U.S. Sen. Ron Wyden is calling for a Federal Trade Commission investigation of Amazon, while other members of Congress say the company’s failures to protect customers’ personal information highlight the need for federal legislation on data privacy.
The lawmakers are responding to a recent investigation by Reveal from The Center for Investigative Reporting and WIRED, which found that Amazon couldn’t even keep track of all the sensitive data it kept on customers and businesses, much less adequately protect it. Amazon customer service employees were able to spy on the purchase histories of exes and celebrities. Internal company documents show employees took bribes to help rogue sellers attack competitors’ businesses, corrupting the integrity of the marketplace. Amazon misplaced credit card data for years, the records show. Shady outside companies obtained the personal information of millions of Amazon shoppers. And when Amazon found out, it didn’t tell them.
Here’s what Wyden, a Democrat from Oregon, had to say:
As Amazon has captured a larger and larger slice of the e-commerce market, consumers have entrusted the company with vast amounts of data about their purchases, which can reveal deeply personal and private parts of their lives. Recent exposes by Reveal and WIRED raise serious questions about whether Amazon is protecting its customers’ private data. The FTC and state attorneys general should investigate these allegations in order to identify whether these practices broke any laws. As part of my own cybersecurity oversight, I’ve contacted American Express to learn more about how it responds to allegations that Amazon mishandled millions of American Express card numbers.
If companies mislead consumers by failing to live up to their promises to safeguard customer information, the FTC can bring charges of unfair or deceptive acts and practices. States have similar consumer protection laws, and a few, such as California, have comprehensive data privacy laws.
FTC spokesperson Juliana Gruenwald Henderson declined to comment on whether the commission is investigating, saying the agency’s probes are not public. President Joe Biden named prominent Amazon critic Lina Khan as chair of the commission, and Amazon has sought her recusal on matters affecting the company.
Amazon didn’t respond directly to the call for an investigation, but spokesperson Jen Bemisderfer said the Reveal and WIRED investigation was based on “outdated” information and doesn’t reflect the company’s current security practices. “We have relentlessly high standards for security and privacy, and we continuously assess and implement new measures when we see opportunity to further strengthen our protections,” she said.
Lawmakers Call for a Federal Privacy Law
While many Democrats and Republicans in Congress agree on the need for federal data privacy legislation, they’ve been deadlocked on the details for years. They disagree, for example, on whether federal legislation should overrule stronger state laws and whether individuals should have the right to sue over privacy violations. Amazon has said it supports federal privacy legislation that preempts state laws. Meanwhile, a Reuters investigation found that Amazon has lobbied to undermine state-level privacy protections across the country.
Federal lawmakers on both sides of the aisle are now saying Amazon’s practices show the need for Congress to take action:
Like countless companies before them, Amazon has failed to live up to its promises and responsibilities to safeguard the extensive data they gather about their customers. They must face consequences for letting consumers’ data fall into the wrong hands, including third-party companies, and allowing employees to access the personal data of friends, family, ex-partners and celebrities. These unconscionable failures underscore the need for a strong, workable federal privacy and data security law.
Rep. Jan Schakowsky, D-Ill., chair of the House Subcommittee on Consumer Protection and Commerce
This situation highlights the urgent need for Congress to enact a uniform federal privacy standard so businesses and consumers have a clear understanding of their responsibilities and rights, respectively. It would also require businesses to maintain strong data security practices and give the FTC a directive to pursue bad actors who are exploiting consumers for personal gain.
Rep. Gus Bilirakis, R-Fla., ranking member of House Subcommittee on Consumer Protection and Commerce
I was appalled to learn about data abuse at Amazon. This revelation is yet another example of why we need a comprehensive privacy law, which Rep. (Zoe) Lofgren and I have proposed in the Online Privacy Act. Our legislation includes a specific provision that requires companies to minimize the number of employees and contractors that have access to customer data to avoid this exact kind of situation. When a large company doesn’t take meaningful efforts to restrict internal access to customer data, this kind of data abuse is predictable, if not inevitable.
Rep. Anna Eshoo, D-Calif.
Concerns About Harvesting Data on Millions of Amazon Shoppers
In one major lapse, Amazon allowed data on billions of customer orders to flow to outside companies with little oversight. In 2018, Amazon discovered that a sketchy online service linked to a Chinese data company had likely obtained the personal information of millions of Amazon shoppers – including names, addresses, phone numbers and their orders. Companies that misused Amazon’s system to obtain access could be selling the data or using it to create targeted marketing – which “could violate customer trust if customers understood what was happening,” Amazon determined at the time.
Bemisderfer, the Amazon spokesperson, said the company fixed the problem, but wouldn’t say how many Amazon customers had their personal information harvested. She said Amazon’s system didn’t provide access to credit card numbers or email addresses.
Privacy advocates compared the situation to Facebook’s Cambridge Analytica scandal and said Amazon bears responsibility.
It’s definitely bad in the first instance that Amazon created this system and didn’t police it and didn’t realize until billions of data points were already out there. It’s incredibly concerning given the scale of the problem.
Alan Butler, executive director and president, Electronic Privacy Information Center
Alarm Over Foreign Adversaries Obtaining American Data
Because the personal shopping data of millions of Amazon customers was harvested by a Chinese data firm, the incident intersected with a concern that adversarial countries could aggregate and weaponize consumer data to surveil, influence and manipulate Americans.
Wyden, who is working on a bill to regulate how American data can be shared overseas, was particularly worried about this aspect:
It’s outrageous that Amazon shared millions of customers’ transaction data with a firm in China, exposing it to abuse and misuse by the Chinese government. Exports of sensitive data, including purchase history, to unfriendly nations can pose a serious threat to our national security.
At a 2018 hearing on data privacy, Sen. Jon Tester raised the issue of Russian or Chinese firms obtaining American consumer data. He asked a panel of tech executives, including Amazon associate general counsel Andrew DeVore, “Have any of you been asked for information from a firm that does business in other countries and you’ve given it to them or sold it to them?”
DeVore didn’t respond, but earlier testified, “We’re not in the business of selling personal information.” Yet four months before the hearing, Amazon discovered it had been allowing data on millions of customers to go to a Chinese company. Amazon didn’t disclose that to Congress or the public. Bemisderfer said DeVore’s testimony was complete and accurate and “any assertion otherwise is a willful attempt to misconstrue and misrepresent both the questions and answers of this testimony.”
This is what Tester said in response to the revelations:
Major American companies have an iron-clad responsibility to protect customers’ private data, particularly from our adversaries like Russia and China. Anything less is completely unacceptable. I’m going to keep working hard to make sure we protect the data of Americans and hold companies accountable to make sure they understand their responsibility to their customers and our national security.
Sen. Jon Tester, D-Mont.
Compliance With Europe’s Privacy Law
Although the United States lacks a federal data privacy law, the European Union passed a far-reaching one, called the General Data Protection Regulation, or GDPR, which went into effect in 2018 and limited how companies could use customer data. At the time, Amazon didn’t have adequate controls for how sensitive personal data was used internally, according to a former Amazon lawyer who worked on preparing the company for GDPR: “User personal data flowed like a river.”
Amazon is already fighting an $883 million GDPR fine by authorities in Luxembourg, where Amazon has its European headquarters. There could be more trouble ahead:
Your revelations indicate that there is or was a total lack of data protection within Amazon, and anyone in Europe whose data have been mishandled in this way – presumably a very large number of people – can take Amazon to court under the GDPR. This is lawsuit bait, and it is certainly grounds for urgent investigation by the (Luxembourg National Data Protection Commission). If these employees are correct, then robust sanction must follow.
Johnny Ryan, senior fellow for the Irish Council for Civil Liberties and the Open Markets Institute