Ubuntu

Comment 0 for bug 1055952

Etienne Perot (etienneperot) wrote :

Despite claims from Mark Shuttleworth that data is not sent to Amazon (http://www.markshuttleworth.com/archives/1182), a quick look at Wireshark reveals that all images resulting from search results are downloaded directly from Amazon (see attached picture).

Worse still, the request are over plain HTTP, even though Amazon offers an SSL service for images (ssl-images-amazon.com).

So while it's technically true that the search terms are not sent to Amazon, the search results are, and that's just as bad. From this, Amazon and any third-party on the line (ISP etc.) gets the user's IP, date, time, and can deduce the search terms through correlation with recent searches or by looking at the name of the products in the result set.

Additionally, the requests contains a failr unique user-agent: gvfs/1.13.9, which seems to be tied to Gnome. I would imagine that there's not a lot of requests with that user-agent that would hit amazon.com without originating from the Unity Dash. So now Amazon gets to know that I use the Unity Dash to search it.
The query also shows an Accept-Language header; I haven't experimented with other language packs, but it should be relatively obvious that leaking the user's language is not necessary, since those are just static images and the products' title language has already been downloaded from productsearch.ubuntu.com

How to reproduce:
- Open Wireshark, start capture
- Press the Windows/Meta key
- Type anything
- Check Wireshark output