Anonymize user and host name

Bug #192786 reported by Fred
Affects: apport (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Martin Pitt

Bug Description

Binary package hint: apport

Sometimes my applications crash (and people told me Linux was rock solid stable).

Then I get questioned whether I would like to send a bug report. Of course, I want to help, but now I won't send any bug reports with Apport.
Apport doesn't respect the privacy of its user. It can send personally identifiable information.

I don't want it to send my username. It doesn't need to know my username.

I am a businessman, and I was watching a gay porno, and listening to Spice Girls, and now my Totem Movie Player crashed.
And it sends away who I am, my username, and that I was watching a gay porno.

WTF?

Tags: privacy
Emilio Pozuelo Monfort (pochu) wrote :

With username information are you referring to your computer's user id, or that the bug report is submitted with your Launchpad credentials? If the latter, I'm not sure how we could change that to improve privacy, as we want users to be subscribed to bug reports so we can ask them questions such as how to reproduce the crash, for example.

If you mean the former, I don't remember seeing it, so please point us to a bug report which shows it. If the latter, how do you think we could solve the issue pointed above?

Changed in apport:
assignee: nobody → pochu
status: New → Incomplete
Fred (eldmannen+launchpad) wrote :

I am not talking about the Launchpad username.

I am talking about the computer's username of my Linux account. The name of my home directory.

So it is the former.
My Totem Media Player crashed, and Apport came up, and it asked me if I wanted to send a report, and it showed me what it would send.
And in what it would send, it said my Linux account username.

I think it could be solved by not sending personally identifiable data such as usernames, or replacing my username with 'ubuntu' or something.

s/$USER/ubuntu/g
s/$HOSTNAME/mycomputer/g

Fred (eldmannen+launchpad) wrote :

I started to use Linux because I want to get away from proprietary software such as Windows and spyware and big corporations who do privacy violation.

I came to Linux for freedom, anonymity, privacy, security, safety. I must have privacy!

Emilio Pozuelo Monfort (pochu) wrote :

We shouldn't report "ProcCwd" as it sometimes is the user home path (which will be /home/$user) and either not submit or change "Uname", as it will display the hostname. We could change it from "uname -a" to "uname -srvmo":

emilio@pochu:~$ uname -a
Linux pochu 2.6.24-8-generic #1 SMP Thu Feb 14 20:40:45 UTC 2008 i686 GNU/Linux
emilio@pochu:~$ uname -srvmo
Linux 2.6.24-8-generic #1 SMP Thu Feb 14 20:40:45 UTC 2008 i686 GNU/Linux

Importance High as this is about our users' privacy.

Changed in apport:
assignee: pochu → nobody
importance: Undecided → High
status: Incomplete → Triaged
Emilio Pozuelo Monfort (pochu) wrote :

For an example look at bug 190928 which has my username in ProcCwd and my hostname in Uname

Apport retracing service (apport) wrote :

We don't report it for bugs, but for crashes we do, because then we point out possible privacy issues, and show the report before sending it.

If you send core dumps, then these probably have your user name as well, but these get removed after post-processing in the retracers (and nobody can see the bug before, unless the retrace failed; but even in the latter case only a limited number of developers can see it, it's not public).

That said, it's possible to not add the hostname to Uname:, and do some easy string replacement on ProcCwd.

Changed in apport:
status: Triaged → In Progress
assignee: nobody → apport
Fred (eldmannen+launchpad) wrote :

Apport retracing service,
Well you shouldn't report usernames in crashes anyways.
Yeah, I can click "show report", then I see my username, but I can't remove it.
So I click the "Cancel, don't send report" button instead.

I got tons of crashes of applications. Would really like to help by providing feedback, but always pressed Cancel, because I didn't want my username and stuff there because that is private and none of anyone's business.

So please do some string replacement for ProcCwd and Uname.

Also why does the post-processing happen at the retracers (on your computer), why doesn't it happen on my computer?

I like to help out, but my privacy is more important. If I have to sacrifice my privacy in order to help, then no thanks.

Fred (eldmannen+launchpad) wrote :

*@*: -> username@hostname:

/home/*/ -> /home/username/

$USER -> username
$HOSTNAME -> hostname
$LOGNAME -> username

*@*.*[2-4] -> <email address hidden>

Martin Pitt (pitti)
Changed in apport:
assignee: apport → pitti
Martin Pitt (pitti) wrote :

Fred, sorry, I was temporarily logged in as "Apport retracing service" since I had to fix something in the retracers. These do not run on my computer, but in the Canonical data center.

If you are concerned about your privacy, then please by all means don't feel bad about not sending crashes.

If you wish, you can do the retracing on your computer as well. You can add the debug symbol apt repository

    deb http://ddebs.ubuntu.com/ hardy main restricted universe multiverse

to your apt sources, and then, when a crash happens, let apport collect information, and then cancel when it displays the report. You can install the package apport-retrace and use the apport-retrace tool to manually generate a symbolic stack trace, if you have enough bandwidth and some time. This tool has quite an extensive manpage which explains the operation.

The long-term plan is to integrate this retracing on the client side into the GUI, but it's not there yet (see bug 75901).

Martin Pitt (pitti) wrote :

Fixed in bzr head, will upload soon.

Changed in apport:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 0.103

---------------
apport (0.103) hardy; urgency=low

  * bin/apport-unpack: Print error messages instead of crashing for problems
    like nonexisting file names passed as arguments. (LP: #185273)
  * backends/packaging-apt-dpkg.py, is_distro_package(): Explicitly check site
    for "ppa", so that we do not automatically file bugs for PPA packages.
    This works around Soyuz bug LP #140412 for the time being.
  * apport/report.py: Add standard_title() test cases for Python crashes with
    a custom message, and a custom message with newlines. The latter
    reproduces LP #190947.
  * apport/report.py, standard_title(): Do not rely on a fixed position of the
    topmost function; use iteration and regular expression matching instead.
    (LP: #190947)
  * apport/ui.py, parse_argv(): Specify that --pid/-P argument must be an
    integer, to avoid exceptions when it's not. (LP: #193494)
  * apport/report.py: Use uname -srm, not -a, to hide the hostname. (part of
    LP #192786); also use os.uname() instead of calling the system program.
  * problem_report.py(): Make write() work for reports with CompressedValues.
    Add test case.
  * apport/ui.py: Add test case test_run_crash_anonymity() which asserts that
    the crash dump does not contain strings which can identify the user, such
    as the user name, login name, host name, and current directory.
  * apport/report.py: Add method anonymize() which replaces user specific
    strings with generic ones.
  * apport/ui.py, thread_collect_info(): Call anonymize() on the report.
    (LP: #192786)
  * bin/apport-retrace: Only update a bug report with new attachments if it is
    not a duplicate. (LP: #172792)
  * bin/apport-retrace: Print out proper error message instead of an exception
    if trying to do write operations to the bug tracker without specifying
    a cookie file. (LP: #146423)

 -- Martin Pitt <email address hidden> Mon, 25 Feb 2008 17:47:13 +0100

Changed in apport:
status: Fix Committed → Fix Released
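
The 0.103 changelog above mentions an anonymize() step, a hostname-free Uname, and a test that the report no longer contains identifying strings. The following is an added example of that approach, not apport's own code: it extends the plain s/$USER/.../ substitution suggested earlier in the thread with token boundaries, so that a short login name does not rewrite unrelated words. The function names, the "Note" field and all sample values are assumptions made for illustration.

```python
import re
from types import SimpleNamespace

def uname_srm(u):
    """Fields of `uname -srm`: sysname, release, machine. The nodename
    (hostname) printed by `uname -a` is left out. Pass os.uname() in real use."""
    return f"{u.sysname} {u.release} {u.machine}"

def _token_pattern(needles):
    # Longest first so "/home/al" wins over the bare name "al"; the lookarounds
    # keep a short login such as "al" from rewriting words like "fatal".
    needles = sorted({n for n in needles if n}, key=len, reverse=True)
    if not needles:
        raise ValueError("no identifiers given")
    alts = "|".join(re.escape(n) for n in needles)
    return re.compile(r"(?<![A-Za-z0-9])(" + alts + r")(?![A-Za-z0-9])")

def anonymize(report, user, hostname, home):
    """Return a copy of report with user-specific strings replaced by generic ones."""
    generic = {home: "/home/username", hostname: "hostname", user: "username"}
    pattern = _token_pattern(generic)
    # One pass with a callback: replacement text is never rescanned.
    return {k: pattern.sub(lambda m: generic[m.group(1)], v)
            for k, v in report.items()}

def leaking_fields(report, user, hostname, home):
    """Names of fields that still contain an identifying token."""
    pattern = _token_pattern([user, hostname, home])
    return sorted(k for k, v in report.items() if pattern.search(v))

# Constructed sample: ProcCwd and Uname are field names from the thread;
# the other fields and every value are made up for this example.
SAMPLE_UNAME = SimpleNamespace(sysname="Linux", nodename="box",
                               release="2.6.24-8-generic", machine="i686")
SAMPLE = {
    "ProcCwd": "/home/al/Videos",
    "ProcCmdline": "totem /home/al/Videos/clip.avi",
    "Note": "fatal error in session al@box",
    "Uname": uname_srm(SAMPLE_UNAME),
}

if __name__ == "__main__":
    print("before:", leaking_fields(SAMPLE, "al", "box", "/home/al"))
    clean = anonymize(SAMPLE, "al", "box", "/home/al")
    for key, value in clean.items():
        print(f"{key}: {value}")
    print("after:", leaking_fields(clean, "al", "box", "/home/al"))
```

Matching is case-sensitive and only covers the strings passed in; free-form fields such as file names in a command line can still identify a user and need a review of the report before it is sent.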
Fred (eldmannen+launchpad) wrote :

Martin Pitt,
It is important for me to be a productive member of the society and the Linux community who helps out and reports bugs.
But privacy is the most important, and it's an issue which needs to be taken seriously.
It would suck if Apport sent over my login name which is my real name, and the filename of the video that I watch which could be a gay-porno.
Or send over that it was me who wrote CIA_sponsored_UsamaBinLaden.pdf, or Microsoft_experiment_on_baby_fetuses.pdf, or Halliburton_war_profiteer.pdf or Blackwater_murder,_rape,_torture_in_Iraq.pdf or Yahoo_stock_scandal.pdf
Or that it is me who is the programmer of nuclear_silo_bruteforce.c or world_domination.py.
Or that I got the Google_revenue-report_2009_(preliminary).pdf or Lockheed_Martin_business-secrets.pdf

Launchpad Janitor,
Awesome that is fixed!
Can't wait until 0.103 hits the repositories! :)

tags: added: privacy