Amazon security flaws prompt calls for action from lawmakers

U.S. Senator Ron Wyden calls for a Federal Trade Commission investigation into Amazon, while other members of Congress say the company’s failures to protect customers’ personal information underscore the need for federal privacy legislation.

Lawmakers are responding to a recent investigation by Reveal from the Center for Investigative Reporting and WIRED, which found that Amazon couldn’t even keep track of all the sensitive data it kept about customers and businesses, let alone protect it adequately. Amazon customer service workers were able to spy on past and celebrity purchase histories. Internal company documents show employees took bribes to help dishonest sellers attack competitors’ businesses, corrupting the integrity of the market. Amazon misplaced credit card data for years, records show. Shady outside companies obtained the personal information of millions of Amazon buyers. And when Amazon found out, it didn’t tell them.

Here’s what Wyden, an Oregon Democrat, had to say:

As Amazon has captured an increasing share of the e-commerce market, consumers have entrusted the company with vast amounts of data about their purchases, which can reveal deeply personal and private parts of their lives. The recent revelations from Reveal and WIRED raise serious questions about whether Amazon is protecting the private data of its customers. The FTC and state attorneys general should investigate these allegations to determine whether the practices violate any law. As part of my own cybersecurity oversight, I reached out to American Express to find out more about how it is responding to allegations that Amazon has mishandled millions of American Express card numbers.

If companies mislead consumers by breaking their promises to protect customer information, the FTC can lay charges of unfair or deceptive acts and practices. States have similar consumer protection laws, and a few, like California, have comprehensive data privacy laws.

FTC spokeswoman Juliana Gruenwald Henderson declined to say whether the commission is investigating, saying the agency’s investigations are not public. President Joe Biden appointed prominent Amazon critic Lina Khan as chair of the commission, and Amazon has asked for her recusal on matters affecting the company.


Amazon did not directly respond to the call for an investigation, but spokeswoman Jen Bemisderfer said the Reveal and WIRED investigation was based on “outdated” information and did not reflect the company’s current security practices. “We have relentlessly high standards for security and privacy, and we are continually evaluating and implementing new measures when we see the opportunity to further strengthen our protections,” she said.

Lawmakers call for federal privacy law

While many Democrats and Republicans in Congress agree on the need for federal data privacy legislation, they have been deadlocked on the details for years. They disagree, for example, over whether federal law should take precedence over stricter state laws and whether individuals should have the right to sue for breach of privacy. Amazon said it supports federal privacy legislation that takes precedence over state laws. Meanwhile, a Reuters investigation found that Amazon had lobbied to undermine state-level privacy protections across the country.

Federal lawmakers on both sides of the aisle now say Amazon’s practices show the need for Congress to act:

Like countless companies before them, Amazon has failed to deliver on its promises and responsibilities to protect the vast amount of data they collect about their customers. They face the consequences for letting consumer data fall into the wrong hands, including third-party companies, and allowing employees to access the personal data of friends, family, former partners and celebrities. These unacceptable failures underscore the need for a strong and enforceable federal law on data privacy and security.

Representative Jan Schakowsky, D-Ill., Chairman of the House Subcommittee on Consumer Protection and Commerce

This highlights the urgent need for Congress to adopt a uniform federal standard of confidentiality so that businesses and consumers have a clear understanding of their responsibilities and rights, respectively. It would also require companies to maintain strong data security practices and give the FTC a directive to prosecute bad actors who exploit consumers for personal gain.

Rep. Gus Bilirakis, R-Fla., ranking member of the House Subcommittee on Consumer Protection and Commerce

I was appalled to learn of the data abuse on Amazon. This revelation is yet another example of why we need a comprehensive privacy law, which Representative (Zoe) Lofgren and I proposed in the Online Privacy Protection Act. Our legislation includes a specific provision that obliges companies to minimize the number of employees and contractors with access to customer data to avoid this kind of situation. When a large organization does not make significant efforts to restrict internal access to customer data, this type of data abuse is predictable, if not inevitable.

Representative Anna Eshoo, D-California.

Concerns about collecting data on millions of Amazon buyers

During one period, Amazon allowed the data of billions of customer orders to be passed on to outside companies with little oversight. In 2018, Amazon discovered that a sketchy online service linked to a Chinese data company likely obtained the personal information of millions of Amazon buyers, including names, addresses, phone numbers, and their orders. Companies that abused Amazon’s system to gain access could sell the data or use it to create targeted marketing, which “could violate customer trust if customers understood what was going on,” Amazon determined at the time.

Amazon spokesperson Bemisderfer said the company fixed the issue, but did not say how many Amazon customers had their personal information collected. She said Amazon’s system does not provide access to credit card numbers or email addresses.

Privacy advocates compared the situation to Facebook’s Cambridge Analytica scandal and said Amazon was responsible for it.

It’s such a shame at first that Amazon created this system and didn’t monitor it and only realized it when billions of data points were already available. This is incredibly concerning given the scale of the problem.

Alan Butler, Managing Director and President, Electronic Privacy Information Center

Alarm over foreign adversaries getting US data

Because the personal purchase data of millions of Amazon customers was collected by a Chinese data company, the incident touched on a worry that adversarial countries could aggregate and weaponize consumer data to monitor, influence and manipulate Americans.

Wyden, who is working on a bill to regulate the sharing of US data abroad, was particularly concerned about this aspect:

It is scandalous that Amazon has shared the transaction data of millions of customers with a company in China, exposing it to abuse and misuse by the Chinese government. Exports of sensitive data, including purchase history, to hostile countries can pose a serious threat to our national security.

At a 2018 hearing on data privacy, Senator Jon Tester raised the issue of Russian or Chinese companies obtaining data on American consumers. He asked a panel of tech executives, including Amazon Associate General Counsel Andrew DeVore, “Have any of you been asked for information from a company that does business in other countries and you supplied or sold them?”

DeVore did not respond, but said earlier, “We don’t sell personal information.” Yet four months before the hearing, Amazon found out it was allowing the data of millions of customers to be passed on to a Chinese company. Amazon has not disclosed this to Congress or the public. Bemisderfer said DeVore’s testimony was complete and accurate and that “any statement to the contrary is a deliberate attempt to misinterpret and distort both the questions and the answers of this testimony.”

Here’s what Tester said in response to the revelations:

Large US corporations have a staunch responsibility to protect the private data of their customers, especially our adversaries like Russia and China. Anything less is totally unacceptable. I will continue to work hard to make sure we protect Americans’ data and hold businesses accountable to ensure they understand their responsibility to their customers and our national security.

Senator Jon Tester, D-Mont.

Compliance with European law on the protection of privacy

Although the United States does not have a federal data protection law, the European Union has passed a sweeping one, called the General Data Protection Regulation, or GDPR, which came into effect in 2018 and limited how businesses could use customer data. At the time, Amazon did not have adequate controls over how sensitive personal data was used internally, according to a former Amazon lawyer who worked on the company’s GDPR readiness: “Personal data users flowed like a river.”

Amazon is already fighting a GDPR fine of $883 million imposed by the Luxembourg authorities, where Amazon has its European headquarters. There could be more issues to come:

Your revelations indicate that there is or has been a complete lack of data protection within Amazon, and anyone in Europe whose data has been mismanaged in this way – presumably a very large number of people – can sue Amazon under GDPR. This is a legal bait, and it is certainly a reason for an urgent investigation by the (Luxembourg National Commission for Data Protection). If these employees are correct, then a severe sanction must follow.

Johnny Ryan, senior fellow for the Irish Council for Civil Liberties and the Open Markets Institute

Will Evans can be contacted at [email protected]. Follow him on Twitter: @willCIR.
