unity-dev team mailing list archive

the privacy button that doesn't do what it says it does

I like the Amazon shopping lens. I think it is great.
There has been a bit of a fuss about it, and yet another article here
https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks

which advises people to remove unity-lens-shopping and also:

"If you want Dash to only search your local computer and not search the Internet at all, you can open the Privacy app and switch "Include online search results" from on to off, as pictured below."

Now this, I have a problem with. That checkbox does not do what it says it does, and it worries me what people are going to say when they find out. The checkbox absolutely does not perform any sandboxing of lenses preventing them from accessing the internet. It simply doesn't. What it does is set a preference flag that lenses can look at, and decide what they want to do about it. The lenses we ship by default look at the flag and indeed graciously modify their behavior to not send the query to the internet. This is 100% optional. Any third party lens (or scope) could listen to the global search query and send it straight out to the internet where some evil genius could then figure out a dastardly plan using a data warehouse full of "termi" and "gedi" and "firef". In fact, when writing a lens there is nothing in the documentation as yet on how one should honor this preference; you have to look at the source of an existing lens to figure it out. By default, lenses written won't have any restriction on internet-based searching.

Personally I don't see internet-based searching as a real issue - but the misleading privacy option is the problem.

I don't particularly want my global search text going off to Amazon or other places, not because I care in any way about it, just I need that eyeball space for stuff I actually want. If I want to buy stuff on Amazon I want to click on the shopping lens in the lens bar and use 100% of the dash for the shopping search results. Right now I can't do that because the shopping lens sets visibility to false and hides from the dash lens bar. This leads on to the thought that an evil genius could write a lens/scope that is invisible, and presents no results, but listens to the global search query change event and sends every keystroke out to the internet, regardless of the privacy preference setting. This is bad. I don't see any valid use-case for a lens to set the visible property to false.

I think that the privacy option should be ripped out, and replaced with a list of scopes that the user can whitelist for global searches. If a scope is not on the whitelist then scope.active_global_search will return nothing. The scope will *only* see search queries that are in scope.active_search - i.e. searches in that specific lens. This way a user can decide (with sensible defaults) which scopes are allowed to present results to the dash home (perhaps not shopping), but the user will still retain the ability to go specifically to the shopping lens and do searches from there - which will mean fewer people will uninstall the thing.

Alan.

--
I work at http://libertus.co.uk
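
A toy Python model of the two designs discussed in the message above, added here as an illustration and not taken from the post or from Unity's code: an advisory preference flag that each scope is free to ignore, versus an allowlist enforced by the dash before a global query is delivered. Every class, method and scope name is hypothetical, and the queries are constructed.

```python
# Toy model only: every class, method and scope name here is hypothetical,
# not Unity's real lens/scope API.
from dataclasses import dataclass, field


@dataclass
class Scope:
    name: str
    honors_flag: bool                                # checks the preference voluntarily?
    sent_online: list = field(default_factory=list)  # queries it would send out

    def on_query(self, query, online_allowed=True):
        if self.honors_flag and not online_allowed:
            return                                   # well-behaved scope stays local
        self.sent_online.append(query)


class AdvisoryDash:
    """Flag model from the post: every scope gets the query plus a flag."""
    def __init__(self, scopes, online_allowed):
        self.scopes, self.online_allowed = scopes, online_allowed

    def global_search(self, query):
        for scope in self.scopes:
            scope.on_query(query, self.online_allowed)


class AllowlistDash:
    """Proposed model: the dash withholds global queries from unlisted scopes."""
    def __init__(self, scopes, allowlist):
        self.scopes = {s.name: s for s in scopes}
        self.allowlist = set(allowlist)

    def global_search(self, query):
        for name, scope in self.scopes.items():
            if name in self.allowlist:               # enforced here, not in the scope
                scope.on_query(query)

    def lens_search(self, name, query):
        self.scopes[name].on_query(query)            # search typed inside that lens


def run_demo():
    make = lambda: [Scope("video", True), Scope("shopping", True), Scope("third-party", False)]
    advisory = AdvisoryDash(make(), online_allowed=False)
    enforced = AllowlistDash(make(), allowlist={"video"})
    for q in ("termi", "firef"):                     # constructed partial queries
        advisory.global_search(q)
        enforced.global_search(q)
    enforced.lens_search("shopping", "headphones")   # explicit use of the shopping lens
    return ({s.name: s.sent_online for s in advisory.scopes},
            {n: s.sent_online for n, s in enforced.scopes.items()})
```

With the flag switched off, the scope that ignores it still ends up with every partial query in the advisory model; with the allowlist, it receives nothing from global search, while the shopping scope still works when searched directly.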
