The problems with Ubuntu's Amazon results legal notice

Off the Beat: Bruce Byfield's Blog
Every Ubuntu release seems to have its own controversy. For Ubuntu 12.10, codenamed Quantal Quetzal, that controversy is the inclusion of results from Amazon when you use the dash for searching. Thanks to the controversy, this feature has been heavily modified. However the legal notice that has been add as one of those modifications is as much cause for concern as the feature itself.
To be fair, Ubuntu has shown many signs of listening to the complaints. Amazon search results can now be toggled off in the Privacy settings, and the feature now uses a blacklist of keywords to reduce the chances of returning pornographic results. Results are also encrypted before being transmitted to ensure user privacy. All these improvements make the search results more acceptable, and, amid all the criticism, Ubuntu does deserve credit for listening and genuinely trying.
However, the legal notice which was added in accordance with European law is another matter. Just like Ubuntu's Contributor Agreement in 2010, this notice serves to protect Canonical and Ubuntu, while giving users no rights or possibility of informed consent.
The Problems with the Notice
What makes the legal notice so objectionable? To start with, how you view it. The first time that you open the dash, the words "Legal notice" appear in the lower right corner, the place they are most likely to be overlooked. Then, after you read the notice, the words are replaced with an "i" in a circle that is even easier to miss. In either case, many users may never see the notice.
This invisibility matters because the legal notice states that you consent to its terms "by searching in the dash." In other words, regardless of whether you are aware of the notice or not, it tries to bind you to its terms. The condition is exactly the same one that the Windows 7 license uses when it claims to be applicable if you use the software.
But once you have read the legal notice, you may prefer not to be party to it. Although results are transmitted encrypted, for all anyone can easily find out, the encryption used may be ROT13.
Nor does the legal notice specify that transmission is anonymous, or give you any right to choose which third parties Ubuntu chooses to share your information with. You have to go to yet another page (http://www.canonical.com/aboutus/privacypolicy/thirdparties) to see a list of the third parties with whom Ubuntu might currently share information.
Admittedly, nobody has given any evidence that Ubuntu uses the information it receives irresponsibly, or disregards the legal notice. However, that is not the point. The point is that you don't have enough information to consent knowledgably, and the basis of security and privacy is knowing how your information is shared. No matter how trustworthy a company or project happens to be, security and privacy require proof, not faith.
The fact is, from a security perspective, Ubuntu's legal notice remains troublesomely vague. Even if you go to Ubuntu's privacy policy, which also affects the term of dash search, you aren't enlightened. All the privacy policy says is that you aren't asked for personal information "unless we truly need it." It adds that your information isn't shared "except to provide you with services, comply with the law, or protect our rights," nor shared "unless required for the ongoing operation of our services."
These terms are so broad as to give Canonical the right to do almost anything it wants to with your information. Some critics have complained about Mark Shuttleworth's cavalier "we have root" comment in response in such concerns -- a phrase since deleted from his blog entry, although not the comments on it -- but in fact, he was only re-stating what was already stated in the privacy policy.
Worse, if you want to know what third parties might do with your information, you are directed to each of those parties' own privacy policies. Not only is this considerably effort, but it's not impossible that some of those policies may be significantly different from Canonical's.
However, even if you could learn what information is collected or stored at the moment, or with whom it might be shared, the legal notice gives no guarantee that this knowledge will stay valid -- or that the legal notice itself won't change. Although the notice anticipates that "most changes are likely to be minor," it also states that any changes are "at Canonical's sole discretion." The responsibility for keeping current about the terms of use are entirely yours, "as we will not be able to notify you directly."
User rights and beyond
All of this is a lot to think about when all you want to do is search for an app on your hard drive. You might prefer just to toggle off Amazon search and forget the whole issue.
Yet there is a principle involved that extends beyond one users' relationship with Canonical and Ubuntu. Free and open source software is supposed to empower users. However, Canonical's legal notice and privacy policy do exactly the opposite. Instead, they disempower users altogether.
Why, I have to ask, do Canonical's efforts to protect itself -- a perfectly legitimate goal in theory -- have to be at the expense of users in practice?
Canonical has improved the use of Amazon search results immensely in the last few weeks. But if it really is the kind of company it likes to claim whenever it invokes the spirit of free and open source software, then it needs to take the final step and prove itself worthy of trust by offering a legal notice that respects the rights of users.
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
Red Hat Migrates RHEL from Xorg to Wayland
If you've been wondering when Xorg will finally be a thing of the past, wonder no more, as Red Hat has made it clear.
-
PipeWire 1.0 Officially Released
PipeWire was created to take the place of the oft-troubled PulseAudio and has finally reached the 1.0 status as a major update with plenty of improvements and the usual bug fixes.
-
Rocky Linux 9.3 Available for Download
The latest version of the RHEL alternative is now available and brings back cloud and container images for ppc64le along with plenty of new features and fixes.
-
Ubuntu Budgie Shifts How to Tackle Wayland
Ubuntu Budgie has yet to make the switch to Wayland but with a change in approaches, they're finally on track to making it happen.
-
TUXEDO's New Ultraportable Linux Workstation Released
The TUXEDO Pulse 14 blends portability with power, thanks to the AMD Ryzen 7 7840HS CPU.
-
AlmaLinux Will No Longer Be "Just Another RHEL Clone"
With the release of AlmaLinux 9.3, the distribution will be built entirely from upstream sources.
-
elementary OS 8 Has a Big Surprise in Store
When elementary OS 8 finally arrives, it will not only be based on Ubuntu 24.04 but it will also default to Wayland for better performance and security.
-
OpenELA Releases Enterprise Linux Source Code
With Red Hat restricting the source for RHEL, it was only a matter of time before those who depended on that source struck out on their own.
-
StripedFly Malware Hiding in Plain Sight as a Cryptocurrency Miner
A rather deceptive piece of malware has infected 1 million Windows and Linux hosts since 2017.
-
Experimental Wayland Support Planned for Linux Mint 21.3
As with most Linux distributions, the migration to Wayland is in full force. While some distributions have already made the move, Linux Mint has been a bit slower to do so.