Canonical Privacy Policy for Zeitgeist is Insufficient


Some time ago I opened Bug #965596 and further I sent an e-mail to Canonical’s Legal Team informing them of my concerns regarding the lack of clarity as to how Canonical collects and handles data that is obtained from Ubuntu End-Users. I never heard anything back from Canonical and further the bug has yet to be responded to by anyone who handles the Ubuntu.com site.

The problem is pretty simple, and that is that the Privacy Panel in Ubuntu (pictured below) directs users to this Privacy Policy, indicating that it covers how information is collected and used, but in reality the privacy policy does not disclose how data is collected or used at all when it comes to collecting information from “Zeitgeist” through the Activity Log Manager.

[Image: screenshot of the Privacy Panel in Ubuntu]

I’m sure that Canonical takes great efforts to ensure data is handled responsibly but at the same time they should be transparent about how that data is used and collected especially if they direct users to a special privacy policy which they claim covers such data.

Edit: Since some are still not gathering the purpose of this post, I will re-iterate that I am not concerned about mishandling of data by Canonical or Zeitgeist spying on users or anything of that nature; in fact that’s all tin foil hat talk. My concern is only the lack of any actual coverage of how “any” data collected is used and handled, since it is not at all described in the privacy policy linked from the Privacy Panel. Matthew Paul Thomas has clarified in that the reason for the lacking policy seems to be a delay from lawyers.

  • http://twitter.com/RateMySpiceRack Rate My Spice Rack

    does any of that data actually leave the computer though?

    • http://benjaminkerensa.com/ Benjamin Kerensa

      Yes that’s what you can tick or untick send errors to Canonical. I’m sure most of the data is anonymous in nature but to what extent is data collected? Is it analyzed for passwords etc? None of this is covered since the privacy policy is inadequate.

      • dholbach

        Data bits known to contain passwords are often replaced with XXXXXXXX by apport scripts. (See https://code.launchpad.net/~rcart/ubuntu/precise/mpd/fix-947551/+merge/96496 as an example.)

        Core dumps from crashes which might contain sensitive information are 1) retraced and the dump is removed, 2) stay ‘private bugs’ until a developer manually confirms they don’t contain private data.

        • http://benjaminkerensa.com/ Benjamin Kerensa

          Does that apply to data from privacy panel diagnostics or apport? I know our practices for bug reports

  • http://twitter.com/andreagrandi Andrea Grandi

    What do you mean by “collected”?! Is any of my data (the history in the Dash for example) transmitted to Canonical servers?!

    • http://benjaminkerensa.com/ Benjamin Kerensa

      It is unclear what data but I imagine it would only be logs pertinent to errors and bugs. Notably the privacy panel does let you log a lot so clarity in a privacy policy would be nice.

    • http://benjaminkerensa.com/ Benjamin Kerensa

      Have you run netstat lately?

      • dholbach

        This sounds a bit too conspiratorial for my taste. Did you find anything running netstat?

        • http://benjaminkerensa.com/ Benjamin Kerensa

          Just pings to U1

          • dholbach

            I’m no expert, but they might probably be part of the U1 syncing protocol?

  • Stephan Adig

    do you mean the apport report sending functionality?

    • http://benjaminkerensa.com/ Benjamin Kerensa

      No. Privacy Panel has a diagnostics pane… see above, this indicates automated sending while apport prompts you.

      • dholbach

        I think what happened here is that this dialogue bundles both the preferences for:
        – zeitgeist, ie: “don’t let zeitgeist log that I browsed porn and embarrass me when friends use my computer”
        – apport, ie: “something crashed, maybe Séb can fix it if he has the relevant info”
        This might be confusing, but is nothing to worry about.

        • Stephan Adig

          @dholbach:disqus so it’s the apport piece in this dialog :)

        • http://benjaminkerensa.com/ Benjamin Kerensa

          No worries at all on that my only concern was the privacy policy is an utter failure since it talks about data collected from websites such as cookies and makes no mention of the privacy panel etc.

          • dholbach

            I’m sure the policy was kept fairly generic because it is likely linked to and used in other settings as well. This does not solve your problem, but might be a reason why.

    • dholbach

      I don’t necessarily see what zeitgeist and apport have to do with each other. Maybe this could be clearer in the UI, but let’s not get hysterical. :-)

  • Stephan Adig

    well, running quantal, it’s actually turned off for me (could be that i turned it off after installing precise, or it’s actually turned off in a stable release)

    • http://benjaminkerensa.com/ Benjamin Kerensa

      It’s opt-in

  • http://www.facebook.com/people/Mike-Occupylexky-Vaughn/100002523662492 Mike Occupylexky Vaughn

    I’m 99% sure (and this is all but confirmed by a proper reading of the screenshot) that the only data which may be transmitted to Canonical is information on program crashes that could be useful to developers in fixing the problem (debugging symbols, backtraces, etc.). I’ve *never* heard of Zeitgeist doing anything like transmitting collected user data remotely (I wouldn’t say I’m an expert on Zeitgeist, but I have done a fair amount of reading about it). Furthermore, as is plainly shown in the screenshot, the option to send crash reports is *disabled* by default.

    You really should approach this topic more delicately, given the huge concern for privacy that many users (rightfully) have. I could see a post like this turning off potential users from checking out Ubuntu (and/or Linux in general).

    • http://benjaminkerensa.com/ Benjamin Kerensa

      I clearly stated in the post that “I’m sure Canonical takes great efforts to handle data responsibly” the post is intended to clarify a privacy policy linked in the privacy panel which does not address this. The issue is not concern of privacy but instead clearly outlining a privacy policy for diagnostics data.

  • http://twitter.com/seiflotfy Sf Ltfy

    Hey guys,
    I am one of the core Zeitgeist developers and one of the Privacy Panel developers.
    @bkerensa:disqus : Thanks a lot for this mail and I will look into improving the Privacy Panel more.
    Zeitgeist does NOT send anything over the internet. NOTHING…. What you are seeing is U1 pushing stuff around but has nothing to do with Zeitgeist, so no history is being pushed or anything… NOTHING

    • dobey

      This has nothing to do with U1. It’s only about crash reporting AFAICS.

      • http://twitter.com/seiflotfy Sf Ltfy

        He is complaining about U1 traffic…

        • http://benjaminkerensa.com/ Benjamin Kerensa

          I am not actually complaining about Zeitgeist nor U1… If my blog post were read my complaint is actually in the sorry excuse of a privacy policy. Mpt had already posted and said that there is a new privacy policy he reviewed but Canonical’s lawyers are dragging their feet on uploading it.

          • dholbach

            “sorry excuse”? I don’t get why you are so angry. It was acknowledged that it can be improved and there are people working on it. I’m sure that it’s not just a matter of “uploading it”. They will likely have to make sure that the text works in many different jurisdictions, etc.

            This blog post and its comments will have confused a lot of people, because in the beginning it was about Zeitgeist, then about apport/whoopsie, then about netstat, then about Ubuntu One.

            • http://benjaminkerensa.com/ Benjamin Kerensa

              I am not angry… “Sorry excuse for a privacy policy” is a figure of speech; it implies the Privacy Policy is greatly lacking. And yes it is very confusing and in reality we’re talking about https://launchpad.net/activity-log-manager/ which is the “Activity Log Manager for Zeitgeist”; this is the package that has the diagnostics panel and desktop file for the Privacy Panel? So if Zeitgeist is not collecting the data then what application is? What does the sending because the panel clearly implies opt-in of sending errors and that is a part of the “Activity Log Manager for Zeitgeist” (http://bazaar.launchpad.net/~activity-log-manager/activity-log-manager/vala/view/head:/src/diagnostics-widget.c)

              And I mean as mpt of the Canonical Design Team said “The “Recent Items”, “Files”, and “Applications” tabs of the Privacy panel are poorly designed in general, and in particular they do not make clear how the data is used.”

              Yet Seif of the Zeitgeist Team says “Zeitgeist does NOT send anything over the internet. NOTHING”

              Well the Activity Log Manager implies a totally different story.

              • dobey

                Granted the name of the binary “activity-log-manager” is perhaps slightly confusing in this respect, it does not “imply a totally different story” at all. If you read the code, it clearly shows that it is all about whoopsie errors reporting, and has nothing to do with zeitgeist. Also, as I understand it, that code is a general “privacy settings” UI, and not specific to ZG at all, though ZG is one of the things that it provides UI to configure. Even in your screenshot, there is absolutely nothing to lead that this privacy policy, nor any data uploaded, have any relation whatsoever to Zeitgeist.

  • Randall

    Clearer privacy statements help, but only if people read them.

    Technically though, isn’t the source available for Zeitgeist? Should be fairly simple to examine it for those that understand programming.

  • http://benjaminkerensa.com/ Benjamin Kerensa

    I was not concerned about the regularity of any data sent when opting-in my concern was more on the total lack of coverage of how data is used and collected in the privacy policy linked from the privacy panel as the privacy policy currently there is just a very basic privacy policy for websites and does not cover “software”.

  • http://benjaminkerensa.com/ Benjamin Kerensa

    Well then why would these settings be in the package “Activity Log Manager for Zeitgeist”? Why not in apport? or whatever application is actually doing the collecting/reporting/sending?

    • http://twitter.com/mpt Matthew Paul Thomas

      I don’t understand what you mean by “settings be in the package”. This is a System Settings panel.

  • pt3

    that looks like a mess

  • pt3

    The fact you can’t remove an item from the list directly is worrying