An Azure customer was outraged after finding himself on the receiving end of an unexpected LinkedIn message from Ubuntu maker Canonical last night.
The user, Luca Bongiorni, had spun up an instance of the Linux distro on an Azure corporate subscription in order to evaluate some tooling. Sensibly, the subscription is used as a sandbox for the purpose of testing.
Upon clicking “Add new VM”, the first option was Ubuntu 18.04, according to Bongiorni, which he selected in order to get his Linux kicks. Shortly after, however, a message turned up from an Enterprise Development representative at Ubuntu with the ominous phrase: “I saw that you spun up an Ubuntu image in Azure,” and offering to be a point of contact.
Was Canonical somehow aware of what an Azure customer was doing on the dashboard?
The Register spoke to Bongiorni, who confirmed the sequence of events and noted that “Azure Portal’s UI didn’t provide any insight on whether that Template was coming with a specific ToS” as he cheerfully chose Ubuntu.
It’s a reminder to always check the small print (and icons) as, indeed, the implications of the orange icon were not clear to him. Particularly not that his data would be shared.
“The creepiest thing,” he said, “[was] the direct contact on my private LinkedIn account” – which he noted did not share “the same corporate email. Which means that Canonical sales hunted my name down into social medias to reach me directly.”
Microsoft and Canonical are certainly good chums. The companies recently boasted of the one-year anniversary of “a partnership that delivers the best and most secure open source for customers” and a co-sell model launched back in 2019 that was a step up from mere passive engagement.
Certainly, a cold-call message out of the blue would not come under the description of “passive”.
While the thought of Canonical’s engineers peering over one’s virtual shoulder with the tacit approval of Microsoft might appeal, the explanation is likely a little simpler. A look at the terms for the Azure Marketplace throws up this sentence: “If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage.”
Bongiorni reckoned that the sharing of data was “in some ways” understandable when spinning up a third party’s template on Azure, but added: “Make it very clear when you are going to pick a specific VM from the Azure Portal UI.
“I would not have deployed that if I knew someone would stalk me outside corporate channels.”
Certainly, something a bit clearer than a little orange icon would be useful to indicate the imminent deployment of the stalkerbots. Or maybe just not doing it at all, hmm?
We asked Microsoft and Canonical for comment but have yet to receive an explanation from either. AWS commentator Corey Quinn reacted in colourful fashion:
Instead they legit did exactly what their competitors don’t, but we worry about. https://t.co/U4AM0O8rMD
— Corey Quinn (@QuinnyPig) February 11, 2021
And Bongiorni? He told us he was considering a switch to a different provider, likely based in Europe, “just to be sure there will be more transparency and more GDPR openness.”
He also highlighted a further wrinkle in the story. If Canonical, as an Azure Marketplace Publisher, are handed information about anyone using its templates, could a hypothetical malicious publisher also receive similar?
“I am very curious to know what else these ‘publishers’ are getting from Microsoft about me and the machines I spun over the time that relied on their templates.” ®