Ubuntu

Spyware?

Asked by Fred on 2010-08-10

Is this software spyware?

Doesn't this violate my privacy?

Does it go behind my back and report information without my consent?

Question information

Language: English
Status: Answered
For: Ubuntu canonical-census
Assignee: No assignee
Last query: 2010-08-10
Last reply: 2010-08-10

Stephan Peijnik (speijnik) said : #1

I analyzed census (which has freely available code by the way, so you could do that yourself too). I have posted the details at http://techandsp.blogspot.com/2010/08/whats-all-fuzz-about-canonical-census.html.

From having a look at the code I can assure you that everything looks perfectly sane to me, plus you could always remove it using your favorite package manager.

Compare this open approach, which sends all information in plain text, to the approach proprietary software often uses, which submits information in encrypted form. This way you can at least know for sure what is being submitted.

Fred (eldmannen+launchpad) said : #3

Array
(
    [scheme] => http
    [host] => census.canonical.com
    [path] => /submit
    [query] => count=0&dcd=&product=EP45-UD3&release=10.04
)

Sends:
* Counter
* DCD string (OEM info)
* Motherboard product name
* Ubuntu release number

Fred (eldmannen+launchpad) said : #4

I do not want Canonical, an OEM or anyone else to know that I installed Ubuntu.

I do not want Canonical, an OEM or anyone else to know for how long I have been using Ubuntu or had it installed on my system.

I do not want Canonical, an OEM or anyone else to know I use Ubuntu.

I do not want Canonical, or an OEM to know what my IP address is or where I live.

Perhaps by tying my IP address to my motherboard product name, I could be tracked.

Since it is plain text, my ISP or some hacker with a packet sniffer on the network could know what operating system I use and what version, and that information could be useful for him in order to compromise my system.

This seems a bit like WGA and spyware.
http://en.wikipedia.org/wiki/Windows_Genuine_Advantage
http://en.wikipedia.org/wiki/Spyware

Why not, though? What does it benefit anyone to know how long you've been using an OS? It's not going to compromise your identity or bank details.

If you don't want it, remove it. Linux is flexible like that. I'm not defending it, or applauding it. The small and quite trivial information it sends isn't really cause for concern at all but I believe the issue has been addressed as far as it can.

Fred (eldmannen+launchpad) said : #6

Could uninstall it:
* sudo apt-get remove canonical-census

Could nullroute it
by pointing census.canonical.com to 0.0.0.0:
* echo "0.0.0.0 census.canonical.com" | sudo tee -a /etc/hosts

It gets info from:
* /etc/lsb-release
* /sys/class/dmi/id/product_name
* /var/lib/ubuntu_dist_channel

It stores data in:
* /var/lib/send-install-count/counter
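
To check what would be reported from a given machine, the query string shown in post #3 can be rebuilt locally from the files listed above without contacting census.canonical.com. This is an added example, not part of the thread and not the package's own send-census code. The function names, the mapping of fields to files, the DCD parsing and the percent-encoding are assumptions inferred from posts #3 and #6.

```shell
#!/bin/sh
# Added example: rebuild the census query string locally; nothing is sent.
LC_ALL=C; export LC_ALL

# Percent-encode every byte outside the RFC 3986 unreserved set (ASCII input).
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest
        case $c in
            [a-zA-Z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# census_query [ROOT]: print the query built from the files under ROOT
# (default: the live system). Missing files give empty fields; count gives 0.
census_query() {
    root=${1:-}
    release=$(sed -n 's/^DISTRIB_RELEASE=//p' "$root/etc/lsb-release" 2>/dev/null) || release=
    product=$(cat "$root/sys/class/dmi/id/product_name" 2>/dev/null) || product=
    # Assumption: the DCD string is the first non-comment line of this file.
    dcd=$(grep -v '^#' "$root/var/lib/ubuntu_dist_channel" 2>/dev/null | head -n 1) || dcd=
    count=$(cat "$root/var/lib/send-install-count/counter" 2>/dev/null) || count=0
    printf 'count=%s&dcd=%s&product=%s&release=%s' "$(urlencode "${count:-0}")" \
        "$(urlencode "$dcd")" "$(urlencode "$product")" "$(urlencode "$release")"
}

# make_sample_root DIR: constructed sample tree using values quoted in the thread.
make_sample_root() {
    mkdir -p "$1/etc" "$1/sys/class/dmi/id" "$1/var/lib/send-install-count"
    printf 'DISTRIB_ID=Ubuntu\nDISTRIB_RELEASE=10.04\n' > "$1/etc/lsb-release"
    printf 'Latitude D420\n' > "$1/sys/class/dmi/id/product_name"
    printf '3\n' > "$1/var/lib/send-install-count/counter"
}

# With no argument this previews the query for the machine it runs on.
census_query "$@"; echo
```

Comparing this preview with a packet capture of the real request is a quick way to confirm that no additional fields leave the machine.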

Fred (eldmannen+launchpad) said : #7

If census.canonical.com were to support SSL, then the SCRIPT variable in send-census could be modified to connect via SSL.

from:
SCRIPT=http://census.canonical.com/submit

to:
SCRIPT=https://census.canonical.com/submit

andy@D420:~$ cat /sys/class/dmi/id/product_name
Latitude D420
andy@D420:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"

I'm from the UK

OOh no, I am in danger? No not at all....

GREG T. (ubuntuer) said : #9

If you are so worried about someone knowing about you, I have an idea for you: first take a large hammer to every tech item you have. Start with your car computer, then your TV, then cell phone, then home phone, then your PC/laptop. After that set fire to all, then move out of your home, go live under a bridge somewhere and move to a different one often. If someone wants to know about you, they could just go through your trash to find a way to get what they want to know. Paper shredders make good puzzles for some people.

Michael B. Trausch (mtrausch) said : #10

This is nothing like WGA. The fact that the comparison has even been made shows that homework hasn't been done and clearly people don't know or understand what they're talking about. What a shame.

Stephan Peijnik (speijnik) said : #11

Sorry Fred, but your points are invalid. Let's have a look at all of them:

> I do not want Canonical, an OEM or anyone else to know that I installed Ubuntu.
Did you ever have a look at your browser's user-agent header? If using Firefox it clearly tells every web server you connect to that you are using Ubuntu.

> I do not want Canonical, an OEM or anyone else to know for how long I have been using Ubuntu or had it installed on my system.

Point taken, but using the user-agent header as described above one can get a rough estimate of how long you have been using Ubuntu, especially if you are not running latest-and-greatest in terms of the release and/or the browser version. For an up-to-date system that's a different story though.
However, using a webserver that logs that header one could easily get that information too.

> I do not want Canonical, an OEM or anyone else to know I use Ubuntu.

See my comment to your first point. User-Agent does leak that info.

> I do not want Canonical, or an OEM to know what my IP address is or where I live.

Seriously? Then you should not be browsing the web anymore. Firstly, once you establish *any* network connection the other end will know your IP address (except if you are using Tor, for example). And secondly, ever heard of GeoIP?

> Perhaps by tying my IP address to my motherboard product name, I could be tracked.

Possible, but chances are the same that someone is tracking you via your User-Agent and your IP address whilst browsing right now.

The User-Agent was just given as an example. You could also have a look at email headers, for example. Or have a look at p0f, which can also fingerprint your OS using network connections (http://lcamtuf.coredump.cx/p0f.shtml).

Also, what everyone seems to forget right now is that canonical-census is neither shipping on any system right now, nor has an announcement been made that it's going to be included in vanilla Ubuntu in the future, so why is everyone so worried? Discussing such a program is fine, but some people seem to be taking this way too far. Please take off your tin-foil hats.
