Throughout the following weeks the row focused on the awkward matching of unsolicited advertisements with free and open source software. In the meantime I started wondering if something far more serious could be at stake. Regarding previous experiences with data collection in my professional career and after carefully re-examining the European Directive on data privacy, I made public a series of concerns that lead me to a mini-saga, and Canonical to consider the matter in a totally different way.
This is a short story of this mini-saga and how it finally came to an end last week.
The post entitled Legal questions on the Ubuntu Shopping Lens quickly made the rounds, after being referenced by specialised media, such as Softpedia and OMGUbuntu!. This post set a record for visits in a single day at this blog and still remains in the top ten of the most read.
Apart from some initial surprise, there was never much of a reaction from Canonical, at least publicly. I tried to engage the issue at the Ubuntu Forums, but my threads were persistently deleted or closed. I thus took the decision to trigger a formal investigation on the matter.
The first step in this process was the set up of a petition addressed at Canonical, essentially asking for the Shopping Lens to become an opt-in feature. This petition was in first place a gesture of good will and secondly a means for an entirely friendly resolution to mine (and many other users') concerns. Providing this non conflictual avenue was an indispensable step before any formal investigation.
The petition received some attention and would be eventually signed by 57 individuals. It was delivered to Canonical about one year ago; no sort of reply ever came through. But throughout this time Canonical was reacting, notably with the inclusion of a privacy policy notice in Ubuntu 13.04.
Absent a reply, and still feeling that the default activation of the Shopping Lens was not entirely conformal with the law, I decided to proceed with a formal complaint. This complaint could have been delivered at the data privacy office of any EU member state, but Canonical being seeded in the UK I opted for the Information Commissioner's Office (IOC). It was not a straightforward process, requiring some insistence; eventually I would get notified of an investigation opening last December.
Nine months passed without any further information from the IOC. A few weeks ago I started preparing a complaint to submit in another member state, but it all came to an end with an e-mail from the IOC last week. This response is fully reproduced below; in this context, DPA refers to the transposition of the European Directive into the UK law.
Case Reference Number RFA0519023In essence, the ICO deems the various improvements introduced to the Shopping Lens during the past two years sufficient to render it conformal with the law. This reasoning also means that when it was first introduced, with Ubuntu 12.10, the feature was not legal. While my concerns were not fully acknowledge by the IOC, this latter fact makes this whole process well worthwhile. In spite of the conformance method, the law applies equally to open source software.
Dear Mr De Sousa,
I write in relation to your complaint to us about Canonical Limited, Ubuntu and the Ubuntu Lens.
I apologise for the time it has taken for us to complete our enquiries on the matter and respond to you.
We want to know how organisations are doing when they are handling information rights issues. We are interested in the way organisations are handling personal data now and in the future and aim to improve the way organisations deal with the personal information they are responsible for. People reporting their concerns to us helps us do that.
Our role is not to investigate or adjudicate on individual concerns but we will consider whether there is an opportunity to improve the current and future practice of the organisations we oversee. We do this by taking an overview of all concerns that are raised about an organisation with a view to improving their compliance with the Data Protection Act 1998.
After considering the specifics and implications of your concern we then asked Canonical Ltd for an explanation of the steps it is taking, or has taken, to ensure Ubuntu’s compliance with the DPA and, in particular, the first data protection principle.
Having considered Canonical Ltd’s response to our enquiries, we are satisfied that Canonical Ltd has a suitably thorough understanding of the DPA and its implications and requirements; and, that Canonical Ltd has taken and is taking due steps to comply with its obligations under the DPA.
In particular, we consider the (first time displayed, and later ‘iconised’) legal notice added by Canonical Ltd to the bottom right corner of the Dash, when Amazon searches were introduced, to have reasonably ensured compliance with the DPA for the introduction of those searches.
We also consider Canonical Ltd to have made reasonably available to Ubuntu users suitable information to assist people in limiting searches undertaken, or in removing the feature involved from their installation.
As a result, we do not consider that any further action is required by the ICO at the moment. This is because we do not consider that there is an opportunity to improve Canonical Ltd’s information rights practices at this time.
Although at this stage we are not taking any further action your concerns will be kept on file. This will help us over time to build a picture of Canonical Ltd’s information rights practices.
Thank you for bringing this matter to our attention. If you are dissatisfied with the service you have received, or would like to provide us with feedback of any kind, please let me know.
I rest my case. I am still happy to use Ubuntu (with the Shopping Lens switched off).
No comments:
Post a Comment