On Calling Others Childish FUD Spreaders



Jono Bacon blogged yesterday in a response to Richard Stallman’s recent post on the Free Software Foundation’s website in which Stallman suggested Ubuntu has spyware. I do not personally think that Ubuntu has spyware (I think calling it spyware is a stretch) but I do think the shopping lens poses security and privacy concerns which Canonical appears to be ignoring.

I’m a bit flabbergasted by Jono’s response to Stallman since it didn’t seem to defend at all against Stallman’s claims. It was like Jono was trying to claim Stallman was utterly wrong without providing even the smallest bit of evidence to his readers and Ubuntu Users.

The post became popular and over one hundred comments had been posted within hours. Most readers who commented claiming to be Ubuntu Users totally disagreed with Jono’s post and stated they felt the feature was either totally negative or implemented in a poor way.

One thing that has concerned me since this feature came out, is the repeated posts and statements from Canonical employees who seek to reassure Ubuntu Users that privacy is a key value to Canonical. However, when the EFF, an Ubuntu Developer and former Canonical employee, and heck, even myself point out privacy and security issues with the feature, the only thing we get is ignored or told we are spreading FUD.

Now, I still think the Unity Shopping Lens can be a valuable feature to users. However, until it becomes opt-in and the ability to switch it off occurs, well it’s not very valuable and seems like more of a liability to users and the community.

Let’s be clear that Ubuntu is the only Linux Distro that currently does anything like this. Personally, I do not know of any proprietary operating systems that do anything like this without it being opt-in or at the very least giving users significant warning of the feature.

A list of bugs related to shopping lens that are confirmed but not fixed:
#1054741, #1073114, #1054776, #1055952, #1053678, #1068028, #1070598

“As a leader… I have always endeavored to listen to what each and every person in a discussion had to say before venturing my own opinion. Oftentimes, my own opinion will simply represent a consensus of what I heard in the discussion. I always remember the axiom: a leader is like a shepherd. He stays behind the flock, letting the most nimble go out ahead, whereupon the others follow, not realizing that all along they are being directed from behind.” – Nelson Mandela

Update: Jono has apologized to Richard Stallman

  • http://twitter.com/andybleaden Andy Bleaden

    I neither like nor love it (shopping lens) but then there are many things in Ubuntu I do not use but have no opinion on.

    I do not use Facebook but would have thought the Facebook unity/ubuntu plugins are really useful…if you like that sort of stuff. I don’t necessarily think therefore that Ubuntu is wrong.

    • http://benjaminkerensa.com/ Benjamin Kerensa

      Have you removed the package entirely?

      • http://twitter.com/andybleaden Andy Bleaden

        Nope just disabled the results through settings. I have to be honest here and admit that on installation (upgrade) to 12.10 I tried a few of the webapps but found few useful -yet and even made a small one for work outlook email so I removed them.

        The thing is I would actually find the amazon thing useful if I shopped more often but I don’t so the results were not helpful so switching them off was to prevent annoyance.

        I think if I bought more music online it could be useful but as I have most of what I want it is not.

        A case in point is on my Google Nexus 7 which now on Google Music which here in the UK works (officially! instead of me hacking) and has a store with tons of music I am aware that they track my searches so only my stuff comes up. That is Google and the Nexus 7 is a media player.

  • Dave Kokandy

    I agree that Richard Stallman calling it “spyware” was bigger than the issue warrants. I agree that it would be a simple enough thing to make it opt-in by adding an additional checkbox on the installer that says something like “Would you like to enable online searches through the Unity Lens?” That way it would be within the user’s control.

    I can’t really answer the poll here above because I don’t think I either LOVE or DISLIKE the Unity Shopping Lens – I accept the shopping lens for what it is. I have actually found it helpful once or twice – when searching for music or movies on my device, I have found some nice things to add to my Amazon wishlist. If that helps Canonical fund future development, great.

    Stallman’s issue seemed to center around the fact that Canonical is logging my searches… but I am fine with that if it leads to future innovations. I think the real promise of online lens search is if Canonical can discover new possible extensions for the Unity Lens. My favorite Lens extension is the Google Docs Unity Web app, for instance, because I use Google Docs extensively. If Canonical logging and aggregating my searches leads to further integration with upcoming web apps, I wholeheartedly consent and encourage Canonical to do so.

    I do recognize that other people are concerned with that kind of aggregation, and those same users who do not want Canonical to log their stats would probably also be skeptical of keeping documents on Google servers in Google Drive, so they would not use the additional online searches this leads to. But I think Jono Bacon’s points are well-made – the concerns I have heard of to my ears do ring as FUD… Fear that Canonical will use the data inappropriately, uncertainty about the security of the function, and doubt about Canonical’s actions in the future.

    You say that it’s a liability until users have the ability to switch it off, but that time is now – it is configurable in the settings, or you could simply “sudo apt-get remove unity-lens-shopping” to kill it entirely. Totally within the user’s control. But I agree it would be a minor effort and a big philosophical improvement to make it opt-in.

    • http://benjaminkerensa.com/ Benjamin Kerensa

      The problem is not every Ubuntu User or Linux user for that matter knows how to use the command line let alone remove packages from the command line. The biggest issue is that the privacy switch they added does not even work.

      Further still people are upgrading daily and installing and are not presented with any popup or message warning them that they’re unknowingly having their dash keystrokes sent out over the wire.

      Also if you’re on a LAN shared with other users it’s possible for someone to intercept your keystrokes or even worse send you back bad responses.

      http://www.outflux.net/blog/archives/2012/11/09/product-search-in-ubuntu-12-10/

      • http://www.mhall119.com/ Michael Hall

        The shopping lens can be removed from the Ubuntu Software Center, the command-line isn’t necessary.

        • http://benjaminkerensa.com/ Benjamin Kerensa

          But for users who do not know the feature exists they would not know their keystrokes are being sent over the wire or how to remove it. Again there has not been good effort to inform users.

          Like Kees said: “Even if the default for this is enabled, there needs to be (likely at
          install-time) a page describing what to expect, and the system owner can
          choose “yes, search online” or “no thanks”.”

          • http://www.mhall119.com/ Michael Hall

            Should that choice be only for Amazon product search, or all online searching?

            • http://benjaminkerensa.com/ Benjamin Kerensa

              I believe he was referring to just Amazon but IMHO I think that all online lens should have some master control under privacy and it should be a one stop choice during install or during first boot on fresh installs and upgrades. At the very least there could be one of those notifications that says “Hey we added this and it does this so before you get started if you don’t like this then do this to make that go away”

              • Dave Kokandy

                I agree that a master control would be ideal.

                • Marc Deslauriers

                  There already is a master control, it’s in the Privacy applet in system settings.

                • Alan Bell

                  It doesn’t apply controls to anything and it doesn’t work. It is a flag that the pre-installed lenses (all of the pre-installed lenses, which are just a few of the lenses available) check for, but third party lenses will ignore it completely. Can we stop claiming that this is some kind of panacea that will protect your privacy please. It is a preference setting for the pre-installed lenses.

                • http://www.mhall119.com/ Michael Hall

                  We can let 3rd party lens/scopes authors know how to check for it and encourage its adoption.

                • Alan Bell

                  that really isn’t anywhere near good enough. The control should be implemented externally to the lens so that it actually controls the lens and imposes the limitation. This can be done. It can be done the very hard way with sandboxing and limiting internet access to the process. It can be done the easy peasy way by having a control to allow the user to select which lenses see global search change events and the global search text.
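The difference between a flag each lens is trusted to check and a control enforced outside the lens, as debated in this thread, shown as an added example that is not part of the original comments and is not Unity code. All class, lens and function names are hypothetical, and the query string is constructed.

```python
"""Toy model of a dash forwarding global search text to lenses.
Every name here is hypothetical; this is not Unity's API."""


class Lens:
    """A lens receives search text; a `remote` lens forwards it off-host."""
    def __init__(self, name, remote, honours_flag):
        self.name, self.remote, self.honours_flag = name, remote, honours_flag
        self.sent = []  # stands in for queries put on the wire

    def on_search(self, text, remote_allowed):
        if not self.remote:
            return
        # Advisory model: the lens itself decides whether to obey the flag.
        if self.honours_flag and not remote_allowed:
            return
        self.sent.append(text)


class AdvisoryDash:
    """Every lens sees every query; the privacy flag is only a hint."""
    def __init__(self, lenses, remote_allowed):
        self.lenses, self.remote_allowed = lenses, remote_allowed

    def search(self, text):
        for lens in self.lenses:
            lens.on_search(text, self.remote_allowed)


class EnforcingDash:
    """Global search text is delivered only to lenses the user enabled."""
    def __init__(self, lenses, enabled_names):
        self.lenses, self.enabled = lenses, set(enabled_names)

    def search(self, text):
        for lens in self.lenses:
            if lens.name in self.enabled:  # enforced outside the lens
                lens.on_search(text, remote_allowed=True)


def leaked(dash_factory, query="tax return 2012"):
    """Return {lens name: queries sent} for the remote lenses after one search."""
    lenses = [Lens("files", remote=False, honours_flag=True),
              Lens("shopping", remote=True, honours_flag=True),
              Lens("thirdparty", remote=True, honours_flag=False)]
    dash_factory(lenses).search(query)
    return {lens.name: lens.sent for lens in lenses if lens.remote}


if __name__ == "__main__":
    print("advisory :", leaked(lambda ls: AdvisoryDash(ls, remote_allowed=False)))
    print("enforcing:", leaked(lambda ls: EnforcingDash(ls, enabled_names=["files"])))
```

The enforcing variant only limits which lenses the dash hands the search text to; it says nothing about what other software in the user session can observe.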

                • Marc Deslauriers

                  Any other piece of software that runs in your user session has the capability of sniffing your keyboard strokes and sending it to the Internet. There is no good reason why special measures need to be implemented just for lenses.

                • Alan Bell

                  There wouldn’t be any reason if the “control” didn’t exist. If it exists it should work. I would be much more comfortable with it from a security standpoint if there was no control at all. This is lulling people into an utterly false sense of security.

                • http://www.mhall119.com/ Michael Hall

                  With our goal of having 100 scopes installed by default, any solution that asks the user to make a choice for each scope is not feasible.

                • Alan Bell

                  so, if I build a lens to search an intranet resource should it respect the flag?

                • http://www.mhall119.com/ Michael Hall

                  If your concern is about sending local search terms over the network, then yes, it should.

                  If your concern is about sending local search terms to Amazon, then no, it shouldn’t.

                • Alan Bell

                  My concern is that there are two entirely valid and contradictory answers to the question.

                • http://www.mhall119.com/ Michael Hall

                  There are, and that’s what Jono meant when he called it personal. Some people want privacy, without regard to inconvenience. Some people want convenience, without regard to privacy. Most of us fall somewhere between the two.

                  My problem with Stallman’s recommended solution is that it’s completely at one end of that spectrum. It’s not “let the user choose” it’s “make the user choose”. Stallman isn’t concerned about convenience or usability, just read about his ideal method of browsing the web.

                  Ubuntu does, and always has, existed between those opposite extremes. That’s what lets us bring the best of Open Source to the millions of people who wouldn’t be served by an “only Open Source” ideology.

                  We make tough, practical decisions about how to balance the two, and we adjust those decisions over time. We’re going to adjust this one too, as we find better solutions. But we’re not going to run to Stallman’s edge of the spectrum.

                • Alan Bell

                  no, that isn’t my point at all. The problem is that this control has now caused a situation where it is not safe to develop lenses for Ubuntu as there is a choice of respecting the flag, or not respecting the flag and whichever choice you make is horribly wrong from some valid perspective. It isn’t clear at all whether third party lenses should respect the flag or not https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1087873

                • http://www.mhall119.com/ Michael Hall

                  Writing software is never safe, you’re always going to offend, annoy, or piss off somebody. The reason it isn’t clear whether third party lenses should respect the flag is because people aren’t clear about what they want it to do.

                • Marc Deslauriers

                  If third party lenses aren’t checking the user preference, then they have a privacy issue. A bug should be filed, and they should be fixed.

            • Dave Kokandy

              I think all online searching, because any online searching could have the same risks (surveillance, co-opting, presenting bad results, logging, etc)

          • http://fitoschido.wordpress.com/ Fitoschido

            “For users who do not know”… such a repeated, weak argument. People aren’t stupid.

      • Dave Kokandy

        I think though that even if Unity searches were intercepted, there’s not much that would really be learned by those searches… I know I and other people in my loco (I should say those who use Unity in the first place) primarily use it as an app or file launcher – so my data stream probably looks like half-typed names of apps, documents, or media. Sending back bad responses is more dangerous, but hopefully Canonical will look into encrypting these searches.

        • http://fitoschido.wordpress.com/ Fitoschido

          They say they anonymize the queries, for what it’s worth.

  • Marc Deslauriers

    Actually, the search box on the Android home screen on my phone searches both locally and the Internet by default. Of course, it does say “google” in the middle of it, so maybe it’s implied. Perhaps the search box in the dash global search tab should be “Search (locally and Internet)” or something?

    • http://benjaminkerensa.com/ Benjamin Kerensa

      I have an Android phone and heck even on the Custom roms if I use the Google Search Widget the first time that I input anything it brings a nice little overlay that explains the feature and I have to tap a blue “Okay” button on the overlay to proceed. Plus when you set up your phone for the first time it has the privacy policy and agreements all there presented all up front before you even get going.

      • Marc Deslauriers

        So making the legal notice that’s available at the bottom of the dash be a click-through would satisfy you?

        • http://benjaminkerensa.com/ Benjamin Kerensa

          Actually I think the suggestions that Ubuntu/Debian Developer (Former Canonical Employee) Kees Cook suggested is the best route and most respectful of users. http://www.outflux.net/blog/archives/2012/11/09/product-search-in-ubuntu-12-10/

          • Marc Deslauriers

            Well, I disagree with having it at install time, as a large number of users are getting Ubuntu preinstalled, and at install time you completely lack context of what exactly you are agreeing to. I guess a pop up on first use would be acceptable. Heck, I don’t even remember clicking through one on my phone, so I guess it wouldn’t be that intrusive.

  • Rodney Dawes

    “Let’s be clear that Ubuntu is the only Linux Distro that currently does anything like this.”

    Actually, Novell/SUSE was doing something very much like this, 6 years ago. I don’t think it still does, after what’s happened with them since then, but privacy/security aren’t the reasons it stopped there. The two main pieces of software which provided the feature simply fell by the wayside.

  • Guest

    The title and image in your post are ridiculously unrelated to the content written. I’m with Jono on this, and it’s quite disturbing that you use a childish meme to make fun of him. I think you need to review the Code of Conduct you signed in the past.

  • kris

    12.10 was such a bad release that I would not make any judgments based off it. The shopping lens will probably be put into a real lens sometime soon and if it isn’t fixed by the next LTS then freak out. He was probably right calling Stallman short sighted, unless the direction really is to push everything you do into one lens.

  • http://about.me/nlsthzn Neil Oosthuizen

    And the quote by Mandela is because!? I will never be able to install Fedora cause I don’t wear hats right? :-

  • http://www.fuduntu.org/ Fewt

    Perhaps because it is a lie to call it FUD. Your company collects search data – and it isn’t opt-in, it is opt-out. While there may be no malicious intent – it still has the same properties as common spyware.

    Your goal was to put lipstick on a pig, as that is what Mark hired you to do. Just be honest about it.

  • http://www.facebook.com/jsebean Jonah Sabean

    I don’t get this stupid argument to be honest. I agree with RMS regarding spyware, my definition of spyware is anything that sends information to a remote server automatically, without it specifically being opt-in. Privacy Policies and terms and conditions just don’t cut it for me, because let’s be honest here, who really does read them. I mean I take the time to read them but I know for a fact that my friends and family are not going to waste their time reading them, they trust the companies/projects in respecting their privacy.

    That said, that is FUD. FUD is not a bad thing, when something like this happens it is something we should be concerned about.

    Now for me personally, I switched for Ubuntu because it’s based on GNU/Linux and respects my freedom, but I’m not another RMS. I think there is room for proprietary software, as long as it respects my privacy. “Right to Modify and redistribute” is not something as important for me for some things, but anyway that’s a whole other argument. Point is I moved to Ubuntu because I think it has a perfect balance with “free software”, and proprietary aspects (such as non-free codecs and drivers). But I always felt it respects my privacy. I’m currently on 12.04 because I’m an LTS kind of guy, but if 14.04 is like 12.10 and this issue isn’t solved, I will not be an Ubuntu user come April of 2014.

    My opinion to fix this: Disable the feature by default and make it clear where info is going and to who when users turn it on. I then would keep using Ubuntu. Until then I’m sticking to 12.04 and really hope and pray you guys get this right.