motd-news transmitting private hardware data without consent or knowledge in background

Bug #1867424 reported by mouse
This bug affects 7 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| base-files (Ubuntu) | Won't Fix | Undecided | Unassigned | |

Bug Description

In package base-files there is a script /etc/update-motd.d/50-motd-news that harvests private hardware data from the machine and transmits it in the background every day. There is no notice, no consent, no nothing. This should be by default disabled until there is informed consent.

The solution is simple:

1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and
2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.

Creating databases that map IP addresses to specific hardware is a threat to both privacy and security. If an adversary knows the specific hardware and the IP address for that hardware, their ability to successfully attack it is greatly increased.


Norbert (nrbrtx)
no longer affects: ubuntu-mate
tags: added: eoan focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in base-files (Ubuntu):
status: New → Confirmed
tags: added: bionic cosmic disco
Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

This ticket should be updated to Security issue +250 points

I highly doubt that this Motd News "feature" is compliant with the EU's General Data Protection Regulation, since daily reporting of the computer's info is processed without the user's consent. Cf. GDPR application comments [https://gdpr.eu/eu-gdpr-personal-data/], in particular with respect to Recital 30 [https://gdpr.eu/recital-30-online-identifiers-for-profiling-and-identification/]

Internet protocol (IP) addresses; information that is related to an individual’s tools, applications, or devices, like their computer.

Daily report of the computer's private info without the user's consent

It affects Ubuntu Server and Desktop (including roaming computers like laptops)
since at least 18.04 LTS and also the current 20.04 LTS

Sensitive data sent
- IP address of the computer running Ubuntu
- Date of the HTTPS query
- Kernel version
- CPU vendor and model
- Uptime
- Cloud identifier
- Version of curl, hence the version of Ubuntu running ...

$curl_ver $lsb $platform $cpu $uptime $cloud_id

Sample from our PC Engines running Ubuntu 18.04 LTS:
```
curl/7.58.0-2ubuntu3.8 GNU/Linux/4.15.0-101-generic/x86_64 AMD/GX-412TC/SOC uptime/692518.54/2755023.47 cloud_id/unknown
```

https://motd.ubuntu.com/
```
 * MicroK8s gets a native Windows installer and command-line integration.

     https://ubuntu.com/blog/microk8s-installers-windows-and-macos
```

The perfect opportunity to map all Ubuntu Linux users worldwide on a daily basis?

https://gdpr.eu/eu-gdpr-personal-data/
https://gdpr.eu/checklist/

See also
https://askubuntu.com/questions/1105825/why-lubuntu-18-04-calls-amazon-servers-motd-ubuntu-com

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Anyone privacy-conscious using any version of Ubuntu should do this in a shell ASAP

```
sudo sed -i -r 's/(ENABLED)=.+/\1=0/' /etc/default/motd-news
```

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Thanks, security-conscious Dustin Kirkland, for this great bash script
("I've insisted on shell here for transparency! - Dustin ")
and other contributions like NSA's SELinux or security-sensitive
software like Pollinate (Entropy-as-a-Service in the cloud) via
https://entropy.ubuntu.com

Packing so much sensitive info inside the User-Agent sent daily by default
from all Ubuntu systems to https://motd.ubuntu.com is brilliant!

less /etc/update-motd.d/50-motd-news
```
# 50-motd-news - print the live news from the Ubuntu wire
# Copyright (C) 2016-2017 Canonical Ltd.
# Copyright (C) 2016-2017 Dustin Kirkland

##############################################################################
# This program could be rewritten in C or Golang for faster performance.
# Or it could be rewritten in Python or another higher level language
# for more modularity.
# However, I've insisted on shell here for transparency!
# - Dustin
##############################################################################

# Curl browser version, for debug purposes
curl_ver="$(dpkg -l curl | awk '$1 == "ii" { print($3); exit(0); }')"

# Distribution version, for messages related to this Ubuntu release
. /etc/lsb-release
lsb=$(echo "$DISTRIB_DESCRIPTION" | sed -e "s/ /\//g")
codename="$DISTRIB_CODENAME"

# Kernel version and CPU type, for messages related to a particular revision or hardware
platform="$(uname -o)/$(uname -r)/$(uname -m)"
arch="$(uname -m)"
cpu="$(grep -m1 "^model name" /proc/cpuinfo | sed -e "s/.*: //" -e "s:\s\+:/:g")"
cloud_id="unknown"
if [ -x /usr/bin/cloud-id ]; then
    /usr/bin/cloud-id > "$CLOUD" 2>/dev/null
    if [ $? -eq 0 ]; then
        # sanitize it a bit, just in case
        cloud_id=$(cut -c -40 "${CLOUD}" | tr -c -d '[:alnum:]')
        if [ -z "${cloud_id}" ]; then
            cloud_id="unknown"
        fi
    fi
fi

# Some messages may only be pertinent before or after some amount of uptime
read up idle < /proc/uptime
uptime="uptime/$up/$idle"

# Piece together the user agent
USER_AGENT="curl/$curl_ver $lsb $platform $cpu $uptime cloud_id/$cloud_id"

...

        # Fetch and print the news motd
        if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" -o- "$u" >"$NEWS" 2>"$ERR"; then

```
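The User-Agent layout assembled above is what a defender sees in a TLS-terminating egress proxy when a fleet beacons to motd.ubuntu.com. The following added example (not code from the thread or from base-files) parses that curl-era layout back into the fields the script collects, scans constructed proxy log lines for beacons, and reads the ENABLED setting of an /etc/default/motd-news style file (the opt-out from the earlier comment); the log layout, function names and sample values are assumptions.

```python
"""Decode motd-news beacons from egress logs and check the opt-out setting.

Added example, not code from the Launchpad thread or the base-files package.
It parses the curl-era User-Agent that 50-motd-news assembles:

    curl/$curl_ver $lsb $platform $cpu $uptime cloud_id/$cloud_id

so a defender can see which hosts beacon to motd.ubuntu.com and what each
beacon reveals. Log lines and host values below are constructed; the proxy
log layout is an assumption (a TLS-terminating proxy is needed to see the
User-Agent at all, since the beacon goes out over HTTPS).
"""
import re
from typing import Dict, Iterable, List, Optional

# $lsb may be empty (no /etc/lsb-release) or glued to $platform when a space
# was lost, so it is matched lazily up to the literal "GNU/Linux/" (uname -o).
UA_RE = re.compile(
    r"^curl/(?P<curl_ver>\S+)\s*"
    r"(?P<lsb>.*?)\s*"
    r"(?P<platform>GNU/Linux/\S+)\s+"
    r"(?P<cpu>.*?)\s+"
    r"uptime/(?P<up>[0-9.]+)/(?P<idle>[0-9.]+)\s+"
    r"cloud_id/(?P<cloud_id>\S+)$"
)

# Constructed proxy log layout: time client method host/path "user-agent".
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) \S+ (?P<host>\S+) "(?P<ua>[^"]*)"$')


def parse_motd_user_agent(ua: str) -> Optional[Dict[str, object]]:
    """Split a motd-news User-Agent into the fields the script collects.

    Returns None when the string is not a motd-news beacon.
    """
    m = UA_RE.match(ua.strip())
    if m is None:
        return None
    platform = m.group("platform").split("/")  # GNU/Linux/<release>/<machine>
    return {
        "curl_ver": m.group("curl_ver"),
        "distribution": m.group("lsb") or "unknown",
        "kernel": platform[2] if len(platform) > 2 else "unknown",
        "arch": platform[3] if len(platform) > 3 else "unknown",
        # the script replaced whitespace in "model name" with "/"; undo that
        "cpu": m.group("cpu").replace("/", " "),
        "uptime_s": float(m.group("up")),
        "idle_s": float(m.group("idle")),
        "cloud_id": m.group("cloud_id"),
    }


def find_motd_beacons(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose User-Agent is a motd-news beacon."""
    beacons = []
    for line in lines:
        lm = LOG_RE.match(line)
        if lm is None:
            continue
        fields = parse_motd_user_agent(lm.group("ua"))
        if fields is None:
            continue
        beacons.append({"ts": lm.group("ts"), "src": lm.group("src"),
                        "host": lm.group("host"), **fields})
    return beacons


def motd_news_enabled(config_text: str) -> Optional[bool]:
    """Effective ENABLED value of an /etc/default/motd-news style file.

    The file is sourced by the shell, so the last uncommented assignment wins
    and quotes are tolerated. Returns None if no ENABLED line is present.
    """
    value = None
    for raw in config_text.splitlines():
        m = re.match(r'^ENABLED=["\']?([^"\'\s#]*)', raw.strip())
        if m:
            value = m.group(1)
    return None if value is None else value == "1"


# Constructed sample log: two beacons (one from a cloud host with an empty
# $lsb), one ordinary browser request and one malformed line.
SAMPLE_LOG = [
    '2020-06-05T12:00:01Z 10.0.0.12 GET motd.ubuntu.com/focal/x86_64 '
    '"curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/5.4.0-33-generic/x86_64 '
    'Intel(R)/Core(TM)/i7-8550U/CPU/@/1.80GHz uptime/70.55/921.20 cloud_id/unknown"',
    '2020-06-05T12:00:02Z 10.0.0.40 GET motd.ubuntu.com/bionic/x86_64 '
    '"curl/7.58.0-2ubuntu3.8 GNU/Linux/4.15.0-101-generic/x86_64 '
    'AMD/GX-412TC/SOC uptime/692518.54/2755023.47 cloud_id/aws"',
    '2020-06-05T12:00:03Z 10.0.0.12 GET ubuntu.com/ "Mozilla/5.0 (X11; Linux x86_64)"',
    'garbage line that does not match the log layout',
]

if __name__ == "__main__":
    for b in find_motd_beacons(SAMPLE_LOG):
        print(f'{b["ts"]} {b["src"]} -> {b["host"]}: kernel={b["kernel"]} '
              f'cpu="{b["cpu"]}" cloud={b["cloud_id"]} uptime={b["uptime_s"]}s')
    print("ENABLED=1 effective:", motd_news_enabled('ENABLED=1\nENABLED="0"\n'))
```

The thread later notes that Ubuntu switched the fetch from curl to wget, so the regex above only covers the curl-era layout shown in this comment.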

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Part of the base OS ... resistance is futile

```
dpkg -L base-files | grep motd-news
/etc/default/motd-news
/etc/update-motd.d/50-motd-news
/lib/systemd/system/motd-news.service
/lib/systemd/system/motd-news.timer
```

```
sudo grep news /var/log/syslog
Jun 4 04:44:22 mbx 50-motd-news[94986]: * MicroK8s gets a native Windows installer and command-line integration.
Jun 4 04:44:22 mbx 50-motd-news[94986]: https://ubuntu.com/blog/microk8s-installers-windows-and-macos
Jun 4 04:44:22 mbx systemd[1]: motd-news.service: Succeeded.
Jun 4 08:57:00 mbx systemd[1]: motd-news.timer: Succeeded.
```

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Please give the Message of the Day (MOTD) every time I get online on the Internet
or I reboot my Ubuntu computer ...

Hold on, connecting to Amazon Cloud (Amazon Data Services) motd.ubuntu.com ...

Your message of the day is

Building Trust is Hard, Breaking Trust is Easy

In exchange, please give me your User-Agent with all your private information
so I know who you are (IP, Ubuntu Cloud ID, Linux kernel version, curl version, etc.)

```
GET /bionic/x86_64 HTTP/1.1
Host: motd.ubuntu.com
User-Agent: curl/7.58.0-2ubuntu3.8 Ubuntu/18.04.3/LTSGNU/Linux/4.15.0-72-generic
            /x86_64 Intel(R)/Core(TM)/i5-8500B/CPU/@/3.00GHz uptime/108266.13/21
            2047.71 cloud_id/unknown
Accept: */*
```

https://ma.ttias.be/what-exactly-being-sent-ubuntu-motd/

```
[Unit]
Description=Message of the Day
After=network-online.target
Documentation=man:update-motd(8)

[Service]
Type=oneshot
ExecStart=/etc/update-motd.d/50-motd-news --force
```

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Thanks Canonical for this great telemetry masterpiece
hidden in a daily "News" (Message of the Day) deep inside
the core of Ubuntu.

I found it active on all the Ubuntu laptops of my friends
and coworkers, all Ubuntu servers from the local ISP and my
work, as well as on all Ubuntu flavours and Ubuntu-derived
Linux distros.

It is also present in cloud-init images of major cloud providers,
and all Docker images from the Docker Registry based on Ubuntu.

What a (s)hell for transparency!

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

This is more than just telemetry, it is a Trojan in the Ubuntu distro.

A remote code-execution (RCE) vulnerability
in all Ubuntu systems of the world! Why?

Simple

curl is launched as root (not the best practice!),
and the Ubuntu distro fetches https://motd.ubuntu.com multiple times per day.
If someone (like a 3-letter or 4-letter agency) controls this Amazon web server,
knowing the version of curl (provided by the script), they could exploit any
known local vulnerability present in curl or use a curl zero day and would have
"root" access to any Ubuntu server, desktop or laptop in the world!

Proof of Concept

Add the following before the for loop calling curl in /etc/update-motd.d/50-motd-news

```
date +'%Y-%m-%d %H:%M:%S' >> /tmp/test
whoami >> /tmp/test
echo $USER_AGENT >> /tmp/test
```

wait 12 hours... or 12:00 / 00:00 or reboot

```
cat /tmp/test

2020-06-05 12:00:00
root
curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/**********-generic/x86_64 Intel(R)/Core(TM)/i7-******/CPU/@/*****GHz uptime/70.55/921.20 cloud_id/unknown
```

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

motd-news is present in Nvidia Jetson Nano (derived from Ubuntu)
and Ubuntu for Raspberry Pi. It is enabled by default and also calling home
to Ubuntu via Amazon Cloud.

motd-news is also present in Ubuntu Core 18 for embedded systems (like Tesla Car)
but unlike Ubuntu Server and Desktop Distro it is not enabled by default.
I don't have a Tesla car to verify if it is enabled or not.

```
unxz ubuntu-core-18-amd64.img.xz
sudo mount -o loop,offset=$((106496*512)) ubuntu-core-18-amd64.img /mnt/
sudo unsquashfs -d /tmp/core18 /mnt/system-data/var/lib/snapd/seed/snaps/core18_1668.snap
/tmp/core18/etc/default/motd-news
/tmp/core18/etc/update-motd.d/50-motd-news
/tmp/core18/lib/systemd/system/timers.target.wants/motd-news.timer
/tmp/core18/var/lib/systemd/deb-systemd-helper-enabled/motd-news.timer.dsh-also
/tmp/core18/var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/motd-news.timer

sudo grep ENABLED /tmp/core18/etc/default/motd-news
ENABLED=0
```

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

The original request for motd-news came from Dustin Kirkland on 2016-10-30

https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1637800

tags: added: rls-ff-incoming
Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

I recommend the following action points to restore a bit of trust in the Ubuntu product
after the introduction of motd-news by Dustin Kirkland (ex-VP Product at Canonical)

- Run all motd scripts including motd-news AND curl as a non-privileged account -- not as root

- Move the motd-news functionality from base-files to a removable package called motd-news

- Set ENABLED to 0 by default on all Ubuntu distros or at least ask for the user's consent
  (during install and later with cloud-init)

- Remove private information from the User-Agent (uptime, kernel version, curl version, type of cloud) and stop using HTTPS headers such as User-Agent as a proxy to exfiltrate sensitive info from Ubuntu

- Make the code behind https://motd.ubuntu.com auditable, signed and open source

- Check the logs of https://motd.ubuntu.com to see if it has been compromised in the last 3 years; if it is the case, report it so people can reinstall their Ubuntu Server, Desktop, Laptop to restore trust

Currently Ubuntu users are trapped, as they can only disable motd-news but not uninstall it,
and any software update of base-files could bring back the security issue.

Anyone who has access to motd.ubuntu.com (or via DNS + MITM) could in theory execute code on any Ubuntu system if a serious vulnerability in curl has been found or if the user did not update curl.

Running curl as root and reporting the curl version and the kernel version gives all the information needed to implement a persistent backdoor in any Ubuntu system worldwide.

```
sudo apt-get purge base-files

WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  base-files bash
0 upgraded, 0 newly installed, 5 to remove and 26 not upgraded.
After this operation, 4,525 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
 ?]
```

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

I don't think it was a safe decision to link the security of the Ubuntu
base OS to curl running as root every 12 hours via motd-news just
to display ads for products and not important security messages
like suggested in the original ticket (1637800).

Just imagine the consequences of https://motd.ubuntu.com being compromised
and starting to redirect to a TFTP URL, sending private memory contents
from the root account every 12 hours, or of curl having a new vulnerability
such as a buffer overflow discovered automatically by Google's OSS-Fuzz
and not yet patched within 30 days by the curl maintainers or by the
Ubuntu Security Team.

https://curl.haxx.se/docs/CVE-2017-1000100.html

A malicious HTTP(S) server could redirect a vulnerable libcurl-using client
to a crafted TFTP URL (if the client hasn't restricted which protocols it
allows redirects to) and trick it to send private memory contents to a
remote server over UDP.

https://bugs.chromium.org/p/oss-fuzz/issues/list?q=curl&can=1&sort=-reported

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

The usage of motd-news as an advertising medium for Canonical products is well documented.
Now we need to know if Canonical shares the crafted User-Agent with sensitive info in it with third parties and uses it for telemetry like Microsoft Windows 10.

Sample output of motd-news, mirrored in both the login prompt via motd and syslog

- MicroK8s gets a native Windows installer and command-line integration.
  https://ubuntu.com/blog/microk8s-installers-windows-and-macos

- How HBO's Silicon Valley built "Not Hotdog" with mobile TensorFlow, Keras & React Native on Ubuntu

- Overheard at KubeCon: "microk8s.status just blew my mind".
  https://microk8s.io/docs/commands#microk8s.status

https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

All messages received over a year (Ubuntu 18.04):

* Congrats to the Kubernetes community on 1.16 beta 1! Now available
* Kata Containers are now fully integrated in Charmed Kubernetes 1.16!
* Keen to learn Istio? It's included in the single-package MicroK8s.
* Kubernetes 1.18 GA is now available! See https://microk8s.io for docs or
* Latest Kubernetes 1.18 beta is now available for your laptop, NUC, cloud
* MicroK8s 1.15 is out! It has already been installed on more
* MicroK8s 1.15 is out! Thanks to all 40 contributors, you get the latest
* MicroK8s passes 9 million downloads. Thank you to all our contributors!
* Multipass 1.0 is out! Get Ubuntu VMs on demand on your Linux, Windows or
* Multipass 1.1 adds proxy support for developers behind enterprise
* Overheard at KubeCon: "microk8s.status just blew my mind".
* 'snap info' now shows the freshness of each channel.
* Ubuntu 20.04 LTS is out, raising the bar on performance, security,
* Ubuntu's Kubernetes 1.14 distributions can bypass Docker and use containerd

None of them are about security and none of them are customized
using uptime, Ubuntu version, kernel version, curl version, IP, ...

Why pack all this into the User-Agent, which can be linked to the public IP every 12 hours?

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Privacy:

Ubuntu users don't have the opportunity to opt out from motd-news before all the private info
and telemetry are sent via the User-Agent. So even if people change ENABLED=1 to ENABLED=0
in /etc/default/motd-news they only stop future leaks, but the initial leak has already been
done in the background after boot via the systemd motd-news service.

I repeat, this doesn't look GDPR-compliant at all. There is no prior consent ever asked for.
The GDPR was adopted on 14 April 2016, and became enforceable beginning 25 May 2018.

motd-news was designed in 2017 and is enabled by default on all Ubuntu Server,
Ubuntu Desktop, Ubuntu flavors (such as Mate, Raspberry), and Ubuntu derivatives such as Nvidia Jetson Nano
without prior consent.

Security:

Running curl as root every 12h, are you serious?

Revision history for this message
Richard Harding (rharding) wrote :

Thank you for taking the time to report this issue. As you note, this is a long-standing feature of Ubuntu that Canonical leverages to help understand our user base and improve and prioritize work that makes Ubuntu better for all. I can assure you that all information is GDPR compliant and that we implement all policies as far as accessing any such data. For example, as the manager of the Ubuntu Server team, I’ve never seen the IP address of any Ubuntu user and am unable to map the installs out there.

As you note, this feature was done transparently, with clear documentation, and is trivial to disable if anyone is uncomfortable. I am marking this bug as “Won’t Fix” as it’s a design decision, and while there are some that do not agree with it and I respect those feelings, it’s also not something we’re currently planning on changing. This allows us to make Ubuntu better for everyone and make sure that we’re doing the best that we can. Thanks.

Changed in base-files (Ubuntu):
status: Confirmed → Won't Fix
Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Maybe as manager of the Ubuntu Server team, you should ask to improve the motd-news software
so it does not run curl as root.

You should also improve the Landscape and Landscape On-Premises level of access so that any user
cannot list all processes, reboot any server or execute shell scripts as root.

Good luck, I think we are done with Ubuntu.

Revision history for this message
Joao Matos (c-joao) wrote :

Well, it is disappointing that you chose to close this as "won't fix".

As pointed out in the initial bug report, this "feature" is implemented without notice or consent.
In other words, and to rephrase, this was done transparently in a hidden way. Which is, to say the least, not corresponding to standard usage and best practices, let alone the security aspect of running it as root.

This is definitely not very reassuring for users who are left with the suspicion, confirmed by the manager of the Ubuntu Server team, that Ubuntu is comfortable implementing (and might implement in the future) this kind of "feature" and data collection without further notice or consent from the users.

As professional users we already have our share of burden to protect our assets from all kinds of threats; being obliged to add the base OS to that list leaves us with no other choice but to reconsider Ubuntu as an (un)trusted provider. Sad.

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

By the current design, you don't give a choice to the Ubuntu users, as they cannot opt out BEFORE
the laptop or server contacts motd.ubuntu.com sending the telemetry. By implementing it as an
essential package, you don't let the user remove it but only disable it when it is too late.

The same applies to Landscape: you don't give a choice to disable some dangerous features
like executing very powerful scripts, listing all processes, etc. This is why we decided to stop
using Landscape (both in the cloud and on premises).

It will be your responsibility as Ubuntu Server manager if motd.ubuntu.com gets compromised
and motd-news is exploited because it runs curl as root, and all Ubuntu servers could get
compromised at the same time within 12 hours.

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

And don't tell me that the fact that Canonical uses motd as telemetry was done transparently,
with clear documentation... most users complain only about the advertising but don't realize
that motd-news is used as a telemetry tool that appears to serve an advertising / news purpose,
nor the risk of the bad design decision of running curl as root.

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Best practices by Dustin Kirkland
https://manpages.ubuntu.com/manpages/focal/en/man5/update-motd.5.html

- No mention of curl running as root
- No mention of the exfiltration of private data done via User-Agent
- No mention of the novel concept of advertising via motd
- No mention of using motd-news as telemetry
- No mention that motd-news is part of core Ubuntu "base-files" and cannot be removed

Feel free to guide me to the correct info on your website or update your documentation.

Additional discussions on Twitter
https://twitter.com/lusis/status/880446088083329024
https://twitter.com/astarrb/status/880170781841514496
https://twitter.com/lelff/status/1210619413885575168
https://twitter.com/hessu/status/1269994718018056199
https://twitter.com/nikitonsky/status/1073714951104184320
https://twitter.com/wamdamdam/status/1044197012353298433
https://twitter.com/marcodavids/status/1245054456955314178
...

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

I have decided to contact the ICO (Information Commissioner's Office).

Because Canonical Ltd. has handled my personal information
(IP address, hardware CPU, choice of cloud hosting, and various metadata)
and that of the company I work for without consent.

The same applies to all users of Ubuntu (persons, companies, governments)
worldwide on a daily basis.

By collecting twice a day the following information:

- The public IP address where the Ubuntu system is used (part of the log of the HTTPS server)
- Date / time when collected (part of the log of the HTTPS server)
- Hardware info such as CPU vendor and model (via /proc/cpuinfo)
- The distribution version (via /etc/lsb-release)
- The operating system (via uname -o)
- The Linux kernel release (via uname -r)
- The computer architecture aka machine hardware name (via uname -m)
- Cloud hosting: cloud identifier such as aws, gce, azure, lxd (via cloud-id, part of cloud-init)
- Total number of seconds the system has been up (via /proc/uptime)
- The sum of how much time each core has spent idle in seconds (via /proc/uptime)
- Version of the curl software (launched as root, which is a bad IT practice and a security risk)

On top of that, by making motd-news unremovable in the core of Ubuntu's base-files
(like it was the case for Internet Explorer in Windows or the telemetry in Windows 10),
they enforce the telemetry before you can disable it or opt out from it.

Feel free to file your own complaint or contact your local information commissioner,
as this ticket is marked as Won't Fix by the manager of the Ubuntu Server team.

https://ico.org.uk/make-a-complaint/your-personal-information-concerns/personal-information-complaint/

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

I will first contact the Data Protection Officer (DPO) of Canonical Group Limited
<email address hidden>

https://ubuntu.com/legal/data-privacy

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

FYI Canonical's legal department is reviewing the motd-news "feature" (such as telemetry)
and will provide updated information next week.

All motd-news related tickets

https://bugs.launchpad.net/ubuntu/+source/base-files/+bugs?field.searchtext=motd-news&orderby=-datecreated&search=Search&field.status%3Alist=NEW&field.status%3Alist=OPINION&field.status%3Alist=INVALID&field.status%3Alist=WONTFIX&field.status%3Alist=EXPIRED&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE

"Canonical has launched the Ubuntu Appliance initiative which aims to transform Raspberry Pi devices or personal computers into secure, self-updating solutions" (source 9to5linux). I checked nextcloud-core18-pi.img (and core18_1753.snap), motd-news is still present but turned off by default -- Good! ENABLED=0 in the file /etc/default/motd-news. I hope Canonical will apply "Secure by design" motto to the rest of Ubuntu products https://ubuntu.com/appliance

Revision history for this message
Zachary Fouts (zfouts) wrote :

I too would like to see this fixed. I initially reported something very similar in https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068 back in 2017.

This is unacceptable, especially for EU users. It needs to be an option to opt in at install time. By default I believe this should be opted out.

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

No updates from Canonical's legal department

"A picture is worth a thousand words"

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

https://news.softpedia.com/news/canonical-under-fire-for-putting-ads-in-the-ubuntu-motd-530372.shtml

Articles like "Canonical Under Fire for Putting Ads in the Ubuntu MOTD"
miss the point that motd-news is not only displaying advertising in the login prompt but is a privacy nightmare, because it has a hidden telemetry feature which is enabled by default without consent and leaks the IP address and system-critical information (kernel version, uptime, CPU vendor, CPU model, idle time) every 12 hours via the User-Agent from curl on all Ubuntu Desktop and Ubuntu Server systems, including the current version of Ubuntu.

On top of that, motd-news is also a security nightmare, as it runs curl as root, which can be exploited to gain root on any server, laptop, etc.

I recommend that all Ubuntu users open a Terminal and execute the following

```
sudo sed -i -r 's/(ENABLED)=.+/\1=0/' /etc/default/motd-news
sudo apt-get -qq -y purge curl
```

N.B. curl is not installed if you explicitly select Ubuntu Minimal during the installation of Ubuntu Desktop, so motd-news cannot contact motd.ubuntu.com without curl even if ENABLED=1 by default

GDPR: the EU's General Data Protection Regulation; daily reporting of the computer's info is processed without the user's consent. Cf. GDPR application comments [https://gdpr.eu/eu-gdpr-personal-data/], in particular with respect to Recital 30 [https://gdpr.eu/recital-30-online-identifiers-for-profiling-and-identification/]

Internet protocol (IP) addresses; information that is related to an individual’s tools, applications, or devices, like their computer.

Canonical Ltd. has handled my personal information without consent.
By collecting twice a day the following information:

- The public IP address where the Ubuntu system is used (part of the log of the HTTPS server)
- Date / time when collected (part of the log of the HTTPS server)
- Hardware info such as CPU vendor and model (via /proc/cpuinfo)
- The distribution version (via /etc/lsb-release)
- The operating system (via uname -o)
- The Linux kernel release (via uname -r)
- The computer architecture aka machine hardware name (via uname -m)
- Cloud hosting: cloud identifier such as aws, gce, azure, lxd (via cloud-id, part of cloud-init)
- Total number of seconds the system has been up (via /proc/uptime)
- The sum of how much time each core has spent idle in seconds (via /proc/uptime)
- Version of the curl software (launched as root, which is a bad IT practice and a security risk)

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

https://ico.org.uk/make-a-complaint/your-personal-information-concerns/

To: ICO

Dear Information Commissioner’s Office,

I confirm that I want to proceed with the creation of the case about
Canonical's motd-news, as Canonical doesn't want to remediate the privacy
issue of sending by default hardware details and the public IP of all
Ubuntu Desktop and Ubuntu Server systems twice a day, every day of the year.

Next to this message, you will find the final answer from Canonical.

https://ubuntu.com/legal/motd

The following are my comments on their legal information.

"The purpose of sending the system information is so that Canonical can tailor the message returned by https://motd.canonical.com."

This is wrong: motd.canonical.com does not exist and is part of motd-news.
The server used by Ubuntu is https://motd.ubuntu.com

```
lynx -mime_header https://motd.canonical.com

Looking up motd.canonical.com
Unable to locate remote host motd.canonical.com.
Alert!: Unable to connect to remote host.
```

The evidence is part of the Ticket
https://launchpadlibrarian.net/487032881/ubuntu-desktop-2004-motd-news.png

"None of this data can be used to identify a machine or user."

"Along with this data, the IP address and other network information is transmitted to facilitate communication on the internet from the Ubuntu machine to Canonical. This information is not stored by Canonical."

This is wrong, as Canonical is using Apache and the default is to store
the IP address in the access log

https://httpd.apache.org/docs/current/logs.html

Common Log Format, %h:

"This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. However, this configuration is not recommended since it can significantly slow the server. Instead, it is best to use a log post-processor such as logresolve to determine the hostnames. The IP address reported here is not necessarily the address of the machine at which the user is sitting. If a proxy server exists between the user and the server, this address will be the address of the proxy, rather than the originating machine."

```
lynx -mime_header https://motd.ubuntu.com

HTTP/1.1 200 OK
Date: Mon, 13 Jul 2020 06:05:38 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Mon, 13 Jul 2020 06:00:50 GMT
Accept-Ranges: bytes
Content-Length: 215
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain

 * "If you've been waiting for the perfect Kubernetes dev solution for
   macOS, the wait is over. Learn how to install Microk8s on macOS."

   https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/
```

"You can disable this service as follows:"
"/etc/default/motd-news has an ENABLED=1 setting that if set to 0 will turn off this functionality."

I assume 80% of Ubuntu Desktop users will not know how to disable motd-news
because they need a Terminal and sudo access. A regular editor running as
the default user will not allow editing this file as superuser. So this doc
is useless.

On top of that, Canonical sends the motd-news information before
the user can even opt out during the installation of Ubuntu Desktop
...


Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

From my point of view, it's NOT enough to implement a legal notice https://ubuntu.com/legal/motd with technical errors, and it is not possible to verify that Canonical does not store the IP address of Ubuntu users in the Apache log (the default) and/or a database without an external auditor (PwC, EY, KPMG, etc.).

Nothing has been done regarding the consent of the user.

I expect one of the following two options to be implemented by Canonical.

(A)

Ask for consent during the installation of the Ubuntu operating system and before sharing my personal information via the motd-news software used for telemetry, tracking and advertising purposes instead of providing meaningful "security messages or other news" on a daily basis.

(B)

Or disable it by default via ENABLED=0 in the file /etc/default/motd-news, move the motd-news software outside the "base-files" package and make it user-removable.

If Canonical doesn't take data protection seriously by implementing technical measures, such as not calling motd-news during installation and afterwards automatically without consent, and implementing an easy way to opt out for people without technical knowledge of the Linux shell, then the ICO will need to evaluate Canonical's choice of enforcing telemetry hidden in motd-news's User-Agent without asking for user consent and not respecting the "No, don't send system info" choice of the user during the installation wizard, sending beacons with the IP address and system info twice a day, every day, from all Ubuntu Desktop and Ubuntu Server installations worldwide.

Revision history for this message
B. (b-deactivatedaccount-deactivatedaccount) wrote :

Ubuntu decided to remove uptime from motd-news' data leak (exfiltration) via User-Agent:, move the /etc/default/motd-news conffile to the motd-news-config package and switch from curl to wget.

Remove uptime from the motd-news user agent
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1886572

motd-news: use wget instead of curl
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1888572
-- I hope they will stop launching it as root as well
see https://github.com/curl/curl/issues/5557

Split motd-news config into a new package
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1888575

To Be
Continued --->
