Privacy is hard. Let’s go shopping!

It is possible that you have read some stuff about the Ubuntu shopping lens recently. Unity and lenses are pretty cool: together they give you one place to search for all kinds of stuff, and you can plug in additional search engines to throw your query at. So you might search for a word and find an application, some local files, some Wikipedia articles, a file in a document management system and some products on Amazon that relate to your search terms. A kind of super dooper omni-global search for things as well as web pages. Some people are concerned that searching for things means you have to send your search terms about all over the place. You can’t truly anonymously just search for stuff; you have to tell these various search engines what you are looking for – and if you are using an omni-global super search, that means that search terms might go to inappropriate places.


There they are!

Imagine you are searching for your socks. This is like looking in a drawer that normally contains socks and at the same time phoning up all your friends and asking them if they have seen your socks anywhere. This is not ideal, and when people started noticing this (after about a year of it having this behaviour – people only noticed when there was obvious money involved) a switch was added to “implement privacy”. It was a rush job, nobody is arguing with that, and it satisfied most people at first glance. There is now a switch in the privacy controls that can be flipped to turn off online searches. Sounds good, right? Well, diving a little deeper, this just sets a flag, and the individual search scopes (the things that put results in the lenses) have to be modified to check for that flag and not go searching. To stretch our sock analogy, this is like contacting each of your friends individually and saying “when I set this flag, and phone you, please just hang up on me”. If you acquire a new friend you have to remember to tell them this important condition of friendship.

Now if you want to ask each of your friends “have you got my Justin Bieber CD?” you have a problem, because they will just hang up on you. So you have to unflip the flag to perform that search – your friends are entirely useless with the flag set because they will just hang up on you – or they will ignore the flag and might end up spying on your morning sock-related searches if you accidentally phone them. You do still have the option of doing a focussed lens-specific search rather than using the home lens omni-global everywhere search. Using lens-specific searches you can “search in my sock drawer” or “ask that friend if they have seen my socks” without other friends finding out about your sock-related issues.

A lot of people got hung up over whether the shopping lens should be opt-in or opt-out. This is a bogus thing to get hung up about: the problem isn’t the default setting, the problem is that it isn’t granular enough. Let’s say you install the shopping lens and opt in to online searches. Awesome, you can now have lots of fun purchasing toasters and shoes and better CDs than that Justin Bieber one that you lent to someone or other. Now let’s say you install the rather fine Google Docs lens. You would expect that to be opt-in too, right? Well, bit late, sorry: you opted in to online searches already and there is no more fine-grained control (as it happens, the Google Docs lens is one of those friends that doesn’t know about your flag and it totally ignores it and picks up the phone).
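The two problems above (a flag that each scope has to choose to check, and a single switch for every online scope) can be shown with a small model. This is an added example, not Unity code: the classes, function names and the three sample scopes are all hypothetical, and the second dispatcher sketches a per-scope allow-list as one possible finer-grained control.

```python
# Toy model of the design discussed above. NOT Unity's API: every name
# here is hypothetical and the scopes are constructed sample data.

class Scope:
    """A search backend that the home lens hands queries to."""
    def __init__(self, name, online, honours_flag):
        self.name = name
        self.online = online
        self.honours_flag = honours_flag
        self.sent_online = []  # queries this scope sent to a remote service

    def search(self, query, online_allowed):
        if not self.online:
            return [f"{self.name}: local hit for {query!r}"]
        if self.honours_flag and not online_allowed:
            return []  # cooperative scope "hangs up"
        self.sent_online.append(query)  # the search term leaves the machine
        return [f"{self.name}: remote hit for {query!r}"]

def advisory_search(scopes, query, online_allowed):
    """Broadcast to every scope and trust each one to check the flag."""
    results = []
    for scope in scopes:
        results += scope.search(query, online_allowed)
    return results

def enforced_search(scopes, query, may_see_global):
    """Deliver the query only to online scopes the user has allowed, so a
    scope that ignores the flag never receives the search term at all."""
    results = []
    for scope in scopes:
        if not scope.online or scope.name in may_see_global:
            results += scope.search(query, online_allowed=True)
    return results

def make_scopes():
    return [
        Scope("files", online=False, honours_flag=True),
        Scope("shopping", online=True, honours_flag=True),
        Scope("docs", online=True, honours_flag=False),  # never checks the flag
    ]

def leaked_to(scopes):
    """Names of scopes that sent at least one query to a remote service."""
    return [s.name for s in scopes if s.sent_online]

if __name__ == "__main__":
    s = make_scopes(); advisory_search(s, "socks", online_allowed=False)
    print("flag off, advisory:", leaked_to(s))
    s = make_scopes(); enforced_search(s, "socks", may_see_global={"shopping"})
    print("allow-list, enforced:", leaked_to(s))
```

With the advisory flag, the switch being off still lets the non-checking scope send the query, and turning it on opts in every online scope at once; with the dispatcher deciding, only the scopes on the allow-list ever receive the term.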

So, there are issues. The developers know about them and they are a clever bunch; I am sure that they will come up with a more considered and comprehensive approach to this by the next version of Ubuntu. In the meantime I am not particularly comfortable writing lenses, because they either have to depend on all other online search lenses being turned on, or they have to ignore the flag. Both options kind of suck, so I have been exploring other interesting things that are similar to lenses, one of which is the topic of my next post.


  • Jo-Erlend Schinstad says:

    Even if you don’t consider any of the privacy issues, there are some problems with using the dash as a global search. I won’t spend too much time nagging about it, but in short, I think the dash should try to read my mind in order to reduce the distance between me and my stuff. But the computer can’t read my mind. However, it _can_ read my _history_. So if the dash was limited to applications, files, and other stuff that I have _used_ some time in the past, then it could spend more time trying to understand which of those I’m looking for. Other things should not be shown in there at all.

    In other words; the dash should display online things as well, but only once I’ve accessed them at least once. It’ll be more difficult to implement, because you need to consider browser history, etc, but I think it’s also a better design and promotes better desktop infrastructure.

    “Keyboard access” isn’t necessarily the same thing as “searching for stuff”, though they’re obviously quite similar in nature. For instance, when I use the HUD, I don’t consider that “searching for menuitems”. I consider it a more semantic form of keyboard access to a set of actions. And that’s extremely important, but consider what would happen if the HUD didn’t only return results from the focused window/app, but all menuitems in the Ubuntu Software Center? It’s too much information. The HUD should only show the active application’s actions and the dash home should only show things it knows I’m interested in because I’ve already done something with them. On the other hand, the apps lens should provide a much _deeper_ search for applications, using things like po-files, Wikipedia, etc. And it should include web apps that would be automatically wrapped as a “standalone webapp”. When I’ve used it, then it appears in HUD, providing fast access.

    As a side effect, searches in lenses will be more explicitly online whereas the dash home will be more explicitly private.

    • Alan Bell says:

      webapp integration with the HUD is actually a *really* good thing. That is one of the features which is massively powerful and a bit undermarketed at the moment.

  • IdleOne says:

    Good post, looking forward to reading the next one.

  • cscarney says:

    I suspect that a lot of the privacy complaints about the shopping lens are from people who are actually upset with the commercial nature of the shopping lens rather than privacy.

    But for me the shopping lens forced the issue for a different reason: my privacy preference is for the home lens to be local-only while individual lenses may search online services. That avoids leaking search terms unnecessarily, while retaining the ability to access online content when it’s likely to be relevant. Every default lens followed that design until the shopping lens showed up.

    • Alan Bell says:

      Quite agree on both points, and I have been urging the developers to have a control on which scopes can “see” global search change events. Apparently this is non-trivial due to the way dbus works. I still think it could be done that way and it seems a more sensible dividing line than “online/offline”. In fact I even did a little GUI mockup of the front end for such a thing.
      privacy mockup

  • Philip Peitsch says:

    I disagree with your assertion that the argument about the default setting is bogus.

    The default setting is the root of the problem. Anyone that does not live and breathe Ubuntu is given no obvious notification or active decision to stop this feature. It is the most underhanded type of feature, in that before you can turn it off and restore your privacy, ONLY IF YOU FIRST KNOW IT EXISTS. Otherwise… Canonical profits from the free usage statistics… and joe-user is entirely unaware their information is being passed WITHOUT THEIR EXPLICIT CONSENT to Canonical.

    It feels extremely sneaky.

    • Alan Bell says:

      It is too small an issue to be worrying about in comparison to the big issues that most people don’t appear to have noticed.

      • Philip Peitsch says:

        I guess that’s the point though :). If the plugin was disabled by default, the “bigger issue” would not exist for 90% of the users. This would allow time to address and determine the best fix to what you believe to be the bigger issue of insufficient granularity of control, whilst ensuring only users who are conscious of the pitfalls of using the shopping lens are at risk.

        As it is, the choice of the default setting is what turns the lack of granularity into a problem magnitudes larger than it otherwise would have been.

        • Alan Bell says:

          The bigger issues exist for anyone wanting to write a lens. Just today a new lens arrived in the software centre
          It does not check the privacy flag, it will work perfectly well whatever position you set that flag to. The fact that you can go to the privacy settings and flip a switch that we are telling users stops lenses from doing online searches and it flat out doesn’t – even for lenses we have accepted into the repositories via the application review board – is to me a much much bigger issue. I would rather we didn’t have a privacy control than having one that mostly doesn’t work.

  • alan cocks says:

    My expertise is close to helping novice end users, I am not dev ‘techy’. One of my most popular leaflets, which advocates FLOSS is entitled ‘About Free Software’ and continues: ‘All ‘Free’ software is not equal. Software given ‘gratis’, with no charge, usually has secrecy attached. Please read on….
    The secrecy of what the program does in your PC. When you install the program, you are required to accept a Licence Agreement, and most people just click ‘yes’ without reading the pages of small print. But, no secrets with these: ‘
    (and the list is: Ubuntu, Firefox, Thunderbird, Libre Office).

    The objective of this leaflet, which continues the simple theme over several folded sides, is to draw attention to reasons to avoid proprietary software, and to advocate FLOSS. ‘Secrecy’ is pretty clear. With Ubuntu, there is a lot of transparency, no secrecy. However, the need to grow the unique Canonical business model by exploiting user behaviour (note 1) has blurred what was a nice boundary. Ubuntu is the ‘Best in show’ for me, and my advocacy. But I am deeply troubled by what has happened about search, and I am very clear that I will be removing whatever reduces privacy. If that removal becomes onerous, I am equally sure I will be reducing my commitment to Ubuntu, including with advocacy. I very much hope and trust that development in Ubuntu will find some ease of compatibility with the EFF comments and as far as possible, Stallman’s comments.

    Note 1: I strongly support the need for Ubuntu to grow into using an economically sustainable business venture. This is not seemingly a part of Stallman’s agenda. Even if the shopping/search opt-out is not easy, Ubuntu may well succeed, although I think that would be a sub optimal situation. If the principled ideal of ‘Opt-In’ cannot be used, then in my view it is paramount that an elegant effective ‘Opt-Out’ method is available. This will have a powerful political, marketing, consequence. I run clubs for novices (Libre). One discussion included a member’s comment that he did not even understand why such privacy was in any way relevant. He has been a member for at least a year, and still is committed to Windows, but is interested in Libre. He will buy what is in the shops, whereas people like me will go to the ends of the earth to avoid that, and use Ubuntu. It seems to me that this is a bad time to be attracting adverse comment from the spiritual heart of FLOSS, or from people such as myself. A Win-Win in these situations would obviously keep and nurture legacy users and followers at least as long as it takes to become a majority OS. A disclosure – I am an FSF member, and I probably give as much money to FSF as I do to Ubuntu. The very unique Ubuntu business model will hopefully develop to reconcile itself somehow with uncomfortable principles on its way to prosperity. I *really* hope it can.
