URLs with ones pointing to productsearch.ubuntu.com and which, on request, proxy the request normally.

- Have the client side do manual HTTP proxying (using productsearch.ubuntu.com or another Canonical server as HTTP proxy) for all requests that would otherwise be sent to a non-Canonical server

- Use an SPDY server and use server push/server hint to make things faster (http://www.chromium.org/spdy/link-headers-and-server-hint)

Neil J. Patel (njpatel) on 2012-10-01
Changed in unity-lens-shopping:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → John Lenton (chipaca)
Omer Akram (om26er) on 2012-10-03
Changed in unity-lens-shopping (Ubuntu):
importance: Undecided → High
Tom Louwrier (tom-louwrier) wrote :

While I do understand the reasoning behind this 'feature' and I do think it would be good for Ubuntu, Linux and Open Source as a whole if more funding comes its way, the issues associated with the shopping lens are worrying me. Combine that with some unavoidable bugs in the new code and user disappointment is guaranteed.

Sorry for being sceptical and probably sarcastic, but I think that most users will find their quick and final solution in "sudo apt-get remove --purge unity-lens-shopping". I did it within minutes after upgrading to 12.10 beta2 last weekend.

cheers
Tom

tags: removed: rls-q-incoming
Changed in unity-lens-shopping:
milestone: none → 6.12.0
information type: Public → Public Security
d❤vid seaward (kwill) wrote :

Would it be possible to use Tor (or some other anonymising protocol) to send and receive each request? (Whether the request is to Canonical, Amazon or some other vendor.)

This way individual requests may be identifiable (IP address for sale of item X occurred shortly after anonymous query for X), but sequential requests would not be identifiable (cannot identify that anonymous query X and anonymous query Y were in fact from the same IP address, unless they happen to both result in sales).

I believe this would also address some of the concerns raised in https://bugs.launchpad.net/ubuntu/+source/unity-lens-shopping/+bug/1073114

Marius B. Kotsbak (mariusko) wrote :

Richard Stallman has commented on this: http://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do

Richard's comments must be taken very seriously, and this issue *must* be adressed in the single only possible way : "Shopping lens" and every related unwanted online search packages must be removed from Ubuntu, by an urgent, security, bugfix.

TToft (ttoft) wrote :

Every IT site in the world: "Ubuntu with Spyware?"

Please release a fix. The Ubuntu brand is getting tarnished. No matter if it is indeed a security problem or not - that can be discussed if needed- but this *will* stick to Ubuntu forever if it isn't fixed quickly. Opt-in is the Linux way.

John Wang (johnwang) wrote :

David: Because of Tor's design its latency is far too high to use in a Dash context. Dash results are supposed to be near-instantaneous.

Kerem Hadımlı (keremhd) wrote :

It's not about Tor, or my IP address / who I am getting sent to remote servers. It is about "what" is being sent.

It sends my search term to the world outside my personal computer without my given consent (and without informing me that it assumes my consent), That search terms might contain information on "who I am" combined with "what I want to keep to my own".

I don't type generic terms like "doc files" or "music" in my dash, I type in names of my personal files, which by itself is enough to contain sensitive information I don't want anyone in Canonical (or men-in-the-middle on my network) to see.

This bug is not only related with "direct data leaking to amazon", it is also "direct data leaking to canonical".

+ 100 ! Well said.

Etienne Perot (etienneperot) wrote :

@keremhd: While I fully agree with your opinion about the privacy implications of the shopping lens towards Canonical and what data is being passed around to them, this is not what this bug is about.

This bug is about the fact that Shuttleworth's statement, "We are not telling Amazon what you are searching for. Your anonymity is preserved" is simply not true in the current shopping lens implementation.

What you describe ("data leaking to Canonical") is a conscious design decision made by Canonical. Shuttleworth acknowledges it as being the way it works ("we handle the query on your behalf", which is true).

tl;dr: what you are referring to is Canonical's intentional data gathering; what this bug is referring to is Amazon's unintentional data gathering. These are two separate issues.

Temporary solution is a remastering ISO image: http://www.helplinux.ru/wiki/en:kb:make-ubuntu-safe

JensLechtenboerger (lechten) wrote :

The bug is still present in Ubuntu 13.04 beta.
I'm a long-term Ubuntu user, but LTS 12.04 will be my last one if this does not get fixed.

papukaija (papukaija) on 2013-04-19
tags: added: raring

12.04 has been my last one for this very reason.

I'm now a happy ArchLinux user.

To put it very clearly : I just left Ubuntu because I was so pissed off by this commercial move (as well as the software library that doesn't make any difference between "freeware" and "free sofware".

Ubuntu seems not to have understood the reason why so many people left the Mandrake/Mandriva ship, well, let's the story reproduce until people understand : we want Free Software. We do not want Spyware nor adware. Thanks.

JaSauders (jasauders) wrote :

I installed 13.04 and set the privacy setting accordingly to disable the Amazon traffic. Despite this, it bothers me to know that Canonical made such a foolish move like this. If this was disabled by default, I would actually consider turning it on because I've always wanted to help Canonical in any way possible to support Ubuntu. But at this point, no thanks. This simply enrages me into a clouded state of wondering why I'm still on Ubuntu. I'm beginning to think that it's time to distro shop around and get something that is a little more logically aligned.

Since this bug:

- Is valid.
- Is well described.
- Is reported in the upstream project.
- Is ready to be worked on by a developer.

It's already triaged.

Changed in unity-lens-shopping (Ubuntu):
status: Confirmed → Triaged
D S (d-s) wrote :

I am immediately stopping my recommendations for using Ubuntu, and actively recommending against it based on this invasive and backhanded leaking of private information without an appropriate opt-in and explanation. Ubuntu, you failed, and now you pay the consequences.

papukaija (papukaija) wrote :

https://fixubuntu.com/ has a script which turns off remote search, uninstalls unity-lens-shopping, disables remote scopes and blocks connections to Ubuntu's ad server.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers