Not much has happened since I reported on the potential incompatibilities of Ubuntu 12.10 with the European data protection legislation. At the time I got the impression Canonical was not even in tune to personal data protection and the company remained almost silent on the issue, avoiding to address it directly. I find this somewhat strange, for Mark Shuttleworth, the company
Update: The text of this petition has been kindly translated into French by Vince.
Meanwhile other sordid details came to my attention. First of all the fact that the Ubuntu Shopping Lens does not connect only to Canonical servers but also directly to Amazon servers. This seems to have been identified before the official release, but I only came to know it more recently. Why did Canonical stated that all Shopping Lens searches are dealt with solely by its servers when in fact they are not? Exactly what information is being sent to Amazon? Does the privacy policy yielded in the Shopping Lens applies to the data collected by Amazon or just to that collected by Canonical? These are all very uncomfortable questions to be posed on an operating system that so far had been a tenet of privacy and security.
Another awful detail was posted at CodeBlog. It seems incredibly easy to tweak the Shopping Lens for it to send the search key words to an alternative address. Of course this requires the access of a another person to your system in order to be harmful, which is exactly what happens in corporate or institutional contexts. Again, ill intended folk don't need the Shopping Lens to do wicked things, but there was no need for Canonical to help. This might not be an issue for every user, but it is one more detail that erodes the image of Ubuntu as a trustworthy operating system.
So what happens next? Contrary to what some of the reactions to my doubts suggested, these is not something to be solved in courts with layers and a judge. Data protection contention is dealt with by the national Data Protection Agencies existing in every European state, that where created to enforce the Data Protection Directive of 1995. Usually, the user would submit a formal complaint to one of these agencies, that if credible and founded would start an investigation. If the subject of the complaint is found to be in breach of the Law then the Agency issues sanctions and/or conduct recommendations (depending on the seriousness of findings) that automatically apply across the Union.
At this stage I have no interest in confronting Canonical this way. First of all because it can eventually damage the whole of the company and its employers, which in general do a great job innovating and maintaining Ubuntu, from which I greatly benefit. And secondly because if a formal investigation by a data protection agency takes place it will be a case without parallel. I already alluded to this when I initially raised my doubts, there is no sort of contract between the Ubuntu user and Canonical, although the relationship between the two is not that different from a commercial contract. My fear here is such an investigation having unintended consequences for the wider open source community, in case something like the Shopping Lens is deemed to require a formal contract to comply with the Law. In the end I just want Ubuntu to go back to what it was in September, assailing Canonical is not an objective of mine.
So today I propose to tackle this issue in a different way, creating a Petition addressed at Canonical, exhorting the company to quit any default data collection features. Below is the integral text of the Petition for a Better Ubuntu; if you're in tune, please jump to Avaaz and sign it.
Petition for a Better Ubuntu
Whereas we as Ubuntu users, acknowledge Ubuntu as an human-machine interface innovation platform, on which new features are constantly tested and matured.
Whereas we as Ubuntu users, acknowledge that Canonical, as the Ubuntu driving force, needs to source appropriate funding to ensure the long term success of Ubuntu.
Whereas we as Ubuntu users, would like Ubuntu to be an able operating system in any environment, be it institutional, corporate or private, taking full advantage of the versatility of Linux.
Whereas we as Ubuntu users, would like Ubuntu to remain a tenet of trust between computer system users and developers, retaining its characteristics of reliability and privacy protection.
Whereas we as Ubuntu users, would like Ubuntu to remain independent from corporate interests, the frontrunner among truly free and open source Linux distributions.
We thus request Canonical to:
1. Henceforth release Ubuntu with all data collection features disabled by default.
2. Request explicit user consent before enabling any data collection features, fully informing on which parties collect the data, where such data is physically stored and which protection policies the storing entity enforces.
3. Clearly separate search functionality on the user system from searches on remote resources, be it commercial or not.
No comments:
Post a Comment