It was just another day for Luca Bongiorni, a security advisor for Bentley Systems. He'd just spun up an Ubuntu Linux 18.04 instance on the Microsoft Azure cloud using a corporate sandbox for testing purposes. Three hours later, Bongiorni received a message on his LinkedIn account from a Canonical sales representative saying, "I saw that you spun up an Ubuntu image in Azure," and telling him he'd be his "point of contact for anything Ubuntu-related in the enterprise." Say what??
Actually, Bongiorni was a little more "frank" about his annoyance and surprise that a Canonical salesperson had tracked him down on an entirely different service and knew that he had just used Ubuntu on Microsoft Azure. "What the f*** is happening here? WHY MICROSOFT FORWARDED TO UBUNTU THAT I SPUN A NEW VM!?!" Customer privacy, what's that?
Well-known Amazon Web Services (AWS) blogger and Chief Cloud Economist at the Duckbill Group Corey Quinn called out Microsoft for sharing its customers' data, tweeting, "@azure had a GOLDEN opportunity to pull a 'we don't mine your data, we don't compete with you, WHO KNOWS what @GCPcloud and @awscloud do with your confidential cloud info!' Instead, they legit did exactly what their competitors don't, but we worry about."
So what the heck is happening here?
I asked Microsoft and was told, "Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes."
The last is exactly what Canonical did.
Canonical, in response to this incident, replied, "As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical's CRM in accordance with privacy rules. On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."
Microsoft further muddied the waters when the company pointed me to Section 3, Privacy and Data Protection, of its Terms and Conditions. There you will find "3.a: Information Disclosed to Publishers. If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage. We will not share your Customer Data (as defined in this Section 3) with any Publisher without your permission."
Color me puzzled. I am not a lawyer, but I'd think your contact information is Customer Data. And, certainly, this information was used for marketing. And, who can blame Canonical for wanting this information for marketing? If I were a "publisher," I'd certainly want to know who's using my product.
Yes, a company's in-house counsel should examine these terms, but normal users? I doubt that one in a thousand actually reads such legal boilerplate. In any case, even if you did, it's confusing enough that I, who cover intellectual property law issues for a living, certainly wouldn't expect to get a marketing call from Canonical for using Ubuntu, or from any other Azure software publisher for using its programs.
As Bongiorni tweeted,
Where exactly it is visible any ToS?!
As soon as I clicked on "add new VM", the first option suggested was Ubuntu 18.04.
I didn't dig into the Azure Marketplace. I just picked the first option available since I quickly need a Linux-based test VM.
Bongiorni doesn't blame the Canonical sales rep. "He just did what He has been told to do. The problem is with upper management I guess."
Looking ahead, though, Bongiorni doesn't expect to be spinning up any more instances of anything on Azure. He told The Register he's considering taking his work to a European-based closed provider "just to be sure there will be more transparency and more GDPR openness."
Who could blame him?