Calamares unauthorised data leaking, ethics and EU data regulations

I have just been looking at installing lubuntu which uses calamares. The nice clean look of the installer and its ergonomic design impressed me. Some tasks, like partitioning, which are complex are clearly presented and easy to follow. Very nice to use.

However, one aspect I did not find too agreeable is the sneaky leaking of system configuration information. It seems that whenever a working network connection is found, certain system information is automatically sent to … well, who knows, since you do it behind our backs.

While I can see that having a database of hardware descriptions for target systems can be useful to a distro in targeting hardware support, the underhand way in which this is done behind the user’s back and without his knowledge and consent is not good.

Not only is this not in the spirit of the open source community and the social contract of distributions like Debian/Ubuntu, it is very likely illegal under the EU General Data Protection Regulations.

I would expect a dialogue box giving the user the option of transmitting his system data. A “details” option allowing him to review the contents being sent would probably encourage users to authorise what is being sent.

I do not expect to have to unplug my network before running an installation because I cannot trust the installer. This is NOT an encouraging way to start a new OS installation.

You may like to review how this is done and make it more honest and transparent.

For example?

I don’t understand what you mean. Please explain what is done.

Where exactly do you see a violation against the GDPR?

I’ll have to do another installation to get specifics, though I did see something which said it recorded and sent system h/w details to help the distro see what kind of machines it was getting installed on. It did not show what it was actually intending to send. It seems this may correspond to the tracking module of calamares (which is not activated by default upstream).

The next time I used the installer I pulled the network and it complained and warned that “certain features” may not work. It did continue and complete the installation.

I think it may be sniffing geo data to set default language and timezone. Since I did the original installation in France, it automatically set French keyb layout.

When I have time, I’ll try to do another installation if that is not specific enough for you to see what it refers to.

Where exactly do you see a violation against the GDPR?

Since it does not tell me what it is sending, I cannot know, but it is something that needs to be considered once in possession of actual data transmitted (allegedly) :wink:

OK, I think I must have seen the text I described here:

Calamares can be configured to do installation tracking. If it is, you will get a page in the installation process that asks you to enable installation tracking. If, and only if, you enable installation tracking, then Calamares will send information once only about your hardware to the server configured by the distribution.

This is used by distributions to count how often they are installed, and on what kinds of machines – which helps the distribution tailor its packages to the machines its users typically use.

When Calamares sends information about the hardware, it sends:

the make and model of your CPU
the amount of main memory
the total amount of attached disk

As part of sending this information, Calamares necessarily makes your IP address known to the receiving party.

Having had issues using the installer, I wanted to open a bug about the problems. I found out that lubuntu was using that as the installer, went to find out about it and read that. There is no mention of it being optional and not enabled, so I not unreasonably assumed it was part of lubuntu installation. That is pretty much what I recalled having seen about it, so I’m pretty sure that is the source rather than anything seen on screen during installation.

If that is not activated then there is no issue for lubuntu and I apologise for the (apparently) false assumption this feature was present.

Since it seems to have surprised everyone here, I guess you are not using this module, which is reassuring.

Just wanted to point out for everyone paying attention to this that the OP opened an issue against Calamares wherein it was confirmed Lubuntu does not use this tracking module but we do use calls against ipapi.co for localization purposes and against lubuntu.me to check for Internet connectivity.
