In the rare occasions that backdoors or spyware have been injected into a particular Linux distribution, the nature of the open source community is such that it has been discovered and patched quickly. But we're talking about clandestine operations here, such as a bad actor unrelated to the distribution getting access to the source tree and injecting their bad code in the mix.

But what if the distribution does this on purpose? What if, by hook or by crook, a popular, successful distro released a new version that contained code that exposed much more information to third parties than a user would like, while simultaneously claiming that it's a nonissue? Canonical has run right into this wall, and the collision has been ugly.

The latest Ubuntu 12.10 beta includes a new feature in the Unity Dash that incorporates Amazon searches. This might sound a little odd, but it was meant to be innocuous, even helpful to the user, while generating referral cash for Ubuntu. Essentially, when performing searches through the Dash, this new widget adds "More Suggestions" to the search results, using information gleaned by searching Amazon.com's vast online shopping catalog.

This means that if you're looking for an MP3 you purchased or ripped, you will be presented with the search matches from your local system, but also with matches from Amazon, such as a link to purchase that same MP3. While the need to query Amazon for every file system search is dubious at best, to the casual observer it may seem somewhat innocuous. It's just a search after all, and Canonical claims that it proxies all of the searches so that Amazon cannot link a specific user or IP address with the search terms or results. Again, that sounds like a nonissue.

The problem is that this was a bad idea backed up by horrible design and execution. Etienne Perot goes into deep detail on why this is so, but I'll summarize here.

When you use this new feature of the Dash, your query terms are sent to a server run by Canonical that then proxies the search to Amazon, which returns the results. However, none of those communications are encrypted; they're just plainly visible queries. Further, this is completely at odds with what Ubuntu founder Mark Shuttleworth says on the matter: "We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf." While some of the second part of his statement is true, the first is not. They are definitely passing your query terms on to Amazon; they're just masking the originating IP address.