[Ubuntu-US-CA] RMS vs. Amazon search results feature

Grant Bowman grantbow at ubuntu.com
Mon Dec 17 21:01:23 UTC 2012 

On Sat, Dec 15, 2012 at 6:01 PM, Jono Bacon <jono at ubuntu.com> wrote:
> On Thu, Dec 13, 2012 at 10:23 PM, Grant Bowman <grantbow at ubuntu.com> wrote:
>> > What is the objection about Canonical making money in Ubuntu given the
>> > millions of dollars invested into Ubuntu?
>>
>> I think trust is the primary issue.
>>
>> First, that was a partial quote of a sentence and I think not the most
>> important aspect of this whole debate. Second, I didn't express that
>> particular sentiment accurately. Perhaps it would be more clear with
>> an appended "in this way." I am not alone in feeling this particular
>> implementation crosses a line of trust. Perhaps as you say Canonical
>> "didn’t get it 100% right". That's why I am trying to reserve
>> judgement despite it being released in a non LTS version inserted at
>> the last minute from what I heard. If Canonical had submitted a
>> similar feature to Debian do you suspect it would have gotten accepted
>> or is Canonical somehow abusing it's specially entrusted power? People
>> trust this environment because it is level and open. This feature as
>> implemented so far is neither.
>>
> A few things here:
>
>  * I believe that Canonical has demonstrated pretty good trust over the
> years.

+1. Canonical has never taken a user's keystrokes in the past,
arguably without their knowledge. We are talking about the
implications of a particular feature. The shock and dismay over the
implementation of this feature is compounded because of the positive
track record.

> Sure, there are some examples in which people feel Canonical them
> them down, but I think if we are talking about "trust", Canonical has
> generally acted in a trustworthy manner over the years - we are still very
> much a community project, openly governed, we sponsor many community members
> to every UDS to participate, and Mark Shuttleworth continues to be a member
> of the Community Council. I appreciate that you have reservations about this
> feature but lets keep things in perspective over the seven years that
> Canonical has been investing in Ubuntu.

The perspective that must be kept is about this feature and how it is
implemented.

>  * This feature did not get pushed in at the last minute. It landed near the
> end of the development cycle, but that is common across the Ubuntu
> development community. what happened was that the feature landed and then
> there were a series of improvements to it to refine it based on the original
> plan and based on feedback (e.g. encrypting the results, filtering adult
> results out, adding a opt-out button to the Privacy settings, adding a
> notice on the dash chrome to inform users about the feature, and updating
> the privacy policy). While I can understand people objecting the privacy
> policy, the means in which the feature landed in Ubuntu was perfectly normal
> within the context of the development branch.

This feature is not a normal size change. How many other program
features log key strokes to a remote internet destination? Does Debian
have any program features in their archives that do this? Does Ubuntu
have any others besides the dash? If not this is not a normal size
change.

>> Other entities including but not limited to the EFF have expressed
>> their concerns pretty well.
>>
>> https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks
>>
>
> The EFF article was excellent; I agree.

Online security must be as good as local security given the connected
nature of our actions today. Those interested in privacy on Ubuntu
should check out part II on full disk encryption where the EFF says
Ubuntu "did an excellent job."
https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption

>> Where is the money coming from? Facebook, Twitter, BBC, Amazon and
>> other third parties of Canonical's choosing, right? This is done by
>> keylogging "send your keystrokes" from all the searches on a default
>> install with no notice to end users, right? Making money from work one
>> does is what Canonical has carefully done in the past. I believe
>> Canonical is trying to find the balance and is doing a better job than
>> anyone else I think in this regard.
>>
>
> You have this a little wrong on two points:
>
>  * Firstly, this is not keylogging. Keylogging is the covert collection of
> keystrokes against the knowledge of the user. This feature is not secret, it
> is pretty well documented, and we don't let malicious software such as
> keyloggers and spyware into the archive.

You said above there is chrome that notifies users? Wherever it is I
didn't see it during a default 12.10 install. It certainly is sending
keystrokes. Then the issue is whether it is covert or not.
http://en.wikipedia.org/wiki/Keylogging The remote sending of
keystrokes is not used on the whole system but is used in the dash, so
it is to me only a partial keylogger. There is no visibility into what
is done with the data after it is sent, another concern raised by the
EFF. Since the dash is now the primary UI for files and programs it is
a pretty important % of keystrokes that until now have been properly
assumed to be private on one's own system. This isn't a web page with
expectations of public viewing, it's access to one's own programs and
files locally potentially including the names of financial and legal
files.

>  * Secondly, you are confusing the web apps feature the Amazon feature.

Actually I was quoting the new privacy policy as quoted in the EFF
article under the subheading "It's Not Just Amazon". I am not an
experienced writer, but side stepping the main topic does not put me
at ease regarding the merits of Canonical's approach or what I have
seen of their response.

> In
> 12.10 we included support for web apps integration into Ubuntu such as the
> Facebookm BBC, and Twitter examples you mentioned. We don't make money on
> those - that is just feature integration so our users get a better
> experience. Also, in terms of the Amazon search results, we don't make money
> from the searches (again, this is not keylogging to make money), we only
> make affiliate revenue from purchases made through the dash. This is no
> different to if you put an affiliate link to a product on Amazon on your
> blog.

Except blogs are public and access to local programs and files are not
expected to be made public. It is not the same as Clint pointed out.

Grant



>     Jono
>
> --
> Jono Bacon
> Ubuntu Community Manager
> www.ubuntu.com / www.jonobacon.org
> www.identi.ca/jonobacon www.twitter.com/jonobacon
>
> --
> Ubuntu-us-ca mailing list
> Ubuntu-us-ca at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-ca
>

More information about the Ubuntu-us-ca mailing list