Users have privacy concerns about Microsoft’s inclusion in Raspberry Pi OS

Posted on Feb 4, 2021 by Caleb Chen

An unannounced update to Raspberry Pi OS has added Microsoft’s GPG key and apt repository for VSCode to the popular operating system, previously known as Raspbian, which is used on millions of Raspberry Pi devices around the world. What this means is that every time a Raspberry Pi OS user types “apt-get update,” they’ll be pinging Microsoft’s servers. This “upgrade” was made as part of Raspberry Pi OS’s embrace of VSCode, Microsoft’s IDE; however, a growing backlash, which has been censored on the official Raspberry Pi support forums, suggests that the Raspberry Pi Foundation has moved a little too fast and broken one thing they shouldn’t break: the trust of Linux users and the open source community, which has long held biases against Microsoft based simply on track record.

Surprise: Linux users don’t like pinging Microsoft servers

On the official Raspberry Pi forum, feedback was largely ignored and civil discourse was disrupted by the moderators. As a result, the Linux subreddit ended up being a much better window into the minds of actual Raspberry Pi users. There, the original poster highlights the issue with Raspberry Pi OS trusting Microsoft’s GPG key:

“They also install Microsoft’s GPG key used to sign packages from that repository. This can potentially lead to a scenario where an update pulls a dependency from Microsoft’s repo and that package would be automatically trusted by the system.”

One redditor, CAP_NAME_NOW_UPVOTE, succinctly described in a stickied comment why having the Microsoft repo automatically included into an OS is a problem:

“By having this repo, every time a Raspbian [Raspberry Pi OS] machine is updated it will ping a Microsoft server. Microsoft will know you’re using Raspberry Pi OS/likely Raspberry Pi owner and your IP address. Many people try to reduce footprint as much as possible, so these are three additional datapoints Microsoft can use to build a profile about you. If you’re logged into a Microsoft service, use Bing, or even pull something from GitHub they can “identify” you as a Raspberry Pi OS/likely Raspberry Pi owner and influence ads, among other possibilities. Arguably (but small) this could be considered an ad itself for VSCode.”

It’s worth pointing out that in this day and age, pinging Microsoft servers is likely to happen whether you’re using Raspberry Pi OS or not, such as when you download a repo from GitHub.
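The two concerns quoted above (which hosts an update contacts, and whose key is trusted for what) can be checked from apt's source entries. The following is an added example, not code from the original article or from Raspberry Pi OS: it parses apt's one-line source format, lists the hosts "apt-get update" will contact, and flags third-party entries that lack a signed-by option. The hostnames, the keyring path and the expected_hosts allow-list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in apt's one-line source format; every hostname and the
# keyring path are placeholders, not values taken from Raspberry Pi OS.
SAMPLE = """\
deb http://os-mirror.example/debian stable main contrib
deb-src http://os-mirror.example/debian stable main
deb [arch=amd64,arm64] https://vendor.example/repos/code stable main
deb [arch=arm64 signed-by=/usr/share/keyrings/vendor2.gpg] https://vendor2.example/apt stable main
# deb https://disabled.example/apt stable main
"""

# type, optional [options], URI, suite (components after the suite are ignored)
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

def parse_sources(text):
    """Parse enabled one-line entries (deb822 .sources files are not handled)."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY.match(raw.split("#", 1)[0].strip())
        if not match:
            continue  # blank line, comment, or disabled entry
        kind, opts, uri, suite = match.groups()
        options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
        entries.append({
            "type": kind,
            "host": urlparse(uri).hostname or uri,  # file:/cdrom: have no host
            "suite": suite,
            "signed_by": options.get("signed-by"),
        })
    return entries

def audit(text, expected_hosts):
    """Report which hosts an update contacts and which rely on global key trust."""
    entries = parse_sources(text)
    contacted = sorted({e["host"] for e in entries})
    third_party = [h for h in contacted if h not in expected_hosts]
    # No signed-by option: the repository's Release file is verified against
    # any key in apt's global trust store, not one pinned vendor keyring.
    unscoped = sorted({e["host"] for e in entries
                       if e["host"] in third_party and e["signed_by"] is None})
    return {"contacted": contacted, "third_party": third_party, "unscoped": unscoped}

if __name__ == "__main__":
    report = audit(SAMPLE, expected_hosts={"os-mirror.example"})
    for key, hosts in report.items():
        print(f"{key}: {', '.join(hosts) or 'none'}")
```

To audit a real system, pass the contents of /etc/apt/sources.list and the .list files under /etc/apt/sources.list.d/ in place of SAMPLE.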

Microsoft repo sneakily added to Raspberry Pi OS

It’s entirely within the Raspberry Pi Foundation’s rights to add code to their operating system, especially in the name of education. What privacy-conscious onlookers seem to have an issue with is the simultaneously fly-by-night and tone-deaf way that this happened.

Another redditor, idontreallycaredou, addressed this aspect in a comment:

“I don’t believe that the action of making Microsoft products available to Raspberry Pi users is wrong; I simply don’t agree with the heavy-handed approach by the Raspberry Pi developers (primarily gsh and jamesh, based on the conversation threads). They seem to be ignorant of the GNU / open source clauses that apply to Raspbian / Debian and are closed to any suggestion of giving users a chance to explicitly opt out. I’m curious as to whether there’s some way to raise an appeal with the Raspberry Pi foundation, as they seem to be fairly reasonable.”

Eben Upton, the founder of Raspberry Pi, responded to questions about the Microsoft repo inclusion on Twitter:

Another redditor supplied a theory from one jdrch: At the end of the day, what we’re seeing here might be the manifestation of whatever caused the operating system to be renamed from Raspbian to Raspberry Pi OS. The former name maintains the etymological association with Debian and Linux ideals which some fear are no longer being respected. At the end of the day, developers weigh “usability” versus privacy concerns and transparency, and we now know unequivocally which side of that spectrum the Raspberry Pi Foundation is on. This doesn’t seem to be news to anyone working at Raspberry Pi – but it seems that many IRL users had different thoughts prior to this revelation.

The Director of Software Engineering from the Raspberry Pi Foundation, Gordon Hollingworth, closed a thread about the discussion on the official Raspberry Pi forum with this statement:

“Thank you, everyone, for your feedback, this won’t be changing because it makes the first experience for people who do want to use tools such as VSCode easier.”