“What you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa and who’s at your front door” — it’s all accessible.
Next to the U.S. military, the most trusted institution in America is Amazon. According to a Harvard/Harris Poll done in June 2021, 71% of the public has a favorable or very favorable view of the giant company, ahead of the police, the Centers for Disease Control, the FBI and the Supreme Court. This shouldn’t be all that surprising, given how focused Amazon is on being “the world’s most customer-centric company.”
Well, maybe it’s time we thought again about how much to trust it. According to a new investigative report by Reveal News and WIRED magazine, the gigantic company has long-standing problems controlling access to customer information. “What you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa and who’s at your front door” — all of that data has become “so sprawling, fragmented and promiscuously shared within the company that [its own] security division [can’t] even map all of it, much less adequately defend its borders.”
It’s another privacy nightmare. Reveal and WIRED report that data privileges inside Amazon have been so loose low-level employees can spy on what celebrities are buying, while others take bribes to help scam artists game Amazon’s review system and hurt competitors. Perhaps of greatest concern: third-party developers figured out how to use a program that allowed sellers to extract their own metrics to collect troves of Amazon customer data. In fact, in mid-2018, at the same time that top company officials were testifying before Congress about how carefully they protect customer data, “Amazon had discovered that a Chinese data firm had been harvesting millions of customers’ information in a scheme reminiscent of Cambridge Analytica.”
Amazon’s failure to control access to all of this vital data is no accident; it is central to the company’s internal design. Founder Jeff Bezos has built the company as a network of small, nimble teams (none are supposed to be bigger than what two pizzas can feed). All of which have access to its massive database. In addition, its thousands of customer service representatives, many of whom work from home, have long had the ability to look up any user’s purchase history.
Internal information security, which ought to be a priority for a company so deeply enmeshed in consumers’ lives, was not prioritized in part because it was it was seen as an overhead cost that cut into profits. Gary Gagnon, a former information security chief brought in at the end of 2016 to improve things told Reveal and WIRED that “the budgets didn’t align with the needs.” A 2017 internal memo he wrote warned, “We lack visibility into the data we are charged with protecting. We do not systemically know the data flows and storage locations of sensitive data.” Gagnon was fired two months after writing that memo, though the circumstances around his firing aren’t clear.
In mid-2018, as the company belatedly formed a privacy team to help it get ready to meet the new requirements of Europe’s General Data Protocol Regulation, its risk intelligence team discovered that a third-party service called AMZReview, an offshoot of a Chinese analytics firm, had figured out to vacuum up information on millions of its customers. It was selling that info to businesses that wanted to game Amazon product reviews. The loophole it was exploiting is reminiscent of the one Cambridge Analytica used to harvest so much Facebook user data: sellers on Amazon are all given a special key to get detailed info on their customers. (In Facebook’s case, it was third-party app developers gaining access to their users’ data.)
While Amazon withheld its customers’ email addresses from what it shared with sellers, AMZReview matched that information by using other leaked databases. In this case, somewhere between 4.8 million and 16 million Amazon customers had their personal information breached. They were never notified. And when Amazon realized that more than half of the third-party developers it was working with might have similarly collected troves of customer data, all it did was ask the biggest ones to get rid of it — a move not unlike when Facebook CEO Mark Zuckerberg decided to trust companies like Cambridge Analytica instead of ensuring that they didn’t abuse their access to Facebook user data. In another screw-up reported by Reveal and WIRED, Amazon left the information on 24 million American Express cards exposed for two years; it has no idea if it was accessed because its own logs only go back 90 days.
The fact that some employees at Amazon have gone rogue and sold internal customer information to bad actors isn’t new, but to my knowledge until now we haven’t had a clue as to how systemically weak Amazon’s own systems are for protecting the information of its hundreds of millions of customers. It’s possible that some of the issues identified by Reveal and WIRED are being addressed, but the company has also grown dramatically in the last three years, creating many more opportunities for customer information to leak.
So should you trust Amazon to protect your data? In recent years, its lobbyists have killed or undermined privacy protections in more than three dozen bills across 25 states, according to an investigative report by Reuters that also came out this past week. It’s been particularly aggressive about blocking efforts to restricts its collection of biometric and voice data. In the course of that investigation, Reuters’ reporters got their own data from Amazon and what they found is astounding. One discovered that the company had more than 90,000 Alexa recordings of their family members; another found it had pulled in calendar data from non-Amazon devices like their iPhone.
To find out what Amazon knows about you, you can go to this Amazon link to request your data. Then, after you’ve regained consciousness, go join the Athena Coalition, an alliance of more than fifty groups working to hold the company accountable. There’s a lot of work to be done.