[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background
Guy Baconniere
1867424 at bugs.launchpad.net
Mon Jul 13 06:47:29 UTC 2020
https://ico.org.uk/make-a-complaint/your-personal-information-concerns/
To: ICO
Dear Information Commissioner’s Office,
I confirm that I want to proceed with the creation of the case about
Canonical's motd-news as Canonical don't want to remediate the privacy
issue of sending by default hardware details and public IP of all
Ubuntu Desktop and Ubuntu Server twice a day, every day of the year.
Next to this message, you will find the final answer from Canonical.
https://ubuntu.com/legal/motd
The following are my comments on their legal information.
"The purpose of sending the system information is so that Canonical can
tailor the message returned by https://motd.canonical.com."
This is wrong: motd.canonical.com does not exist and is part of motd-news.
The server used by Ubuntu is https://motd.ubuntu.com
lynx -mime_header https://motd.canonical.com
Looking up motd.canonical.com
Unable to locate remote host motd.canonical.com.
Alert!: Unable to connect to remote host.
The evidence is part of the Ticket
https://launchpadlibrarian.net/487032881/ubuntu-desktop-2004-motd-news.png
"None of this data can be used to identify a machine or user."
"Along with this data, the IP address and other network information is
transmitted to facilitate communication on the internet from the Ubuntu
machine to Canonical. This information is not stored by Canonical."
This is wrong, as Canonical is using Apache and the default is to store
the IP address in the access log.
https://httpd.apache.org/docs/current/logs.html
Common Log Format
(%h)
This is the IP address of the client (remote host) which
made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. However, this configuration is not recommended since it can significantly slow the server. Instead, it is best to use a log post-processor such as logresolve to determine the hostnames. The IP address reported here is not necessarily the address of the machine at which the user is sitting. If a proxy server exists between the user and the server, this address will be the address of the proxy, rather than the originating machine.
lynx -mime_header https://motd.ubuntu.com
HTTP/1.1 200 OK
Date: Mon, 13 Jul 2020 06:05:38 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Mon, 13 Jul 2020 06:00:50 GMT
Accept-Ranges: bytes
Content-Length: 215
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain
* "If you've been waiting for the perfect Kubernetes dev solution for
macOS, the wait is over. Learn how to install Microk8s on macOS."
https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/
"You can disable this service as follows:"
"/etc/default/motd-news has an ENABLED=1 setting that if set to 0 will turn off this functionality."
I assume 80% of Ubuntu Desktop users will not know how to disable motd-news
because they need a Terminal and sudo access. A regular editor running
as a default user will not allow editing this file as superuser. So this doc
is useless.
On top of that, Canonical sends motd-news information before
the user can even opt out during the installation of Ubuntu Desktop
and during the first boot of the Ubuntu Desktop operating system,
so setting it is only useful to stop it, but the harm is already done
and data already sent to Canonical.
Evidence https://launchpadlibrarian.net/487031151/ubuntu-desktop-2004.png
For more information read
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424
Please also note that https://ubuntu.com/legal/motd title is not searchable
in their search engine and is not part of the legal notice during the installation of Ubuntu
Evidence (picture in attachment) and
https://launchpadlibrarian.net/487031391/ubuntu-desktop-2004-legal.png
"No, don't send system info" is not respected
https://launchpadlibrarian.net/487031210/ubuntu-desktop-2004-optout.png
https://launchpadlibrarian.net/487032881/ubuntu-desktop-2004-motd-news.png
Privacy does not have an option to opt out from motd-news
https://launchpadlibrarian.net/487031529/ubuntu-desktop-2004-privacy.png
-------- Forwarded Message --------
Subject: Re: Unremovable motd-news used as Telemetry and Advertising tool without explicit consent
Date: Fri, 10 Jul 2020 12:00:29 +0100
Dear Guy
Thank you for your patience.
Please now see the legal notice for MOTD on Canonical's website:
https://ubuntu.com/legal/motd
I can assure you that no access to or storage of IP address data is
made.
Canonical takes data protection compliance very seriously and we
continue to review how we can improve this and other services.
Many thanks
Director of Legal & Company Secretary
Canonical
Blue Fin Building, 5th Floor
110 Southwark Street, SE1 0SU
Ubuntu - Linux for Human Beings
www.canonical.com
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424
Title:
motd-news transmitting private hardware data without consent or
knowledge in background
Status in base-files package in Ubuntu:
Won't Fix
Bug description:
In package base-files there is a script /etc/update-motd.d/50-motd-news
that harvests private hardware data from the machine and
transmits it in the background every day. There is no notice, no
consent, no nothing. This should be by default disabled until there
is informed consent.
This solution is simple:
1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and
2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.
Creating databases that map IP addresses to specific hardware is a
threat to both privacy and security. If an adversary knows the
specific hardware and the IP address for that hardware, their ability
to successfully attack it is greatly increased.
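The opt-out named in the message and in the bug description (ENABLED=0 in /etc/default/motd-news), as an added shell example that is not part of the original e-mail or of Ubuntu's base-files. The function names are hypothetical, and the file is assumed to hold shell-style KEY=value lines.

```shell
#!/bin/sh
# Added example: audit and apply the ENABLED=0 opt-out in /etc/default/motd-news.
# Assumption: the file holds shell-style KEY=value lines; function names are hypothetical.

# Report the effective setting; the last uncommented ENABLED= line is used.
motd_news_state() {
    conf="${1:-/etc/default/motd-news}"
    [ -r "$conf" ] || { echo "missing"; return 0; }
    val=$(sed -n 's/^[[:space:]]*ENABLED=\([^[:space:]#]*\).*/\1/p' "$conf" |
          tail -n 1 | tr -d "\"'")
    case "$val" in
        1)  echo "enabled" ;;
        0)  echo "disabled" ;;
        "") echo "unset" ;;
        *)  echo "other:$val" ;;
    esac
}

# Set ENABLED=0 idempotently, keeping comments and a .bak copy of the original.
motd_news_disable() {
    conf="${1:-/etc/default/motd-news}"
    [ -w "$conf" ] || { echo "cannot write $conf (root needed?)" >&2; return 1; }
    if grep -q '^[[:space:]]*ENABLED=' "$conf"; then
        tmp=$(mktemp) || return 1
        # Rewrite active assignments only; commented-out lines stay untouched.
        sed 's/^\([[:space:]]*\)ENABLED=.*/\1ENABLED=0/' "$conf" > "$tmp" &&
            cp -p "$conf" "$conf.bak" &&
            cat "$tmp" > "$conf"      # overwrite in place to keep owner and mode
        rc=$?
        rm -f "$tmp"
        return "$rc"
    else
        # No active assignment present: append one.
        printf 'ENABLED=0\n' >> "$conf"
    fi
}

# Demo on a constructed sample file, so the real system file is not touched.
demo=$(mktemp)
printf '# constructed sample\nENABLED=1\n' > "$demo"
echo "before: $(motd_news_state "$demo")"
motd_news_disable "$demo" && echo "after:  $(motd_news_state "$demo")"
rm -f "$demo" "$demo.bak"
```

Called without an argument, both functions operate on /etc/default/motd-news, which requires root to modify.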