Ubuntuzon by Emmanuel Revah is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

You know how when you search for something within a search engine and the first results are adverts (sponsored links) ?

Now, you can get that feature right in your desktop environment ! Indeed Ubuntu has now added this thing, when you search for a program through the "lens" you get software results and right below "More Suggestions" which are products from your local Amazon online store.

Ubuntu and its followers defend this stating that Ubuntu needs to be funded somehow. It's a strange point of view that users of free email might understand as they already accept to have advertisements on their personal email pages (webmail). However I think both are perverse, we already are subject to so much consumer propaganda in public spaces as it is.

If Ubuntu is really in lack of money, they could have easily obtained funds by asking their users to donate. They already do that I heard, but I couldn't find where. Just put the link near the download link, or on the home page, or at least in the main menu. Offer services, like support, I don't know, maybe they should start a kickstarter page. Instead it looks like they are going in the direction of ChromeOS. I'll even predict that the next Ubuntu will be a just boot loader with the whole OS on their cloud.

Oh, I almost forgot, this probably means that whatever you type in the "Lens" thing is sent to Amazon.com with your IP (see update below).

Update: There is even a bug report about this. It seems the user's queries are not sent to Amazon directly but are sent to Ubuntu, the Ubuntu user's computer then gets a JSON formatted reply. That reply contains links to product informations and remote images that the user's computer will then request directly from Amazon.

This what a search like "games" looks like.

Mark Shuttleworth's honest response should make any Ubuntu user worried:

Why are you telling Amazon what I am searching for?

We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root. You do trust us with your data already.

No mister Shuttleworth, I don't trust you with my data, and this is just one of the reasons why.

Update 2: And so the bug reports are coming in, here are just a few.

• "More suggestions" icons are bigger than installed icons
• Dash now suggests software that can not be used with Ubuntu
• Editor's pick: grep -R doesn't automatically search amazon

Update 3: A post from the Free Software Foundation on Ubuntu, by RMS: Ubuntu Spyware: What to Do?

Update 4: The Ubuntu/Amazon parody logo is now under CC-BY-NC CC-BY-SA license thanks to Richard Stallman.

Lately there have been more and more attempts to legislate, censor and control the Internet and with that many protests to counter these measures. There are also more and new groups and political parties that advocate Internet freedoms, freedom of speech and all that stuff. Even some website that wants to have a "Bat signal" to gather activists when action is needed.

There are a few things that have been bothering me for quite some time now, if you already understand how we ended up with the Internet we have today you may skip to the end.

Brief History

Internet was designed to be a global distributed network, which means no central point of failure or governance. Having a decentralised network was key in the design, this made it virtually impossible to shut down communications between peers as there would be many different possible routes from point A to B.

Before 2000 it seemed normal or at least common for people to host their own services even at home on their desktop computer.. Even though things like AOL, Hotmail and other such services existed, censoring and/or controlling the Internet was nearly impossible. People used so many different email providers, different search engines and various forums and chatrooms, the users were scattered all over the place.

The network slowly concentrated in to bigger centres. Some services grew and became better and better to a point were their names became synonym for the type of service they initially provided. Some extended their services to new domains, like that search engine who quickly understood that user data was the real money maker. They offered to capture user data as a service, they called it "email with unlimited space". People loved it so much that the other providers had to follow the same path or risk extinction. It became the most popular way of monetizing the Internet.

Later on newcomers landed directly on this new world of "ad-supported data violating web based services" and saw it as normal Interweb procedure. Meanwhile many "computer geeks" abandoned their personal servers and signed up for FaceSpace+ accounts, with that the wild west style communities started to die off, their users were outraged by any web page that did not have Ajax effects or OMG kittens. The first battles in the war on Digital Autonomy and Freedom were lost to fancy user interfaces and pokes.

Current Situation

It's very simple, most users rely on one major search engine to tell them where to go, the same company provides them communication tools (email, chat), news aggregation, maps, calendars, document editors, etc etc. If you look at the top 500 global sites (according to Alexa) you can see that most of the biggest sites are all owned by a very small club.

Internet services are mostly centralised. It is now easier than ever to censor content on the Internet, Twitter accepts per country censorship on their network. Google has been complying too. In this case I am not judging Twitter and Google on their censorship policies and/or methods, they are quite open about this unlike others we might not always hear about.

This shows how easy it has become to control what information gets propagated on the Internet. Countries like Egypt may find it more effective to censor Tweets and Google searches rather than pulling the plug on the whole Internet. This more discreet approach should have something closer to the desired effect, indeed censorship works best when it goes unnoticed.

Tracking Users to Provide Tailored Content

Most Internet users nowadays have all their emails read by robots/scripts which then find the most appropriate advertisement to incorporate to their webmail page. Most of the data we feed into the machine gets mashed up into data that is sold to marketing researchers. If you don't have an account with any of these companies, you might still be feeding them copious amounts of data via cookies, analytics and other types of embeded web content.

It is nearly impossible nowadays to visit a web page that does not ask your browser to retrieve data from other sites. Even a simple image embeded to a website will provide useful statistics. True story, some random guy once linked to an image from my website for his site's footer, I suddenly had his complete visitor statistics.

Imagine how much more can be done from a company that owns an incredible amount of very popular websites and provides many analytical services to a point where almost every website visited implies a request to at least one of their servers. Now imagine that a lot of the people running around on this Internet are logged in to this big company's services and are hence personally trackable among almost all the sites they visit.

One of the goals of all this is to provide "tailored content", not the advertisements that happen to match your recent conversations, but your actual search results, news, etc. You might not have the same results using Google as someone sitting right next to you. Some say this is good, others say this is evil. I say is that it's a demonstration of what is technically possible today and it should make you react.

Internet Freedom Defenders, Please

The main reason why any of those CISPA/ACTA/PIPA/SOPA/CABANA things could affect the Internet is because of the way most of us use the Internet. Being mainly passive users has made it technically possible to apply very creepy legislation. I see these protests mainly as a wake up call for people to start changing their habits and to take the Internet back.

A few things many movements that try to defend and promote Freedom, Internet freedom, Free speech or any variant of those things need to start doing are:

• stop using Facebook as your primary point of contact
  

  I get that you must use those tools to reach the masses, but you are losing the core by doing so exclusively. I really can't take you seriously if you communicate mostly via the same website that supports the law you are protesting against (Facebook supports CISPA). Just setup a public webpage somewhere with the infos people need, then share/spread the info via other mediums such as social networks, email, forums, etc.

• Learn to use distributed and decentralised social networks
  

  You should use and promote usage of social networking tools that do not depend on a central authority, a great example is of course Friendica, there are many others too. Avoid corporate policy censorship by being your own social network administrator.

• Don't use URL shorteners
  

  It should be obvious that shortened links are obfuscated links, there is no good reason to use them, ever. If you have a link to share, just share the link, not a link to the link.

• Emails, install your own server
  

  This should be the most important element, a private mail server. This is where you tend to concentrate most of the confidential stuff. You should already want to do this by default, especially if you want to defend the Internet and Freedom, etc etc... . .

• Avoid embedding tracking devices on your websites
  

  All those gadgets to "like", "sign in with", "comment using", etc etc are often tracking devices. By embedding them you automatically identify most users to their email and/or social network providers about their visit, without the user's consent.

Just one more thing, when Facebook, Twitter or some site like that starts acting weird, remember this: Their terms of Service allow them to do pretty much anything and you agreed to them (if you have an account). They do not owe you anything because you are not the customer, you are the product.

I feel sad sight when I see organisations like Demand Progress ask their subscribers to sign a letter to ask Facebook to stop supporting CISPA. Instead of trying in vain to change the corporation, do what these fine people did when Godaddy supported SOPA, change your habits.

What you do counts more than what you sign.

The other day a good friend of mine suggested I implement Gravatar on my website, so I started checking how it works and found it was incredibly easy. All I'd have to do use put an img element with a link to an md5 hash of the commenter's email. Like this: <img src="http://www.gravatar.com/avatar/205e460b479e2e5b48aec07710c08d50" />

MD5's can be Sensitive Information

There are 2 issues with this:

• Without figuring out the email, you can still find other user's posts on other sites. Indeed, all you need is to search for the MD5 hash. Perhaps the Gravatar user is okay with this maybe not in every case (more later).
• If you are the administrator of a large user database, you can search for MD5 hashes and easily find out what your user database has been posting.

Other Issues

• Non Gravatar user's can be tracked on the web too

  Even if you are not a Gravatar user, many websites will submit your email's MD5 hash to Gravatar and show that hash to the visitor. This means that even non-Gravatar users are now Gravatar users. There is nothing stopping Gravatar from storing this and nothing stopping people you know from finding your posts. Yes, anyone you know can go insane (like many employers who demand your social media credentials) and search the web for your email's md5 hash.

• Gravatar can haz your blog statistics

  Every time someone visits a Gravatar enabled website, Gravatar gets some of the website's user statistics: visitor's IP, browser/OS and the page visited.

• Gravatar Knows Where You Have Been

  Of course, because of the above, Gravatar can know about all the posts made by their users on Gravatar enabled sites. Maybe they don't gather that info, but technically it's totally possible.

• Websites that use Gravatar deliver content from third party sources

  This can be a problem when your website uses HTTPS, using Gravatar means some of your content is no longer encrypted, unless you use Gravatar's https version. But using Gravatars HTTPS version means asking your visitors to trust their SSL certificate, which is issued by GoDaddy !

  I know it is a very common practice to have many bits of websites hosted behind many different URLs, but it's always good to limit that where possible. For example, embedding a Youtube video is understandable as it is actual content and generally users can see where this comes from. Pulling avatars, icons and such from all over the web isn't so cool.

  It also means losing control over what parts of your site are actually getting delivered to your visitors and how they are getting delivered. You cannot know if your visitor's connection to Gravatar is broken or altered.

  On a non-privacy insane perspective there could be performance issues, don't forget visitors now have yet another domain name to resolve. Reducing the amount of DNS queries can help what they call "the user experience".

How can we Fix This ?

• Give your commenter the choice of using Gravatar's service

  Instead of just hashing everyone's email "de force", why not let the commenter chose to have their email hash posted on the Internet first ? Perhaps even a Gravatar user may want to make a comment without linking it to their Gravatar profile ?

  I'll stress this a tiny bit more just because so many sites use Gravatar but don't even inform their users in the slightest way. If you would want to use Gravatar for every comment, why not, but you should at least inform your users.

• Not show the email's MD5 hash in the first place

  Why not just make the request to the Gravatar avatar from the website and then deliver that to the visitors ?

  The technical howto in a nutshell is to replace the Gravatar image link with a script and pass a get variable to it, like the comment id. The script then figures out the md5 hash (if the user agreed), requests an image from Gravatar and shows that to the visitor.

  This also helps reduce the amount of DNS queries your visitors will make, instead your website/webserver will do all the work. And your webserver should probably have better bandwidth than your average visitor.

I think this probably extends to many more services than just Gravatar. And Gravatar are probably nice people with pure intentions... . It's not the end of the world, but it would be nice if webmasters put more thought into this sort of thing. The Interweb is still an experimental place, we should still be actively thinking about how we build it not just lazily and passively do things the way they've always been done.

Gravatar Enabled

Starting today, on this website, if you post a comment you can chose to have your email's md5 submitted to Gravatar to see if you have an avatar there I can use. Your email's MD5 hash will not be visible to other users.

This is what the img element that displays the G/avatars looks like on this website:

<img src="/blah/modules/gravatar/gravatar_img.php?id=1" />

Many ISPs or other Internet services in these current days will often voluntarily co-operate with the authorities without requiring warrants and such. Some will be even working directly with the MPAA/RIAA. However there are some people out there, like Nick Merrill who are are totally not like that.

Today he is raising money to start a non-profit ISP and mobile phone service that will be designed to resist surveillance, with things like encryption, minimal logging and mostly by challenging requests by the authorities that are abusive and/or illegal and/or unconstitutional.

So if you do live in the U.S.A. and more precisely NY for now, you could be very interested in checking out Calyx Institute and perhaps donating via Indiegogo or via their Paypal form.

Also, check out the people on the advisory board.

The UK would like to implement a new system (originally brought up by the Labour party) that would oblige Internet access providers to monitor all electronic communications. The ISPs would have to store logs of all communications, though they say the actual content of emails wouldn't be recorded without a warrant.

They will most likely forge email providers certificates in order to intercept encrypted traffic, because most browser by default trust just about any certificate emitted by a "company" most users wont even notice.

If you are a UK citizen you can sign this petition. You can also check out ORG who follow these issues very closely (the only thing they do wrong is that they use bitly links!).

This came out yesterday, yet it's not an April fools joke..

Read more:

• Phone and email records to be stored in new spy plan - telegraph.co.uk
• Backlash over email and web monitoring plan - bbc.co.uk
• Stop the government snooping on every email and Facebook message - action.openrightsgroup.org
• Scrap Plans to Monitor all Emails and Web Usage - epetitions.direct.gov.uk

Yesterday (or still today in certain time zones) was Data Privacy Day.. I was made aware of this by a doodle on DuckDuckGo.

Of course I opened a new tab and rushed to see what the search engine that I used to use before they became evil had drawn for the event... And well, funny story, Google has totally avoided the subject and instead put up a doodle celebrating the 125th birthday of the biggest recorded snowflake.. p.s. please install Chrome.. Like WTF right ?

As you may know, if you have a Gaccount (Google account), Google has changed their terms of service so that now everything "G" is unified, and what you do in Youtube directly impacts the adverts in your emails, and things you search for.. . etc etc.. And all this with the magic wandish words like "simple", "easy" and "yada yada".

So why has Google omitted Data Privacy Day ? Maybe because data privacy is irrelevant in a system where your personal data lives across over 60 different services.. .. Perhaps I am wrong and it is just an innocent obsession with snowflakes..

BTW, this does not affect you if you do not have any account with Google, so for those rare people out there, bravo. : ]

O2, a UK phone operator, seems to be sending along in the HTTP headers of their clients http requests the user's mobile phone number! Lewis Peckover has discovered this and set up a test page for people to see what information their mobile ISP is actually sending to websites.

To test, disable your mobile phone's Wifi and visit this page. There you should see the usual stuff, user-agent, IP, languages, etc.. If you see other things like your mobile phone number you might want to ask your ISP for explanations.

Another thing that Lewis notes is that O2 modifies content, he claims they downgrade images and insert JavaScript links. If true, this is really really bad, this is basically tampering and altering private communications. It's just like if the post office opened your letters, made reduced photocopies so your letters are lighter and then passed that on to you.

I am guessing this shouldn't work using HTTPS, however I would like to ask Lewis what is the deal on this as I do not have a mobile phone and hence cannot test this at all. I also don't have a Twitter account so... . If you do, ask him. Khtxbye : ]

Update: I found this old thread about the same sort of thing affecting other customers on other mobile networks. This is really not new and this is not an 02 issue but rather a mobile phone ISP issue.

Today I would like to talk/rant about URL shorteners, these things that take a good old link and turn it into something short and obscure.

One day people realised that sending long links over some mediums such as email or instant messaging could be a pain as the link would sometimes be cut up into pieces, and lose clickability. One of the reasons (IMHO) was that in those days fancy clean URLs were not so common so it would be easy to come across some of those crazy long links.

Then came the tweeting days, when the Internet decided it was time that everybody published content, and because most people have difficulties with literary expectations that exceed one sentence they came up with the brilliant 140 character limit (also to be compatible with SMS). In this situation even a normal optimised pretty link looked super fat, it's like putting a normal healthy human being next to Kate Moss..

This was already becoming a problem but then people took it to the next level, links nowadays get shortened even when posted on websites.. It makes absolutely no sense.. .

So what is wrong anyway ?

• It hides the destination of the link
• It adds a layer of failability, now you depend on the url shortening service, if they go down or moderate/filter your link.. .
• There is a major leak of privacy
• The clicker generates statistics at the URL shortener's service
• The statistics are linked with the person who generated the URL and all the others that have followed the link

These statistics are available to whoever creates the link (you need to create an account generally for this function), there could be more things done with them. I am sure it can be quite interesting to see how a link gets propagated especially if you include IPs, User-Agents and most interesting maybe: the referrer (the site where the link was posted). I am sure with this kind of information you could map a viral movement of clicks a la Hans Rosling.. But as we all know, the Internet is power tool for marketing and the knowledge gained from these services will not benefit science nor the general public, au contraire.

So why ? Why do people use such things ? Even on those Twitter/Identi.ca type things I found that most links can actually fit and with room for a short description. I've even seen some privacy rights organisations who cannot restrain themselves from the urge to use such links, in emails and on their websites. Hello, it's like a vegetarian protesting in leather boots !

I am surprised to be writing this in 2010, I thought this obsession with having the shortest URL would have passed a few years ago.. . What next, maybe The Pirate Bay will start using Bit.ly as well ?

If you are in the petition signing mood today OR you just do not feel very comfortable with the idea with the government reading every email (the ones they actually can read of course) as well as all facebook transmissions (for those still using it) and other online communications (where possible).. . OR if you just feel like the money could be better spent on other matters.. then sign the Open Rights Groups petition.