A security researcher says Microsoft Azure and Canonical are creating a privacy issue by allowing sales reps to track users spinning up Ubuntu Linux on Azure. Bentley Systems advisor Luca Bongiorni was stunned when a Canonical sales rep contacted him shortly after he spun up an instance of Ubuntu 18.04 on Microsoft’s cloud platform.
Just three hours later, he received a message from a rep saying, “I saw that you spun up an Ubuntu image in Azure.” Bongiorni was stunned that a salesperson was able to track him in such a manner. It is worth noting that Canonical is the developer behind Ubuntu.
Outraged by this breach of privacy, the security expert was less than diplomatic in his response: “What the f*** is happening here? WHY [did] MICROSOFT FORWARDED TO UBUNTU THAT I SPUN A NEW VM!?!” Customer privacy, what’s that?
3 hours ago I spun a Ubuntu 18.04 on Azure with a corporate subscription.
Now I get spammed over non-corporate channel by Ubuntu.
What the fuck is happening here?
WHY MICROSOFT FORWARDED TO UBUNTU THAT I SPUN A NEW VM!?! 🤔
— Luca Bongiorni (@CyberAntani) February 10, 2021
The situation provided Microsoft rivals with a chance to score some free points against the company. Corey Quinn, Chief Cloud Economist for Duckbill Group but also a pro-Amazon Web Services (AWS) blogger, suggests Microsoft is playing fast and loose with user information:
“@azure had a GOLDEN opportunity to pull a ‘we don’t mine your data, we don’t compete with you, WHO KNOWS what @GCPcloud and @awscloud do with your confidential cloud info!’ Instead, they legit did exactly what their competitors don’t, but we worry about.”
So, is Microsoft allowing third-party services to have almost instant access to Azure data? ZDNet reached out to the company for an explanation. According to a spokesperson, it’s within Azure’s T&Cs to allow service/app publishers to access customer data when their product is used:
“Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes.”
Canonical confirms this is what happened in this instance:
“As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical’s CRM in accordance with privacy rules. On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies.”
Microsoft also adds:
“If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage. We will not share your Customer Data (as defined in this Section 3) with any Publisher without your permission.”
One problem here is Microsoft is clearly offering a blurry privacy setup that may confuse Azure customers. For example, how does contact information (which can be shared) not fall under the same classification as Customer Data (which requires consent)?
This probably means the original Azure wrap up agreement – you know, the one no-one reads but agrees to anyway – is all the consent Microsoft needs to share contact information. As for Bongiorni, once was enough and he is jumping to another cloud provider.