[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

Guy Baconniere 1867424 at bugs.launchpad.net
Tue Jul 14 09:49:04 UTC 2020


From my point of view, it's NOT enough to implement a legal notice
https://ubuntu.com/legal/motd with technical errors and it is not
possible to verify that Canonical does not store the IP address of
Ubuntu users in the Apache log (the default) and/or a database without an
external auditor (PwC, EY, KPMG, etc.).

Nothing has been done regarding the consent of the user.

I expect one of the following two options to be implemented by
Canonical.

(A)

Ask for consent during the installation of the operating system Ubuntu
and before sharing my personal information via the motd-news software
used for Telemetry, Tracking, Advertising purpose instead of providing
meaningful "security messages or other news" on a daily basis.

(B)

Or disable it by default via ENABLED=0 in the file
/etc/default/motd-news and move motd-news software outside "base-files"
package and make it user removable.

If Canonical doesn't take data protection seriously by implementing
technical measures such as stop calling motd-news during installation
and after automatically without consent and implement an easy way to opt
out for people without technical knowledge of the Linux shell then ICO will
need to evaluate the choice of Canonical of enforcing Telemetry hidden
in motd-news's User-Agent without asking user consent and not respecting
"No, don't send system info" choice of the user during the installation
wizard, sending beacons with IP address, system info twice a day, every
day from all Ubuntu Desktop and Ubuntu Server installations worldwide.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or
  knowledge in background

Status in base-files package in Ubuntu:
  Won't Fix

Bug description:
  In package base-files there is a script
  /etc/update-motd.d/50-motd-news that harvests private hardware data
  from the machine and transmits it in the background every day.  There
  is no notice, no consent, no nothing.  This should be by default
  disabled until there is informed consent.

  This solution is simple:

  1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 
  2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.

  Creating databases that map IP addresses to specific hardware is a
  threat to both privacy and security.  If an adversary knows the
  specific hardware and the IP address for that hardware, their ability
  to successfully attack it is greatly increased.
