Was Canonical somehow aware of what an Azure customer was doing on the dashboard? The Register spoke to Bongiorni, who confirmed the sequence of events and noted that "Azure Portal's UI didn't provide any insight on whether that Template was coming with a specific ToS" as he cheerfully chose Ubuntu.
I would not have deployed that if I knew someone would stalk me outside corporate channels
It's a reminder to always check the small print (and icons) as, indeed, the implications of the orange icon were not clear to him. Particularly not that his data would be shared."The creepiest thing," he said, "[was] the direct contact on my private LinkedIn account" – which he noted did not share "the same corporate email. Which means that Canonical sales hunted my name down into social medias to reach me directly."
Microsoft and Canonical are certainly good chums. The companies recently boasted of the one-year anniversary of "a partnership that delivers the best and most secure open source for customers" and a co-sell model launched back 2019 that was step up from mere passive engagement.
Certainly, a cold-call message out of the blue would not come under the description of "passive".While the thought of Canonical's engineers peering over one's virtual shoulder with the tacit approval of Microsoft might appeal, the explanation is likely a little simpler. A look at the terms for the Azure Marketplace throws up this sentence: "If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage." A hunt around Ubuntu's legals (as noted by Twitter user @dezren39) shows a whole section giving the company the green light "To market our products or services to you."
Bongiorni reckoned that the sharing of data was "in some ways" understandable when spinning up a third party's template on Azure, but added: "Make it very clear when you are going to pick a specific VM from the Azure Portal UI.
"I would not have deployed that if I knew someone would stalk me outside corporate channels."
Certainly, something a bit clearer than a little orange icon would be useful to indicate the imminent deployment of the stalkerbots. Or maybe just not doing it at all, hmm?We asked Microsoft and Canonical for comment but have yet to receive an explanation from either. AWS commentator Corey Quinn reacted in colourful fashion:
Oh my [email protected] had a GOLDEN opportunity to pull a "we don't mine your data, we don't compete with you, WHO KNOWS what @GCPcloud and @awscloud do with your confidential cloud info!" Instead they legit did exactly what their competitors don't, but we worry about. https://t.co/U4AM0O8rMD — Corey Quinn (@QuinnyPig)And Bongiorni? He told us he was considering a switch to a different provider, likely based in Europe, "just to be sure there will be more transparency and more GDPR openness." He also highlighted a further wrinkle in the story. If Canonical, as an Azure Marketplace Publisher, are handed information about anyone using its templates, could a hypothetical malicious publisher also receive similar?
To create personalized Products that are unique and relevant to you, we use your connections, preferences, interests and activities based on the data we collect and learn from you and others (including any data with special protections you choose to provide); how you use and interact with our Products; and the people, places, or things you're connected to and interested in on and off our Products.
"I am very curious to know what else these 'publishers' are getting from Microsoft about me and the machines I spun over the time that relied on their templates."
Updated at 10.07 on 12 February to add:
Following publication of this article, Canonical responded to our calls for comment with a written statement:"As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical’s CRM in accordance with privacy rules.
"On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."
Microsoft also sent us a canned remark:
"Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes." ®