[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

Guy Baconniere 1867424 at bugs.launchpad.net
Sun Jun 14 09:16:15 UTC 2020 

I have decided to contact ICO (Information Commissioner's Office).

Because Canonical Ltd. has handled my personal information 
(IP address, Hardware CPU, Choice of Cloud Hosting, and various meta-data) 
and the one of the company I work for without concent.

The same apply to all users of Ubuntu (persons, companies, governements)
worldwide on a daily basis.

By collecting twice a day the following informations:

- The public IP address where Ubuntu system is used (part of the log of the HTTPS server)
- Date / Time when collected (part of the log of the HTTPS server)
- Harware info such as CPU Vendor and Model (via /proc/cpuinfo)
- The distribution version (via /etc/lsb-release)
- The operating system (via uname -o)
- The Linux kernel release (via uname -r)
- The computer architecture aka machine hardware name (via uname -m)
- Cloud Hosting: cloud identifier such as aws, gce, azure, lxd (via cloud-id part of cloud-init)
- Total number of seconds the system has been up (via /proc/uptime)
- The sum of how much time each core has spent idle in seconds (via /proc/uptime)
- Version of curl software (launched as root which is a bad IT practice and a security risk)

On top of that by making motd-news unremovable in the core of Ubuntu's base-files 
(like it was the case for Internet Explorer in Windows or the Telemery in Windows 10), 
they enforce the telemetry before you can disable it or opt-out from it.

Fell free to fill your own complaint or contact your local information commissioner
as this ticket is marked as Won't Fix by the manager of the Ubuntu Server team.

https://ico.org.uk/make-a-complaint/your-personal-information-concerns
/personal-information-complaint/

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or
  knowledge in background

Status in base-files package in Ubuntu:
  Won't Fix

Bug description:
  In package base-files there is a script /etc/update-motd.d/50-motd-
  news that harvests private hardware data from the machine and
  transmits it in the background every day.  There is no notice, no
  consent, no nothing.  This should be by default disabled until there
  is informed consent.

  This solution is simple:

  1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 
  2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.

  Creating databases that maps ip address to specify hardware is a
  threat to both privacy and security.  If an adversary knows the
  specific hardware and the ip address for that hardware their ability
  to successfully attack it is greatly increased.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions

More information about the foundations-bugs mailing list