Amazon has a transparency problem.
Three years ago, the retail giant became the last major tech company to reveal how many subpoenas, search warrants, and court orders it received for customer data in a half-year period. While every other tech giant had regularly published its government request figures for years, spurred on by accusations of participation in government surveillance, Amazon had been largely forgotten.
Since then, Amazon’s business has expanded. By its quarterly revenue, it’s no longer a retail company — it’s a cloud giant and a device maker. The company’s flagship Echo, an “always listening” speaker, collects vast amounts of customer data that’s openly up for grabs by the government.
But Amazon’s bi-annual transparency figures don’t want you to know that.
In fact, Amazon has been downright deceptive in how it presents the data, obfuscating the figures in its short, but contextless, twice-yearly reports. Not only does Amazon offer the barest minimum of information possible, the company has deliberately misled its customers, and continues to do so, by actively refusing to clarify how many customers, and which customers, are affected by the data demands it receives.
ZDNet started covering Amazon’s then-lack of transparency and subsequently published reports when Stephen Schmidt, chief information security officer for Amazon Web Services (AWS), posted the debut report on the “AWS Security blog” late on a Friday night in mid-2015.
Since then, every report was put on an AWS subdomain page, which asks in the footer if you “want more information about AWS information requests?”
After its second report, we asked Amazon spokesperson Frank Fellows in July 2016 if the company would include data such as Echo audio, retail, and mobile service data in the future. He declined to comment.
Transparency reports came and went. We would occasionally contact an Amazon spokesperson for comment to provide context to data found in each report, but the company would either not respond or decline to comment.
Then, earlier this month, after we reported a record high in government demands for data, Amazon spokesperson Stacy Mitchell emailed to say the report “actually focuses solely on Amazon” and not just on AWS as we had reported, and as we had assumed in previous reports. With that being the case, we asked which products, services, and divisions the data in the report related to, but the spokesperson would not say. The logic was that if the figures don’t solely relate to AWS as the first transparency report was billed, it was necessary to provide context to what the figures did in fact relate to. We pressed, but, clearly at an impasse, we reached out to another spokesperson, Grant Milne, for clarity. After a short back and forth, Milne also refused to say which products, services, and divisions were included in the report.
Lastly, we asked Ty Rogers, Amazon’s director of corporate communications, who also declined to comment.
What started as a debut transparency report attempt, with all the hallmarks of aiming to appease its AWS customers (and misconstrued by this reporter), quickly became, albeit three years later, a successful effort to mislead and confuse by deliberately avoiding answering a simple question.
If Amazon’s transparency reports are not limited to AWS, the implication is that the government has requested customer data that includes Echo audio files and user shopping activity, at least.
“With Amazon Echo microphones sitting inside so many American homes, it’s essential that Amazon explain how often governments demand that data and how it fights back against overbroad requests,” said Matt Cagle, technology and civil liberties attorney at the ACLU of Northern California.
“Amazon’s ‘customer first’ commitment requires it,” he said, referring to a now well-known quote by the company’s founder Jeff Bezos.
No tech or telecom company is obligated to reveal how many requests for customer data it receives from the government in any set time period. But after Google proactively revealed its first transparency report in 2010, a raft of companies have since published their own figures, catalyzed in part following the NSA surveillance scandal in 2013, in an effort to counter the narrative that they were complicit in or cooperated with government spying.
In the months and years after, Apple, Facebook, Microsoft, and Yahoo — among those named — began releasing more data points on the number of subpoenas, search warrants, and court orders they receive each half-year.
These reports now have more context than ever and are public — letting anyone drill down into the data by region or country, by the type of request, and by how many accounts are impacted in each reporting period. And, in some cases, the companies make available downloadable spreadsheets packed with raw data.
Amazon, which wasn’t named as a surveillance partner in the leaked NSA documents, publishes the least amount of data in its reports. By comparison, each report has just three pages and contains only basic information, like how many requests the company received and how many were approved or denied.
Unlike other companies, Amazon doesn’t even say how many customers were affected.
By that logic, a single government data request could amount to any number of customers or potentially all its customers. (Amazon, for its part, says in its reports that it “objects to overbroad or otherwise inappropriate” subpoenas, search warrants, and court orders.)
With Microsoft, Google, Facebook, and Apple, it’s arguably more clear what kind of data each company collects than Amazon, which has a sprawling business across retail, the cloud, and devices like its Fire tablets and Echo speakers.
It’s those Echo speakers that have the potential to be more intrusive than any other of the company’s businesses, products, or services.
Long have there been concerns that the government could access data from the Alexa-powered Echo speaker — or worse, compel the company to remotely activate (or do so on its own) an Echo speaker in someone’s home or workplace. In 2016, Gizmodo filed a freedom of information (FOIA) request to see if the FBI had ever wiretapped an Echo as part of a criminal investigation, but the FBI neither confirmed nor denied if it had ever tapped the Echo.
Google doesn’t publish data specific to Google Home, the search giant’s rival smart speaker, but it breaks down the ratio of requests received to accounts impacted. (A Google spokesperson did not respond to a request for comment prior to publication.) And that’s a problem, too. On the other hand, Apple, with its rival HomePod speaker due out later this year, anonymizes user data, meaning there’s nothing for the company to turn over even if a demand was made.
But where Amazon has the market share — data says as many as 35 million Americans are Echo owners — the company falls far below what modern tech companies see as a baseline of transparency. And if Amazon won’t say how many of its customers had their data turned over to the authorities, it looks as though the company has something to hide.
Ironically, that’s the opposite of what the company intended in publishing its transparency reports.
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.