As apport has been enabled by default since 12.04, I thought it would be important to get some much-needed clarifications on certain privacy questions that have been bugging me.
How paranoid is apport about potentially sending sensitive information to a remote server? If I'm not mistaken it used to be pretty paranoid because it insisted on asking for the user's confirmation for sending things like logs which might contain the usually harmless host name, but I went over the files in /var/crash/ and found loads and loads of data containing not only the host name but even core dumps (the "CoreDump" name which precedes a blob of data in one of those files) which could potentially reveal - if I'm not mistaken - any password that has ever been used on a computer (depending on circumstances, of course).
Can I assume that all logs found in /var/crash/ have been sent to Canonical "as is" - that is, as found in that directory, including the core dumps?
Oftentimes I experienced some crashes which resulted in a window asking me whether I want to send a report to Canonical, a window that had a button titled "Report problem..." but with no checkbox for allowing the user to inspect the information being sent. When pressing the button I expected to be presented with a follow-up dialog showing what is being sent (because of the "..." present in the caption of the button). However, no such follow-up dialog appeared, which leads me to my final question: what happened when I pressed that button? What is actually being sent to Canonical, if anything?
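An added example, not part of the original question and not apport's own code: a short Python script that lists the fields of a report file such as those in /var/crash/, with each field's size and whether a given host name occurs in it. It assumes the layout of the constructed sample below ("Key: value" lines, continuation lines indented by one space, binary fields marked "base64"); the field name SampleLog, the host name and the sample bytes are made up, and the script shows what a file contains, not what was uploaded.

```python
import base64

# Constructed stand-in for core dump bytes. A real report compresses the
# data before encoding it; the sample skips that step.
CORE_BYTES = b"\x7fELF" + b"constructed-memory-bytes"

# Constructed sample report in the assumed layout.
SAMPLE = (
    "ProblemType: Crash\n"
    "ExecutablePath: /usr/bin/example\n"
    "ProcEnviron:\n"
    " LANG=en_US.UTF-8\n"
    " SHELL=/bin/bash\n"
    "SampleLog:\n"
    " Jan  1 00:00:00 examplehost kernel: constructed line\n"
    "CoreDump: base64\n"
    " " + base64.b64encode(CORE_BYTES).decode() + "\n"
)

def parse_report(text):
    """Return {key: (kind, payload)} where kind is 'text' or 'binary'."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            fields[key][1].append(line[1:])        # continuation line
        elif ":" in line:
            key, _, first = line.partition(":")
            first = first.strip()
            kind = "binary" if first == "base64" else "text"
            fields[key] = (kind, [first] if first and kind == "text" else [])
    out = {}
    for key, (kind, parts) in fields.items():
        if kind == "binary":                       # each line is its own chunk
            out[key] = (kind, b"".join(base64.b64decode(p) for p in parts))
        else:
            out[key] = (kind, "\n".join(parts))
    return out

def audit(text, hostname):
    """Per field: kind, size in bytes, and whether the host name appears."""
    rows = {}
    for key, (kind, payload) in parse_report(text).items():
        raw = payload if kind == "binary" else payload.encode()
        rows[key] = {"kind": kind, "bytes": len(raw),
                     "has_hostname": hostname.encode() in raw}
    return rows

if __name__ == "__main__":
    for key, row in audit(SAMPLE, "examplehost").items():
        print(f"{key:16} {row['kind']:6} {row['bytes']:6} {row['has_hostname']}")
```

To inspect a real file, pass its contents to `audit()` in place of `SAMPLE`, together with the output of `hostname`.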