Dev creeped out after he fired up Ubuntu VM on Azure, was immediately approached by Canonical sales rep

I always feel like somebody's watching me

Updated An Azure customer was outraged after finding himself on the receiving end of an unexpected LinkedIn message from Ubuntu maker Canonical last night.

The user, Luca Bongiorni, had spun up an instance of the Linux distro on an Azure corporate subscription in order to evaluate some tooling. Sensibly, the subscription is used as a sandbox for the purpose of testing.

Upon clicking "Add new VM", the first option was Ubuntu 18.04, according to Bongiorni, which he selected in order to get his Linux kicks. Shortly after, however, a message turned up from an Enterprise Development representative at Ubuntu with the ominous phrase: "I saw that you spun up an Ubuntu image in Azure," and offering to be a point of contact.

I would not have deployed that if I knew someone would stalk me outside corporate channels

Was Canonical somehow aware of what an Azure customer was doing on the dashboard?

The Register spoke to Bongiorni, who confirmed the sequence of events and noted that "Azure Portal's UI didn't provide any insight on whether that Template was coming with a specific ToS" as he cheerfully chose Ubuntu.

It's a reminder to always check the small print (and icons) as, indeed, the implications of the orange icon were not clear to him. Particularly not that his data would be shared.

"The creepiest thing," he said, "[was] the direct contact on my private LinkedIn account" – which he noted did not share "the same corporate email. Which means that Canonical sales hunted my name down into social medias to reach me directly."

Microsoft and Canonical are certainly good chums. The companies recently boasted of the one-year anniversary of "a partnership that delivers the best and most secure open source for customers" and a co-sell model launched back 2019 that was step up from mere passive engagement.

Certainly, a cold-call message out of the blue would not come under the description of "passive".

While the thought of Canonical's engineers peering over one's virtual shoulder with the tacit approval of Microsoft might appeal, the explanation is likely a little simpler. A look at the terms for the Azure Marketplace throws up this sentence: "If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage."

A hunt around Ubuntu's legals (as noted by Twitter user @dezren39) shows a whole section giving the company the green light "To market our products or services to you."

Bongiorni reckoned that the sharing of data was "in some ways" understandable when spinning up a third party's template on Azure, but added: "Make it very clear when you are going to pick a specific VM from the Azure Portal UI.

"I would not have deployed that if I knew someone would stalk me outside corporate channels."

Certainly, something a bit clearer than a little orange icon would be useful to indicate the imminent deployment of the stalkerbots. Or maybe just not doing it at all, hmm?

We asked Microsoft and Canonical for comment but have yet to receive an explanation from either. AWS commentator Corey Quinn reacted in colourful fashion:

And Bongiorni? He told us he was considering a switch to a different provider, likely based in Europe, "just to be sure there will be more transparency and more GDPR openness."

He also highlighted a further wrinkle in the story. If Canonical, as an Azure Marketplace Publisher, are handed information about anyone using its templates, could a hypothetical malicious publisher also receive similar?

"I am very curious to know what else these 'publishers' are getting from Microsoft about me and the machines I spun over the time that relied on their templates."

Updated at 1000 UTC on 12 February to add

Following publication of this article, Canonical responded to our calls for comment with a written statement:

"As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical’s CRM in accordance with privacy rules.

"On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."

Microsoft also sent us a canned remark:

"Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes." ®

Similar topics

Other stories you might like

  • DuckDuckGo tries to explain why its browsers won't block Microsoft ad trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains. Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    "I tested the DuckDuckGo so-called private browser for both iOS and Android, yet neither version blocked data transfers to Microsoft's Linkedin + Bing ads while viewing Facebook's workplace[.]com homepage," Edwards explained in a Twitter thread.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading
  • Atos pushes out HPC cloud services based on Nimbix tech
    Moore's Law got you down? Throw everything at the problem! Quantum, AI, cloud...

    IT services biz Atos has introduced a suite of cloud-based high-performance computing (HPC) services, based around technology gained from its purchase of cloud provider Nimbix last year.

    The Nimbix Supercomputing Suite is described by Atos as a set of flexible and secure HPC solutions available as a service. It includes access to HPC, AI, and quantum computing resources, according to the services company.

    In addition to the existing Nimbix HPC products, the updated portfolio includes a new federated supercomputing-as-a-service platform and a dedicated bare-metal service based on Atos BullSequana supercomputer hardware.

    Continue reading

Biting the hand that feeds IT © 1998–2022