“I saw that you spun up an Ubuntu image in Azure” (twitter.com/lucabongiorni)
1168 points by fireball_blaze 18 days ago | hide | past | favorite | 455 comments

The register article on this https://www.theregister.com/2021/02/11/microsoft_azure_ubunt... has responses from Canonical and MS, which shed a bit more light on the situation.

The Canonical quote is the most illuminating :-

"As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical’s CRM in accordance with privacy rules.

"On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."

Actually, to me the MS statement is the most illuminating and I'm guessing that Canonical is getting some grumpy calls from Microsoft.

This is the last part of the Microsoft statement:

"Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes"

Canonical then tells us that this person was a Sales Representative, and it is clear from the content that this is a message aimed towards selling. Canonical has broken Microsoft's terms. That said, I can't see where that legal restriction is (e.g. can't see anything like that in https://azure.microsoft.com/en-us/support/legal/marketplace-...).

> "On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."

The part I find the most enlightening (ie: disturbing) is that Canonical's only regret is that the sales rep used "a poor choice of word" and they will train their salespeople better.

I assume the "poor choice of word" was when the salesman said, "I saw that you spun up an Ubuntu instance". Was Canonical's biggest regret that the salesmen INFORMED the user that they are monitoring installs and linking them to contact information?

Canonical never said "oh the salesperson wasn't supposed to market to you with this information", instead they basically said, the salesman wasn't supposed to TELL YOU that we are monitoring what you install and linking it to personal contact details.

> the salesman wasn't supposed to TELL YOU that we are monitoring what you install

Exactly. The old "I'm sorry I got caught" and not "I'm sorry I did it."

We can do better™

Legal wishes to remind you that that statement always needs this accompanying statement.

* The word "better" does not imply a commitment towards customers and/or investors.
* The word "do" should not be seen as referring to the taking of any specific course of action which may or may not yield tangible change.
* The word "can" does not signify a concrete ability and is not forward-looking.
* The word "We" should not be interpreted as Canonical Ltd. nor any of its subsidiaries or affiliated entities.

Reminds me of the famous Bill Clinton quote:

> It depends on what the meaning of the word "is" is.


Except he had a perfectly legitimate point there, as far as I understand, he just utterly botched the explanation.

There's a big difference between "is" and "was". Which is what he should have said. There were no semantic games in that particular statement, in stark contrast to some of the other things he said.

I'm sorry, but I am not completely aware of the broader context and just shared that soundbite as meme.

It's fine and understandable, it's just weird how the meme version is so detached from what the actual problems were.

For the record, while in the midst of discovering a possible breach of contract with a company the size of Microsoft, it would be very good form, from a legal perspective, not to risk further jeopardy by openly saying that you've breached your contract. While lawyers are often distasteful to HN readers, they do have immense value in these situations, and they are completely correct to say "do not admit error at this time, not until we've formally analyzed it, post-mortemed it, and resolved our contractual obligations to Microsoft". Yes, y'all may want them to self-flagellate, but I'd rather see them honor their contracts and respect their lawyers first. They already admitted that they behaved inappropriately. The rest is just icing on the cake.

I like how the vocabulary you use implies there is something highly nefarious happening here, whereas it is all fairly standard direct marketing based on an exchange of data clearly highlighted in the TOS.

I don't really understand why everyone is up in arms here. In this case, Microsoft is basically a reseller. They told Canonical that they sold one of their products to a customer and Canonical reached out on LinkedIn, a professional social network. It all seems fair game to me. This is not some creepy internet tracking using dubious ways to segment people. This is basic direct marketing in a B2B context.

It's all pretty tame.

Unless you're the kind of person that actually sits and reads the EULA prior to hitting OK every single time, I'd say it makes complete sense people are up in arms. There is a difference between legally defensible and reasonable expectations.

It is actually completely unacceptable on what is advertised as a secure platform to engage in targeted marketing AT ALL. If any information about what my company is doing on your platform is shared to other companies, then you are not secure by any definition of the word that I'm aware of. It is not for you to judge what information is valuable or damaging for us.

> It is actually completely unacceptable on what is advertised as a secure platform to engage in targeted marketing AT ALL. If any information about what my company is doing on your platform is shared to other companies, then you are not secure by any definition of the word that I'm aware of. It is not for you to judge what information is valuable or damaging for us.

Security and data sharing have nothing in common. It is perfectly acceptable to share customer lists when you are a reseller if you clearly state you will do so in the contract. It doesn't become true because you write it in all caps and say it is not for me to judge. If you so value your company information, maybe you should start reading what you sign.

Once again, we are not talking about an unreadable EULA for personal software. Azure is a platform geared towards professionals. Nothing creepy is happening here. That's Canonical reaching out and giving a potential customer a point of contact if they ever need support. This has nothing to do with broad data collection and spying and is perfectly reasonable. I don't understand why some commenters here find the idea of talking with an actual human being so traumatic.

Not who you are replying to, but I'd imagine your point:

> If you so value your company information, maybe you should start reading what you sign.

Is exactly what people are up in arms about. Even reading the EULA, you may not expect Microsoft to permit data sharing in this way. And if this is entirely unacceptable for you, then it's time to leave Microsoft.

Or you can make noise about it online like this, and cause Microsoft to realise this sharing will lose them customers. I doubt the data is worth the churn, and Microsoft will likely change the policy rather than lose the customers.

>"This is basic direct marketing in a B2B context. It's all pretty tame."

Well, maybe it is OK from that perspective. However, my personal reaction as a customer to such a sales approach would simply be something along the lines of GFY to that salesperson.

Yeah, the only acceptable choice of words in this case would be: none.

>Canonical never said "oh the salesperson wasn't supposed to market to you with this information"

Canonical never said "oh the salesperson shouldn't have had this information".

There's only one way they could have used it.

It's all about plausible deniability.

Or as law enforcement calls it: parallel construction.

The sales rep was probably expected to reach out claiming some other reason, making it look like the standard LinkedIn spam, but in reality much more targeted.

Yep, and the purported “retraining” will probably be more like, “use a vaguer or falser pretense to cold-call”.

Very reminiscent of that Netflix tweet calling out a small group of people for some extraordinary binge watching.

“The first rule of the surveillance economy is don’t talk about the surveillance.”

As I recall their tweet did not indicate that they had direct access to the identity (such as name or address) of those people. I think they mentioned their municipality?

Of course they have the raw data, but it's possible the people who sent that tweet just have access to a database that contains only anonymized data.

I guess I don't understand the quote from Microsoft's statement. Canonical provides "implementation and technical support," right? But they're not allowed to use user data from Microsoft to market those services? How else would that data even be useful for Canonical's "implementation and technical support" services?

This is the full quote from MS, provided in The Register article:

"Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes."

My interpretation is:

Every time you buy or use something from the Marketplace, MS will give your contact details to the Marketplace publisher. That publisher is then restricted in what they can do with the information. They may not use it for Marketing, they may use it to provide technical support.

Yeah, I agree with your interpretation and that makes sense from Microsoft's perspective. Just one open question that this raises: does a name and employer count as "contact details"? Do Microsoft's terms allow Canonical to reach out to someone on LinkedIn for marketing purposes as long as they don't look them up using the email address Microsoft gives them?

And if the answer to that last question is no, what can Canonical do with the data that's actually valuable to them? If I were given access to a database of sales leads that I was explicitly disallowed from contacting, I would actively avoid even accessing the data to avoid any accusation or perception that I violated those terms, just in case I independently got in touch with those same leads through a different channel.

So I don't know the answers to your questions - but here's one interesting thing - according to GDPR your email address is personal information, as you'd expect. However, your work email address is not. Companies can do all sorts of harvesting and collection on professional information that they can't on personal.

This is not strictly true. Sales@example.com would not be considered personal data, bob.smith@company.com would be

If they discover a huge security problem with the distribution you installed, they can contact you and help you upgrade to a non-vulnerable version? This is like what "technical support" is supposed to mean.

How more reasonable it would have been for Microsoft to provide the publishers details to consumers instead of the other way around.

Interesting that this is not so.

Microsoft can earn more money this way (selling data for sales purposes), so their behavior meets my expectations.

Mine too, it is hilarious that they present this gratuitous data sharing as "this is normal/we are the victims as much as you are"

But they aren't selling the data

On the off chance you are not being sarcastic, do you think that Canonical got the data for free?

Yes? It's pretty evident that when you publish a marketplace app, the details of those that installed it are automatically stored for use by the vendor. All of the statements above align with this, unless you're insinuating that Microsoft are liars.

This sounds like plausible deniability to me. "We sell your details to companies whose products you're using - which would be really useful marketing information; but they say they don't use it for that, so we did what we need to."?

Microsoft being lily-white (/s) would ensure they had GDPR-like positive consent from customers that they could pass on those customers info to specific third parties...

The idea that companies keep some sort of information wall between their support and marketing departments is pretty ridiculous. MS have to be fully aware of this, surely.

So, the story is Canonical taking part in the same crap as the more overtly crap companies, and just this one agent not being clever enough to keep their leads under wraps.

GDPR obliges companies to provide information on all the parties PII has been passed to. Given cookie lists (or uBlock blocked files) are hundreds of companies long, I'm surprised we're not getting reports of who is buying up all this info.

> But they're not allowed to use user data from Microsoft to market those services? How else would that data even be useful for Canonical's "implementation and technical support" services?

The data on who was doing what would be useful for providing implementation and technical support to people who have already contracted with Canonical for those services, both for providing the service and, depending on price structure, possibly for billing.

> The data on who was doing what would be useful for providing implementation and technical support to people who have already contracted with Canonical for those services

So then why should everyone else who doesn't have any contact with Canonical have their data forwarded to them too? This should be opt-in rather than opt-out, let alone always happening with no way to opt out.

By waiting for someone to reach out for "implementation and technical support," at which point Canonical already has the data they need to investigate deeper? Not that that's even great, because 99% of the people who spin up a service will never contact Canonical and shouldn't have their info shared.

Yeah, I thought about that possibility, but I'm skeptical because the usefulness of Canonical getting that data directly from Microsoft seems really minimal. Whatever data Microsoft is collecting from its clients (I'd think it's at most metadata about base images, instance types, and maybe number of instances and usage patterns) should be trivial for those clients to provide to Canonical, if needed, if and when they initiate a support contract.

“Ouch. Big bug. Let’s contact the users who installed it from the azure marketplace. Good thing we got their names when they installed it!”

"Ubuntu Server on Azure best practices guide.pdf"

> That said, I can't see where that legal restriction is

It's probably part of the contract between MS and Canonical.

Which is a problem. I'm much happier if that restriction both exists and is enforced. If we can't see that contract, then it's all based on trust, and trusting tech companies with personal information has not gone well so far.

> but restricts them from using contact details for marketing purposes ... Canonical then tells us that this person was a Sales Representative

I don't understand - what's the difference between marketing and sales? Sales is trying to sell you something? But that's also marketing?

Wow. I just lost a whole lot of respect for Canonical. “If you read the document we expect nobody to read, you’d know that you sold your soul to us. We didn’t mean for you to find that out but one of our salespeople got overeager and tried to sell you your soul back. He will be reprimanded. Can we all forget about this real quick?”

Canonical's been scummy for about a decade now. This is the same company that shoved Amazon results into local desktop searches, then responded to criticisms of that with "Don't trust us? We have root.".

Pretty ironic considering the meaning of the word "ubuntu".

I'm all for Occam's Razor and don't usually buy corporate bullshit, but this comes to my mind:

- Azure is the second largest cloud provider worldwide

- Ubuntu is probably the most common Linux distro installed in the cloud

- We never heard about another episode like this before

Now if Canonical was allowing / encouraging this kind of behavior from their sales rep, I think we should have seen it happen in the wild before (like, a thousand times?) already; since it only happened once, I'm inclined to believe them. Also see [1]

Now let me think: I'm not OK with Canonical accessing my contact information because I spin up a VM, but I'm also not OK with Microsoft sharing my contact information with Canonical. What's wrong with "let me call them if and when I need?" But I'm European so maybe a little too privacy focused.

[1] BTW: let's say 99% of Ubuntu VMs are spun up to host some boring WordPress site, nouvelle cuisine blog or leather shoe shop. What's the chance of an Ubuntu sales representative ever making a sale this way? I guess it must be pretty slim, so he'd have to contact hundreds of potential customers to turn a few sales - something that would quickly get reported if it was a corporate business habit. This reinforces my first impression.

We haven't heard about it before because other sales reps didn't admit to knowing that a customer had deployed something, and reached out to the customers under the guise of a standard-looking sales pitch that got dismissed as the regular kind of spam. That would be my take on it.

I feel like you're missing the point. I wholeheartedly believe Canonical does not encourage this kind of behavior from their sales rep, but only because it makes it obvious that they're getting data from MS they really have no right to access, when they really intend for it to just stay hidden behind some voluminous terms of service.

You know what they say, the definition of "gaffe" is when someone tells the truth.

This was my first response as well (it's not the data sharing that's the problem, it's that you noticed).

Thinking about it though, a lot of it is a question of surprise and unknowns. I would find this message to be a lot better - "We see that you've taken advantage of the Ubuntu image that Canonical provide in the Azure Marketplace. I am available to you for (etc.)".

> I would find this message to be a lot better - "We see that you've taken advantage of the Ubuntu image"

No. That's not better at all.

The mere fact that Canonical has specific information to reach me when I am not a direct customer of Canonical is a complete violation of my privacy.

Ubuntu is a free product. Canonical should not be able to find out if I (specifically me or my organization) allocate or run 1 or 10000 instances of Ubuntu.

> Ubuntu is a free product. Canonical should not be able to find out if I (specifically me or my organization) allocate or run 1 or 10000 instances of Ubuntu

I agree with the message behind this and obviously Canonical and Microsoft are both being extremely gross.

But Ubuntu as a binary image (or source code) is a very different product than a VM with Ubuntu pre-installed and pre-configured, which is what you paid for (and is why you got ensnared by their horrible anti-user license).

> But Ubuntu as a binary image (or source code) is a very different product than a VM with Ubuntu pre-installed.

How? Why? If it's different in any meaningful way from just clicking "next" on the installer, then it's no longer Ubuntu, and certainly not Canonical Ubuntu, that's pre-installed. It's become, at best, Microsoft-Ubuntu-Because-Microsoft-Added-Telemetry-For-Azure. Or it's Canonical-Ubuntu-Configured-By-Microsoft-With-Azure-CLI-Preinstalled.

It's not "Ubuntu" any more.

You don't get to decide what is and isn't "Ubuntu", Canonical does. Did you likewise declare that Ubuntu isn't Ubuntu anymore when Canonical dropped Unity? Or when they added snap? Or when they added or later removed the Amazon search plugin?

When I'm paying for an official Azure version of Ubuntu on Azure, I darn well expect there will be a closer support relationship than the free desktop version.

> When I'm paying for an official Azure version of Ubuntu on Azure, I darn well expect there will be a closer support relationship than the free desktop version.

Okay, but maybe other people don't want that if it entails their information being shared with a company they haven't initiated a business relationship with?

> Using their software on professionally hosted servers

> haven't initiated a business relationship


The servers are not hosted by Canonical

But the servers are running Canonical software. Just because it's GPL'd doesn't mean that Canonical doesn't own it or that you have no relationship with them by using it. You are paying them a license fee to get the azure image, after all.

To say that you have no business relationship with Canonical while paying Canonical to use Canonical software with official Canonical technical support is absurd to the highest degree.


Just FYI, this is bad manners. I deleted the comment because I didn't want to continue the conversation and I especially didn't want to engage with you - specifically, your comments here and elsewhere indicate that you are frequently toxic and hostile.

You deciding to resurrect the comment because you happened to see it before I deleted it is really not OK. It's the exact kind of toxic hostile, creepy interaction I was trying to avoid from you by deleting the comment!

> your comments here and elsewhere indicate that you are frequently toxic and hostile

I thought your comment was interesting and merited a reply for others to see and discuss. But I see you disagree so I've removed the content of my reply.

Feel free to flag any comments you find particularly toxic or hostile. You can do that by clicking on the timestamp of the comment and clicking the `flag` link.

Or even better, let me know (like you have done so here). I can't improve myself if I don't know there's a problem.

There's no problem with your comment so please do not "improve" yourself based on the parent; they should, not you.

Erasing history and demanding others follow your lead is bad manners.

Posting something and deleting it after it has been seen is basically gaslighting. Imagine the kinds of harassment people could get away with if they said rude things to coworkers on chat, then edited the messages to appear benign after the coworker responded to their hostility.

That is why people quote the text of comments to which they want to reply.

To be clear are we to suppose one has a right to say something and then insist others never bring up anything because one has at that point deleted?

Furthermore is strenuous disagreement now toxic and hostile?

Wouldn't it be more trivial to say "I do not wish to engage" and leave it at that? Ironically, calling someone toxic, hostile and creepy is... pretty toxic.

> are we to suppose one has a right to say something and then insist others never bring up anything because one has at that point deleted?

I think someone has the right to change their mind about something they've said. That's why I edited my comment to remove it.

> Furthermore is strenuous disagreement now toxic and hostile?

I don't think so. But I know that I sometimes get passionate about my opinions. I welcome someone's input to keep me friendly.

> Wouldn't it be more trivial to say I do not wish to engage and leave it at that? Ironically calling someone toxic hostile and creepy is... pretty toxic.

I would like to think better than that. I think it was good of @ojnabieoot to let me know that they thought I'd wronged them.

Some people can feel very anxious or awkward in conversation for very good reasons. They can state opinions and then choose to retract their opinions for any reason -- even if the opinion is held but they choose to remove themselves from the conversation. I think that's a good thing to discuss, but this isn't the venue to.

If you go to Ubuntu's web site, they will offer several distinct ISOs, each optimized for different usecases; and yet I'm not charged all of my personal information there either.

Ditto the Ubuntu images on Docker Hub.

Right. If I can run Ubuntu on Docker without Canonical knowing, I should be able to run Ubuntu on Azure without Canonical knowing.

This is a big misstep for Microsoft, from my point of view. I think it's less a reflection on Canonical, because once they have the information, it's ultimately going to be used. Microsoft just should not have agreed to the arrangement at all.

Both Microsoft and Canonical are for-profit enterprises.

To quote the old Native American (?) fable: You knew what I was when you picked me up.

> Both Microsoft and Canonical are for-profit enterprises.

I don't think that most people have a problem with that. The problem is being sucked into something without ever agreeing to it.

In the era of privacy sensitivity (which I think is healthy), being watched in a place and prodded from a different channel is disturbing.

I don't mind people trying to reach me with the hope of sales based on information I've provided to them, but this is too far.

Also it removes two veils from both companies at once:

1. It seems Microsoft still has sneaky tactics, but they're more invisible.

2. Canonical is somewhat more aggressive and greedy than it seems, and Ubuntu desktop is just a freemium product, or another capturing device for further vendor lock-in.

The alternative is that Azure owns complete access to the customer. Which seems... well, an easy skip to App Store-esque rent seeking.

So MS sharing "their" customer details with the image provider seems more generous than evil. Provided there's a "Do not share" config option somewhere.

If I'm doing business with Azure, I would absolutely expect them to keep my data and behavior private. It's part of the reason why I would be paying them (instead of expecting something for free) in the first place.

So if I write a piece of software that eventually makes it to Debian and Ubuntu, am I entitled to your name, address, phone number, email, and a data feed showing every time you start or stop your Ubuntu instances on Azure? After all, I am a third party software provider at that point. And look, Azure doesn’t even have to tell you they are sending me all that stuff. It’s in the TOS you didn’t read!

If I choose to run an image maintained by IgorPartola, sure!

If I download packages and Ubuntu, and assemble my own image, or use one assembled by another org, probably not.

I think the disconnect is that for me, image packaging and updating is work, and that work has an author, and the author is deserving of certain rights others are not.

If Azure is auto-pulling Ubuntu images, building containers, and publishing themselves, then that's a different story.

The issue is more so *why* Microsoft is sharing this information with Canonical. — what does it obtain from it?

Ubuntu is gratis, so Canonical can't have coerced Microsoft into doing so; it is quite probable that one approached the other to make a deal, and that Canonical is paying a certain fee for this information.

The code is gratis. Although, partnership deals tend to go beyond simply sharing code, and into the realm of dedicating time and resources to working with each other.

I think this is why this doesn't shock (shock!) me.

We're talking about a curated, supported, official image here, right?

If folks want to use a "MyUbuntuImage" they or someone else packaged and uploaded, more power to them.

But by pulling a Canonical image, you have a relationship with Canonical. Expecting that relationship not to exist "because open source" seems to be misunderstanding who does what work.

As to whether this should be opt-in, done, etc. is another matter entirely. But the fact that it exists at all doesn't feel particularly shocking.

It's not like we're talking about everyone who pulls a RedHat image's info being sent to Canonical!

The code is more than just gratis; it's libre. This is Ubuntu, based on Debian GNU/Linux. (Yeah, okay, some of the code is merely gratis, but most of it is libre.)

I don't expect an OS based on an OS based on an OS based on a half-finished OS based on free software principles to have shady data-dealing attached, yet hidden from the people whose data is being dealt.

My point is that it's not about the code at all.

You might not have expected it, but privacy protection is not any sort of obligation encoded in any extant concept of Free Software.

Free software is about user empowerment, and the ability for users to be hackers if they want to (or employ people to make changes on their behalf). “Sike, we've been stalking you and you can't do anything about it” is antithetical to this ideal.

Privacy protection is not an obligation, but transparency and openness is. Yes, you're not contractually required to not make a separate computer system that's proprietary and closed and disempowering, but that's so pedantic as to be malicious.

It has nothing to do with Free Software. I'd expect the same treatment if I were paying Microsoft to run Oracle for me.

So you didn't read the ToS, I take it? I did. I do whenever it's something important to the company's infrastructure. Canonical is the one at fault here for not adhering to Microsoft's guidelines. But Microsoft put the warning on the package.

I mean, it's kind of ridiculous to think that you could do anything in a cloud environment system and not have your actions tracked. Hell, with automated load balancing and load-based billing, that's literally what you're signing up for.

Another vector here is the WSL.

I wouldn't be surprised to learn Azure was paid (either money or developer time) and this is happening for other products. I would think twice before using Azure if I was concerned about my usage being shared.

It is. For example, I've warned others about the EULA shipped with Dell systems with Linux (Ubuntu) on them for similar reasons... and encourage people to do their own installation of images (containerized or otherwise).

It's not "free as in lying around on the ground", it's free as in "freedom". You have to agree to Canonical's "Terms of Service" to use Ubuntu, so you are a licensed customer of Canonical's.

In this case, the license is the GPL, none of which has anything to say about privacy. Maybe this is a failure of the Free Software Foundation's not to include privacy protection in the GPL. Though even if they were to create a GPLv4, the Linux kernel is still only licensed under v2, so distro implementors have no obligation to use a more restrictive license.

AKA, "the cat is already out of the bag".

In the OP's case, they are additionally a customer of Microsoft's, who explicitly stated they share this kind of information with their vendors.

I am not sure we should add privacy protection to software licenses.

The Debian Free Software Guidelines do not allow discriminating against using Debian for evil.

Oh, I definitely agree, I'm just trying to point out that a lot of people here are making assumptions about what "Free Software" means that literally nobody in the FOSS or Open Source movements has ever said were goals.

> nobody in the FOSS or Open Source movements have ever said were goals

Citation needed. RMS, the FSF and many other orgs made public statements around privacy many times.

I think you're the one who needs to provide a citation, because I've read a lot of the literature on the FSF's website and not once does privacy come up.

Now, I can't exhaustively prove a negative, but I think I can easily demonstrate that the FSF has never meaningfully expressed an opinion on privacy. Go to https://www.gnu.org/philosophy/philosophy.html, open every single page it links to in the body of the text, and search for the word "privacy". It does not show up in the body text of any of those documents. It shows up once in a footnote that mentions a change that Samsung made that "caused privacy concerns".

The closest they get to even mentioning the concept of privacy is when they talk about the right to modify software and use those modifications "privately", which clearly does not mean anything about user privacy.

If privacy were so big of a concern for the FSF, you'd think they'd talk about it in their official documentation on their philosophy, or put something about it in the ONE tool they have to have power over anyone: the GPL.

This is plain false. Debian routinely disables trackers and homecalling functions in the packaged software and even in the documentation.

I think you misunderstand. Debian doesn't have restrictions on how end users use their software. They do however make an effort to ensure the software they distribute is high-quality and doesn't do bad things to the user.

Indeed, if you want to help fix privacy issues in Debian, please check out our wiki page:


> the license is the GPL, none of which has anything to say about privacy

The anti-patent-trolling, anti-tivoization and copyleft provisions are there to protect developers and users.

Additional clauses around privacy and security would be very nice.

Unfortunately, corporate-sponsored FUD made a lot of people wary of the GPL - which is ironic, given its protective features.

People are coming into this thread, talking about "this should not happen cuz free software." And Free Software protections are just completely orthogonal to privacy protections.

There is a certain level of reasoning where one might say that, if the software were truly libre, you could "just" fork it and rip out the parts you don't like. But because you clearly can't "just" do that, then the software must not be free.

Yes. The software is not Libre.

But it's not clear to me that this is the case because the system is hosted on Azure or the distro is Ubuntu. Your rights within a marketplace go only so far as you can throw your alternatives. Software, especially operating systems, are just too complex to expect the concept of Free Software to be sufficient to protect user privacy.

The idea is that, if free software principles were widely followed, this kind of spying could never be built in the first place. It'd be like a rice cooker that refuses to cook a full portion if you're putting on weight, or a washing machine that won't turn on during peak energy hours; a bizarre, unprecedented imposition on the principle that you should be able to do what you want with your stuff.

Well, it's a neat idea, but so is communism, on paper.

It is a violation of your privacy that you may have already agreed to - presumably MS mentions this in their ToS/privacy policy that this information will be shared. They just conveniently forget to remind you that when you deploy a VM...

Another interesting question: aren't you a direct customer of Canonical here? When you buy stuff off of any marketplace or though a reseller, it seems to me you are a customer for multiple companies. Examples: buying an iPhone from AT&T, buying a laptop from Amazon, buying a Subaru through a dealer.

I think there's a difference here; you can get Ubuntu for free outside of Azure without being a customer of Canonical, but you can't get an iPhone from Apple for free just by going through a different channel.

I think I'm missing something... Ubuntu is developed by Canonical, right? Just because you do not pay for it when you get it outside of Azure does not mean you are not their customer?

Doesn't customer imply a paying relationship? If I put some code online and let people use my software I'd say that makes them at most my users, not consumers.

When you get it a certain way through Azure you both enter a contractual agreement with each other, and that does make you a customer.

I think requiring payment is a bit too strict a requirement to define a customer. Your users still agree to your license, so there is a relationship established, you may just not get any benefit from it (monetary or otherwise). Even in your license you likely have to be explicit that "software is provided as-is" and you aren't responsible for it misbehaving - otherwise your customers/users could try to sue you. Just because you don't pay for Ubuntu doesn't mean Canonical does not get anything out of you deploying it. Do they gather any kind of data about users' behavior?

>one of our salespeople got overeager and tried to sell you your soul back. He will be reprimanded.

I don't think the (non-)apology even gave that much, just that the training/policies will be "reviewed", which is even weaker:

>>In light of this incident, Canonical will be reviewing its sales training and policies.

I speak enough corporate to know that this guy gets to be chewed out. They singled him out in their response and said he was new. If they stood behind this policy they would have basically diffused the responsibility without mentioning him specifically. I could be wrong of course, but he cost a bunch of people a bunch of time and effort and unpleasantness so he'll get yelled at.

They singled him out because the original tweet showed the salesperson's full name and picture. He might lose his job because he unintentionally showed everyone how the sausage of monetizing open source is made.

Why Canonical? Isn't this a Microsoft feature?

Yes, the fact that Microsoft shares this information is concerning. But Microsoft only provides the information to Canonical (according to the ToS) for technical assistance and product support, not for marketing purposes.

Canonical is the one who violates trust here. Because they are using this information for marketing purposes, which they are not allowed to do under the information sharing agreement that they have with Microsoft.

So yes, we could argue whether Microsoft should be providing the installation information in the first place. It should at the very least be opt-out (on by default with the ability to not share), and preferably it should actually be opt-in (off by default, check a box to allow). So there is a violation of trust going on here, but this isn't any different than every other major tech company is guilty of right now (not that it makes it right).

But Canonical is the one that took the information and used it in a way that was never agreed to by either the person sharing the information (Microsoft) or by the user via the ToS (the ToS says that it is strictly for tech support, not for marketing). Canonical is the one that really overreached here.

You're obviously correct in the de jure sense, here. But there is also a matter of relationship expectation.

An unstated assumption of using any "free" product is that it's not actually free. Canonical screwed up, to be sure, but I do think many of us just expect getting harassed by salespeople to be the cost of using a "free" product.

Microsoft, on the other hand, charges me by the hour for using Azure. They've taken their pound of flesh, so my business expectation is that I'm going to be left the hell alone for anything other than billing matters. Them sharing the data in the first place, for something I've paid money for, FEELS like the bigger violation to me.

Depends a lot on the free product.

For a linux distro, my expectations are that it's "free" but support will cost you money. My expectation is not that it's "free" and the OS will spy on you and report back to HQ so sales can make more sales.

If I don't give personal information on installation my expectation is the product is not harvesting or forwarding that information (For example, I expect that with Facebook, I don't expect that with GIMP).

Both are certainly wrong IMO. MS for giving personal info to a 3rd party and Canonical for bundling spyware with their OS. Both are super icky.

That depends on the distro, a lot of distros offer gratis support. Some like Debian have both paid and gratis support.


Well, in this case it's not from the OS, but purely from Azure.

And you're selling the information in order to get tech support from Canonical, otherwise you can get it without selling your info (but won't really receive tech support).

> They've taken their pound of flesh,

As an aside, "pound of flesh" doesn't mean "payment", it means "something that is one's legal right but is an unreasonable demand (esp in the phrase to have one's pound of flesh)", both in Shakespeare and in current usage.

Unless you feel Microsoft's price is unreasonable and you have no other option, "pound of flesh" isn't the right expression.

Something like "they've taken their cut" is more accurate.

Thank you for the aside!

Too late to edit, though.

Thanks for hearing it out!

Both to be honest. Canonical shouldn't have asked, and Microsoft shouldn't have agreed.

Neither one is an innocent party.

Shit companies in a shit business relation. Can't wait to see that marriage between the two.

It's an example of a risk with cloud providers that isn't talked about often or is ignored. For example, why doesn't Walmart use AWS?

Companies now leak a lot of metadata about what they are doing. If a teeny company like Canonical is mining stuff like this, consider what Microsoft knows about how you use their products, and I'm sure your EA negotiation as a big company is at some level driven by what they know.

How is a Canonical rep contacting him purely a "Microsoft feature"?

It means that Microsoft is providing information that they shouldn't.

And Canonical decided to take that data, search for him on LinkedIn and contact him. Seems reasonable to see that as a reason to lose respect for Canonical.

Don't get me wrong, what Canonical has done here also isn't good. But what they've done shouldn't have been possible because Microsoft shouldn't have given Canonical the information in the first place.

The question I have is what's in it for Microsoft, why did they even bother to do this in the first place? I can't believe there would be that big of a cash incentive.

If this were Windows, I would expect Microsoft to pass it to an internal department that sells higher service contracts and then off to 3rd parties that provide the same for up to a week after you find the "don't share my data" checkbox.

That (enterprise support) is a very important side business. Whether they got cash from other OSes or just set it up the same to fight an eventual Anti-Trust Case is anyone's guess.

Again, the user's relationship was with Microsoft, not Canonical. Microsoft is the one who the user entrusted to protect their data, and they didn't.

The user chose Microsoft's Azure product to run Canonical's Ubuntu product. The user has relationships with both vendors.

How does that make Canonical's side of things better?

It doesn't.

Well, what should we be more angry about? That Canonical's sales rep is using data in their CRM, or that Microsoft is selling data to third parties? The root cause seems to be Microsoft, not Canonical, and (at least in my eyes) the conclusion is not "don't trust Ubuntu", but "don't trust Azure".

Someone giving you a gun doesn't absolve you of the crime of shooting someone with it or of keeping the gun.

edit: The data doesn't just magically show up in Canonical's CRM. They spent time and effort establishing an integration with Microsoft and then building processes on top of that data.

As stated above, MS isn't selling this information. They are providing it for customer support purposes.

In the business world, having data marked "customer support only" is pretty common. There are quite a few laws acknowledging the difference. Importantly, the data is supposed to be kept separate and it sounds like Canonical screwed up here.

The takeaway is "don’t trust Ubuntu or Azure".

It’s like if you tell a friend that there's a key to your back door under the mat but to keep it a secret and instead of keeping the secret they tell a mutual friend about it and that mutual friend robs you since they know where the key is.

You shouldn't trust the friend that told your mutual friend where the key was and you shouldn't trust the mutual friend who robbed you.

The friend who told your mutual friend may have done so for what they thought were useful reasons, like letting the mutual friend know so they could fix something for you while you're out, but they still violated your trust no matter what their intent was.

This is the 'not on prem' tax that will be the norm going forward.

I'm under the impression that on-prem Ubuntu phones home. I guess maybe it can't guess your LinkedIn name, though.

It's trivial to disable any telemetry considering it's open source:


Because Canonical’s response was “oops you actually found out.”

> one of our salespeople got overeager and tried to sell you your soul back. He will be reprimanded.

I wonder what have the consequences been for that guy.

Probably a promotion for failing upwards. At least, that's how precedent makes me feel about it.

Probably a "graduate trainee" who got a stern talking-to.

You had respect for Canonical after they put ads in the OS?

We all know that you can't trust Microsoft, but a lot of people blindly trust Canonical just because they create a Linux distro.

I haven't trusted Canonical since I noticed their pattern of creating competing alternatives to new Linux standards instead of helping them (Mir & Wayland, Snap & Flatpak, Unity & Gnome 3). It'd be one thing if they were bringing better ideas and long-term support to their alternatives, but they just seem to be half-baked copies. I appreciate all they've done for the Linux ecosystem, but I'll stick with my Debian.

Mir and Wayland was because Wayland couldn't do what they wanted technically.

Snap came BEFORE flatpak. Flatpak was the "new competing standard" in that situation.

And Gnome shell, quite frankly, sucked. IMO it still sucks, but back then it sucked WAY worse.

Yeah, I wouldn't put down Ubuntu's traditional attitude as "we'll copy something so we can own it" - it's more of a "we'll do whatever we think is better for the experience we provide, screw the community". Which is still misguided and fundamentally doomed to fail in the long run, but not as malicious as, say, Apple's moves.

At the end of the day the scorecard reads:

- Mir: failed

- Unity: failed

- Snap: mostly failing

Meanwhile RedHat takes over stuff that doesn't work, makes it work a bit better, and pushes it on the whole ecosystem as "the" solution. And they win, and win, and win.

> - Snap: mostly failing

As much as I hate Snap and remove it from my Kubuntu systems, I don't see where it is failing. I frankly see a lot more non-linux-focused vendors support to snap than flatpak. Could you expand on that point?

It took years to get any sort of buy-in from app-developers, and I know quite a few users who are actively running from it. Just last week I helped a friend who was surprised and somewhat disgusted by the fact that certbot seems to have embraced it.

It’s not a question of which one will succeed between snap and flatpak, it’s whether the ecosystem really needs either one of those.

> Unity: failed

Unity failed because they abandoned it, but it was way better than Wayland+Gnome. The problem was that it was based on Gnome 2 and had Mir under its belt, so it would've been really really hard to somehow upgrade it.

Mir is still going as one of the better Wayland compositors out there.

Unity didn't fail: ongoing development on it was cancelled because there was no way to successfully monetize it. It was, and remains, one of the most successful desktops out there.

Everybody knows how the FOSS ecosystem works: if you don’t get buy-in from the community, a project dies. Unity wasn’t adopted by the community, and as soon as sugar-daddy money ran out, it died. That’s what failure looks like on the Linux desktop.

Unity had fantastic buy-in from the community. There were more installations of Unity 7 than there were of Gnome 3 or KDE 4 back when it was still being distributed.

If your definition of community is "people who develop desktop environments for open source software" then you're already limiting the size of your community to a few dozen or so individuals, and we had a few dozen contributors to Unity so I'm not convinced of the strength of this argument.

If your definition of community is "people who don't use Unity" then of course "everybody knows" that's trivially true. Some people also know it's a tautology.

Unity is still around, it was forked by the community and renamed to Lomiri:


> Mir and Wayland was because Wayland couldn't do what they wanted technically.

What exactly is it that you think Wayland couldn't do and why was it necessary to invent an incompatible application interface to achieve that?

> Snap came BEFORE flatpak. Flatpak was the "new competing standard" in that situation.

And AppImage came before snap.

> What exactly is it that you think Wayland couldn't do and why was it necessary to invent an incompatible application interface to achieve that?

From the mir technical architect (found on askubuntu): https://samohtv.wordpress.com/2013/03/04/mir-an-outpost-envi...

> And AppImage came before snap.

Exactly right! And if the ONLY goal was compatibility, we all should be using appimage over snap. But snap was and is trying to promise more in terms of end-user security and transactional updates from the vendor. So there is a legitimate reason to make something new.

For servers, I would trust Debian over Ubuntu/Canonical any day. The way their releases work, the default set of running services, etc.

In general, I personally prefer the way Debian works (Debian the Project - not the Distro). It has a board of elected developers governing the project. I would prefer that over somewhat opaque functioning inside a company (Canonical).

To cite as an example, here's how they decided on the question of init systems [1].

[1]: https://www.debian.org/vote/2019/vote_002

I'm not sure how many times this needs repeating, but Snap wasn't an "alternative" to Flatpak; the latter didn't even exist when the former was created. Many people arguing about this issue don't seem to get this.

Yeah, stuff like this is why I only treat Ubuntu as a stepping stone.

I even tried to install Debian while I'm still not really used to Linux, but the graphics card immediately crapped itself on boot, so it will have to wait...

> tried to install Debian […] but the graphics card immediately crapped itself on boot


This is kinda both hilarious and helpful. Thanks for sharing.

I guess you have an Nvidia card? The two other major vendors have mainline (therefore GPLed) drivers and basically work out of the box. Keep that in mind during your next hardware upgrade.

Nvidia was the least terrible solution about 10 years ago (I have PTSD from installing binary blobs and editing Xorg.conf to make it work.) While others have improved tremendously and you don't have to do anything to get full 2D and 3D acceleration (just boot the system), the Nvidia experience™ hasn't changed much since then.

No, AMD (which indeed surprised me).

I have to decrapify every Ubuntu install. They have so much telemetry and autoupdate and other BS.

I'm starting to learn too much about apt to try and prevent things from reinstalling themselves.

Why keep using Ubuntu at that point? There are plenty of other Distros.

Launchpad, Bazaar, Upstart.

Some of them nice projects in their own right, but it's hard to shake the feeling of NIH syndrome.

Since Launchpad existed before Github, Bazaar before Git, and Upstart before systemd, I am not sure where the NIH feelings are coming from.

I think the Marketplace quote is worth noting too:

>A look at the terms for the Azure Marketplace throws up this sentence: "If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage."

So the publisher of something on their Marketplace gets some information.

This doesn't seem 'that' weird (well, the LinkedIn contact does) as it seems semi-related to... say, apps and app stores and etc.

Edit: I'm not justifying the policy, but I am noting that on a marketplace with third parties, this seems pretty standard / something you should always consider when you install something from a third party.

But I think that these comments from the Twitter thread are very valid:

> I believe you spun up the VM based on an image from the Azure Marketplace, specifically one from Ubuntu. That is not a Microsoft image, you accepted an offer from Ubuntu and now they contact you to follow up. That's my understanding of the situation. Hopefully someone can clarify

> Where exactly is any ToS visible?! As soon as I clicked on "add new VM", the first option suggested was Ubuntu 18.04. I didn't dig into the Azure Marketplace. I just picked the first option available since I quickly needed a Linux-based test VM.

I mean, I'm not as familiar with the AWS marketplace, but I use the GCP marketplace, and when I choose an offering from that marketplace it's very clear I'm just buying a prepackaged solution from another vendor, and I'd expect that other vendor gets my info. IMO this is very different from choosing the OS for your VM from a dropdown.

I think this is one of the points that the spirit of GDPR and similar legal frameworks gets right: users have the right to opt-in, without service being degraded if they don't, to data sharing unless that data sharing is "necessary" to fulfill the transaction (I believe this is the basis for "legitimate interest").

If I'm buying a SaaS or DBaaS from a vendor over a marketplace, or launching a metrics collector where phoning those metrics home is a core value prop, I'd be fine to be told that sharing information with the end operator, not just the marketplace, is necessary to fulfill the transaction. And there should be contracts in place to ensure my data's not used for unrelated purposes. If the operator breaches those contracts, the operator is liable.

But in what possible way is "using a pre-packaged Linux distribution" a transaction where sharing information with the packager is "necessary?"

I have no doubt that Microsoft's lawyers have covered their posteriors here. But the spirit of these regulations would be that users don't have the expectation that they're opting into Canonical getting their info just because they use a bog-standard Ubuntu distro. Users didn't knowingly consent to this.

(EDIT: not a lawyer, not legal advice)

You buy a dishwasher from Best Buy. They send your name and address to Maytag. You buy soap from Walmart. They send your name and address to Johnson & Johnson. You buy a sandwich at your local deli. They send your name and address to Boar’s Head. Cool?

I know this is meant as a rhetoric, but it sounds like car sales. I bought a car last year. They sent my name and address to Sirius XM and now I'm getting spammed by marketing calls + marketing physical mail for Sirius XM when I don't need such service. I have a phone and all my music on it. It's already something that happens in the non-software world and it's definitely annoying there too!

In the case of Sirius it's pretty amazing the lengths they'll go. They send out a Customer Agreement with a welcome packet when they activate a trial subscription for a particular unit (usually when you buy a car, new or used, but I've received it on my car that I bought 4 years previously). That agreement, it claims, has the power of contract, and will be binding on the customer as soon as the service is activated or the customer receives their policy. Of particular offense to me, it subjects the customer to binding arbitration (for a trial subscription the customer never requested or affirmatively agreed to). They've literally gone to the Supreme Court (and lost) arguing that a trial user could not sue for their nuisance mail because of the arbitration clause. The agreement states that it remains in effect unless the customer cancels their (trial) subscription within 7 days of activation, and only by phone.

In my most recent case I received such a packet 6 days after the date they said they activated the service. I called the same day and told the agent I wanted to cancel my trial subscription, citing specifically that I did not want the service and refused the terms of the agreement. The retention script (which is the same no matter which agent you talk with) is, "well you can keep the trial going and it will just expire", and repeat it several times. You have to be persistent and use the language "cancel my subscription", or you will get nowhere.

If the trial contract isn't enforceable, why bother canceling?

I want them to stop sending me nuisance mail whether or not the contract is enforceable.

Did canceling stop it? They still have your contact information and they still know you have a satellite radio in your car.

I still received mail sent before I cancelled, I received a piece of mail acknowledging a cancellation and offering a new, discounted subscription. I believe I received at least one more piece of mail.

To be clear, I do not think any of my efforts will get my contact info out of their databases. Auto purchases are recorded publicly (at least in my state).

My comment above was about the extent to which Sirius, as a company, puts up hurdles to protect their nuisance practices, including shrouding them with legal claims that they will defend at the highest levels of jurisprudence. They lost their case in 2014 and updated the language in their agreement, presumably to address the weakness of their previous agreement, since it still claims to bind the customer without any action on their part.

In any case, I do not want to derail this thread any further.

That specific one really sucks. Every time I’ve bought a car that had a satellite radio I got spammed for like two years by Sirius XM. How are they still in business?

Sometimes it's just public records... I know someone fucked up if they use the wrong last name. Makes it easy to filter out spam.

> You buy a dishwasher from Best Buy. They send your name and address to Maytag... Cool?

Since most appliance manufacturers require you registering your product with them for warranty service, yes, please take care of that for me (many appliance stores do). Now _should_ Maytag require that registration? If it makes for a quicker and smoother warranty service process then I'm okay with it - better than needing to dig up a receipt in three years, only to find that the thermal printing has faded.

There is a difference between you checking off a box that says "send my info to Maytag" and Best Buy just doing it and then, when you find out about it, Maytag saying "you weren't supposed to find out".

The difference, as usual, is: consent and control. 1. the user did not provide affirmative informed consent (it was buried in a ToS doc that nobody reads) and 2. the user has no meaningful control of the sharing.

> Since most appliance manufacturers require you registering your product with them for warranty service, yes, please take care of that for me (many appliance stores do)

Manufacturers legally have to honor their warranty regardless of you giving them your information. They don’t exactly say you won’t be covered by warranty if you don’t “register”, because they legally can’t.

The trick used in the US is that if you do not offer this information you get a ridiculously short legal-minimum warranty.

In over two decades of buying appliances and electronics, I’ve never seen a device in the US offer a longer warranty if you send in your information.

Really? This happened to me at least ten times, and I'm not even American, I just sometimes buy devices directly from the US. For example, my LG phone comes with an additional year if you register your device.

I don't know if it is cool, but I wouldn't be surprised.

The idea that an AWS or Azure marketplace with third parties involved is different than, say, my example, an app store with third parties, seems like a good way to think about it.

I'm not justifying the policy, but I am noting the context isn't that different and how we should think about it.

That’s fair. I guess if Canonical is selling something directly by using Azure’s storefront that’s a different thing. Still, their response to this is pretty terrible.

> You buy a dishwasher from Best Buy. They send your name and address to Maytag.

For warranty purposes of course

> You buy soap from Walmart. They send your name and address to Johnson & Johnson.

In case they need to recall the soap

> You buy a sandwich at your local deli. They send your name and address to Boar’s Head. Cool?

So you can get some cool Boar's Head swag!

Just kidding of course. We need much better data privacy protection.

> So you can get some cool Boar's Head swag!

I can’t even imagine what that might be. But technical support for my sandwich making needs would be fun. Kind of how Butterball (I think it’s them) has a help line on Thanksgiving for cooking turkeys. They made the news a few years ago by hiring men to work the phones because they learned that men cook more frequently now but feel uncomfortable asking women for advice. I had a good chuckle at that.

>I can’t even imagine what that might be.

A mounted boar's head to mount on the wall that makes grunting sounds when it's sammich time. But being HN, it'll also have cameras for eyes (3d) and microphones in the ears so that it knows when it is time to re-order more product. Maybe it'll link with Alexa/Siri/GHome with an articulated mouth so that it makes it look like it is Alexa. If you place it where it can see the contents of your fridge and/or pantry, it will be able to automatically order food for you.

The lack of imagination these days... /s

I have a sneaking suspicion Boar's Head et al. know sandwich making secrets that would substantially improve my lunches.

I mean, you do anything for long enough, you get good at it. Especially if you're soliciting feedback from even more people who are doing it.

I think somewhere out there there's a story of a Brita customer support rep tracking down a filtration engineer to get a technical answer to how long one could filter and drink urine for.

Those actually seem reasonable (other than the swag one) if and only if that info is locked away on a need-to-know-basis, it’s used for precisely that purpose, and regulators vigorously punish any sharing or release. The GDPR seems like a good step in that direction.

For recalls the customer could subscribe to a public recall channel and warranty can be handled on a machine-identity basis (at least until the warranty actually kicks in) so none of those really require personal data upfront.

Up until a few years ago, something similar used to happen when you bought a TV set here in Sweden.

If you bought one, your information was shared with the entity ("Radiotjänst") in charge of collecting the mandatory TV fee (funding public service radio and TV programming).

The fee is now collected as tax instead, so that's no longer the case.

Except we are talking about licensing here, not buying. Whether one likes it or not, buying of physical or non-physical goods has long been very different (I'm not supporting it, but it's the reality.)

Cool? no. The reality? Almost certainly.

Pretty much. What do you think "loyalty" cards are actually for?

I am somewhat OK setting up a loyalty card with a grocery store. I am much less OK with that info being shared. But also grocery stores tend not to check your info when you sign up so I have a whole lot of cards in the name of e.g. Deez Nuts.

The distinction here is when it’s a marketplace. You buy a product from a third-party vendor on Amazon. Amazon sends details of your purchase to the third-party vendor for fulfillment. Cool.

I don't know how I feel about that. Am I doing business with Amazon or the third party? If it's the third party, I want it to be crystal clear that they are the ones who will get my info. And if it's not crystal clear and I find out and their response is "oops, you weren't really supposed to notice that"...

Again, think of the grocery store example: you go in, there is a Boar's Head counter where they sell sandwiches. You grab a sandwich and head to the checkout line. You pay the grocery store worker who is wearing a grocery store shirt and get a grocery store receipt that says you just bought a $5 sandwich and used your grocery store loyalty card. Do you expect that Boar's Head will get the details of your loyalty card, which sandwich you bought, what else you bought, etc. even if the back of the receipt says in fine print that the grocery store may share that information with someone?

If Boar's Head had their own clerk and their own cash register you'd be doing business with them. But then it would be clear cut, right? The fact that the grocery store is processing the payments and presenting it as essentially they are reselling Boar's Head products would imply that Boar's Head is not involved in your individual transaction.

If this is a service you are buying from Boar's Head but they simply use the grocery store's cash registers, accounting, inventory, etc. then I would argue it's on the grocery store and Boar's Head to make it crystal clear who you are doing business with, or else you run into situations like this. And if a situation like the one that started this whole debacle happens, their response should be "We are sorry. We never made it crystal clear why we get this information. You see, we are partners with the grocery store and when you buy our delicious sandwiches from your local Piggly Wiggly you are actually doing business with us. We know it's in the grocery store's TOS, but we think it should be clear that you are actually our customer as well when you transact business with them for our goods. This is to provide benefits X, Y, and Z. If you don't want to do business with both Piggly Wiggly and us, here are some alternatives to get our delicious sandwiches elsewhere and some recipes to make your own. In addition, this incident happened because our sales staff was not properly trained on how we should use our customer data. We are going to review our privacy policies and publish an update in six weeks or sooner with what we will be doing going forward. If you have any concerns, please contact me directly. XOXO CEO of Boar's Head."

Why is it OK for "Grocery Store" to see your data, but not "Boar's Head"? Corporations aren't people. The boundaries are imaginary?

Where did you get the idea that I think corporations are people?

It's OK for the grocery store to see my data because I explicitly consented for them to do that when I gave them my name and address when I filled out the loyalty form. Same way that I need to give some info to Azure to create an account, right? They aren't an anonymous service. But it's an active opt-in situation. You give them your info. They don't just take it.

This is the real answer. I almost did the same thing but decided to spin up my own image instead of buying a prepacked one from the Marketplace.

Exactly, I'm not so much cool with the policy here, but absolutely we should think about what we want and take appropriate actions like you did if we want to avoid it.

Well, my reason was also because I was having so much trouble trying to find a machine+zone+disk setup that was available and under my $50/month budget since I'm running on MSDN subscription credit. What a freaking pain in the ass.

AWS has the same. If you treat it as an actual marketplace with individual images uploaded and licensed by their IP owners and not as “images of popular distros hosted by Microsoft” then it really does make sense. They’re not resellers, they’re just facilitating the marketplace.

I remember when Docker had some bad images show up.

There was much concern, but this isn't THAT different than any other marketplace. Gotta treat it that way.

In this case it's not obvious that you're participating in a "marketplace". Look at the screenshot of VM creation:


If we accept that the Ubuntu image is a marketing device then this screen is using dark patterns.

> app stores

We should praise Apple for not giving our identifying info to app developers.

Great, so their conclusion is "we should make this less obvious and creepy", not "we should probably stop doing this".

My first thought was that companies that are selling complementary services (and that's really the difference between Debian and Ubuntu here) are obviously going to have mutually beneficial affiliate agreements. The vast majority of us are probably working at companies that do that. Someone mentioned Oracle licensing enforcement and yeah, I wouldn't feel like a victim if I used bootleg copies of Oracle and the bootleg copy told them without me expecting it. I think in this case it should be clearer and opt out, but honestly - who among us is the least bit surprised that Canonical at least gets some referral here?

But where they specifically went wrong? Well one of them was absolutely the way the "point of contact" reached out. If my professional email was shared with you as part of a professional agreement, adding it to a mailing list to sell me on the paid version of what I used for free makes sense. Sending some of those specific details to my personal account, which by the way you aren't sure is actually me, is way over the line. The salesperson personally screwed up big time there for sure.

The other thing is the granularity of the data, and that's also over the line. I read that agreement and think sure - they'll know our company has used their company. But specific actions taken by specific developers? There are users that avoid certain providers like the plague because in some way they're competitive, and even if they trust them not to directly compromise security measures, interfere and steal data - they still don't want a competitive company having insight into their costs, development, traffic, etc. This kills the trust you may have in Microsoft from that standpoint.

Yes, that is the big takeaway here and why I just lost a ton of respect for Canonical.

In Canonical's statement they never regretted using the information to contact the user. The part they regretted was TELLING the user that they are monitoring the installs and linking those installs to personal contact details.

Canonical promised to improve training to avoid those "poor choice of words", NOT to stop the practice. Basically they will train their staff to make it feel more serendipitous when they just so happen to reach out about selling an enterprise license moments after you install the VM on Azure. Canonical doesn't regret this sales practice and plans to keep using it. That's the scary part in this story.

Once you decide your cloud platform will include a marketplace for paid, licensed enterprise software, this doesn't surprise me all that much (although it kinda sucks)

I mean, is it even possible to buy an Oracle license without Oracle knowing who you are?

That's marketing

Azure is... really weird like that. Sometimes it feels like I'm working with Amway, not Microsoft.

A few months ago I spent like a week or two playing with Azure Sentinel -- I'm a contractor for a company that develops some security solutions, and I was trying to see if and how the feature I was working on could be integrated with a SIEM. Sentinel, of course, was one of 'em.

So I do my thing, then a few weeks pass, then out of the blue, one afternoon, my phone rings...

...and there's a Microsoft representative at the other end, asking me what I thought about Sentinel, if I encountered any difficulties with it, what my plans are and so on. She seemed to be working off a full report of my usage, too, as the questions were pretty specific.

Thing is, my total usage of Microsoft Azure Sentinel was on the order of, what, 16-20 hours? spread across several months. I don't think I've issued 50 requests in total, and I would've issued fewer than 5 if Log Analytics didn't take like forever to show my data on the free tier (not that I'm complaining, the price is unbeatable :P). I was on the free tier the whole time; it seemed like such a gimmick that I didn't even bother going through the company I was doing all this for.

Either the Azure team is desperate for customers or they have more salespeople than Oracle has lawyers if they ended up calling a small fish like me.

Microsoft is trying to position Azure into the world currently dominated by contractors visiting the Windows Server closets of Main Street businesses. This is how that world works.

I wonder whether the LinkedIn profile of the customer was directly handed out to Canonical by MS, because an invite by email on LinkedIn cannot send a 'custom invite message'. The Canonical agent seems to have manually sent an invite with a custom message, which leaves us with two possibilities -

1. Agent had enough details at hand to confirm that the LinkedIn profile was indeed that of the customer.

2. Access to LinkedIn profile itself (e.g. profile URL).

If 2., how did MS make that association? AFAIK there's no mechanism for the user to connect a LinkedIn profile to Azure or vice versa.

P.S. I know MS owns LinkedIn.

He stated the LinkedIn profile was under a different email (makes sense, not corporate one). I'd guess 1: name+company matching was enough.

Isn't that even possibly illegal? I mean contacting someone on a personal channel for unsolicited B2B sales?

Sadly, I get B2B marketing spam like that all the time as CTO, so I'm definitely not as shocked as others in this thread.

How is LinkedIn a "personal" channel, and why would it be illegal anyway? Direct marketing isn't illegal.

Depending on the jurisdiction it might be. E.g. in Germany cold calls (actual phone calls) even for B2B are only legal under certain conditions (generally either preexisting registration of intent, or if it's common in the specific industry). I'm not sure what the regulations regarding cold e-mail or messaging are, though.

Forgive me. It's Friday.

What was the poor choice of word?

I get that the whole concept is poor. But what word or words?

"I saw that you"

(did something that you didn't expect me to see)

So the poor word choice was revealing how he knew to reach out? So it's that he got caught?

Looks like I'm switching to Debian this weekend, what a stupid company lol

Damn, I wasn't aware that they share this kind of information. Luckily I'm in Europe and I think here they'd need at least an additional opt-in to do stuff like that. That said I have to say "No thank you, please don't send all my data to the cloud" at least 5 times when installing Windows 10 these days, so I'm sure they definitely try. I haven't used Azure in a while though so I can't be sure.

That's also why I use Sublime Text instead of VS Code and run a private Gitlab instance instead of developing on Github (barring open-source work, which I do in the open anyway), as I'm pretty sure MSFT will find an excuse to mine my telemetry data for their own benefit eventually.

Even here in Europe privacy laws are much lighter when it comes to B2B stuff.

It's actually legal to send unsolicited spam to business emails sadly.

A T&C is a terrible place to put this in. This should work like an account linking flow (e.g. sign on with Apple to a site), where Apple lists everything they share explicitly when you click login.

Sending out a cold email is one thing (most of that ends up in spam anyway), but why the fuck are these people taking the contact details and plugging them into a social network?

I don't agree with any of it, it's a violation of trust and burying it in small print doesn't change that. But having people reach out on their personal networks takes the cake.

Given that "everyone" in the community probably blocked this guy on LinkedIn, I'm not sure he's going to have much luck as a salesman going forward.

Under CCPA, can CA residents opt out of this?

"privacy rules" is incorrect wording. You'd better say "privacy legislation" in this case.

"oops, our dirty secret is out. But we won't do it again, guv!"

Per Azure's T&C? It's easy to blame Canonical here... but that sounds like Azure's screw up, and Canonical accidentally revealing it.

As someone who works in tech sales - the real bullshit here is that this is some right-out-of-college 22 y/o entry level sales person (SDR) who was likely told to take this list and message everyone on LinkedIn 1x1.

The negative impact of this goes on his shoulders, while the positive responses from this get passed off to someone else who is outside the blast radius.

Stuff like this is the norm when sales is viewed as an extension of marketing ("we need more leads") and not as a function that helps companies coordinate the evaluation and purchase of software ("we need to find out if this is the right fit for them") and the ones who pay the highest price are at the lowest levels when it's executives who are giving the orders.

> The negative impact of this goes on his shoulders

Well, in this case, people are mad at Azure/MS and Canonical for betraying developer trust, not the individual salesperson. He's just a pawn in the game. It's not like this guy went rogue; this is his job.

The system is set up in a creepy way to enable this type of upselling, which makes people uncomfortable. Whether or not Azure or Canonical change policies, we shall see.

> Well, in this case, people are mad at Azure/MS and Canonical for betraying developer trust, not the individual salesperson. He's just a pawn in the game. It's not like this guy went rogue; this is his job.

It's still his LinkedIn profile plastered all over Twitter right now though, more than Azure's EULA/T&C's.

But no one is calling this guy a villain. For example, his name is not mentioned once in all these HN comments. It's not his fault.

And indeed the Azure T&C's are definitely referenced in the Twitter discussion with the OP. Such as:

"On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."

My reading of this statement is that they are scapegoating the guy.

They are trying to scapegoat the guy. Thankfully, people are not falling for it.

I pulled up his LinkedIn. He started at Canonical three weeks ago, fresh out of undergrad.

I really hope he comes out of this unscathed.

This. Typical Marketing and Sales tactics involve using the lowest level employee both because they're naive and because they have nothing to lose because they're already lowest on the pecking order.

I think an attempt to scapegoat would look more like "in violation of our established policies and rigorous training, a Canonical Sales Representative contacted one of these developers via LinkedIn."

The actual quote acknowledges that the company's training and policies are at fault. I'd also expect a scapegoat to be publicly fired or disciplined, did they say that elsewhere?

> "On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."

This was their official statement regarding this matter. They provided this to The Register to defend their actions when this story got written up: https://www.theregister.com/2021/02/11/microsoft_azure_ubunt...

Edit: Yes so just to be clear, according to their official statement they are scapegoating the salesman. They call him a "new Canonical Sales Rep" to imply he isn't experienced and made a mistake. The only responsibility that Canonical took is that they will "review its sales training".

The only blame they gave him was that he had a poor choice of words. They're not saying he went against training or policy. They're not saying that he's being disciplined or fired.

Canonical said that they need to review their policies. To me, this implies that what he did was not against policy.

Poor guy must be having a hard time.

It really depends on company culture. But there's probably a good chance this affects him at the company internally.

Perhaps. At the very least, it's gotta be uncomfortable for him.

No one is calling this guy the villain, but he is pictured as the villain.

> It's still his LinkedIn profile plastered all over Twitter right now though, more than Azure's EULA/T&C's.

This is pretty disgusting that someone didn't think to cover his name or image while complaining about what is essentially privacy and having a central beef with two companies. That said, while it's disgusting to me, it can easily be shrugged off as "thoughtless" by others because privacy is not a mainstream concept.

Frankly, using a personal profile for work activity in this vein is just not a good idea. Regardless of whether Linkedin ‘forbids’ creating secondary accounts.

This reminds me of a 2019 paper on "moral crumple zones"[1] which talks about how the human component of automated systems is increasingly there to act as the focus for moral failures. Did your giant automated system do something bad? Blame the one human who was assigned to somehow stop that from happening, no matter how impossible that might be.

[1] https://estsjournal.org/index.php/ests/article/view/260

Also see Normal Accidents[1] which discusses "human error" as a PR cover for systems that are simply too complicated for unaided humans to monitor and understand.

[1] https://www.goodreads.com/book/show/192408.Normal_Accidents

Normal Accidents is a real classic of the genre of disaster studies and points out some very useful realities for tightly coupled systems. Engineers building highly complex systems would do well to read the book and take its lessons to heart.

The film "Brazil" was mentioned on another comment on another story a few days ago that touched on this theme, very good movie.

Interesting, that’s a great concept. But I’m not sure of the applicability to this case. I’d expect most people to feel icky contacting a lead on this basis, and so that feels like it’s well within the kind of thing a low level employee should throw a red flag at.

The aspect that reminded me of the paper (and the concept) was how the low level employee can really only screw up. If they do well, then it's a credit to their boss, but if they do something wrong it's on them and they'll be fired.

I think it really is a disgrace that his photo and name are out there linked to this. It's most likely not his fault.

It could also be that the sales person did this on his own initiative for a couple of extra points. It might not be standard practice, but we'll never know.

If a random sales person can easily go ahead and access PII on their own initiative, that's 1000x worse.

Your PII will be in their CRM and they will have access to their CRM. Literally all they need to do this is your name and LinkedIn. If you think sales people won't have access to names of potential leads then I am not sure what you think sales people do on outbound sales.

Even in a CRM there should be checks on who can access what PII and when. There is a difference between "you are assigned 100 leads for the duration of lead qualification" and "you can yourself pick out leads (and can get access to their PII) out of any of the thousands of possible leads".

I think your expectations of how a company handles leads are unrealistic. A company just needs to keep your data safe. A sales person having access to leads makes complete sense. A sales person being able to see if a lead has been chased makes sense. A sales person being able to find leads to chase that they are best qualified to chase makes sense.

Yes, and MS claimed that their agreement with Canonical required them not to share that info with sales.

No, it said not to use that for marketing. And they didn't; the sales person said he would be the point of contact. They didn't market or try to sell him something in his message. He just sent a request to be his contact.

Most people would view the message as being marketed to.

The employee was referred to as a salesperson. Any difference from marketing is pedantic.

The legal difference is important. No court would ever agree that "I'm your point of contact" is marketing anything. And since it was about the legal agreement between Microsoft and Canonical the legal difference is anything but pedantic.

Courts look at the intent of contracts in the minds of the signers, not hyper literal readings of fixed-in-stone words. When both MS and Canonical agree that this breached acceptable usage, it’s time to give up that fight.

Neither company as far as I can tell agreed to that. Canonical said it was a poor choice of words and in light of that will review their policies. AKA tell people not to be so creepy. Microsoft just stated what the terms were. Unless there have been new statements released, which I doubt, since legal would probably have a fit if someone did that.

As I said no court would ever agree that “I’m your point of contact” is marketing.

$10 says there's an Excel sheet that's passed around with all of your info in it.

Of course there is, but there shouldn't be. _Especially_ in a bigger company like Canonical.

Yeah, they should definitely be using LibreOffice ;)

I think LinkedIn is kinda ... tainted so mass spam is just considered par for the course on there, sadly. Nobody thinks twice about spamming on there.

I log on there and it's all spam-ish content. And really all I want to know is what people I worked with are doing now / how they're doing....

Yeah spam, people kowtowing to their company's PR gospel, and the usual "inspirational" messages from sponsors.

It's a sickening mess of PR giddiness but unfortunately it's needed to get a job nowadays.

I hate it so much though, never post anything and I only accept people I actually know.

> is that this is some right-out-of-college 22 y/o entry level sales person (SDR) who was likely told to take this list and message everyone on LinkedIn 1x1.

We don't know that

It could also have been that this person, just in the company and wanting to make a sale, has used leads he wasn't supposed to act on.

I can definitely see an inexperienced person making that kind of mistake. Not blaming the guy, he was just trying to do his job and meet his targets.

But I've seen a lot of "stupid" things done by new people at a company with various degrees of "making the customer or other departments annoyed" (in sales and in technical positions)

I like this distinction that you've made between marketing and sales. As a technically minded person in a business development role, I'd like to know more about it. Do you have any resources that you can suggest?

This feels like some modern day "Glengarry Glen Ross" type stuff.

Modern day? The pressure of sales jobs never went away. Ask your local bank teller. Their jobs exist in this day and age, not to help Grampy who prefers interacting one-on-one, but to sell her credit cards, expensive chequing accounts and loans she doesn't need.
