https://ico.org.uk/make-a-complaint/your-personal-information-concerns/
To: ICO Dear Information Commissioner’s Office, I confirm that I want to proceed with the creation of the case about Canonical's motd-news as Canonical don't want to remediate the privacy issue of sending by default hardware details and public IP of all Ubuntu Desktop and Ubuntu Server twice a day, every day of the year. Next to this message, you will find the final answer from Canonical. https://ubuntu.com/legal/motd The following are my comments on their legal information. "The purpose of sending the system information is so that Canonical can tailor the message returned by https://motd.canonical.com."; This is wrong motd.canonical.com does not exist and is part of motd-news. The server used by Ubuntu is https://motd.ubuntu.com lynx -mime_header https://motd.canonical.com Looking up motd.canonical.com Unable to locate remote host motd.canonical.com. Alert!: Unable to connect to remote host. The evidence is part of the Ticket https://launchpadlibrarian.net/487032881/ubuntu-desktop-2004-motd-news.png "None of this data can be used to identify a machine or user." "Along with this data, the IP address and other network information is transmitted to facilitate communication on the internet from the Ubuntu machine to Canonical. This information is not stored by Canonical." This is wrong as Canonical is using Apache and the default is to store IP address in the access log https://httpd.apache.org/docs/current/logs.html Common Log Format (%h) This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. However, this configuration is not recommended since it can significantly slow the server. Instead, it is best to use a log post-processor such as logresolve to determine the hostnames. The IP address reported here is not necessarily the address of the machine at which the user is sitting. If a proxy server exists between the user and the server, this address will be the address of the proxy, rather than the originating machine. lynx -mime_header https://motd.ubuntu.com HTTP/1.1 200 OK Date: Mon, 13 Jul 2020 06:05:38 GMT Server: Apache/2.4.18 (Ubuntu) Last-Modified: Mon, 13 Jul 2020 06:00:50 GMT Accept-Ranges: bytes Content-Length: 215 Vary: Accept-Encoding Connection: close Content-Type: text/plain * "If you've been waiting for the perfect Kubernetes dev solution for macOS, the wait is over. Learn how to install Microk8s on macOS." https://www.techrepublic.com/article/how-to-install-microk8s-on- macos/ "You can disable this service as follows:" "/etc/default/motd-news has an ENABLED=1 setting that if set to 0 will turn off this functionality." I assume 80% of Ubuntu Desktop users will not know how to disable motd-news because they need a Terminal and sudo access. A regular editor running a default user will not allow to edit this file as super user. So this doc is useless. On top of that Canonical send motd-news information before the user can even opt out during the installation of Ubuntu Desktop and during the first boot of the Ubuntu Desktop operating system so setting it is only useful to stop it but the harm is already done and data already sent to Canonical. Evidence https://launchpadlibrarian.net/487031151/ubuntu- desktop-2004.png For more information read https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424 Please also note that https://ubuntu.com/legal/motd title is not searchable in their search engine and is not part of the legal notice during the installation of Ubuntu Evidence (picture in attachment) and https://launchpadlibrarian.net/487031391/ubuntu-desktop-2004-legal.png "No, don't send system info" is not respected https://launchpadlibrarian.net/487031210/ubuntu-desktop-2004-optout.png https://launchpadlibrarian.net/487032881/ubuntu-desktop-2004-motd-news.png Privacy does not have an option to opt out from motd-news https://launchpadlibrarian.net/487031529/ubuntu-desktop-2004-privacy.png -------- Forwarded Message -------- Subject: Re: Unremovable motd-news used as Telemetry and Advertising tool without explicit consent Date: Fri, 10 Jul 2020 12:00:29 +0100 Dear Guy Thank you for your patience. Please now see the legal notice for MOTD on Canonical's website: https://ubuntu.com/legal/motd I can assure you that no access to or storage of IP address data is made. Canonical takes data protection compliance very seriously and we continue to review how we can improve this and other services. Many thanks Director of Legal & Company Secretary Canonical Blue Fin Building, 5th Floor 110 Southwark Street, SE1 0SU Ubuntu - Linux for Human Beings www.canonical.com -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu. https://bugs.launchpad.net/bugs/1867424 Title: motd-news transmitting private hardware data without consent or knowledge in background Status in base-files package in Ubuntu: Won't Fix Bug description: In package base-files there is a script /etc/update-motd.d/50-motd- news that harvests private hardware data from the machine and transmits it in the background every day. There is no notice, no consent, no nothing. This should be by default disabled until there is informed consent. This solution is simple: 1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it. Creating databases that maps ip address to specify hardware is a threat to both privacy and security. If an adversary knows the specific hardware and the ip address for that hardware their ability to successfully attack it is greatly increased. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
