The queries made to Amazon, through Canonical, return images straight to the initial IP
As the Ubuntu 12.10 privacy blunder continues, more and more people are finding that integrating online searches into Unity Dash has a lot more ramifications than initially thought. Etienne Perot, an Ubuntu fan with a little more experience than the average user, has shown that Mark Shuttleworth's statements about the privacy of the users are not entirely correct.
A few days ago, Mark Shuttleworth was doing some damage control, saying that “We are not telling Amazon what you are searching for and your anonymity is preserved because we handle the query on your behalf.”
Etienne Perot noticed that this statement was only partially correct. The queries are indeed sent first to a Canonical server and from there to Amazon. The return trip, however, does not follow the same path: the thumbnails used to display the results in Dash are downloaded straight from Amazon, over the HTTP protocol.
Amazon provides an SSL service for the images they send, ssl-images-amazon.com, so it's unclear why Canonical wouldn't choose it instead.
In this manner, Amazon can get the user's IP address and correlate the answer they send back with an “anonymous” query made by a Canonical server. In theory, Amazon could then target advertisements at that IP after sending an image of a certain product, not to mention that third-party snooping on the HTTP requests is also a possibility.
The user who filed the bug on Launchpad also provided the necessary means to check for yourself, using Wireshark.
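To make the two separate exposures concrete, here is an added Python example (not taken from the bug report or from Canonical's code) that classifies the requests a client makes after a proxied search. The host names, paths and the `classify_fetch` and `audit` helpers are constructed for illustration; the URL list stands in for what you would export from a packet capture.

```python
from urllib.parse import urlsplit


def classify_fetch(url, proxy_host):
    """Return the privacy exposure of one client request.

    proxy_host is the only server meant to see the client's IP address.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    scheme = parts.scheme.lower()
    exposures = set()
    if host != proxy_host.lower():
        # A direct connection shows the client's IP to the third party,
        # which can match it to the query the proxy just relayed.
        exposures.add("ip-to-third-party")
    if scheme != "https":
        # Cleartext lets anyone on the network path read the URL and response.
        exposures.add("cleartext-on-path")
    return {"url": url, "host": host, "exposures": exposures}


def audit(urls, proxy_host):
    """Classify every URL and keep only the ones that expose something."""
    results = [classify_fetch(u, proxy_host) for u in urls]
    return [r for r in results if r["exposures"]]


# Constructed sample: hosts and paths are placeholders, not real endpoints.
SAMPLE_URLS = [
    "https://search-proxy.example/v1/search?q=headphones",  # proxied query
    "http://images.shop.example/thumbs/0001.jpg",           # direct, HTTP
    "https://ssl-images.shop.example/thumbs/0001.jpg",      # direct, HTTPS
    "https://search-proxy.example/thumb?id=0001",           # proxied image
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_URLS, "search-proxy.example"):
        print(finding["host"], sorted(finding["exposures"]))
```

Fetching the same thumbnail over HTTPS removes only the on-path exposure; the image host still sees the client's IP address unless the image is also relayed through the proxy.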
The Launchpad bug has been confirmed, but the importance has yet to be determined. In light of the major problems Canonical is now facing with this issue, the developers have taken some steps already.
In the final version of Ubuntu 12.10, all the queries will be encrypted and sent over HTTPS in order to ensure the privacy of the users. New options to stop the network traffic of the lenses will also be implemented, although it is not clear whether they will be available in Ubuntu 12.10 or 13.04.