Home  |   About  |   Energy  |   Politics  |   Software  |   Music

08 October 2012

Legal questions on the Ubuntu Shopping Lens

Several developments have followed the announcement of the default inclusion of the Shopping Lens feature in Ubuntu 12.10. What seemed at first a surreptitious inclusion of adware in Ubuntu turned into a full blown row when Mark Shutleworth, founder of Canonical, the company that coordinates the Ubuntu development, lit afire the blogosphere claiming that the company had administrative access to every computer running Ubuntu. From there we got to know that even the users that could benefit from the feature are not happy, since the results can not be filtered or customised. A further consequence of this is the possibility of adult oriented products showing up in the results, which puts at risk Ubuntu's usage by children and in professional environments. Answering to all the backlash, Canonical has decided to include settings that allow the user to switch off the Shopping Lens, but it will still be switched on by default.

Actually, this may be just the tip of the iceberg. The inclusion of this commercial oriented feature, more over by default, has the potential to open an unheard of conflict in the FOSS universe.

Update:In consequence of the questions raised in this post I created a petition addressed at Canonical requesting the removal of automatic data collection features.

My main objection against these lens is the automatic collection of search keywords, without consent, whenever the user tries to find a particular application or file in the system. This is clearly breaking the independence and confidentiality guaranties a user should have from its system, especially when it is open source. But beyond that, is this practice legal?

The European Directive 95/46/EC is a piece of legislation put together by the European Parliament in 1995 precisely to rule this kind of relationships between data subject and data processor. This directive was transposed to local law by all member states (even those that adhered to the EU after 1995) and is also the basis of personal data protection legislation negotiations with foreign countries.

The Directive starts by defining in detail a number of relevant concepts, commencing by the legal definition of "personal data":
Article 2


For the purposes of this Directive:

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
This clause makes it clear that the Lens searches are personal data, since they are sent to the Canonical servers together with the user's IP. It has to be this way so that the Amazon search results can be sent back to the system of origin; but it also allows to indirectly identify the user.

Clause (b) in Article 2 defines another important concept, that of "data processing":
(b) 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
This brings the collection of searches by the Shopping Lens clearly within the scope of this legislation. Also mind that in the following articles, the expression "data processing" applies directly to the particular action of data collection by Canonical.

Article 7 defines some clear presuppositions for the legal collection of personal data:
Article 7

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
This is where problems start. When a user downloads Ubuntu 12.10 or upgrades the system to that version, all the searches in the Lens will be sent to Canonical's servers without any sort of consent, implicit or explicit. Ubuntu being free distributable software, there is no formal contract between data subject and data processor that could legally frame the Shopping Lens. But things can get even more complex.
Article 8

The processing of special categories of data

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
In Ubuntu 12.10, if I do a search in my system for documents related to a political party, for instance, that keyword will be sent to Canonical, again by default. Is this legal? I would say that Article 8 of the 95/46/EC Directive can by itself put the Shopping Lens outside the law. This in spite of the existence of any unambiguous and explicit consent, it seems simply impossible for an application that collects all searches, regardless of whether the user is looking for a file or a gift for Christmas, to comply with EU law.

A further article also lays down some constraints on where the collected data is sent to:
Article 25


1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
Where are hosted the Canonical servers that collect the Shopping Lens searches? Are they inside the EU? If outside, does local law comply with EU law?

Canonical has just opened a Pandora's box with this unfortunate new feature. It seems to be at least pushing on the legal limits, and in more than one way. Collecting personal data without consent is not only ethically questionable, it is illegal in the EU. Anyone intended to keep Ubuntu out of the EU market has now a good deal ammunition to fire, and Canonical may be set to embrace legal challenges that it never faced before.

This comes at a time when Canonical is trying to push Ubuntu as a pre-installed system among hardware vendors. With Ubuntu 12.10 these vendors may be risking a forced market pull out, and in a worst case a host of legal procedures, fines and compensation claims.

To bring the Shopping Lens clearly into legal terrain I would suggest the following modifications to this feature:

  • Unbundle the Shopping Lens from other Lenses (applications, files, etc), making sure only searches intended for shopping purposes are sent to Canonical.
  • Ship the feature disabled by default and prompt the user for explicit consent on personal data collection before activation.
  • Inform the user on the location of the servers collecting the search data and which legal data protection framework applies in that country.
I sincerely hope that good sense prevails and Canonical tracks back on the Shopping Lens, at least disabling the feature by default. The future of my operating system of election should not be compromised by the careless and unprepared introduction of features whose legality is questionable.