Sorry gents. I didn't realize we already had a thread on this topic before I created another. A link to the thread I created:
viewtopic.php?f=6&t=264101
My questions are:
- What is the LinuxMint team's viewpoint on this?
- Will the team use the 18.04 LTS as the base for the next release of Mint or will they switch to another base distro?
- What are the opinions of the community members?
Personally, I think it's a terrible idea in the realm of betrayal of trust. There are reasons why I choose and recommend Mint vs. the raw Ubuntu. Privacy is a big part of it. Just imagine the blowback one will encounter in discussions about Linux. As soon as we cite the privacy issues of Win 10, any heckler/clown within a Google search will counter that point with Will Cooke's mail-list post, and the OMG Ubuntu article where they clearly are trying to make it seem like it's no big deal. Worse is if I get someone to try Linux and I bring up privacy issues only to have this data collection mess be thrown back at me a few weeks/months down the line. It will look like I intentionally tried to mislead them.
This isn't just an attack on our privacy. It is an attack on the reputation of Linux (OS/distros), the reputation of the Linux community and the reputation of each of us as members of the community. This brings Linux down to the level of Windows 10, which makes the indirect battle against the misperception and misinformation a bigger challenge. Misinformation and the rumor-mill spread of it will feed misperception which will persist for years.
If we look at the list of data to be collected at install, it is almost a replica of the MS Windows User Experience Improvement program data collection list.
- Ubuntu Flavor/Version - implies that Mint and the other derivatives will have no choice in participating in this data collection effort (a pretty ugly implication)
- Location - I keep the location feature on my phone turned off. I do not allow websites to access my location information although my IP address would give away my general location anyway.
- Auto login enabled or not - Indicating if this is a security lax install or not... usually associated with stationary home PCs which adds to the relevance of location data
- Disk layout selected - Ubuntu only?.. or dual boot Windows?... hackintosh?... what goodies do you have tucked away on that storage device?
- Third party software selected or not - doesn't matter until the MPAA or codec owners use the US Federal gov. to force Canonical to turn over this and Popcon info
- Popcon (not popcorn) - is usage tracking... on-going usage tracking... doesn't this make 18.04 equivalent to Win10?
- Apport - default inclusion in the data collection program... depending on what is collected it could be anywhere from benign to dangerous (browser crash while online banking and app. memory dump file sent)
- “diagnostics=false” sent if user opts out - similar to a camera shy tick counter not a true opt-out
Not storing the IP address won't matter. The user's IP address is just a means to an end. The location data from IP-to-location lookup is vastly more valuable. The IP-to-location lookup could happen every time Popcon reports home. Don't store the IP address, store the latitude/longitude coordinates. In the United States, IP-to-location lookup can determine:
- one's political district
- the county or municipality
- postal zone (zip code region)
- telephone area code region
- proximity to local retailers and banks
- proximity to local schools, polling/voting sites, police precincts and fire dept. locations
- approximate household income based on location (by zip code, or by latitude/longitude <-> street address <-> zip code)
- if certain federal agencies have jurisdiction (ex: border patrol within 100 miles of any US border)
God help the clueless user who connects directly to the internet via cable modem without a router/firewall using IPv6 (yeah because he/she would be on Linux and Linux don't get no stinking viruses like Windows right? /wink). Correct me if I'm wrong but a MAC address can be harvested from an IPv6 address which is a unique ID.
This amounts to a digital fingerprint because they are going to turn the data into a relational database (RDB). RDBs are dependent on primary keys (unique IDs). Popcon data sounds like it will need unique IDs. Even if they collect the data as tick counters (+1 app X and -1 app y) it's still on-going surveillance. There is no mention of what specific data Popcon transmits.
There is just way too much opportunity to turn the data collection/publishing into a revenue generating activity. Publishing the data in a searchable manner just means search engines like Google/Bing will be able to cache and track the data over time along with Canonical. So, if M$/Google/Amazon or any other interested 3rd parties paid Canonical a few million $$$ to do the dirty work of data collection they would be transmitting the data to the buyer without having to transmit data. It also provides partial but concrete evidence to support that 1% - 2% Linux desktop market share crap, which serves to help M$. If a telecom company purchased Canonical/Ubuntu or just signed a contract with Canonical/Ubuntu they could link the Ubuntu collected data to their own users. The linked data has real monetary value. This is a real possibility not a tin foil hat prospect.
There are long-term implications as well such as Shuttleworth deciding to sell off Ubuntu. The data collected and the collection infrastructure will be a factor in the sale price because it adds value to Ubuntu as a tradable commodity. Lastly, Cooke says, "The Ubuntu privacy policy would be updated to reflect this change." They are rushing so fast to put this in place that they haven't even fleshed out the changes to their privacy policy document. In layman's terms they have not consulted with their legal department yet, and their in-house attorneys will have to scramble to provide them with legal protection.
The last part about the privacy policy really drives home my gut feeling that Canonical has already been paid to put this in place. I know many are going to be thinking "paranoid" and "tin-foil hat" until they realize how this all connects to big money. Canonical does not need this information.