The independent body investigated the implementation of the Unity Shopping Lens feature and its compliance with the UK Data Protection Act of 1998 after a formal complaint was filed by blogger Luis de Sousa last year.
‘Blogger Finds Breaches’
Like many users at the time, Sousa had concerns about the impact of the feature — which sends queries made in the Dash, along with non-identifiable location data to an intermediary server owned by Canonical, on to Amazon, and then return product suggestions matching the query back to the Dash — would have on user privacy.
“My main objection against these lens is the automatic collection of search keywords, without consent, whenever the user tries to find a particular application or file in the system,” he wrote at the time on his blog.
Having dealt with data protection issues as part of his professional career, Luis claimed to have found a number of instances in which the Shopping Lens implementation contravened a 1995 EU Directive on the protection of users’ personal data (enacted in the UK part of the Data Protection Act of 1998).
Concerned by these alleged conflicts, Sousa reached out to Canonical for clarification, wrote articles to raise awareness, and launched a petition to help bring about change.
Finally, as a last resort, he file a complaint with the Information Commissioner’s Office, the legal body concerned with privacy protection in the UK where Canonical operates, for clarification. He notes on his personal blog that this ‘was not a straightforward process, requiring some insistence’.
In an update posted this week, Sousa writes that the saga finally reaches an overdue end.
‘Independent Body Finds Nothing’
After waiting several months for the investigation to conclude, Sousa was finally given a response from the ICO on where Canonical’s features stand legally.
In short: the ICO found no instances of Canonical being in breach of the DPA.
Based on the information given to them by Canonical on the steps they were taking to ensure the shopping lens feature complies with the DPA (Data Protection Act), the ICO states they are:
“…satisfied that Canonical Ltd has a suitably thorough understanding of the DPA and its implications and requirements; and, that Canonical Ltd has taken and is taking due steps to comply with its obligations under the DPA.”
Further still, the independent body considers the legal notice linked to in the Unity Dash of Ubuntu 12.10 and 13.04 (relocated to the Privacy settings pane from 13.10) to have been sufficient to ‘comply with the DPA for the introduction of those searches’. They also feel that Canonical
“…have made reasonably available to Ubuntu users suitable information to assist people in limiting searches undertaken, or in removing the feature involved from their installation. ”
Happy with all the steps taken they conclude ‘no further action is required’ and Canonical has no current need to ‘improve its information rights practices at this time.’
So there you have it: the feature is legal; user data is collected and protected in accordance with the law.
Read the full response
You can read the commissioner’s full response to Luís de Sousa on his blog, linked below.