[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

Guy Baconniere 1867424 at bugs.launchpad.net
Wed Jun 10 20:10:13 UTC 2020 

Privacy:

Ubuntu users don't have the opportunity to opt-out from motd-news before all the private infos
and telemetry are sent via User-Agent. So even if people change ENABLED=1 to ENABLED=0
in /etc/default/motd-news they only stop future leaks but the initial leak has already been
done in background after the boot via systemd/motd-news service.

I repeat, this doesn't look GRPD-compliant at all. There is no prior consent ever asked for.
The GDPR was adopted on 14 April 2016, and became enforceable beginning 25 May 2018.

motd-news has been designed in 2017 and is enabled by default on all Ubuntu Server, 
Ubuntu Desktop, Ubuntu Flavors (such as Mate, Raspberry), Ubuntu derived such as Nvidia Jetson Nano
without prior consent.

Security:

Run curl as root every 12h are you serious?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or
  knowledge in background

Status in base-files package in Ubuntu:
  Confirmed

Bug description:
  In package base-files there is a script /etc/update-motd.d/50-motd-
  news that harvests private hardware data from the machine and
  transmits it in the background every day.  There is no notice, no
  consent, no nothing.  This should be by default disabled until there
  is informed consent.

  This solution is simple:

  1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 
  2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.

  Creating databases that maps ip address to specify hardware is a
  threat to both privacy and security.  If an adversary knows the
  specific hardware and the ip address for that hardware their ability
  to successfully attack it is greatly increased.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions

More information about the foundations-bugs mailing list