Ubuntu ruffled some feathers recently when they announced the Home search in Unity as included with Ubuntu 12.10 will include the ability to search Amazon for products related to your search terms. Ostensibly, the idea is to use the Amazon referral bucks to support Ubuntu, but many users are worried the feature unnecessarily sells out user privacy for a quick cash grab.
Diving into the API behind the feature, some were quick to point out that the queries are not encrypted, however Mark Shuttleworth and Jono Bacon have both stated that the feature will be encrypted before the launch of 12.10. In the linked post from Mark, he seems to intimate that only Canonical will ever see these queries:
We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf.
Which is somewhat true; the query goes to http://productsearch.ubuntu.com which uses its redirect method to send the user to the appropriate destination. Once https is enabled, only Canonical will see this initial query. Unfortunately, the redirect method results in lots of calls directly to the upstream provider. Here’s an example query for “The Beatles”:
http://productsearch.ubuntu.com/v1/search?q=The%20Beatles;decade=1960;geo_store=US
which produces results in which we can find:
images": {
"350x350": [
"http://cdn.7static.com/static/img/sleeveart/00/005/854/0000585438_350.jpg"
],
a direct call to 7digital, an online music store. It’s likely that 7digital will only be able to capture your IP, the content retrieved, and the time it was retrieved, but clearly things aren’t only occurring between the user and Canonical. Without proxying these search results the privacy implications of the built in search are not quite as cut and dry as Canonical seem to indicate it they are.
This is, of course, pre-release software, and the only people getting their hands on it are people specifically going out of their way to get a look at it before it’s finished. This situation could completely change in short order, but Mark also added these endearing words to that post:
Don’t trust us? Erm, we have root. You do trust us with your data already. You trust us not to screw up on your machine with every update. You trust Debian, and you trust a large swathe of the open source community. And most importantly, you trust us to address it when, being human, we err.
Well that gives me the warm fuzzys. There’s nothing like being told not to worry about privacy problems because they’re already up in your business anyway. I’ll be interested to see how they handle this situation and if they end up proxying the results as well, but his “we have root” comment is indeed a compelling argument – to try something other than 12.10.
PS: In case you are curious, the Amazon associate tag passed in the proxied queries from ubuntu.com appears to be “u1treatyrslf”
