As big tech companies have steadily and stealthily made ever-increasing profits from using our data, governments have finally started to wake up to the fact that our privacy is being eroded. After Edward Snowden leaked evidence that the NSA had been spying on citizens across the globe, the European Parliament passed the General Data Protection Regulation (GDPR), imposing extensive requirements on organizations that process the data of EU citizens. The US has been slower to regulate. However, from March of this year, all that require data processors to inform citizens in case of a data breach. Not quite as far-reaching as the GDPR, but it’s a start. 50 US states now have laws The Limitations of Regulation Regulations that protect our data and privacy create a deterrent for companies who would otherwise have free reign over our data. Regulations also create awareness about data protection and make us more mindful about handing over access to our data. However, regulation isn’t a panacea. It only works within its own jurisdictional boundaries. If a breach happens outside its jurisdiction, the damage can’t be undone as regulators cannot force foreign companies to “give back” data that’s been leaked or hacked. This is a problem that’s currently happening with Amazon user data, which appears to be exposed to Chinese third-party companies through a little-known gap in the tech giant’s data flow between buyers and sellers. How Amazon Got into Bed with the Chinese Amazon started life as a US company, but it’s now a global mega-marketplace that’s heavily dependent on China in many areas. For example, Kindle’s are one of it’s best-known products, assembled by workforces in factories based in China. Amazon relies on Chinese hardware and other components for its data centers, so it’s to shots fired in the current US-China trade war. stock is vulnerable However, the Amazon marketplace is where the true extent of this dependent relationship is revealed — and where Amazon consumers risk having their personal data exposed to Chinese companies. In 2015, onto its platform, by easing the freighting process between China and Amazon warehouses in the West. As a result, is now based on goods from China. Of one million new sellers who registered with Amazon in 2017, 25 percent of them were located in China. the company began to lure Chinese sellers one-third of the Amazon marketplace It’s incredibly easy to set up as a seller on Amazon. The company runs its Fulfilled by Amazon (FBA) program, meaning sellers don’t even need to handle any inventory. Simply, sellers can buy products wholesale, have them shipped to an Amazon warehouse and sell them to Amazon customers needing only to set up a seller account on Amazon and have a receiving account for the proceeds of their sales. The receiving account can be a local bank account, or any payment processing company offering the service. In China there are several local payment processors including Lianlian, Pingpong, and iPayLinks. From discussions that have taken place on various sites including , , and , there is evidence to suggest that some of these Chinese domestic payment processors have been accessing sellers accounts as well as sensitive customer data. Weixin Chenfei Amazon’s own Seller Central Wait, what? Why does a seller even need access to customers data? Surely, under the FBA model, there isn’t any need for Amazon to share buyer data with a seller, if the goods are shipped from Amazon warehouses? Well, whether or not a need exists, sellers have access to Amazon customer data, including names and addresses and in some cases, even payment information. do indeed Exploiting Gaps in the Data Flow So how does a payment processor access this information? Well, when a seller sets up an account on Amazon, they have the option of allowing third parties to plug into that account for activities including payment processing, reporting and suchlike. The access levels for third parties are variable. A reputable payment processing company will ask for a Marketplace Web Services (MWS) web token provided by Amazon. This token connects the sellers Amazon account to a payment account using an API, allowing the seller to receive and withdraw money paid by Amazon. However, the seller also has a secret key for their Amazon account. Anyone with the secret key can access all of the data in the sellers account, including — you guessed it — all the customer data. This may include name, address, purchase history or even credit card details. What’s evident from reading the various discussion forums mentioned previously is that some payment processing companies have been demanding from sellers to send them the secret key for their Amazon account, so that they can receive payments. Unfortunately, limited information to sellers about the differences between API access and secret key access, creating a knowledge gap. Many sellers just aren’t aware of the differences, meaning they inadvertently allow full access to any third party who requests any kind of access. Amazon only provides It seems Amazon is aware of the issue, as the discussions refer to some seller accounts having been shut down. It also appears that some payment providers have now started to adopt more ethical practices but Amazon hasn’t clarified the issue or tried to rectify the situation. A Perfect Case Study of Regulatory Failure This case perfectly demonstrates the limitations of data protection regulations. While the EU or the US governments could impose fines or other punitive measures on Amazon if they become aware of such a data leak, they have no jurisdiction over these foreign firms that are now in possession of data to which they had no lawful means of access. Surprisingly, this issue seems to be well below the radar of most people, as it hasn’t been widely reported on. However, if it becomes more commonly known, it could result in a public outcry directed towards Amazon, similar to what Facebook encountered this year after its antics with Cambridge Analytica. While regulation is well-intentioned and useful to an extent, it just doesn’t work for globally interconnected online services. In the current climate, data is a valuable global commodity. It’s time that our governments adopted a more holistic and integrated approach to ensuring that companies working together worldwide are held fully accountable for their actions in processing our personal data.

Flow

Amazon

Analytica

Facebook

The 5 Dumbest Data Breaches in History and What You Should 
Learn from Them

Beyond Consent-Blockchain Can Actually Ensure Data Privacy

Read My Stories

Too Long; Didn't Read

Download free Tech Leaders Productivity Report!

Using Amazon? Your Data is Probably Already in the Hands of Foreign Companies

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Attempting to Reform the Global Pension System With Blockchain

The Noonification: How Amazon Treats Warehouse Workers Who Contracted COVID (11/30/2022)

10 Free Ways to Promote Your Amazon Products

10 Failed Startup Product Examples by Google, Microsoft and Amazon

10 Best Infographics Of 2018

Attempting to Reform the Global Pension System With Blockchain

The Noonification: How Amazon Treats Warehouse Workers Who Contracted COVID (11/30/2022)

10 Free Ways to Promote Your Amazon Products

10 Failed Startup Product Examples by Google, Microsoft and Amazon

10 Best Infographics Of 2018

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps