Amazon’s Privacy Impact Assessment. Should I continue to trust Amazon?
Nov 21, 2021, from Substack
THIS WEEK, a lot of my privacy friends were commenting on the Wired article “Amazon’s Dark Secret: It Has Failed to Protect Your Data.” The article portrays the various threats that Amazon suffers as a large data collector and scathingly portrays it as Amazon’s own fault for failure to take data privacy seriously. It’s a great read. But, I have an opinion about pieces like this that may surprise you. I am frustrated that, once again, the general tendency is to disclose a harm without offering a corresponding remedy. It’s like a notice of a data breach.
What am I supposed to do now? Continue using Amazon, or find an alternative?
Many years ago, I worked for a company that was coming under heavy criticism by its employees. When I had joined the company, it was just another cool tech startup, but, a little later, it changed its business model to work with the government. Working with the government was unpopular and disfavored by many of our employees.
One employee in particular was very upset. She and I spoke often. I empathized with her but I was also quite conscious of the fact that her real gripe was that she had a new boss, which meant she was one more layer removed from the CEO. In other words, she really just needed to complain.
The Amazon story reads like a complaint, both in the casual sense and the legal sense. It portrays Amazon as dismissive of data privacy rights and it tells several stories of information security missteps.
For example, the following excerpt is a shocking account of a complete lack of security and monitoring of private data:
Just that May, staffers had discovered that, for a period of two years, the names and American Express card numbers of up to 24 million customers had sat exposed on Amazon’s internal network, outside a “secure zone” for payment data. It was as if a bank had realized that some sacks of cash had been left in a back office, outside the vault, for several seasons. The exposure was corrected, but the scariest part was that there was no way to be sure whether anyone had snooped on the payment credentials during all that time — because the data set’s access logs only went back 90 days. “So we had no idea what the exposure actually was,” Gagnon remembers. “I was astonished by that.” (Bemisderfer says, “There is no evidence to suggest the data was ever exposed outside of our internal system in any way.”)
Bemisderfer is an Amazon company spokesperson and Gagnon was the Chief Information Security Officer and one in a long line of senior security leaders.
Bemisderfer’s public statement is meant to be interpreted as comforting to Amazon’s customers; however, I think it is misleading. She said there was no evidence. That is true, there was no evidence, literally. No way to know, one way or the other, if one person or multiple people had accessed that exposed data, copied it or used it in any way. And therein lies the fault because there should have been evidence in the form of logs or backups of logs that would let them know for sure if there had been illegitimate access.
It’s a mind-blowing disclosure and deserves more of a reaction than a hands in the air emoji of “what are you gonna do about it.
But it also proves a point that I have been making for years and is one of the many reasons I started ClearOPS in the first place. Organizations are messy with personal data. And that actually makes sense. When big data became a “thing” in the late 2000s, early 2010s, the rules of data privacy were not well-known by the developers working on the technology. At my first IAPP conference in 2012, discussion around tech and big data and privacy was sorely lacking. I actually proposed it as a speaking session for their 2013 annual conference (it was not accepted).
The point is, without those data privacy guidelines around what could be collected, there was a data gold rush and everyone was mining. The general philosophy was collect what you can and we will figure out what to do with it later. As digital storage became cheaper, this mentality became ingrained.
So that meant that any company growing up in the 2000s and 2010s wasn’t being careful with personal data. Certainly no one even thought for a moment about a regular cleaning or scrubbing of databases to get rid of unused data. Why would they? That data might prove useful later and no one was questioning the storage cost.
And so it got messier and messier. People left, knowledge transfer lagged, databases were forgotten and mistakes couldn’t be fixed.
As Wired is chronicling Amazon’s story, it is also simultaneously chronicling how messy it was at other data processing companies growing up during that time. Another example mentioned in the article is customer service employees’ “God” access to customer data. The business wanted to make sure any customer service employee could handle a customer’s complaint. Speed and efficiency were valued much more than least privileged access. In cybersecurity, threat modeling is used to try to prevent this sort of behavior, but, a decade ago, we weren’t even aware of the risk because it was brand new data to access. No threats had been identified.
Seems naive now.
My problem with all of this is that there is no corresponding story on what is being done about it. Where are the good guys within Amazon now blazing the path to righteousness? I get it that a titillating story has to sell and that invoking fear and hate gets eyeballs, but should I stop using Amazon now? What should the everyday user do with this knowledge? How are they cleaning up their mess?
Complaining has a purpose, and change can be incredibly difficult, which is why the complaint is usually the spark behind the change. When that employee complained to me, I understood that others may be feeling the same way. We needed to acknowledge that the company was changing and provide room for employees to either embrace that change or do what was best for them. We had to adopt a culture of empathy that was adopted from the top to the bottom and that takes effort and planning.
I want to see Amazon start the long road toward a privacy-first company. Today, when you say you are customer-centric, it means earning and keeping trust. Step one is to organize where the data is and adopt customer-centric controls like data deletion that don’t also require account closure.
As Jeff Bezos said himself, “Customer trust is hard to win and easy to lose.”
I guess I am switching to Walmart.
I am a lawyer, which makes me an advocate. Now, I am an advocate for individual privacy rights. In today’s business culture, the burden of any data breach is borne by the individual, even though the fault is not theirs to bear. I aim to change that by improving the system from within.
ClearOPS is my company. ClearOPS is a privacy tech company. Want to hear a recent podcast where we talk about privacy tech? Listen here. These posts are just my opinion. Nothing contained herein is legal advice or constitutes legal representation in any way. I do my research but it doesn’t mean I’m perfect.