This ticket should be updated to Security issue +250 points I highly doubt that this Motd News "feature" is compliant with EU's General Data Protection Regulation since daily reporting of computer's infos are proceeded without the user's consent. Cf. GDPR application comments [https://gdpr.eu/eu-gdpr-personal-data/], in particular with respect to Recital 30 [https://gdpr.eu/recital-30-online-identifiers- for-profiling-and-identification/]
Internet protocol (IP) addresses; information that is related to an individual’s tools, applications, or devices, like their computer. Daily report of computer's private infos without the users consent It affects Ubuntu Servers and Desktop (including roaming computers like laptops) since at least 18.04 LTS and also the current 20.04 LTS Sensible data sent - IP address of the computer running Ubuntu - Date of the HTTPS query - Kernel Version - CPU Vendor and Model - Uptime - Cloud identifier - Version of Curl so version of Ubuntu running ... $curl_ver $lsb $platform $cpu $uptime $cloud_id Sample from our PC Engines running Ubuntu 18.04 LTS: ``` curl/7.58.0-2ubuntu3.8 GNU/Linux/4.15.0-101-generic/x86_64 AMD/GX-412TC/SOC uptime/692518.54/2755023.47 cloud_id/unknown ``` https://motd.ubuntu.com/ ``` * MicroK8s gets a native Windows installer and command-line integration. https://ubuntu.com/blog/microk8s-installers-windows-and-macos ``` The perfect opportunity to map all Ubuntu Linux users worldwide on a daily basis? https://gdpr.eu/eu-gdpr-personal-data/ https://gdpr.eu/checklist/ See also https://askubuntu.com/questions/1105825/why-lubuntu-18-04-calls-amazon-servers-motd-ubuntu-com -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu. https://bugs.launchpad.net/bugs/1867424 Title: motd-news transmitting private hardware data without consent or knowledge in background Status in base-files package in Ubuntu: Confirmed Bug description: In package base-files there is a script /etc/update-motd.d/50-motd- news that harvests private hardware data from the machine and transmits it in the background every day. There is no notice, no consent, no nothing. This should be by default disabled until there is informed consent. This solution is simple: 1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it. Creating databases that maps ip address to specify hardware is a threat to both privacy and security. If an adversary knows the specific hardware and the ip address for that hardware their ability to successfully attack it is greatly increased. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
