Amazon's Dark Secret: It Has Failed to Protect Your Data
November 18, 2021 9:51 PM

While reading this article, I pulled up the Amazon app on my phone to see what info they already had on me, and if there was anything I could scrub. And there I saw it, a link to a new section of Amazon that I had not noticed before, that now had terrifying implications:

Pharmacy
posted by meowzilla at 12:37 AM on November 19, 2021 [7 favorites]


This has got to be the most unsurprising news since Vlad the Impaler was found guilty of impaling
posted by The River Ivel at 12:44 AM on November 19, 2021 [29 favorites]


Previous discussion on Clifford Stoll's Amazon store being hijacked fleshes out the mechanics of some of the abuses shadow sellers are capable of.
posted by Mitheral at 1:24 AM on November 19, 2021 [4 favorites]


Across Amazon, some low-level employees were using their data privileges to snoop on the purchases of celebrities, while others were taking bribes to help shady sellers sabotage competitors' businesses, doctor Amazon's review system, and sell knock-off products to unsuspecting customers. Millions of credit card numbers had sat in the wrong place on Amazon's internal network for years, with the security team unable to establish definitively whether they'd been unduly accessed. And a program that allowed sellers to extract their own metrics had become a backdoor for third-party developers to amass Amazon customer data. In fact, not long before September's hearing, Amazon had discovered that a Chinese data firm had been harvesting millions of customers' information in a scheme reminiscent of Cambridge Analytica.

I suppose I should be shocked and appalled, but I'm like... yeah, sounds like par for the course.
posted by I_Love_Bananas at 4:49 AM on November 19, 2021 [7 favorites]


Thanks for the post, Pyrogenesis. As noted above this is unsurprising but still and also excellent journalism. (Kindly ignore derail but I can't help myself: "A trove of internal Amazon documents reveals how the e-commerce giant ran a systematic campaign of creating knockoff goods and manipulating search results to boost its own product lines in India - practices it has denied engaging in. And at least two top Amazon executives reviewed the strategy.")

To get back to the article posted: Not these fucking assholes again. Billions of profits have gone to a company that treats its customers, contractors, employees, and partners like shit. To be fair, I do not expect any organization to keep my info safe. Not any government, not any private company, not any nonprofit. I expect my info to get hacked, which is why I do not allow services I use to retain my credit card information. Not with my permission, anyway. That said, I expect said groups to exhibit some pride in their work and attempt to make a true effort to protect that data rather than be so damned sloppy. Sigh.
posted by Bella Donna at 5:20 AM on November 19, 2021 [11 favorites]


Makes one wonder what goes on behind the curtains at AWS… The business value of the data on there is not insignificant.
posted by romanb at 5:55 AM on November 19, 2021 [3 favorites]


TFA is plain about AWS having breach reporting and monitoring in place, and built-in security operations from much earlier than the 2018 GDPR fine that Amazon (the marketplace) received.
posted by k3ninho at 6:14 AM on November 19, 2021 [2 favorites]


As noted above this is unsurprising but still and also excellent journalism

It is, but the frustrating part is that Amazon will likely never face any consequences for any of this beyond maybe a token fine that Bezos can pay with some change he finds in his couch cushions.
posted by star gentle uterus at 6:21 AM on November 19, 2021 [5 favorites]


This has got to be the most unsurprising news since Vlad the Impaler was found guilty of impaling

I posted this with the original title because reading it broke my sarcasm meter so I couldn't think of a better one.
posted by Pyrogenesis at 6:30 AM on November 19, 2021 [6 favorites]


Ah, the old "We're definitely not doing these things that it is painfully obvious we are doing without research, but oops, once some research comes out years later, it turns out we were totally doing that thing we denied doing for years. Whoops, sorry." approach.

It's a classic and widely used by corporate America. It's just repeating a lie enough in hopes people believe it. A lot of places even continue using the lie even after being thoroughly discredited.

I'm at the point where if a company says it isn't doing something bad, I immediately assume they absolutely are doing it and are doing everything they can to cover it up.

What a joke of a country we live in, if people can't see parallels with Soviet Russia as it was collapsing they're blind.
posted by deadaluspark at 6:48 AM on November 19, 2021 [13 favorites]


It isn't surprising. The warehouse situation is widely known, but I've also heard stories about the nature of other parts of the company. And considering the original article, I remembered MI5, MI6, and GCHQ planning to use AWS. Of course there was the speculation about why Bezos thought it was a good time to distance himself from daily operations while still basically being in control.
posted by joelr at 7:06 AM on November 19, 2021 [3 favorites]


Of course there was the speculation about why Bezos thought it was a good time to distance himself from daily operations while still basically being in control.

What speculation? I think it is just straight up observation. The only way he could be more of a Bond villain at this point is to get cast in the next movie.
posted by srboisvert at 7:17 AM on November 19, 2021 [2 favorites]


I know it's made from baby seals but free shipping
posted by The Half Language Plant at 7:28 AM on November 19, 2021 [8 favorites]


Possibly hilarious that they won't be able to advertise (as?) effectively because various unethical people are messing with their data. Or it might be ethical coming from idealists but not from people messing over their competitors.
posted by Nancy Lebovitz at 8:00 AM on November 19, 2021


While reading this article, I pulled up the Amazon app on my phone to see what info they already had on me, and if there was anything I could scrub. And there I saw it, a link to a new section of Amazon that I had not noticed before, that now had terrifying implications:

Pharmacy


Except that division would actually be safer, because pharmacies are health care providers under HIPAA, and as such breaches have actual monetary consequences.

Once again, the answer is HIPAA For Everything. Tech is cavalier with data because there's no penalty for being so. Get some actual consequences with teeth, and you will see a marked change in how data is handled.
posted by NoxAeternum at 8:15 AM on November 19, 2021 [5 favorites]


One of the values of outsourcing data operations is Getting It Off Your Plate, meaning you have someone to blame for dropping the ball who isn't you. It's what keeps the global outsourcers in business.

If anyone remembers Head Office, it's where Rick Moranis says "I didn't MAKE that decision, I only APPROVED that decision!"

Effectively making Your Problem into Their Problem is a key defining skill of executives.
posted by lon_star at 8:24 AM on November 19, 2021 [4 favorites]


Oh, and laws like HIPAA are only as good as their enforcement, meaning the effectiveness of the punishment at changing behavior.

See....(weakly gestures around at everything)

Add a 10% surtax to a company's yearly tax bill for every felony conviction and watch the roaches scatter. Not like that will happen with the USA's pledge-drive democracy but the EU does a good job of it.
posted by lon_star at 8:26 AM on November 19, 2021 [8 favorites]


I know it's made from baby seals but free shipping

The United States of America's epitaph.
posted by lon_star at 8:27 AM on November 19, 2021 [3 favorites]


> if a company says it isn't doing something bad, I immediately assume they absolutely are doing it

Trump's Mirror except for necromancy
posted by glonous keming at 8:39 AM on November 19, 2021 [3 favorites]


Not like that will happen with the USA's pledge-drive democracy but the EU does a good job of it

Well, the EU could do a good job of it, but unfortunately Ireland is a bit of a bottleneck. Most of the tech companies have their EU (or even non-US rest of world) HQ in Ireland, so that the Irish Data Protection Commissioner is responsible. Unfortunately, they seem to be rather slow at making any decisions. (I don't think Amazon has anything major in Ireland though.)
posted by scorbet at 8:56 AM on November 19, 2021 [1 favorite]


Oh, and laws like HIPAA are only as good as their enforcement, meaning the effectiveness of the punishment at changing behavior.

HIPAA has had massive effects on how healthcare data is handled, and is taken very seriously. It's why the industry has things like minimum necessary policies restricting data gathering and planned destruction of old data as its positive value goes to zero. And these are all things that I have seen, having worked in healthcare IT my entire career.
posted by NoxAeternum at 11:16 AM on November 19, 2021 [6 favorites]


In my professional life I’m a privacy expert. This is not a secret.
posted by His thoughts were red thoughts at 2:01 PM on November 19, 2021 [2 favorites]


OTOH HIPAA also has some pain in the ass things - for instance how your health care can never actually send you info by email just "hey log into our dumb site to see the message we sent you!"

Which I guess just means that for a more general use I'd like to see it dialed back at least a little.
posted by aubilenon at 4:57 PM on November 19, 2021


Not surprisingly, Amazon is also actively trying to reduce privacy protections:

Amazon wages secret war on Americans' privacy, documents show
posted by meowzilla at 5:39 PM on November 19, 2021 [1 favorite]


If I ask Google for directions to a cancer center, that's one thing. If a scheduling e-mail goes through Gmail and they get to data mine it, that's another. I don't know where you could "dial it back at least a little" and still have it be worth anything.
posted by tigrrrlily at 7:16 PM on November 19, 2021 [2 favorites]


TFA is plain about AWS having breach reporting and monitoring in place, and built-in security operations

The article repeats what Amazon managers told the journalist about AWS. The careful distinction between the two Amazon divisions is suspicious and raises a lot of red flags.
posted by romanb at 12:19 AM on November 20, 2021 [1 favorite]


The article repeats what Amazon managers told the journalist about AWS [having breach reporting and monitoring in place]. The careful distinction between the two Amazon divisions is suspicious and raises a lot of red flags.
I'm now rethinking my stance -- the article did journalism on Amazon web storefront and Amazon Marketplace, but no journalism on AWS so I think speculation about AWS muddies the waters.

I think that the segregation makes sense when Amazon is a web site that leases spare server capacity (Amazon Web Services) to other businesses, AWS being a base for Amazon shopping itself. AWS hosts businesses which operate under breach disclosure laws, so they facilitate those businesses with tools to monitor and report system breaches and availability.

I'm rethinking my stance because there's high likelihood that AWS inherited Bezos' culture and are weak on customer service loopholes and leaks, say to know what your competitor or rival is using or to suspend a rival's account for spurious T&C breaches. This article isn't about that -- if you want to operate in the fact-based reality we have to leave AWS out of chatter and say it's speculation.

But that 'inherited culture' line of thought causes me to want to raise red flags.
posted by k3ninho at 3:03 AM on November 20, 2021


OTOH HIPAA also has some pain in the ass things - for instance how your health care can never actually send you info by email just "hey log into our dumb site to see the message we sent you!"

This is because email is not a secure means of communication. You get told to log in to read a message that potentially contains PHI because then it can be done securely - which actually protects you.

Which illustrates one of the bigger problems with security - it's only as good as the weakest link, and that link is often a human one.
posted by NoxAeternum at 8:05 AM on November 20, 2021 [7 favorites]


Another epitaph:

"The color was draining out of people's faces...It was a fucking shit storm."

I actually am shocked, and about speechless.
posted by blue shadows at 10:05 PM on November 20, 2021


This article isn't about that -- if you want to operate in the fact-based reality we have to leave AWS out of chatter and say it's speculation.

I think there’s a difference between fact-based reality and corporate-based reality. This company is giving away my personal data to criminals (which is criminal in itself). Why should I be careful to not question whether it can be trusted with my business data as well? I don’t mean this as a rhetorical question: Is it important, for me, as a consumer/citizen, to make careful distinctions between corporate divisions when a breach of trust has occurred? Why?
posted by romanb at 1:30 AM on November 23, 2021 [1 favorite]

