Monday, February 08, 2021

When techies have no clue: Raspberry Pi phones home to Microsoft.

 Yes friends, Raspberry Pi. That thing you love that you thought was safe from the eeeeviles of Big Tech surveillance and Silicon Valley fuckery? Well, no. Not so much.

The latest update installs a Microsoft apt repository on any machine running Raspberry Pi OS, and does it without any admin consent. As discovered by Reddit user fortysix_n_2, the official reason is an endorsement of Microsoft's integrated development environment (IDE), Visual Studio Code (VSCode), which is fine and dandy. However, it's claimed this even gets installed on headless devices that used a light image without a GUI. As a result, every time you do an "apt update" on your Pi device, the OS pings Microsoft.

"By having this repo, every time an install of Raspberry Pi OS is updated it will ping a Microsoft server. Microsoft will know you're using Raspberry Pi OS/likely Raspberry Pi owner and your IP address. Many people try to reduce footprint as much as possible, so these are three additional datapoints Microsoft can use to build a profile about you," fortysix_n_2 explains.

So yes, the latest update of Raspbian does include this thing, it does "phone home" to a Mickeysoft server and it does deliver information about the Raspberry Pi you're using and your IP address, and it makes it possible to track your Raspy when it accesses GitHub, Bing or any other Microsoft-owned website. And of course Mickeysoft owns much of the infrastructure the web runs on, so that's a long frigging list. Also it's more operating system bloat, it eats battery life and it adds a data load that doesn't need to be there.

For Raspbian to have included this thing is not that big a deal, in and of itself. But.

"Never in my 2 decades of using Debian and Ubuntu has either modified my sources.list without my consent. What the actual f**k? I could understand if they just added it to the default installation image, but they had to actually write a script to add this repo to existing installations. That is shady as f**k!," a user commented in the thread.

"This is also on my 3 lite installations. I'm mad about this, because I always check what new dependencies are installed. Followed back the log, and can't find anything about this. Even the way it's installed is shady. With a postinstall script, not the usual 'extract' method," another user wrote.

This can make it easier for people who use VSCode, as some have pointed out. But phoning home has a way of giving people the heebie-jeebies (rightfully so in many cases), especially when it feels like the functionality was added on the sly.

It was sort of "slid" in with no discussion, it isn't any use except to people using VSCode, and there's no mention of it anywhere. It's shady, or at least has the appearance of being shady. The "they took some money from Microsoft and didn't want anybody to know" type of shady. The appearance of possible impropriety is unavoidable. (For the reading challenged, that means I have no evidence of improper deals, but this does not look good to me.)

But this here is the clueless part.

Eben Upton is a founder of the Raspberry Pi Foundation. He and the rest of the developers at the foundation ought to bloody well know better than to be surprised when their user community gets outraged at having their OS phone home to Big Tech. Regardless of the utility of the change to the "average" user, adding Phone-Home bloat to Raspbian OS without telling anyone is stupid. Suggested new policy: just make a list of shit that phones home and put a checkbox next to each item so people can shut it off. How hard would that be?

And let this be a lesson to you, Linux dweebs: if you didn't personally build it, chances are it phones home to somebody. Go to http://linuxfromscratch.org/ and build your very own OS from the source code, which you can READ first to see that it doesn't phone home to Google or whatever every time you boot it.

Update from the article comments: Dianne S said "It's MUCH worse than this. Microsoft has essentially been given root access on every affected Pi. If they push out a newer version of a package like (say) libc, it will be pulled from their repo in an upgrade and its postinstall script will run as root. I suspect very few people will notice this when doing an upgrade."

That is an excellent point.
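If you want to check your own box for this sort of thing, both the "apt update pings the repo" problem above and Dianne's "root via a postinst from that repo" point, here is an added example that is not from the post, from Raspberry Pi or from Microsoft: a POSIX shell audit of the apt sources directory that flags every repository host outside an allow-list, plus an apt preferences pin that stops anything from a flagged host ever being installed. The hostnames, directory and file names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. All hosts, paths and files
# below are constructed for the demo; adapt the allow-list to your distro.

# Print "file<TAB>host" for every deb/deb-src line in $1/*.list whose
# hostname is not in the space-separated allow-list $2.
audit_apt_sources() {
    dir="$1"; allowed="$2"
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" | while read -r line; do
            # strip "deb"/"deb-src" and any "[arch=...]" option block
            url=$(printf '%s\n' "$line" \
                | sed -E 's/^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?//' \
                | awk '{print $1}')
            # keep only the hostname part of the URL
            host=$(printf '%s\n' "$url" | sed -E 's#^[a-z]+://##; s#[/:].*$##')
            case " $allowed " in
                *" $host "*) ;;                       # trusted origin
                *) printf '%s\t%s\n' "$f" "$host" ;;  # third-party origin
            esac
        done
    done
}

# Write an apt preferences stanza pinning every package from $1 to -1:
# apt will then never install (or upgrade to) anything from that origin,
# so a package like libc cannot be pulled from it even if the repo stays listed.
write_pin() {
    host="$1"; out="$2"
    printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n' "$host" > "$out"
}

# Demo on a constructed sources directory (not the real /etc/apt).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sources.list.d"
printf 'deb http://raspbian.example.invalid/raspbian/ buster main\n' \
    > "$demo_dir/sources.list.d/raspi.list"
printf '# written by a package postinst, not by the admin\ndeb [arch=armhf] https://vendor.example.invalid/repos/code stable main\n' \
    > "$demo_dir/sources.list.d/vendor.list"
audit_apt_sources "$demo_dir/sources.list.d" "raspbian.example.invalid" | while read -r f h; do
    echo "third-party repo in $f: $h"
    write_pin "$h" "$demo_dir/pin-$h.pref"
done
rm -rf "$demo_dir"
```

On a real system the pin file goes under /etc/apt/preferences.d/ and `apt-cache policy` will then show the origin at priority -1; a file in /etc/apt/sources.list.d/ that `dpkg -S` reports as not owned by any package was written by a script or by hand, not unpacked from a .deb.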
