Apport error reporting privacy issues

Question

As apport is enabled by default since 12.04 I thought it would be important to get some much needed clarifications on certain privacy questions that have been bugging me.

How paranoid is apport about potentially sending sensitive information to a remote server? If I'm not mistaken it used to be pretty paranoid because it insisted on asking the user's confirmation for sending things like logs which might contain the usually harmless host name, but I went over the files in /var/crash/ and found loads and loads of data containing not only the host name but even core dumps (the "CoreDump" name which precedes a blob of data in one of those files) which could potentially reveal - if I'm not mistaken - any password that has ever been used on a computer (depending on circumstances, of course).
Can I assume that all logs found in /var/crash/ have been sent to Canonical "as is" - that is, as found in that directory, including the core dumps?
Oftentimes I experienced some crashes which resulted in a window asking me whether I want to send a report to Canonical, a window that had a button titled "Report problem..." but with no checkbox for allowing the user to inspect the information being sent. When pressing the button I expected to be presented with a follow-up dialog showing what is being sent (because of the "..." present in the caption of the button). However, no such follow up dialog appeared which leads me to my final question: what happened when I pressed that button? What is actually being sent to Canonical, if anything?

See also: http://askubuntu.com/questions/16135/why-did-apport-make-my-bug-report-private and http://askubuntu.com/questions/398775/how-can-i-check-if-an-apport-report-does-not-contain-any-sensitive-information. — landroni, Apr 01 '15 at 17:58
Possible duplicate of How confidential are automatic crash reports made by apport? — Gilles 'SO- stop being evil', Feb 23 '17 at 00:30

score 0 · Answer 1 · answered Apr 18 '17 at 19:02

Regardless the error reporting system, Apport or other, there are privacy concerns. This does not mean that sensitive information will always exist in an error report.

Why (long answer): the goal of error reporting is to gather information about the user failure-inducing execution in order to help developers to find its causes. Depending on the mechanism used, such information can come in many forms: memory dumps, log entries, etc. But anyway the goal is to transform such information into steps to reproduce the user execution that ended in failure. Therefore, if the application you were using deals with sensitive information, e.g. you were using your text editor to edit a confidential document, a mail client to exchange private messages, or some other application that involves credentials or credit card info, then such sensitive information may end up in memory dumps or in log entries.

Why (short answer): If you insert your data (sensitive or not) in the application and it fails, then the steps-to-reproduce your failure-inducing execution is your data -> likely to end up in the error report.

Therefore, my advice is not to authorize the transmission when your data is somehow sensitive. It should be fine otherwise and we should help developers to fix the problem by transmitting it.

Apport error reporting privacy issues

1 Answers1