As big tech companies have steadily and stealthily made ever-increasing profits from using our data, governments have finally started to wake up to the fact that our privacy is being eroded. After Edward Snowden leaked evidence that the NSA had been spying on citizens across the globe, the European Parliament passed the General Data Protection Regulation (GDPR), imposing extensive requirements on organizations that process the data of EU citizens.
The US has been slower to regulate. However, from March of this year, all 50 US states now have laws that require data processors to inform citizens in case of a data breach. Not quite as far-reaching as the GDPR, but it’s a start.
Regulations that protect our data and privacy create a deterrent for companies who would otherwise have free rein over our data. Regulations also create awareness about data protection and make us more mindful about handing over access to our data.
However, regulation isn’t a panacea. It only works within its own jurisdictional boundaries. If a breach happens outside its jurisdiction, the damage can’t be undone as regulators cannot force foreign companies to “give back” data that’s been leaked or hacked.
This is a problem that’s currently happening with Amazon user data, which appears to be exposed to Chinese third-party companies through a little-known gap in the tech giant’s data flow between buyers and sellers.
Amazon started life as a US company, but it’s now a global mega-marketplace that’s heavily dependent on China in many areas. For example, Kindles are one of its best-known products, assembled by workforces in factories based in China. Amazon relies on Chinese hardware and other components for its data centers, so its stock is vulnerable to shots fired in the current US-China trade war.
However, the Amazon marketplace is where the true extent of this dependent relationship is revealed — and where Amazon consumers risk having their personal data exposed to Chinese companies.
In 2015, the company began to lure Chinese sellers onto its platform by easing the freighting process between China and Amazon warehouses in the West. As a result, one-third of the Amazon marketplace is now based on goods from China. Of one million new sellers who registered with Amazon in 2017, 25 percent of them were located in China.
It’s incredibly easy to set up as a seller on Amazon. The company runs its Fulfilled by Amazon (FBA) program, meaning sellers don’t even need to handle any inventory. Sellers can simply buy products wholesale, have them shipped to an Amazon warehouse and sell them to Amazon customers; all they need is a seller account on Amazon and a receiving account for the proceeds of their sales.
The receiving account can be a local bank account, or any payment processing company offering the service. In China there are several local payment processors, including Lianlian, Pingpong, and iPayLinks. From discussions that have taken place on various sites including Weixin, Chenfei, and Amazon’s own Seller Central, there is evidence to suggest that some of these Chinese domestic payment processors have been accessing sellers’ accounts as well as sensitive customer data.
Wait, what? Why does a seller even need access to customers’ data? Surely, under the FBA model, there isn’t any need for Amazon to share buyer data with a seller if the goods are shipped from Amazon warehouses? Well, whether or not a need exists, sellers do indeed have access to Amazon customer data, including names and addresses and, in some cases, even payment information.
So how does a payment processor access this information? Well, when a seller sets up an account on Amazon, they have the option of allowing third parties to plug into that account for activities including payment processing, reporting and suchlike.
The access levels for third parties are variable. A reputable payment processing company will ask for a Marketplace Web Services (MWS) web token provided by Amazon. This token connects the seller’s Amazon account to a payment account using an API, allowing the seller to receive and withdraw money paid by Amazon.
However, the seller also has a secret key for their Amazon account. Anyone with the secret key can access all of the data in the seller’s account, including — you guessed it — all the customer data. This may include name, address, purchase history or even credit card details.
What’s evident from reading the various discussion forums mentioned previously is that some payment processing companies have been demanding that sellers send them the secret key for their Amazon account so that they can receive payments. Unfortunately, Amazon only provides limited information to sellers about the differences between API access and secret key access, creating a knowledge gap. Many sellers just aren’t aware of the differences, meaning they inadvertently grant full access to any third party who requests any kind of access.
It seems Amazon is aware of the issue, as the discussions refer to some seller accounts having been shut down. It also appears that some payment providers have now started to adopt more ethical practices, but Amazon hasn’t clarified the issue or tried to rectify the situation.
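To make the difference between scoped API access and secret-key access concrete, here is an added illustrative model that is not code from the original article and not Amazon’s MWS implementation: the seller issues a delegation token limited to payment data, and only whoever holds the secret key itself can mint a token for any scope, which is why the key must never leave the seller. All names, key values and scopes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional
# Constructed placeholder credential for the example; not a real key.
SELLER_SECRET_KEY = b"EXAMPLE-SELLER-SECRET-KEY-DO-NOT-USE"

# Which scope each kind of seller-account data requires (constructed model).
RESOURCE_SCOPES = {
    "settlement_report": "payments:read",   # all a payment processor needs
    "customer_orders": "orders:read_pii",   # names, addresses, purchase history
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_scoped_token(secret_key: bytes, seller_id: str, scopes: List[str]) -> str:
    # Mint a delegation token bound to explicit scopes; only the key holder can do this.
    payload = json.dumps({"seller": seller_id, "scopes": sorted(scopes)}, separators=(",", ":")).encode()
    tag = hmac.new(secret_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_token(secret_key: bytes, token: str) -> Optional[dict]:
    # Return the token's claims if its HMAC tag is valid, else None.
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)

def authorize(secret_key: bytes, token: str, resource: str) -> bool:
    # Allow access only when the token is genuine and carries the resource's scope.
    claims = verify_token(secret_key, token)
    return claims is not None and RESOURCE_SCOPES.get(resource) in claims.get("scopes", [])

def tamper_scopes(token: str, extra_scope: str) -> str:
    # Rewrite the payload to add a scope without the key; the tag then no longer matches.
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["scopes"] = sorted(claims["scopes"] + [extra_scope])
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag_b64

# The token a payment processor should be given: payments only, no customer PII.
PROCESSOR_TOKEN = issue_scoped_token(SELLER_SECRET_KEY, "EXAMPLE-SELLER-1", ["payments:read"])
```

With the scoped token the processor can read settlement data but not customer orders, and editing the token’s scopes without the key fails verification; a party holding the secret key can simply mint a fully scoped token.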
This case perfectly demonstrates the limitations of data protection regulations. While the EU or the US governments could impose fines or other punitive measures on Amazon if they become aware of such a data leak, they have no jurisdiction over these foreign firms that are now in possession of data to which they had no lawful means of access.
Surprisingly, this issue seems to be well below the radar of most people, as it hasn’t been widely reported on. However, if it becomes more commonly known, it could result in a public outcry directed towards Amazon, similar to what Facebook encountered this year after its antics with Cambridge Analytica.
While regulation is well-intentioned and useful to an extent, it just doesn’t work for globally interconnected online services. In the current climate, data is a valuable global commodity. It’s time that our governments adopted a more holistic and integrated approach to ensuring that companies working together worldwide are held fully accountable for their actions in processing our personal data.