On September 26 2018, a row of tech executives stepped into a marble-and-wood-covered listening room and sat behind a row of tabletop microphones and small water bottles. They have all been called to testify before the US Senate Commerce Committee on a dry topic – maintaining customer data and privacy – that has lately been driving so many people crazy.
Commission Chairman John Thune, of South Dakota, arranged the hearing and then began recounting the events of the past year that showed how a data-driven economy could go wrong. It’s been 12 months since news broke that a high-profile breach at credit agency Equifax had claimed the names, Social Security numbers and other sensitive credentials of more than 145 million Americans. Six months have passed since then Facebook social networking site mired in the Cambridge Analytica scandal, a political intelligence firm that managed to gather private information from up to 87 million Facebook users for an apparently sinister psychological scheme to help put Donald Trump in the White House.
To prevent such breaches, both the European Union and the State of California have issued comprehensive new data privacy regulations. Thun said Congress is now about to write its own bylaws. “The question is no longer whether we need a federal law to protect consumer privacy,” he declared. “The question is, what form will this law take?” Seated in front of the senator, ready to help answer this question, there were representatives from two telecom companies, An appleAnd google browserAnd Twitter, And Amazon.
Notably absent from the line-up was anyone from Facebook or Equifax, who have been questioned by Congress separately. So for the assembled executives, the hearing was an opportunity to start pushing for friendly regulations — and to assure Congress that, of course, they The problem was under complete control.
No executive at the hearing showed as much confidence in this matter as Andrew Devore, representative of Amazon, a company that rarely testifies before Congress. After a brief greeting, he began his opening remarks by quoting one of his company’s core tenets to senators: “Amazon’s mission is to be the most customer-centric company on Earth.” It was a stock line, but it made the Assistant General Counsel look a bit as if he was speaking as an envoy from a larger, more important planet.
Devore, a strong-charactered former attorney general, explained that what Amazon needs most from lawmakers is minimal intervention. Consumer trust was already Amazon’s top priority, and privacy and data security were committed to everything the company did. “We design our products and services so that it is easy for customers to understand when their data is collected and to control it when it is shared,” he said. “Our customers trust that we treat their data with caution and rationality.”
On that last point, DeVore may have been making a safe assumption. That year, a study by Georgetown University found that Amazon was the second most trusted institution in the United States, after the military. But as companies like Facebook have learned in recent years, public trust can be fragile. And in hindsight, what’s even more interesting about Amazon’s 2018 certification is what Devore didn’t say.
At that very moment within Amazon, the division tasked with keeping customer data safe for the company’s retail operations was in turmoil: understaffed, frustrated, and fatigued by frequent leadership changes, and – by the accounts of its leaders – severely hampered in its ability to do her work. That year and the year before, the team had been warning Amazon executives that the retailer’s information was at risk. The company’s own practices were increasing the risk.
According to the internal documents reviewed by reveal From Investigative Reporting Center and WIRED, Amazon’s vast empire of customer data – its pervasive record of what you look for, what you buy, what you see, what pills you take, what you say to Alexa, and who stands in front of you is a door sprawling, fragmented and inexorably shared. So legal within the company that the security department couldn’t even fully map it out, let alone adequately defend its borders.