[Bug 1857975] [NEW] /etc/update-motd.d/50-motd-news is in violation of the GDPR
tastytea
launchpad at tastytea.de
Tue Dec 31 09:36:02 UTC 2019
Public bug reported:
/etc/update-motd.d/50-motd-news periodically makes a connection to
motd.ubuntu.com and sends an User-Agent containing: “curl/$curl_ver $lsb
$platform $cpu $uptime cloud_id/$cloud_id” (together with the IP
address, obviously).
While it can be argued that the checking for important messages (for
things like “Heartbleed“ etc.) is necessary, the expressive User-Agent
clearly is not. It is illegal (and potentially costly) to store any
personally identifiable data that is not absolutely necessary without
informed consent.
This problematic behaviour is known since at least 2017:
<https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068>.
Note that the fact that it can be disabled does not help. If you want to
collect this kind of data, you need informed consent.
Why not just let curl use the default User-Agent?
Please explain why you use this User-Agent, if you store it, if you
store the IP address and for how long. And if you store anything, stop.
** Affects: base-files (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1857975
Title:
/etc/update-motd.d/50-motd-news is in violation of the GDPR
Status in base-files package in Ubuntu:
New
Bug description:
/etc/update-motd.d/50-motd-news periodically makes a connection to
motd.ubuntu.com and sends an User-Agent containing: “curl/$curl_ver
$lsb $platform $cpu $uptime cloud_id/$cloud_id” (together with the IP
address, obviously).
While it can be argued that the checking for important messages (for
things like “Heartbleed“ etc.) is necessary, the expressive User-Agent
clearly is not. It is illegal (and potentially costly) to store any
personally identifiable data that is not absolutely necessary without
informed consent.
This problematic behaviour is known since at least 2017:
<https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068>.
Note that the fact that it can be disabled does not help. If you want
to collect this kind of data, you need informed consent.
Why not just let curl use the default User-Agent?
Please explain why you use this User-Agent, if you store it, if you
store the IP address and for how long. And if you store anything,
stop.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1857975/+subscriptions
More information about the foundations-bugs
mailing list