Amazon Sidewalk is about to create a nation-spanning “smart network” connecting the devices of its customers, starting the rollout with select Echo speakers and Ring cameras in early June. The project is unprecedented, both in terms of capability and in terms of the privacy concerns it is raising.
Amazon promises that it will only take a very small sliver of data from user networks to make this project function, and that it will partition them off from other users securely. But users are left having to take Amazon at their word for the most part, as this is an area of technology in which there are not currently sufficient regulations. Smart devices are also an area in which hackers are extremely active.
Amazon Sidewalk makes user networks a company accessory
As Amazon Sidewalk continues to roll out, the company’s various smart devices (which range from light bulbs to door locks) will communicate with each other by drawing on small amounts of user network bandwidth. The purpose is to create a geographically extensive network that Amazon touts as having a wide range of benefits: solving the connectivity issues that sometimes plague outdoor devices, allowing users to stay connected to Amazon’s network as they leave the home, and even allowing for temporary home-based internet connections that draw from neighbors when a connection goes down.
The privacy concerns are immediately apparent. How will Amazon keep intruders out of the networks they are allowing sharing on? And how extensive will its tracking of individuals via devices actually be? The central tracking concern is the Tile system, a small Bluetooth-based tracking tag meant to be attached to easily-lost items like wallets and keys (and for some parents, slipped into the bag of a child sent off to school). How private will this system be, and can a malicious attacker slip a Tile into someone’s belongings or vehicle to use this network to track them?
Some of the Amazon Sidewalk privacy concerns are addressed by the fact that any smart device user can choose to opt out. However, at the moment they are opted in by default and may have to manually opt out multiple devices to unplug from the system. Privacy advocates tend to believe that systems this potentially invasive should be opt-in by default.
Amazon touts the service as being free to users, but is also pushing it to devices whether it is wanted or not. And, aside from the privacy concerns, it creates potential conflicts with internet service providers (ISPs). Amazon has promised that it will only use 80kbps transfers and a total of 500 MB of data per user each month, but some ISPs see it as a way for Amazon as a way to begin establishing itself in their market using their resources. In late 2019 Amazon announced it was launching a satellite-based internet service aimed primarily at providing service to rural areas that are otherwise poorly covered, but rumors of it having broader designs on the ISP market date back to 2016. It is also possible that Amazon Sidewalk use could unwittingly cause internet connectivity problems by putting an end user over the ISP’s monthly bandwidth cap.
Privacy concerns exacerbated by Amazon’s existing reach
Given that it can be opted out of and is ostensibly encrypted to keep out snoops and hackers, one might conclude that the privacy concerns are a little overblown. But these must be considered within the context of Amazon’s existing reach into American homes and neighborhoods, as well as its privacy track record. The company has an estimated 40 million Alexa smart speaker users, about 6.5 million Ring doorbell users streaming video to its servers, and has designs on regular drone flights over neighborhoods with its Prime Air service.
All of these components have their own established privacy concerns. Ring Doorbell has been characterized as the “country’s biggest civilian surveillance network” with about 1 in 10 law enforcement agencies now having warrantless access to it. Alexa has its own long-running collection of privacy issues, not the least of which include glitching and sending audio files to random people and sending intimate recordings to quality assurance testers unbeknownst to the end user.
Hacking and third-party access is also a significant concern. It remains to be seen how Amazon will limit access to user data that compatible devices made by third parties plugged into Amazon Sidewalk have, or what measures it will require these manufacturers to take to keep hackers out. The general state of smart device security remains dismal, with proper measures seen as too much of an expense by many manufacturers.
A security whitepaper outlines the security features of Amazon Sidewalk in greater detail, in a bid to at least partially head off privacy concerns. Amazon says that it minimizes the communication data to what is necessary, and uses three layers of encryption along with rolling device IDs that change every 15 minutes. But no one will know how secure (or free of bugs) it is until it has been deployed in the wild for some time and tested thoroughly by attackers.