Unity and the post-Snowden world

I typically don’t listen to podcasts or watch talk shows, but the 29th episode of the 2nd season of the Linux Action Show was referred to me and it does have a very interesting part where they discuss the usability and privacy issues around the latest iteration of Canonical’s “Unity” interface. The ten minutes where these guys discussed the matter were surprisingly thought-provoking even for someone like me who was already aware of privacy issues.
The part where they discuss the usability problems and relevance of “smart scopes” search results is between 51 minutes 40 seconds and 55 minutes.
The part where they discuss the privacy implications is between 55 minutes 30 seconds and the 1 hour 1 minute mark, and that’s the one I’m particularly interested in here. It feels important enough for me to transcribe bits of it for you here:

“[…] they track what you search for, and the IP it came from. [Canonical] also state in their terms of service that if they’re served a warrant, they will hand that information over. […] I was more comfortable with it before Edward Snowden existed (sic). And now what I know, where you have companies like Lavabit, where federal authorities will come in with outrageous warrants… and so… there was just a recent crackdown on Tor and so, right?
[…] Here’s the thing: in a post-Snowden world, if I decide to run Tor Browser, every time I type “Tor browser” into this, there is a ping that goes off to Canonical’s servers and says “the person at this IP address just launched Tor”. Now, if I’m the federal authorities, I can go subpoena these records and I can say “now look, we saw this Tor traffic, and we saw your computer launch Tor at this time, let’s go get a warrant and search through Chris’ files because we saw, when we subpoenaed Canonical’s information, that he launched the Tor browser on his computer, thereby giving us justifiable means to search his whole machine.”
Why did they even put themselves into that position?!
[…] The main problem is… it gives a record of the commands I launched on my computer. It’s a keylogger.”

This depiction is so simple, yet so elegant and powerful in explaining the issue at hand! It makes me glad to be running a desktop environment that aims to spearhead privacy by default and by principle, governed by the community and a registered non-profit organization rather than controlled by a single entity keen on turning me into the product to be monetized out of desperation.
Sure, you could say privacy does not exist, but the local computing experience of an open-source desktop operating system is an entirely different matter than the world-wide web. Locally run open-source software is the last bastion, the one area where we can put our trust and must hold our ground.
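The transcript’s concern (every keystroke forwarded to a remote search service, with the client address retained in the server’s log) and the local-by-default, explicit one-shot online search that the comments argue for, modelled in an added Python example that is not part of the original post or of Unity’s code. The Dash and SearchService names, the log format and the 203.0.113.x addresses are constructed for this example.

```python
# Added example (not from the original post or Canonical's code): a model of a
# search-as-you-type desktop dash that forwards each keystroke to a remote
# search service, showing what the service can retain and what a
# local-by-default design retains instead. Names, the server log format and
# the sample IP/session values are all constructed assumptions.
import uuid
from dataclasses import dataclass, field


@dataclass
class SearchService:
    """Stand-in for a remote product-search backend; keeps a web-server-style
    access log (client IP, session id, term), as the privacy policy describes."""
    access_log: list = field(default_factory=list)

    def query(self, client_ip, session_id, term):
        self.access_log.append((client_ip, session_id, term))
        return []  # the results themselves are irrelevant here


@dataclass
class Dash:
    """Desktop search box. online='all' forwards every partial query as typed;
    online='none' searches locally unless the user explicitly asks for more."""
    service: SearchService
    client_ip: str
    online: str = "all"
    session_id: str = field(default_factory=lambda: uuid.uuid4().hex)

    def type_phrase(self, phrase, one_shot_online=False):
        """Simulate typing `phrase` one character at a time, then Enter."""
        typed = ""
        for ch in phrase:
            typed += ch
            if self.online == "all":
                self.service.query(self.client_ip, self.session_id, typed)
        # Explicit one-shot online search (e.g. shift+enter) sends the final term only.
        if self.online != "all" and one_shot_online:
            self.service.query(self.client_ip, self.session_id, typed)
        return typed


def reconstruct_phrases(access_log):
    """What the operator (or anyone holding the log) can read back: per
    (ip, session) the longest term sent is the phrase actually typed."""
    longest = {}
    for ip, sid, term in access_log:
        key = (ip, sid)
        if len(term) > len(longest.get(key, "")):
            longest[key] = term
    return longest


def ips_for_phrase(access_log, phrase):
    """Client IPs whose log entries contain `phrase`: the correlation step the
    transcript worries about, including the false hits ("tutorial" matches "tor")."""
    return {ip for ip, _sid, term in access_log if phrase in term.lower()}


def demo():
    svc = SearchService()
    # Constructed sample clients; 203.0.113.0/24 is a documentation range.
    Dash(svc, "203.0.113.7", online="all").type_phrase("Tor browser")
    Dash(svc, "203.0.113.9", online="none").type_phrase("Tor browser")
    Dash(svc, "203.0.113.9", online="none").type_phrase("tutorial", one_shot_online=True)
    return svc


if __name__ == "__main__":
    log = demo().access_log
    for (ip, sid), phrase in reconstruct_phrases(log).items():
        print(f"{ip} session={sid[:8]} typed={phrase!r}")
```

With the default setting the log holds all eleven prefixes of “Tor browser” for the first client; with the local-only setting it holds nothing until the user explicitly sends one term.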


Comments

13 responses to “Unity and the post-Snowden world”

  1. Jo-Erlend Schinstad

    Sure it sounds nice, but they’re making stuff up and that is quite helpful when you want to convince someone that something nasty is going on. Have a look at the Ancient Aliens series. They’re quite convincing too, as long as you don’t know that all their “evidence” is falsified and that they omit everything that doesn’t lead you to believe in alien construction workers from outer space.
    In the LAS, for instance, he claims that if he enters “tor” and presses enter, then they know that you’ve launched the Tor Browser. This is quite simply not true, according to Canonical. Because the Tor Browser is local and local actions are not sent. So while it is true that “tor” was being sent as a search, this search could potentially lead to billions of different things that have absolutely nothing to do with the onion router. One example is any picture of my grandfather, since his name is Tor Andersen. If you live in a country where you can get in trouble with the government for entering a common name like John or Tor, then that’s not really a technical issue. You have to be _really_ paranoid in order to be afraid of that scenario.
    If you have a look at the smart scopes protocol, you’ll easily see that it’s designed not to be based on IP-addresses, but rather on a session-based UUID/keyword, where a new session is generated each time you open the dash. So you could actually use Tor to anonymize the searches itself and then, even though they have an Apache log aside from the search feature itself, the IP wouldn’t be very interesting.
    In summary; even if a story sounds convincing, that doesn’t prove that the “evidence” that appears in this story is actually true. In this case, they’ve constructed a story based on supposition and not fact, but still presenting it as fact, which makes Linux Action Show a very untrustworthy source of information. And that’s sad.

  2. Hei Jo-Erlend,
    to the best of my understanding, everything you enter as a command in the Unity Dash will be sent as a search (or partial search), even if the local matches of the search and actions upon them are not sent.
    Do you not consider this to have any adverse privacy implications?
    Why is this a sane default for the user of the software?

    1. Jo-Erlend Schinstad

      I believe I was one of the first Ubuntu community members to officially raise this issue on the Ubuntu Desktop mailing list, back in 2011. It will be very difficult for anyone to pretend that I don’t take this privacy issue seriously, but this is not my issue; we have a separation of fact and communication that worries me. That’s my issue. My original post can be found here: http://markmail.org/message/gwv3xhmijlidpesd#query:+page:1+mid:nt6bhxjfducdf5ya+state:results
      Nobody supported my claims that this was a potentially damaging issue back then, though it obviously has become one. In 2013, people are dramatizing it. I have an issue with that. We should make our cases while the debate is ongoing and not wait until everything is settled and then make a big deal out of it. That’s just destructive, in my view. Since long before this new debate started, my personal belief has been that online searches should be opt-in and not opt-out. This has been my stance, it still is in the present and will be in the future. However, I do want online searches.
      I have several issues with Unity Scopes, but none of them are related to privacy or security, except for that one thing; it should be easily activated, but semi-disabled by default. By semi-disabled, I mean that searches should not be online by default, but that you would be able to press shift+enter to enable one-shot online searches. I think you should also be able to enable automatic online searches by default very easily. But default should be local with a one-shot enablement strategy to make it easy for people to explore the possibility without feeling insecure.
      The Smart Scopes service actually appeals to me because it has a potential to be a very good anonymous search engine. I’ve never seen anything with greater potential. Obviously, it’s still immature. But in my view, because it’s scoped, decentralized and anonymous, it could be synced and distributed. I had an interesting discussion with Richard Stallman about this precise subject a few years back. (Long before Ubuntu even considered anything like smart scopes). His claim was that decentralized search was impossible and could never be accomplished because of the enormous amounts of data. I believe that scoping searches can enable us to actually accomplish it. “web search” and “cinema ticket search” are radically different things. One can easily be decentralized whereas the other cannot.
      To me, it’s all about how to make it good, rather than how to make it sound bad.

  3. Jef Spaleta

    Jo-Erlend Schinstad,
    Hey man… don’t say nobody. MPT actually had your back with his great reference to Apple’s change to an opt-in policy in that thread. I wish I had seen that so I could use Apple’s policy correction as a talking point to put more public scrutiny on getting that change into smart scopes before it was widely deployed. It’s not too late I guess to bring up Apple’s policy correction to inspire a Canonical one.
    And I would agree, the Linux Action Show content seems to have crossed over a line into sensationalism on this issue. But I sort of expected this to happen because of the way it’s designed and how aggressive the search results are about putting up… purchasing opportunities… (not using the word advertisement… not doing it… oh crap I did it.)
    -jef

    1. Jo-Erlend Schinstad

      I shouldn’t have said “nobody”, because I was obviously quite aware that there were some others. I should’ve said “hardly anyone”. I should apologize to mpt. I hope it’s obvious that I wouldn’t call him “nobody”. I have great respect for the man 🙂
      Oh, and wrt the ads thing; in LAS, he enters a search phrase in order to get online results, and then he claims that he didn’t ask for them. I guess he’s offended by the fact that you can buy stuff on the internet.
      Of course, the quality of the search results has to improve. But it’s hardly surprising that a crowd sourced search engine needs a crowd in order to function properly.

  4. Hi Jo-Erlend, thanks for taking the time to comment on this. You bring some very interesting points.

    In the LAS, for instance, he claims that if he enters “tor” and presses enter, then they know that you’ve launched the Tor Browser. This is quite simply not true, according to Canonical.

    You know, I’ve grown to be very cautious of “according to Canonical” in the past few years.

    Because the Tor Browser is local and local actions are not sent. So while it is true that “tor” was being sent as a search, this search could potentially lead to billions of different things that have absolutely nothing to do with the onion router.

    Sure, but as you say it yourself, whatever is typed, by default, is sent to Canonical’s servers as a search query to provide contextual results. According to Ubuntu/Canonical’s privacy policy:

    […] Unless you have opted out (see the “Online Search” section below), we will also send your keystrokes as a search term to productsearch.ubuntu.com and selected third parties […]. By searching in the dash you consent to: 1) the collection and use of your search terms and IP address in this way; and 2) the storage of your search terms and IP address by Canonical and such selected third parties (if applicable).

    And the whole “Access” section of that policy needs to be read too.
    Regarding your argument of “well, this search query can be lost in a sea of rubbish/irrelevant stuff anyway”: it doesn’t matter if you consider what LAS presented in terms of “triangulation”. The information stored on Canonical’s servers is not to be used in isolation, it is meant to be used for cross-referencing, validation and targeting you, providing “justifiable means” or “probable cause”.

    Nobody supported my claims that this was a potentially damaging issue back then, though it obviously has become one. In 2013, people are dramatizing it. I have an issue with that. We should make our cases while the debate is ongoing and not wait until everything is settled and then make a big deal out of it. That’s just destructive, in my view.

    I commend you for that, and I of course agree that issues must be discussed as they brew instead of when they are set in stone. However, keep in mind that I have not considered myself part of Ubuntu for the past few years. I am not subscribed to mailing lists, I only find out about this “after the fact”, and even if I was actively involved and posting in such mailing list discussions I wouldn’t have managed to change Canonical’s business imperatives regarding this, no matter the amount of arguing (you, yourself, are an example of having tried to uphold users’ rights by requesting this to be an opt-in instead of opt-out – see how well that worked).
    I am therefore only reporting on what has been brought to my attention from a user’s point of view – you could say that’s destructive, but it is not the goal, the goal is to raise awareness about this. You previously said “you have to be _really_ paranoid in order to be afraid of that scenario”: well, even the “mildly” paranoid were being dismissed as lunatics before the Snowden affair. The events of 2013 force us to revisit our appraisal of the situation and privacy risks, and what we can do to limit them. It’s never too late to change.

    1. Jo-Erlend Schinstad

      «You know, I’ve grown to be very cautious of “according to Canonical” in the past few years.»

      Then you’re entering another subject that was dismissed in LAS; Mark Shuttleworth pointed out that since they’re running the archives, they can get root to your system at any time. If you have no trust for Canonical, then you shouldn’t use Ubuntu at all, making the whole smart scopes discussion completely irrelevant.
      According to Michael Hall, they have normal apache logs, but the smart scopes service itself doesn’t use IPs. The protocol itself seems to be designed not to rely upon user identification at all. Otherwise, what would be the point in using a per dash-session UUID to begin with? Using Tor with the dash is completely feasible. It’s a feature that doesn’t exist because nobody has created it. If Canonical refused a good patch that enabled this, then it would be interesting to hear the arguments for that, but to my knowledge, it hasn’t happened yet.

      «I am therefore only reporting on what has been brought to my attention from a user’s point of view»

      That’s how all rumours work. Raising awareness is a noble goal, but simply propagating a rumor and one-sided stories, is not a good thing.

      «well, even the “mildly” paranoid were being dismissed as lunatics before the Snowden affair.»

      Well, if you look at the LAS episode, when he searches for Tor, other things appear, such as tuTORials and Transmission Bit TORrent. He ignores that, because he has decided to tell a frightening story and then you have to ignore anything that dispels the idea of a monster hiding under the bed.
      If you seriously believe that the government will be out to get you if you read a tutorial, then your issue isn’t really with technology, but with your government. I don’t really believe he’s that paranoid at all, but rather that he wants attention for his show… Which you’ve been providing. If he told a balanced story with no technoparanoid thrillers, you probably wouldn’t have written about it, would you?

      1. Just to address this particular statement:

        Then you’re entering another subject that was dismissed in LAS; Mark Shuttleworth pointed out that since they’re running the archives, they can get root to your system at any time. If you have no trust for Canonical, then you shouldn’t use Ubuntu at all, making the whole smart scopes discussion completely irrelevant.

        First, they actually did address that point at 1h into that episode. They said this (which you are entitled to disagree with):

        I don’t want you to ever, ever have any entry on any server about what my IP address was or what commands I ran. I don’t care if you update server nodes, because that doesn’t give anybody an obvious trail of what I use.
        Now, Mark’s argument is “Well you gave us root for your updates”…. that’s UPDATES! That’s not the commands I wrote! That’s a huge difference.

        I think I understand what they mean. To come back to your point… yes, Mark said that, “you gave us root, so Y U NO TRUST US?”… that’s possibly the most stupid and disastrous PR statement that could have been imagined from the head of an open-source tech company.
        You can inspect and trust more the software that they provide to you as packages. Data on a server that can be seized by authorities anytime? Not exactly the same thing. But I see what you mean (seriously!)

        your issue isn’t really with technology, but with your government.

        Honestly, which is easier to fix: the US government or the software we write and run? I’ll let you think about that 🙂 I’m not from the USA by the way, and yet that doesn’t mean we are not affected one way or another by their policies and influence.

        1. Jo-Erlend Schinstad

          «Honestly, which is easier to fix: the US government or the software we write and run?»

          If you can get arrested by saying a name, such as Tor or James, then how would you fix that by updating your software?
          By the way; do you have apache logs on https://fortintam.com? I usually enable logs, not because I’m an evil person, but because logs are sometimes useful. Of course, as you point out, it is impossible to prove that you’re not logging IP-addresses.

  5. And to make things clear: I did not blog about this to “bash”, it is more of a way to bring attention to a nebulous area of the free software desktop that many people will run “by default”. I was surprised when I discovered that some pretty savvy people around me were unaware of this issue.
    As you know, I do not run this particular piece of software myself, partly because of hairy issues like these. The fact that I’m not using it for myself doesn’t mean I shouldn’t say anything about it if it seems relevant to the public in the post-Snowden context.
    I’m fine with other people using and enjoying Unity & Ubuntu, just like I’m fine with people running proprietary platforms like Windows or Mac OS, but they need to do so in full awareness of the risks and issues involved. It needs to be an informed decision along the lines of “Yeah, there *might* be a risk with my keystrokes being somewhere on Canonical’s servers and I need to trust Canonical enough to live with that, and even if I opt-out of this particular feature I need to watch my back for other things, but in the grand scheme of things I trust them enough to be the providers of the software I run so I’ll use this anyway.”

    1. Jo-Erlend Schinstad

      Are you conscious about your use of “keystrokes” in this regard? Because there’s obviously quite a bit of destructive rhetoric in this new language we’re seeing. I don’t know where it comes from, but I do know that pure propagation is risky business. It is impossible to use any search engine without sending your “keystrokes” to that service. The situation is identical in Firefox’s search field. It must also, by LAS’ logic, be considered a keystroke logger. However, nobody uses that rhetoric against Mozilla.
      Why do people ignore Wikipedia, Github, launchpad, youtube, etc and focus entirely on Amazon? That’s because they want to change the rhetoric. If you start to talk about Wikipedia ads, then you won’t be convincing. If instead you talk only about Amazon, then you might be able to fool people into thinking that Ubuntu is now actually an ad-based operating system, which obviously isn’t true, but is favorable if you want to hurt Ubuntu.
      The normal way to talk about search engines is that input is referred to as “search phrases” and output as “search results”. However, with Ubuntu, this has now been changed to “keystroke logging” and “ads”. And yes, people are repeating this language, probably without knowing who started doing it. It is no secret that many groups want to hurt Ubuntu. Obviously, Richard Stallman has always been honest about that, whereas Microsoft and Apple don’t want to call attention to Ubuntu at all. But it is very easy to construct this kind of language and when people just repeat the words, they’re acting as amplifiers.
      As I’ve said before, I agree with much of the criticism, but to me, the language that is being used, seems almost crafted. It’s a dishonest use of phrases, especially when you start to notice how people avoid inconvenient facts in order to support this rhetoric.

      1. Sven

        @Jo-Erlend
        I read your linked 2011 post and the valid points you raised rather early. All the more surprising that you shifted 180 degrees. For example this, your words:
        «he claims that if he enters “tor” and presses enter»
        That is so much off. Please read again. The transcript says:
        «I type “Tor browser”»
        That renders your whole “Tor Andersen” nonsense. Unfortunately you open a second such case directly in the sentence after by saying “tor browser” isn’t even sent, just to be proven wrong again.
        And then you turn that onto an “it’s all about Amazon vs Wikipedia” road while the point never ever was or is about third parties but about Canonical, who receives all your keystrokes (or keylogger input, to name it correctly) on THEIR servers before forwarding to Amazon/Wikipedia/etc.
        And then you complain that people do not complain that Mozilla’s URL bar does the same or that a Google search on google.com logs your input. Come on, you know the difference since you identified exactly that as the problem in your linked 2011 mail. How come you forgot, turned around and now even come up with such, well, stretched excuse for whatever.

        1. Jo-Erlend Schinstad

          I came from a technical discussion. It has now become a question of language. If we want to relabel thumbnails as ads and search boxes as spyware, then we should do that for all Free Software products. We probably shouldn’t. I don’t understand why so many people want to destroy the discussion by using irrational attacks rather than technical or ethical arguments.
          «Canonical who receives all your keystrokes»
          I want the search engine to receive all my inputs. A search engine that loses parts of my input, would be a very bad search engine. I’m sure that’s not your point. Your point is to create the impression that Ubuntu in general is keylogged, which obviously isn’t true, but works well when you want to create drama or hurt the Ubuntu community specifically or GNU/Linux in general.
          And if I don’t want the search box to search online, then I simply deactivate the search engine. It’s not a big deal. And no, I haven’t turned 180 degrees. I have always said and still say that these features should be easily activated, but deactivated by default.