Mise à jour de la base de données, veuillez patienter...

One of the major advantages of free software is that the community protects users from malicious software. Now Ubuntu GNU/Linux has become a counterexample. What should we do?

Proprietary software is associated with malicious treatment of the user: surveillance code, digital handcuffs (DRM or Digital Restrictions Management) to restrict users, and back doors that can do nasty things under remote control. Programs that do any of these things are malware and should be treated as such. Widely used examples include Windows, the iThings, and the Amazon "Kindle" product for virtual book burning, which do all three; Macintosh and the Playstation III which impose DRM; most portable phones, which do spying and have back doors; Adobe Flash Player, which does spying and enforces DRM; and plenty of apps for iThings and Android, which are guilty of one or more of these nasty practices.

Free software gives users a chance to protect themselves from malicious software behaviors. Even better, usually the community protects everyone, and most users don't have to move a muscle. Here's how.

Once in a while, users who know programming find that a free program has malicious code. Generally the next thing they do is release a corrected version of the program; with the four freedoms that define free software (see http://www.gnu.org/philosophy/free-sw.html), they are free to do this. This is called a "fork" of the program. Soon the community switches to the corrected fork, and the malicious version is rejected. The prospect of ignominious rejection is not very tempting; thus, most of the time, even those who are not stopped by their consciences and social pressure refrain from putting malfeatures in free software.

But not always. Ubuntu, a widely used and influential GNU/Linux distribution, has installed surveillance code. When the user searches her own local files for a string using the Ubuntu desktop, Ubuntu sends that string to one of Canonical's servers. (Canonical is the company that develops Ubuntu.)

This is just like the first surveillance practice I learned about in Windows. My late friend Fravia told me that when he searched for a string in the files of his Windows system, it sent a packet to some server, which was detected by his firewall. Given that first example I paid attention and learned about the propensity of "reputable" proprietary software to be malware. Perhaps it is no coincidence that Ubuntu sends the same information.

Ubuntu uses the information about searches to show the user ads to buy various things from Amazon. Amazon commits many wrongs (see http://stallman.org/amazon.html); by promoting Amazon, Canonical contributes to them. However, the ads are not the core of the problem. The main issue is the spying. Canonical says it does not tell Amazon who searched for what. However, it is just as bad for Canonical to collect your personal information as it would have been for Amazon to collect it.

People will certainly make a modified version of Ubuntu without this surveillance. In fact, several GNU/Linux distros are modified versions of Ubuntu. When those update to the latest Ubuntu as a base, I expect they will remove this. Canonical surely expects that too.

Most free software developers would abandon such a plan given the prospect of a mass switch to someone else's corrected version. But Canonical has not abandoned the Ubuntu spyware. Perhaps Canonical figures that the name "Ubuntu" has so much momentum and influence that it can avoid the usual consequences and get away with surveillance.

Canonical says this feature searches the Internet in other ways. Depending on the details, that might or might not make the problem bigger, but not smaller.

Ubuntu allows users to switch the surveillance off. Clearly Canonical thinks that many Ubuntu users will leave this setting in the default state (on). And many may do so, because it doesn't occur to them to try to do anything about it. Thus, the existence of that switch does not make the surveillance feature ok.

Even if it were disabled by default, the feature would still be dangerous: "opt in, once and for all" for a risky practice, where the risk varies depending on details, invites carelessness. To protect users' privacy, systems should make prudence easy: when a local search program has a network search feature, it should be up to the user to choose network search explicitly each time. This is easy: all it takes is to have separate buttons for network searches and local searches, as earlier versions of Ubuntu did. A network search feature should also inform the user clearly and concretely about who will get what personal information of hers, if and when she uses the feature.

If a sufficient part of our community's opinion leaders view this issue in personal terms only, if they switch the surveillance off for themselves and continue to promote Ubuntu, Canonical might get away with it. That would be a great loss to the free software community.

We who present free software as a defense against malware do not say it is a perfect defense. No perfect defense is known. We don't say the community will deter malware without fail. Thus, strictly speaking, the Ubuntu spyware example doesn't mean we have to eat our words.

But there's more at stake here than whether some of us have to eat some words. What's at stake is whether our community can effectively use the argument based on proprietary spyware. If we can only say, "free software won't spy on you, unless it's Ubuntu," that's much less powerful than saying, "free software won't spy on you."

It behooves us to give Canonical whatever rebuff is needed to make it stop this. Any excuse Canonical offers is inadequate; even if it used all the money it gets from Amazon to develop free software, that can hardly overcome what free software will lose if it ceases to offer an effective way to avoid abuse of the users.

If you ever recommend or redistribute GNU/Linux, please remove Ubuntu from the distros you recommend or redistribute. If its practice of installing and recommending nonfree software didn't convince you to stop, let this convince you. In your install fests, in your Software Freedom Day events, in your FLISOL events, don't install or recommend Ubuntu. Instead, tell people that Ubuntu is shunned for spying.

While you're at it, you can also tell them that Ubuntu contains nonfree programs and suggests other nonfree programs. (See http://www.gnu.org/distros/common-distros.html.) That will counteract the other form of negative influence that Ubuntu exerts in the free software community: legitimizing nonfree software.

Reference

Privacy in Ubuntu 12.10: Amazon Ads and Data Leaks by Micah Lee at the Electronic Frontier Foundation.

Copyright 2012 Richard Stallman
Released under the Creative Commons Attribution Noderivatives 3.0 license

This holiday season, support computer-user freedom by giving an FSF membership to your loved ones.

Are you already feeling tired and overwhelmed by the thought of having to figure out what to get the software user you love this holiday season? Concerned about spending money on yet another dust collector or future regift? Is "retail therapy" actually not that therapeutic for you? Are the myriads of consumer options generating a cloud of anxiety over your head? Free yourself from the consumer funk and this "paradox of choice" by opting to give your loved one a gift that will raise their social consciousness, create more lasting cheer, and defend computer-user rights: donate an FSF membership.

Membership support makes up the lion's share of the FSF's operating costs, and an FSF membership will help fund our work to defend and promote computer-users' freedom. Your gift recipient will receive a number of benefits: an ultra-slim USB membership card, the opportunity to take advantage of the FSF-member e-mail forwarding service, free attendance at the annual LibrePlanet conference, a 20 percent discount on FSF merchandise, the FSF's biannual bulletin, and discounts on training classes.

Giving a membership as a gift is easy: make a donation of $60 for a student membership, $120 for an associate membership, or any larger amount you wish, using the gift recipient's name. Please note: a thank-you e-mail will automatically be sent out to the e-mail address associated with the donation, and the welcome packet (including the USB member card and the bulletin), will be mailed to the mailing address you enter. If you wish to give the recipient the welcome packet yourself, and save the surprise for later, please enter your own e-mail address and your own mailing address. The addresses can always be updated later.

So, think about the conscientious techies on your gift list, and consider giving them a membership to the Free Software Foundation this holiday. It comes with tangible benefits and good karma.

FSF board member and former executive director Bradley Kuhn discusses the landmark copyright case of Oracle v. Google and what it does -- and doesn't -- mean for free software.

Back in the summer, there was a widely covered story about Judge Alsup's decision regarding copyrightablity in the Oracle v. Google case. Oracle has appealed the verdict so presumably this will enter the news again at some point. I'd been meaning to write a blog post about it since the original Alsup decision was released. The upside in my delay has been that I can respond to some of the comments that I've seen in the wake of decision's publication.

The most common confusion about Alsup's decision, in my view, comes from the imprecision of programmers' use of the term “API”. The API and the implementation of that API are different. Frankly, in the free software community, everyone always assumed APIs themselves weren't copyrightable. The whole idea of a clean-room implementation of something centers around the idea that the APIs aren't copyrighted. GNU itself depends on the fact that Unix's APIs weren't copyrighted; just the code that AT&T wrote to implement Unix was.

Those who oppose copyleft keep saying this decision eviscerates copyleft. I don't really see how it does. For all this time, free software advocates have always reimplemented proprietary APIs from scratch. Even copylefted projects like Wine depend on this, after all.

But, be careful here. Many developers use the phrase API to mean different things. Implementations of an API are still copyrightable, just like they always have been. Distribution of other people's code that implement APIs still requires their permission. What isn't copyrightable is general concepts like “to make things work, you need a function that returns an int and takes a string as an argument and that function must called Foo”.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 United States License.