Amazon might have a Cambridge Analytica-size problem
Amazon could be the next big tech firm to find itself in the eye of a data privacy storm.
- This year the Cambridge Analytica scandal broke, implicating Facebook and creating mass data privacy concern.
- Concerns have been raised of Amazon user information being leaked to third parties on a regular basis.
- With the amount of sensitive information and huge number of users on the Amazon platform, this is no small concern.
2018 hasn't been a good year for Facebook. In March, the Cambridge Analytica scandal broke, implicating the company in data harvesting activities for political purposes. The story is far from over, with recent reports stating that the UK Parliament has seized Facebook internal company papers linked to an ongoing investigation into the matter.
Shortly after the scandal broke, Apple CEO Tim Cook twisted the knife, revealing in an interview with MSNBC that he believed Facebook should have shown some self-restraint. He addressed his own company's customers, stating their value to Apple and promising, "We're not going to traffic in your personal life."
Of course, the sentiment is admirable — even for hardened cynics who see the marketing angle of such a statement. However, it doesn't change the fact that all the big tech firms currently process our data inside a black box. Before the Facebook/Cambridge Analytica scandal, Google was under the microscope due to Edward Snowden's disclosures of NSA spying activities.
Now, Amazon could be the next big tech firm to find itself in the eye of a data privacy storm. The issue? America's biggest marketplace is heavily dependent on Chinese sellers, who are unwittingly allowing some of China's biggest payment processors access to Amazon customers' personal data.
How Chinese payment processors access Amazon user data
Amazon is a global marketplace, meaning that it's very easy for virtually anyone to become a seller on the platform. When you make an order on Amazon, your personal data including name, address, and basic credit card information and purchase details are passed through to the seller. The seller also needs to have a receiving account, so they can receive the proceeds from your purchase. Amazon requires that the receiving account is linked to the country where the seller is operating.
For this reason, many Chinese sellers use big payment processing companies based in China such as Pingpong, and Lianlian. The payment provider needs access to the seller's Amazon account to set up their receiving account, and here is where the data privacy issue occurs.
A seller has a couple of options for how a third party can plug into their Amazon account. The highest level of access is using the seller's secret key. Someone with a seller's secret key can access all the same data as the seller themselves, including customer data of people who have ordered from the seller.
Even the fact that sellers receive customer data may come as a surprise to many. After all, we assume that Amazon is the company receiving and processing our data, not some small seller on the other side of the world. However, since Amazon accepts pretty much any seller, many will need customer data to fulfill and process payment for the order.
Amazon does provide the option of using an API for payment providers to access a seller's account. However, they provide only the very thinnest of instructions to their sellers on how to do this and explain the dangers of giving out private keys in the vaguest of terms. From discussions taking place on Weixin, China's version of WhatsApp, it's apparent that Chinese sellers are being asked by payment providers to release their secret keys.
Even discussions on Amazon's own community pages imply some sellers have disclosed their secret keys. This means that payment providers, which are huge Chinese companies, now likely have access to the customer data of a currently unquantified number of American Amazon users.
The extent of the damage
While the amount of data breached is unquantified, the sheer scale of Amazon and its ties to China provide some insights into the potential extent of the damage. There are an estimated 90 million Amazon Prime subscribers in the US, with 46% of subscribers buying something at least once per week.
34% of Amazon's top sellers are based in China, with 250,000 new Chinese sellers having joined Amazon in 2017 alone. Pingpong is just one example of a Chinese payment services provider and it has processed more than $1 billion worth of US payments.
Regulators have taken greater steps to intervene in matters user data privacy, but regulatory control only has a defined geographical scope. A court can hold Amazon accountable for its actions in securing customer data in its own jurisdiction, however it cannot rule against the use of data that has already leaked to foreign companies. Nevertheless, the US has been slow to introduce user privacy laws compared to the EU, which has attempted to control the issue with its far-reaching General Data Protection Regulation (GDPR.)
Because Amazon is a global company, the issue is not necessarily limited to US customer data. However, this is taking place against the backdrop of an extremely tense period in US-China trade relations. During 2018, both countries have imposed an increasing series of tariffs on imports from the other, leading to a situation which many economists believe could be extremely damaging to the global economy. Sectors including technology, healthcare, and agriculture are being impacted by the tariffs.
It remains to be seen whether or not Amazon user data may become a pawn in the trade war between President Trump and China's leader Xi Jinping. Amazon is a US company, after all, and any misuse of US Amazon user data by Chinese companies would be likely to be seen as an attack on the US. With the famously unpredictable President Trump in charge of Chinese trade negotiations, it could go either way.
Regulators must hold big tech accountable
The privacy issues with Amazon customer data highlighted here further underline the level of trust we are placing in big tech companies. We rely on their systems, processes and overall integrity to keep our data safe. Increasingly, these firms are demonstrating that they do nothing to earn our trust.
However, once the Facebook/Cambridge Analytica scandal broke, regulators including the US Senate and the UK Parliament were quick to intervene. This has cast a shadow over Facebook's practices, and the company is finally being held to account for its actions. Perhaps it's only a matter of time before Amazon comes under the same level of scrutiny.