On September 26 2018, a row of tech executives stepped into a marble-and-wood-covered listening room and sat behind a row of tabletop microphones and small water bottles. They have all been called to testify before the US Senate Commerce Committee on a dry topic – the preservation and privacy of customer data – which has recently been driving large numbers of people into a frenzy.
Commission Chairman John Thune, of South Dakota, arranged the hearing and then began recounting the events of the past year that showed how a data-driven economy could go wrong. It’s been 12 months since news broke that a high-profile breach at credit agency Equifax had claimed the names, Social Security numbers and other sensitive credentials of more than 145 million Americans. And it’s been six months since Facebook indulged in the Cambridge Analytica scandal, a political intelligence firm that managed to gather private information from up to 87 million Facebook users for an apparently sinister psychological scheme to help put Donald Trump in the white. a house.
To prevent such breaches, both the European Union and the State of California have issued comprehensive new data privacy regulations. Now Congress is ready to write its own regulations, Thun said. “The question is no longer whether we need a federal law to protect consumer privacy,” he declared. “The question is, what form will this law take?” The senator, ready to help answer this question, was seated by representatives from two telecom companies, Apple, Google, Twitter, and Amazon.
Notably absent from the line-up was anyone from Facebook or Equifax, who have been questioned by Congress separately. So for the assembled executives, the hearing was an opportunity to start pushing for friendly regulations — and to assure Congress that, of course, they The problem was under complete control.
No executive at the hearing showed as much confidence in this case as Andrew Devore, representative of Amazon, a company that rarely testifies before Congress. After a brief greeting, he began his opening remarks by quoting one of his company’s core tenets to senators: “Amazon’s mission is to be the most customer-centric company on Earth.” It was a stock line, but it made the Assistant General Counsel look a bit as if he was speaking as an envoy from a larger, more important planet.
Devore, a strong-charactered former attorney general, explained that what Amazon needs most from lawmakers is minimal intervention. Consumer trust was already Amazon’s top priority, and privacy and data security were committed to everything the company did. “We design our products and services so that it is easy for customers to understand when their data is being collected and to control it when it is shared,” he said. “Our customers trust that we treat their data with caution and rationality.”
On that last point, DeVore may have been making a safe assumption. That year, a study by Georgetown University found that Amazon was the second most trusted institution in the United States, after the military. But as companies like Facebook have learned in recent years, public trust can be fragile. And in hindsight, what’s even more interesting about Amazon’s 2018 certification is what Devore didn’t say.
At that very moment within Amazon, the division tasked with keeping customer data safe for the company’s retail operations was in turmoil: understaffed, frustrated, and fatigued by frequent leadership changes, and – by the accounts of its leaders – severely hampered in its ability to do her work. That year and the year before, the team had been warning Amazon executives that the retailer’s information was at risk. The company’s own practices were exacerbating the risk.
According to internal documents reviewed by Reveal from the Center for Investigative Reporting and WIRED, Amazon’s vast empire of customer data – its pervasive record of what you look for, what you buy, what you see, what pills you take, what you say Alexa has become, and who you stand at Your front door, so sprawling, scattered and illegally shared within the company, that the security department couldn’t even fully map it out, let alone adequately defend its borders.