ON SEPTEMBER 26, 2018, a row of tech executives filed into a marble- and wood-paneled hearing room and sat down behind a row of tabletop microphones and tiny water bottles. They had all been called to testify before the US Senate Commerce Committee on a dry subject—the safekeeping and privacy of customer data—that had recently been making large numbers of people mad as hell.
This story is a collaboration with Reveal from The Center For Investigative Reporting. Subscribe to Reveal's newsletter to get its next investigation emailed directly to you.
Committee chair John Thune, of South Dakota, gaveled the hearing to order, then began listing events from the past year that had shown how an economy built on data can go luridly wrong. It had been 12 months since the news broke that an eminently preventable breach at the credit agency Equifax had claimed the names, social security numbers, and other sensitive credentials of more than 145 million Americans. And it had been six months since
Facebook was engulfed in scandal over Cambridge Analytica, a political intelligence firm that had managed to harvest private information from up to 87 million Facebook users for a seemingly Bond-villainesque psychographic scheme to help put Donald Trump in the White House.
To prevent abuses like these, the European Union and the state of California had both passed sweeping new data privacy regulations. Now Congress, Thune said, was poised to write regulations of its own. “The question is no longer whether we need a federal law to protect consumers' privacy,” he declared. “The question is, what shape will that law take?” Sitting in front of the senator, ready to help answer that question, were representatives from two telecom firms,
Apple,
Google,
Twitter, and
Amazon.
Notably absent from the lineup was anyone from Facebook or Equifax, which had been grilled by Congress separately. So for the assembled execs, the hearing marked an opportunity to start lobbying for friendly regulations—and to assure Congress that, of course,
their companies had the issue completely under control. No executive at the hearing projected quite as much aloof confidence on this count as Andrew DeVore, the representative from Amazon, a company that rarely testifies before Congress. After the briefest of greetings, he began his opening remarks by quoting one of his company's core maxims to the senators: “Amazon's mission is to be Earth's most customer-centric company.” It was a stock line, but it made the associate general counsel sound a bit like he was speaking as an emissary from a larger and more important planet.
DeVore, a former prosecutor with rugged features, made clear that what Amazon needed most from lawmakers was minimal interference. Consumer trust was already Amazon's highest priority, and a commitment to privacy and data security was sewn into everything the company did. “We design our products and services so that it's easy for customers to understand when their data is being collected and control when it's shared,” he said. “Our customers trust us to handle their data carefully and sensibly.” On this last point, DeVore was probably making a safe assumption. That year, a study by Georgetown University found Amazon to be the second-most-trusted institution in the United States, after the military. But as companies like Facebook have learned in recent years, public trust can be fragile. And in hindsight, what's most interesting about Amazon's 2018 testimony is what DeVore did not say.
At that very moment inside Amazon, the division charged with keeping customer data safe for the company's retail operation was in a state of turmoil: understaffed, demoralized, worn down from frequent changes in leadership, and—by its own leaders' accounts—severely handicapped in its ability to do its job. That year and the one before it, the team had been warning Amazon's executives that the retailer's information was at risk. And the company's own practices were fanning the danger.
According to internal documents reviewed by
Reveal from the Center for Investigative Reporting and WIRED, Amazon's vast empire of customer data—its metastasizing record of what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who's at your front door—had become so sprawling, fragmented, and promiscuously shared within the company that the security division couldn't even map all of it, much less adequately defend its borders.
In the name of speedy customer service, unbridled growth, and rapid-fire “invention on behalf of customers”—in the name of delighting
you—Amazon had given broad swathes of its global workforce extraordinary latitude to tap into customer data at will. It was, as former Amazon chief information security officer Gary Gagnon calls it, a “free-for-all” of internal access to customer information. And as information security leaders warned, that free-for-all left the company wide open to “internal threat actors” while simultaneously making it inordinately difficult to track where all of Amazon's data was flowing.
To be clear: This story is not about Amazon Web Services, the cloud-computing wing that manages data for millions of enterprises and government agencies, which has its own, separate information security apparatus. It's about the online retail platform used by hundreds of millions of ordinary consumers. And on that side of Amazon's business, InfoSec staffers warned of an unnerving “inability to detect security incidents.”
By the time DeVore started testifying about Amazon's long-standing commitment to privacy and security, the dangers that the security division had identified weren't just theoretical. According to Reveal and WIRED's findings, they were real, and they were pervasive. Across Amazon, some low-level employees were using their data privileges to snoop on the purchases of celebrities, while others were taking bribes to help shady sellers sabotage competitors' businesses, doctor Amazon's review system, and sell knock-off products to unsuspecting customers. Millions of credit card numbers had sat in the wrong place on Amazon's internal network for years, with the security team unable to establish definitively whether they'd been unduly accessed. And a program that allowed sellers to extract their own metrics had become a backdoor for third-party developers to amass Amazon customer data. In fact, not long before September's hearing, Amazon had discovered that a Chinese data firm had been harvesting millions of customers' information in a scheme reminiscent of Cambridge Analytica.
Amazon had thieves in its house and sensitive data streaming out beyond its walls. But DeVore—who had himself received a report that year warning that far too many Amazonians had access to insecurely stored passwords, and who had aggressively shot down a company lawyer for questioning Amazon's reputation on customer privacy—didn't reveal any of that to the senators.
