[Bug 881754] [NEW] sync feature fails to notify already logged-in users that is that is uploading package data

Mark Stosberg mark at summersault.com
Wed Oct 26 01:29:10 UTC 2011 

Public bug reported:

I'm using Ubuntu 11.10 and just found the "sync" feature in USC today
and clicked on it-- neat idea!

I was curious about how it worked, so I searched and found the spec and
read about it. By the time I read the part that it uploaded my data to
another server, it was already too late-- my data had already started to
be sent without my consent.

I had submitted some reviews earlier in the day, so apparently I was
already signed in, so I received zero notifications before or after the
upload that data was being sent off site.  I consider this a privacy
issue, and something that users should be notified about. It's possible
that people have installed custom packages that could reveal things
about their computer use that they would rather not. Or, it may simply
reveal that they have specific, exploitable versions of software
installed.

The "Sync" name is not enough to convey this. I assumed that the feature
either worked via the "sneaker net", or would connect directly to
computers on the local network without storing data at a third party.

** Affects: software-center (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: privacy usability

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-center in Ubuntu.
https://bugs.launchpad.net/bugs/881754

Title:
  sync feature fails to notify already logged-in users that is that is
  uploading package data

Status in “software-center” package in Ubuntu:
  New

Bug description:
  I'm using Ubuntu 11.10 and just found the "sync" feature in USC today
  and clicked on it-- neat idea!

  I was curious about how it worked, so I searched and found the spec
  and read about it. By the time I read the part that it uploaded my
  data to another server, it was already too late-- my data had already
  started to be sent without my consent.

  I had submitted some reviews earlier in the day, so apparently I was
  already signed in, so I received zero notifications before or after
  the upload that data was being sent off site.  I consider this a
  privacy issue, and something that users should be notified about. It's
  possible that people have installed custom packages that could reveal
  things about their computer use that they would rather not. Or, it may
  simply reveal that they have specific, exploitable versions of
  software installed.

  The "Sync" name is not enough to convey this. I assumed that the
  feature either worked via the "sneaker net", or would connect directly
  to computers on the local network without storing data at a third
  party.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-center/+bug/881754/+subscriptions

More information about the foundations-bugs mailing list