Microsoft Azure and Canonical Ubuntu Linux have a user privacy problem

A user spun up an Ubuntu Linux instance on Azure and was extremely annoyed to receive a sales message from a Canonical representative.

It was just another day for Luca Bongiorni, a security advisor for Bentley Systems. He'd just spun up an Ubuntu Linux 18.04 instance on the Microsoft Azure cloud using a corporate sandbox for testing purposes. Three hours later, on Bongiorni's LinkedIn account he received a message from a Canonical sales representative saying, "I saw that you spun up an Ubuntu image in Azure," and telling him he'd be his "point of contact for anything Ubuntu-related in the enterprise." Say what??

Actually, Bongiorni was a little more "frank" about his annoyance and surprise that a Canonical salesperson had tracked him down on an entirely different service and knew that he had just used Ubuntu on Microsoft Azure. "What the f*** is happening here? WHY MICROSOFT FORWARDED TO UBUNTU THAT I SPUN A NEW VM!?!" Customer privacy, what's that?

Well-known Amazon Web Services (AWS) blogger and Chief Cloud Economist at the Duckbill Group Corey Quinn called out Microsoft for sharing its customer's data tweeting, "@azure had a GOLDEN opportunity to pull a 'we don't mine your data, we don't compete with you, WHO KNOWS what @GCPcloud and @awscloud do with your confidential cloud info!'  Instead, they legit did exactly what their competitors don't, but we worry about."

So what the heck is happening here?

I asked Microsoft and was told, "Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes." 

The last is exactly what Canonical did. 

Canonical in response to this incident replied, "As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical's CRM in accordance with privacy rules. On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."

Microsoft further muddied the waters when the company pointed me to section 3. Privacy and Data Protection of their Terms and Conditions. There you will find 3.a: Information Disclosed to Publishers. If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage. We will not share your Customer Data (as defined in this Section 3) with any Publisher without your permission."

Color me puzzled. I am not a lawyer, but I'd think your contact information is Customer Data. And, certainly, this information was used for marketing. And, who can blame Canonical for wanting this information for marketing? If I were a "publisher," I'd certainly want to know who's using my product. 

It seems to me that Microsoft has created a real privacy muddle here with its privacy policy. While the T&C is certainly there, it's not clear to me what information is shared with publishers and what restrictions they're under in using that data. Making matters worse, the T&C is a click-wrap agreement. That is to say, like end-user license agreements (EULA) for PC programs, when you sign up for a cloud service you must agree to their T&C before you can use it.  That's all well and good, but just like EULAs, almost no one reads them. 

Yes, a company's in-house counsel should examine them, but normal users? I doubt that one-in-a-thousand actually reads such legal boilerplate. In any case, even if you did, it's confusing enough that I, who cover intellectual property law issues for a living, certainly wouldn't expect to get a marketing call from Canonical for using Ubuntu or for any other Azure software publisher and its programs. 

As Bongiorni tweeted, 

Where exactly it is visible any ToS?!

As soon as I clicked on "add new VM", the first option suggested was Ubuntu 18.04.

I didn't dig into the Azure Marketplace. I just picked the first option available since I quickly need a Linux-based test VM.

Bongiorni doesn't blame the Canonical sales rep. "He just did what He has been told to do. The problem is with upper management I guess."

Looking ahead though, Bongiorni doesn't expect to be spinning any more instances of anything on Azure. He told The Register, he's considering taking his work to a European-based closed provider "just to be sure there will be more transparency and more GDPR openness."

Who could blame him?

Related Stories:


Ubuntu Core brings real-time processing to Linux IoT
Ubuntu Core Logo

Ubuntu Core brings real-time processing to Linux IoT

Internet of Things
How to Google more effectively to get the results you need

How to Google more effectively to get the results you need

Microsoft Azure-certified roles are well-paid, and you can study for certification for $39

Microsoft Azure-certified roles are well-paid, and you can study for certification for $39