ubuntu-privacy team mailing list archive
Message #00109
[Bug 1055952] Re: Direct data leaking to Amazon
@keremhd: While I fully agree with your opinion about the privacy
implications of the shopping lens towards Canonical and what data is
being passed around to them, this is not what this bug is about.
This bug is about the fact that Shuttleworth's statement, "We are not
telling Amazon what you are searching for. Your anonymity is preserved"
is simply not true in the current shopping lens implementation.
What you describe ("data leaking to Canonical") is a conscious design
decision made by Canonical. Shuttleworth acknowledges it as being the
way it works ("we handle the query on your behalf", which is true).
tl;dr: what you are referring to is Canonical's intentional data
gathering; what this bug is referring to is Amazon's unintentional data
gathering. These are two separate issues.
--
You received this bug notification because you are a member of Ubuntu
Privacy Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1055952
Title:
Direct data leaking to Amazon
Status in Unity Shopping Lens:
Confirmed
Status in “unity-lens-shopping” package in Ubuntu:
Confirmed
Bug description:
Despite claims from Mark Shuttleworth that data is not sent to Amazon
(http://www.markshuttleworth.com/archives/1182), a quick look at
Wireshark reveals that all images resulting from search results are
downloaded directly from Amazon (see attached picture).
Worse still, the requests are over plain HTTP, even though Amazon
offers an SSL service for images (ssl-images-amazon.com).
So while it's technically true that the search terms are not sent to
Amazon, the search results are, and that's just as bad. From this,
Amazon and any third-party on the line (ISP etc.) gets the user's IP,
date, time, and can deduce the search terms through correlation with
recent searches or by looking at the name of the products in the
result set.
Additionally, the requests contain a fairly unique user-agent: gvfs/1.13.9, which seems to be tied to Gnome. I would imagine that there are not a lot of requests that would hit amazon.com with that user agent without originating from the Unity Dash. So now Amazon gets to know that I use the Unity Dash to search it, and how often.
The query also shows an Accept-Language header; I haven't experimented with other language packs, but it should be relatively obvious that leaking the user's language is not necessary, since those are just static images and the products' names have already been downloaded from productsearch.ubuntu.com.
How to reproduce:
- Open Wireshark, start capture
- Press the Windows/Meta key
- Type anything
- Check Wireshark output
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity-lens-shopping/+bug/1055952/+subscriptions
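An added check, not code from the bug report or from the shopping lens itself, that applies the report's four observations (plaintext transport, direct third-party contact, the gvfs user-agent, an unneeded Accept-Language header) to a constructed list of captured request summaries. The first-party host set and the hostname `images.thirdparty.example` are assumptions; only productsearch.ubuntu.com, ssl-images-amazon.com and the gvfs/1.13.9 user-agent string come from the report.

```python
from urllib.parse import urlsplit

# Hosts the Dash is expected to talk to for the shopping lens. Only
# productsearch.ubuntu.com is named in the bug report; the set itself is
# an assumption of this example.
FIRST_PARTY_HOSTS = {"productsearch.ubuntu.com"}


def audit_request(url, headers):
    """Return what a third party on the path learns from one request.

    Requests to first-party hosts yield no findings: the search query is
    sent there by design. For any other host, report the issues the bug
    describes: plaintext HTTP, the contact itself, a distinctive
    user-agent and an Accept-Language header a static image fetch
    does not need.
    """
    parts = urlsplit(url)
    host = parts.hostname or "?"
    if host in FIRST_PARTY_HOSTS:
        return []
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    issues = ["third-party-host:" + host]
    if parts.scheme == "http":
        issues.append("plaintext-http")
    if hdrs.get("user-agent", "").startswith("gvfs/"):
        issues.append("fingerprintable-user-agent")
    if "accept-language" in hdrs:
        issues.append("accept-language-leak")
    return issues


def audit_capture(requests):
    """Map each leaking request URL to its list of issues."""
    report = {}
    for req in requests:
        found = audit_request(req["url"], req["headers"])
        if found:
            report[req["url"]] = found
    return report


# Constructed sample capture: one first-party query and two image fetches.
SAMPLE_CAPTURE = [
    {"url": "https://productsearch.ubuntu.com/v1/search?q=REDACTED",
     "headers": {"User-Agent": "gvfs/1.13.9"}},
    {"url": "http://images.thirdparty.example/I/product-thumb.jpg",
     "headers": {"User-Agent": "gvfs/1.13.9",
                 "Accept-Language": "en-US,en;q=0.8"}},
    {"url": "https://ssl-images-amazon.com/I/product-thumb.jpg",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    for url, issues in audit_capture(SAMPLE_CAPTURE).items():
        print(url, "->", ", ".join(issues))
```

The third sample shows the report's point that moving the image fetch to SSL removes only the plaintext issue: the third party still sees which products came back.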