This week's Intelligence Brief looks at Amazon Sidewalk, the retail giant's new data sharing program, and issues it has raised with relation to data privacy and transparency.

Amazon Wants to Welcome You to Its Massive New Data Sharing Program

Amazon

Welcome to this week’s edition of The Intelligence Brief… items we will be focusing on in this installment include 1) Amazon’s new Sidewalk data-sharing network, and some of the controversies that have ensued in advance of its launch 2) the company’s numerous problems with data collection in the past, and 3) what recent events tell us about the necessity for cybersecurity in an increasingly connected world.

Before we wade into this developing situation, a few of the stories we’ve been covering over at The Debrief in recent days include researchers who are using carbon nanotubes to create extremely tiny technological applications, and over in the defense world, the USAF’s recent testing of  its Eagle Passive Active Warning Survivability System (EPAWSS), an electronic warfare suite for the F-15 fighter. We also have had another incident involving space junk threatening the sensitive equipment on board the International Space Station, and a number of other stories we’ll have linked at the end of this week’s newsletter.

With all of that said, let’s look at the latest endeavors by Amazon to bring to fruition a more connected world, and why this is generating controversy among some privacy advocates.

 

Amazon Sidewalk Steps Toward an Internet of Things

Many customers of the online superstore Amazon were notified in recent days that they have a week to opt out of the company’s plans to have all of its U.S. customer’s Echo speakers and Ring security cameras connected to a single large network.

The company has announced that its new network will be called Amazon Sidewalk, of which it says having all of the devices on a single shared wireless network will facilitate better performance and troubleshooting for its customers.

“Amazon Sidewalk is a shared network that helps devices like Amazon Echo devices, Ring Security Cams, outdoor lights, motion sensors, and Tile trackers work better at home and beyond the front door,” reads a FAQ page at the company’s website.

“When enabled, Sidewalk can unlock unique benefits for your device, support other Sidewalk devices in your community, and even locate pets or lost items.” In fewer words, we’re talking about the creation of smart neighborhoods.

According to Amazon, Sidewalk will utilize an additional system called Sidewalk Bridge to operate a low-bandwidth network that will link devices by sharing small amounts of internet bandwidth between customers and neighbors who also use the devices. The more people in an area that are using the devices—and hence pooling small amounts of internet bandwidth—the stronger the network becomes.

To summarize, unless they opt out within the next week (or choose to disable the update at some point in the future), every Amazon customer who currently owns one of its Sidewalk enabled devices will soon be enrolled in a massive new data-sharing program. The new service will likely also collect certain data from the millions of its customers who have such devices in their homes, all of which will now be linked to a massive, centralized network.

Hey, what could possibly go wrong?

 

The Long, Bumpy Road to Transparency

In response to concerns about the implementation of its Sidewalk network, Amazon issued a privacy and security whitepaper outlining how it would manage the system and addressing transparency issues many of its customers have had. This comes as no surprise, since Amazon is no stranger to controversies involving how it has gathered data in the past, as well as controversial affiliations it has had with various government agencies related to data and privacy.

“For years, Amazon has collected detailed information about what its customers buy, considered buying, browsed for but never bought, recommended to others or even wished someone would buy them,” read an NBC News article from 2005. The report also aired concerns from several privacy advocates, who felt that Amazon’s data collection methods, which includes proprietary software that helps to track trends in purchases made by its customers, is potentially alarming.

“People need legal rights to see the profiles that are built about them and to change or delete what they want,” Jason Catlett of the privacy advocacy group Junkbusters was quoted saying in the NBC article.

More recently, in 2019 a pair of controversies erupted around the company’s handling of voice recordings made by its Alexa devices, which resulted in the company considering whether to change some of its policies.

“We don’t want data for data’s sake,” Amazon’s devices and services chief Dave Limp told GeekWire following the controversy. “We want to use data where we can actually improve the experience on behalf of the customer.”

Earlier that summer, Forbes reported that close to 500 Amazon employees had signed a letter expressing unrest over the company’s affiliations with Palantir, a Silicon Valley data mining company which, through its cooperation with ICE, aids in deportations. The outcry from Amazon employees was echoed by immigration advocates following reporting in 2019 about poor conditions at several migration detention centers ICE operates.

Amazon

Concerns over privacy and data collection aren’t the only problems Amazon has faced in advance of the launch of its Sidewalk network. According to The Guardian, “Sidewalk has come under fire for the apparent lack of transparency with which Amazon has rolled out the feature, as well as the limited time available for users to complete the tricky process required to opt out.” Additional concerns have been raised about whether some of Sidewalk’s settings might inadvertently result in some customers breaching the terms and conditions of their internet service providers.

 

Data for Sale… Or Held for Ransom

In the past, even many critics of Amazon’s data collection policies have admitted that such practices make shopping simpler and more convenient for them. Broadly speaking, as we move ever-nearer to the eventuality of an “internet of things,” a greater degree of connectedness between our devices and online systems can only be expected. However, as recent events have shown, the reliance many industries have on this connectivity can present a number of problems as well.

The shutdown of the Colonial Pipeline, which caused severe fuel shortages in the Eastern United States several weeks ago, followed by a similar ransomware attack on JBS—one of the world’s largest meatpacking companies—each served as a sobering reminder of our modern necessity for cybersecurity. Although JBS facilities in its home country of Brazil, Mexico, and the United Kingdom remained unaffected by the attack, several U.S. locations and Australian facilities were closed over the weekend while the company was resolving the situation.

Previously, Colonial Pipeline chose to pay $4.4 million to resume its operations, and many speculate JBS may have elected to do the same in order to prevent supply chain disruption on account of having a significant portion of its operations closed.

“The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data,” read a 2019 FBI alert on high-impact ransomware attacks on U.S. businesses. “In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.”

The other obvious problem with companies that do elect to pay ransoms is that the offending cybercriminals may thereby become incentivized to carry out similar attacks.

“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals,” the 2019 alert reads. “However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

Albeit different from the general cybersecurity and data collection concerns that have dogged companies like Amazon for many years, the recent prevalence of cybercrime incidents underscore the uphill battle large companies will face as they attempt to implement web-based services that see largescale connectivity and, thereby, potential access to data about those who utilize them.

“Preserving customer privacy and security is foundational to the design of Amazon products and services,” the company’s recent whitepaper stated, “and Amazon Sidewalk provides multiple layers of privacy and security to secure data travelling on the network and to keep customers safe and in control.” This, in addition to multilayered encryption, periodic flushing of old IDs to prevent users from being tracked, and other protections Amazon will implement with its new network are at least a step in the right direction for Sidewalk.

That concludes this week’s installment of The Intelligence Brief. Don’t forget to subscribe and get email updates from us here, or read past editions of The Intelligence Brief at our website. And as always, if you have a tip or other information you’d like to send along directly to me, you can email me at micah [@] the debrief.org, or Tweet at me @MicahHanks.

Meanwhile, here are the top stories we’re covering right now…