Is an EU law on data protection being broken in Ubuntu 12.10?

That’s the charge being put forward by blogger Luís de Sousa, who has spent the best part of 10 years working with state institutions where, he says, ‘issues with private data are recurrent.’

Sousa claims to have found several articles of a 1995 EU Directive on the protection of users' personal data that Ubuntu's controversial new 'Shopping Lens' conflicts with.

As I'm not a lawyer it's not for me to judge. So below we'll recap what Sousa is claiming, how he thinks it relates to the Shopping Lens, and get the opinion of a leading digital rights group.

The Basics So Far

Before we dive into the specifics of Sousa's research, which he has shared with us, we'll run over the basics of what the Shopping Lens is and how it works.

The ‘Shopping Lens’ is a new feature present in the development builds of Ubuntu 12.10 that displays Amazon product (or Ubuntu One Music Store) suggestions in the Dash.

When you enter a search term in the Unity Dash of Ubuntu 12.10 your query, along with your IP address, is sent to a server owned by Canonical. From there your search query is sent on to Amazon, where product suggestions based on your term are matched and sent back to Canonical’s server and then into the Dash.

How the shopping lens works

All of this happens in mere seconds.

Although enabled by default, the Shopping Lens can be removed or disabled by the user via a 'switch' in Privacy settings.

Concerns

Calling the Shopping Lens ‘controversial’ is at the same time an exaggeration and an understatement.

For whilst many found fault with the feature for a host of reasons (ranging from search terms not being encrypted, now fixed; adult products being shown, now fixed; and the omission of some text required by Amazon's seller API, again now fixed), the vast majority of early testers have been willing to accept its arrival.

But for Luis de Sousa, a software engineer/architect used to trawling through the minutiae of European political documents, the question of whether or not the practice is ‘legal’ was his chief concern.

"My main objection against this lens is the automatic collection of search keywords, without consent, whenever the user tries to find a particular application or file in the system," he wrote on his blog.

So he did some research to see if this was the case, unearthing European Directive 95/46/EC in the process. This directive, made in 1995 but currently in the process of being updated ahead of ratification in the next year or so, applies to all member states – including the UK, where Canonical have an office.

The EU Issues

Article 2 clause (a) of the document defines what ‘personal data’ is within the context of the directive:

(a) ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

As all Lens searches are sent to Canonical's servers with the IP address they are made from (required so that results can be sent back to the right computer), this, Luís claims, theoretically makes it possible 'to indirectly identify the user'.

Article 2 clause (b) defines another important concept, that of “data processing”:

(b) ‘processing of personal data’ (‘processing’) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

This, Luis argues, ‘brings the collection of searches by the Shopping Lens clearly within the scope of this legislation.’

Further on in the directive, Article 7 lays out the situations in which the processing of personal data is lawful:

Member States shall provide that personal data may be processed only if: 

(a) the data subject has unambiguously given his consent; or 

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or 

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or 

(d) processing is necessary in order to protect the vital interests of the data subject; or 

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or 

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

It's this article in particular that Sousa finds the most contentious.

Ubuntu 12.10 Beta ships the Shopping Lens enabled by default. He feels that no form of 'consent, implicit or explicit' is asked of the user before downloading or after installing. Whether the user is aware of it or not, every search term they then enter in the Dash is sent on to Canonical's servers.

Amazon results in Unity

It’s this lack of ‘consent’ that Sousa sees as being ‘where the problems start’.

‘[As Ubuntu is] freely distributable software, there is no formal contract between data subject and data processor that could legally frame the Shopping Lens’, he adds.

More Issues

Articles 8 and 25 are also worth looking at in relation to the Shopping Lens according to Luis.

Article 8 concerns restrictions on the 'processing of special categories of data', such as information relating to political parties, ethnicity, religious beliefs and the like.

Because the Unity Dash is used to search local (personal) files as well as online sources, Sousa thinks that this 'puts the Shopping Lens outside the law.'

“It seems simply impossible for an application that collects all searches, regardless of whether the user is looking for a file or a gift for Christmas, to comply with EU law.”

Lastly, Article 25 lists a number of constraints on where data collected by a service or company may be transferred:

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection. 

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

'Privacy important to Canonical'

At the time of writing the servers that process the data for the Shopping Lens feature are located within the UK. This means that they likely already comply with EU law. In fact, a company as large as Canonical, with its own dedicated legal team, has likely been aware of these issues and made sure it is on firm legal ground.

But it pays to check, so we asked Canonical whether or not they can confirm that the feature complies with EU law, how long collected data is kept, and whether all of the servers used in processing the data are in the UK.

Unfortunately we didn't get explicit answers to those questions, but the company did stress to us how seriously it takes the privacy of its users:

'At Canonical we respect our users and we respect their privacy', they told us, adding that they take their legal requirements and community responsibility 'very seriously'.

“Ubuntu 12.10, which is currently in beta, includes the “Shopping Lens”. We are currently developing this feature to ensure that our users understand more about how it operates, what data we collect and what happens with that data.

"As always, we encourage feedback on our products and services and we very much welcome the feedback we have recently received from our community of users in relation to the Shopping Lens feature. We hope that our users will see that we are working to address their concerns."

Ubuntu's Community Manager Jono Bacon has also sought to allay fears about the feature by explaining how it technically works.

Writing on his blog he explained that ‘the raw httpd logs are only visible to a small group of people whose job requires that they have access and who are trained in respecting people’s privacy in accordance to European law on this matter.’

Search queries themselves are, according to Jono, 'stripped of the IP addresses' and only available to a 'group of people to enable statistical reporting'.
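The data flow described earlier (query plus client IP to Canonical, keywords on to Amazon, results back to the Dash) and the log handling Jono describes (raw httpd logs restricted to a few people, IP-stripped queries for statistics) can be modelled in a few lines. The Python below is an added illustration and not Canonical's code: the relay class, the catalogue, the log line format and the addresses are all constructed assumptions, and the `remote_search_enabled` flag stands in for the Privacy settings switch.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import quote

# Constructed stand-in for Amazon's product lookup: keyword -> suggestions.
FAKE_CATALOGUE: Dict[str, List[str]] = {
    "headphones": ["Noise-cancelling headphones", "Earbuds"],
    "camera": ["Compact camera", "Camera bag"],
}


@dataclass
class DashSearch:
    """What the Dash sends to the relay: the raw keywords plus the client IP."""
    query: str
    client_ip: str


@dataclass
class Relay:
    """Hypothetical model of the Canonical relay between the Dash and Amazon."""
    raw_httpd_log: List[str] = field(default_factory=list)   # restricted to a small group
    stats_log: List[str] = field(default_factory=list)       # IP stripped, for reporting
    forwarded: List[Dict[str, str]] = field(default_factory=list)  # what Amazon receives

    def handle(self, search: DashSearch, remote_search_enabled: bool = True) -> Optional[List[str]]:
        """Process one Dash query; returns suggestions, or None if the switch is off."""
        if not remote_search_enabled:
            return None  # Privacy switch off: nothing leaves the machine
        # Every Dash query lands here, whether it was a shopping query or a local file name.
        self.raw_httpd_log.append(f'{search.client_ip} "GET /search?q={quote(search.query)}"')
        self.stats_log.append(search.query)  # IP dropped before the statistics group sees it
        request = {"keywords": search.query}  # the client IP is not forwarded to Amazon
        self.forwarded.append(request)
        return FAKE_CATALOGUE.get(search.query, [])


def run_demo() -> Relay:
    """Three constructed searches from two constructed (RFC 5737 documentation) addresses."""
    relay = Relay()
    relay.handle(DashSearch("headphones", "203.0.113.7"))
    # A local-file search is sent too, and its keywords hint at the document's contents.
    relay.handle(DashSearch("tax return 2011.odt", "203.0.113.7"))
    # With the Privacy switch off the query never reaches the relay.
    relay.handle(DashSearch("camera", "198.51.100.9"), remote_search_enabled=False)
    return relay


if __name__ == "__main__":
    r = run_demo()
    print("raw httpd log :", r.raw_httpd_log)
    print("stats view    :", r.stats_log)
    print("sent to Amazon:", r.forwarded)
```

Comparing the three views shows who can see what: only the restricted raw log ties keywords to an address, while the statistics view and the forwarded request still carry the local file name typed into the Dash.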

So is there an issue?

'Fundamentally Problematic…'

With data protection being a delicate and somewhat syrupy quagmire to wade through, we reached out to Privacy International, a UK charity founded in the 1990s to 'defend the right to privacy across the world', to see what they made of it.

Their chief technologist Sam Smith weighed in:

“While innovation in the desktop experience is a good thing, the implementation of this feature does seem to be flawed.

The lack of explicit user consent is fundamentally problematic, and the implications can be significant. Linux distributions are generally excellent at promoting user privacy, security and independence. Users legitimately expect that documents on their desktop remain private, and desktop search should not expose those search terms beyond the system itself. 


The search terms used to find a document are highly indicative of its contents. Even if no link is clicked, that the search was run is known to Canonical, Ubuntu, and possibly others, and there is ample experience showing that knowing just the search terms can lead to actually identifying the individual (see previous cases involving AOL, Netflix and Wikipedia). It is unfortunate that Canonical wishes to be added to this list.

Strongly worded stuff, but is the feature illegal? On that Smith was less certain:

“Whether the setting default contravenes the EU Data Protection Directive would take a closer look at the feature itself, but on the face of it, in our opinion it would need to do more to seek the user’s informed consent, particularly as it involves the sharing of users’ information with third parties.

It certainly does not meet the ethos of the free software community aiming to widen the use of free and open source software.”

Summary & Solutions

First of all I am not a lawyer, so I am not in the position to say whether or not this feature contravenes EU law. Sousa has clearly done his homework, claims experience in this area, and makes compelling arguments.

But he is not a lawyer, either.

Whether the Shopping Lens turns out to be wholly legal or inadvertently not, it's important to note that this feature is in development. Ubuntu 12.10, which includes the feature, has yet to be released. Anyone using development builds will likely be aware of the feature prior to installing, thus (arguably) giving implicit consent to using it.

Again, I am not a lawyer, but one would assume that were the 'shopping lens' a standalone, optional package, installing it would likewise give the implicit consent so vital to many of the points raised by de Sousa's research.

Canonical and Ubuntu are their own community; it's not in their interest to add a feature that undermines that community.

Hopefully we’ll get further clarification of this story, and many of the points raised in it, over the coming days.

In the meantime, if you're using Ubuntu 12.10 and have privacy concerns you can disable the Lens from the 'Privacy' section in System Settings, or remove it entirely by running the following command in a Terminal:

  • sudo apt-get remove unity-lens-shopping
With thanks to Luís de Sousa & Privacy International
Diagram Image Credit: Benjamin Kerensa