← Back to team overview

ubuntu-privacy team mailing list archive

  1. ubuntu-privacy team
  2. Mailing list archive
  3. Message #00126

[Bug 1055952] Re: Direct data leaking to Amazon

  Thread PreviousDate PreviousThread Next 
I installed 13.04 and set the privacy setting accordingly to disable the
Amazon traffic. Despite this, it bothers me to know that Canonical made
such a foolish move like this. If this was disabled by default, I would
actually consider turning it on because I've always wanted to help
Canonical in any way possible to support Ubuntu. But at this point, no
thanks. This simply enrages me into a clouded state of wondering why I'm
still on Ubuntu. I'm beginning to think that it's time to distro shop
around and get something that is a little more logically aligned.

-- 
You received this bug notification because you are a member of Ubuntu
Privacy Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1055952

Title:
  Direct data leaking to Amazon

Status in Unity Shopping Lens:
  Confirmed
Status in “unity-lens-shopping” package in Ubuntu:
  Confirmed

Bug description:
  Despite claims from Mark Shuttleworth that data is not sent to Amazon
  (http://www.markshuttleworth.com/archives/1182), a quick look at
  Wireshark reveals that all images resulting from search results are
  downloaded directly from Amazon (see attached picture).

  Worse still, the request are over plain HTTP, even though Amazon
  offers an SSL service for images (ssl-images-amazon.com).

  So while it's technically true that the search terms are not sent to
  Amazon, the search results are, and that's just as bad. From this,
  Amazon and any third-party on the line (ISP etc.) gets the user's IP,
  date, time, and can deduce the search terms through correlation with
  recent searches or by looking at the name of the products in the
  result set.

  Additionally, the requests contains a fairly unique user-agent: gvfs/1.13.9, which seems to be tied to Gnome. I would imagine that there's not a lot of requests that would hit amazon.com with that user agent without originating from the Unity Dash. So now Amazon gets to know that I use the Unity Dash to search it, and how often.
  The query also shows an Accept-Language header; I haven't experimented with other language packs, but it should be relatively obvious that leaking the user's language is not necessary, since those are just static images and the products' names have already been downloaded from productsearch.ubuntu.com.

  How to reproduce:
  - Open Wireshark, start capture
  - Press the Windows/Meta key
  - Type anything
  - Check Wireshark output

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity-lens-shopping/+bug/1055952/+subscriptions
  Thread PreviousDate PreviousThread Next