The Ubuntu Shopping Lens and UK privacy law

It was almost two years ago that the infamous Shopping Lens feature was added to a beta preview of Ubuntu 12.10. Plenty of folk did not like the idea of having their Ubuntu suddenly transformed into an online shop; the inadvertently fashion in which the feature was announced only dumped more wood on the fire.

Throughout the following weeks the row focused on the awkward matching of unsolicited advertisements with free and open source software. In the meantime I started wondering if something far more serious could be at stake. Regarding previous experiences with data collection in my professional career and after carefully re-examining the European Directive on data privacy, I made public a series of concerns that lead me to a mini-saga, and Canonical to consider the matter in a totally different way.

Apart from some initial surprise, there was never much of a reaction from Canonical, at least publicly. I tried to engage the issue at the Ubuntu Forums, but my threads were persistently deleted or closed. I thus took the decision to trigger a formal investigation on the matter.

The first step in this process was the set up of a petition addressed at Canonical, essentially asking for the Shopping Lens to become an opt-in feature. This petition was in first place a gesture of good will and secondly a means for an entirely friendly resolution to mine (and many other users’) concerns. Providing this non conflictual avenue was an indispensable step before any formal investigation. The petition received some attention and would be eventually signed by 57 individuals. It was delivered to Canonical about one year ago; no sort of reply ever came through. But throughout this time Canonical was reacting, notably with the inclusion of a privacy policy notice in Ubuntu 13.04.

Absent a reply, and still feeling that the default activation of the Shopping Lens was not entirely conformal with the law, I decided to proceed with a formal complaint. This complaint could have been delivered at the data privacy office of any EU member state, but Canonical being seeded in the UK I opted for the Information Commissioner’s Office (IOC). It was not a straightforward process, requiring some insistence; eventually I would get notified of an investigation opening last December.

Nine months passed without any further information from the IOC. A few weeks ago I started preparing a complaint to submit in another member state, but it all came to an end with an e-mail from the IOC last week.

In essence, the ICO deems the various improvements introduced to the Shopping Lens during the past two years sufficient to render it conformal with the law. This reasoning also means that when it was first introduced, with Ubuntu 12.10, the feature was not legal. While my concerns were not fully acknowledge by the IOC, this latter fact makes this whole process well worthwhile. In spite of the conformance method, the law applies equally to open source software.

At The Edge Of Time: