Pluralistic: 27 Mar 2022


Today's links



A spooky cellar with a 'Beware of the Leopard' sign and a dialog box reading 'Amazon: Your Personal Data is Ready to Download.'

Amazon's relentless personal data foot-dragging (permalink)

Sometimes, the best way to understand a failure is to contrast it with a success. Take Amazon, whose avowed "relentlessness" created next-day Prime delivery and AWS, with its power to instantaneously, continuously emit "buckets" of data.

Amazon boasts endlessly about its efficiency, ease of use and speed – which means that whenever you find Amazon being inefficient, hard to use and slow, it's reasonable to assume that this is a deliberate choice. Like, say, when Amazon is giving you the data it has collected on you.

Nikita Mazurov is a security and privacy researcher with The Intercept. Noting that Amazon is now legally required (under California's #CCPA) to show him all the data it has gathered on him, he placed a request for that data. Therein begins the tale.

https://theintercept.com/2022/03/27/amazon-personal-data-request-dark-pattern/

Amazon – home of one-day delivery of physical goods – took 19 days to deliver that data. During those 19 days, it required Mazurov to jump through innumerable hoops, and, on six separate occasions, tried to divert him to his "Your Account" page where "you can access a lot of your data instantly."

The data, when delivered, came as 74 separate .zip files, with no "download all" button. Once Mazurov manually downloaded those files – clicking 74 links in succession and piecing the data together – it became apparent that the thin, sanitized stream of data on his "Your Account" page was a translucent scrim over a massive block of data Amazon had squirreled away on him.

It's…a lot: search keywords, chat logs, conversations with buyers and sellers, your IP addresses, how many search results you click on/add to your basket/buy, and mystery data like "Shopping Refinement" whose values are things like "26,444,740,832,600,000."

Amazon retains data you've explicitly deleted (like old shipping addresses), which exposes you to risk by providing answers to other services' verification questions ("What was your first street address?").

There are also files on everything you watched on Prime Video, everything you read on a Kindle, everything you listened to on Amazon Music, everything you uttered to an Alexa, and every game you played on Amazon Games. Mazurov doesn't use these, so he wasn't able to say how detailed they are, but given the overall level of detail, it's likely pretty granular.

This is where the contrast between Amazon's failures and successes come in. As Mazurov notes, one of the zip files lists 167 corporations who were sold access to his personal data, ranging from the Royal Bank of Canada to Fitbit to HCA Healthcare. It's a sure bet that when Amazon sells your data to these customers, it comes as a ready-to-use product, not 74 .zip files.

The gap between Amazon's "relentless" efficiency and its bumbling, Kafkaeque data delivery couldn't be more stark. Think of Amazon's product philosophy, it's one-click, Buy Now seamlessness versus this clunky, foot-dragging malicious compliance.

Here's Amazon's design philosophy: "If you have to click multiple buttons, if you have to wait for too long, if you have to answer a lot of information — all of those things create friction, and friction exponentially kills the joy of shopping."

https://www.cnbc.com/amazon-rising/

When Amazon is getting something from you, it is a marvel of efficiency. As Mazurov points out, when you want your data from Amazon, you fill in a form, then another form, then get misdirected six times to the "Your Account" page. Meanwhile, when Amazon wants to get your data, it takes it, silently, efficiently, insatiably – and relentlessly.

Amazon doesn't let the sensitivity of that data interfere with its product development, either. In contrast to its competitors, Amazon has a long history of treating customer records as a free-for-all, with no effective controls on how internal teams can access, copy and use your data.

https://revealnews.org/article/inside-amazons-failures-to-protect-your-data-internal-voyeurs-bribery-schemes-and-backdoor-access/

That has led to innumerable, completely predictable scandals, including insider attacks that spied on users – and blackmailed them. The company sidelined the security professionals it hired to clean up these processes, treating them as overly cautious killjoys. Eventually, it solved the problem by promoting unqualified people who wouldn't raise inconvenient objections – leading to a world-class breach:

https://www.wired.com/story/amazon-failed-to-protect-your-data-investigation/

Mazurov wondered if this chaotic data-handling practice might be behind Amazon's sluggish response to his request, but an Amazon's spokesperson vigorously denied that the company's security incompetence was to blame for its inability to deliver his data in a timely fashion.

Mazurov calls all the misdirection and delay a "dark pattern," revealing just how broad (verging on useless) that term has become. We have a perfectly well-understood term for telling a user that the "Your Account" screen has the data they're seeking when it doesn't. We call that "a lie."

I think we should get back to calling tech company fraud "fraud," rather than "dark patterns." It's one thing to have a giant "OK" button and a tiny, grey-on-white "I do not consent" link hidden in a corner of the screen. But when we call straight-up frauds "dark patterns," we engage in "criti-hype" – Lee Vinsel's term for criticism that amplifies the tech companies' own self-mythologizing:

https://pluralistic.net/2021/09/30/dont-believe-the-criti-hype/#ordinary-mediocrities

"Dark patterns" implies some kind of data-driven mastery of the blind spots of the human critical faculty. But when you try to buy n plane tickets from Fareportal and it shows you a false message stating that there are n+1 left, that's not a "dark pattern," that's "lying."

https://freedom-to-tinker.com/2022/03/21/holding-purveyors-of-dark-patterns-for-online-travel-bookings-accountable/

Amazon's data handling looks chaotic from the outside. For example, it somehow managed to delete Nelson Minar's entire history from Goodreads: 600 titles, 250 reviews.

https://www.somebits.com/weblog/tech/bad/goodreads-lost-all-my-data.html

Minar thinks it might have been a malicious deletion request from someone who hacked his account and then used CCPA to demand deletion to cover their tracks:

https://help.goodreads.com/s/article/How-do-I-cancel-my-account-1553870935772

But as we see with Mazurov's case, Amazon has more than one way to handle those requests. When retrieval might reveal Amazon's overcollection, the company takes 19 days to comply, and tries to divert you to a misleading page six times. When you explicitly delete information from Amazon that it can use for data-mining, it keeps the data and flags it "Is Address Active: No."

This all makes sense when you recognize that Amazon's relentlessness is pursuit of profit, not provision of service. Amazon will provide good service when it is profitable to do so – but when it is more profitable to put you at risk, then that's the choice it makes.


Hey look at this (permalink)



This day in history (permalink)

#20yrsago If the RIAA designed Napster https://web.archive.org/web/20020329125143/https://shift.com/web/feature/feature014a.asp

#20yrsago Doonesbury on Napster https://www.washingtonpost.com/doonesbury/strip/archive/2002/3/26

#15yrsago Jonathan Lethem on the Copyfight https://web.archive.org/web/20111123052316/https://www.salon.com/2007/03/25/lethem_interview/

#15yrsago DMCA’s author says the DMCA is a failure, blames record industry https://web.archive.org/web/20070315000000*/https://www.michaelgeist.ca/content/view/1826/125/

#15yrsago Smithsonian boss resigns in disgrace after Showtime sellout https://www.nytimes.com/2007/03/27/arts/27museum.html?ex=1332648000&en=cf139d6124b31372&ei=5090&partner=rssuserland&emc=rss

#10yrsago Liminal States: tour-de-force horror novel is also a bleak western, a noir detective story, and a dystopian sf story https://memex.craphound.com/2012/03/27/liminal-states-tour-de-force-horror-novel-is-also-a-bleak-western-a-noir-detective-story-and-a-dystopian-sf-story/

#10yrsago UK MPs recommend laws compelling Google to censor search results https://www.theguardian.com/technology/2012/mar/27/google-under-fire-from-mps

#10yrsago Haunted Mansion funnies: organist’s origin http://craphound.com/hm-organist.pdf

#10yrsago Norway’s new Minister of International Development is a D&D champ who thinks LARPs can change the worlds https://imagonem.org/2012/03/27/larps-can-change-the-world/

#10yrsago Spanish record industry cartel sues business prof who called their system an illegal cartel, claims “threatened honor” https://torrentfreak.com/anti-piracy-group-sues-professor-for-defamation-120327/

#10yrsago Skull carved out of obsolete computer manuals https://maskulllasserre.com/artwork/2501869_Incarnate_Three_Degrees_of_Certainty_II.html

#10yrsago TSA gets Bruce Schneier booted from House Committee on Oversight and Government Reform hearing https://www.schneier.com/blog/archives/2012/03/congressional_t.html

#10yrsago Copyright is alive and well on the Internet https://www.theguardian.com/technology/2012/mar/23/copyright-regulate-us

#10yrsago Turkish bootleg Star Wars figures of the 1980s http://theswca.com/images-speci/yglesias/uzay.html

#5yrsago Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities https://arstechnica.com/information-technology/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/

#5yrsago India’s Council of Scientific and Industrial Research blew so much money on rubbish patents, it’s gone broke https://www.thehindu.com/opinion/op-ed/the-compulsive-patent-hoarding-disorder/article62113454.ece

#5yrsago AP stylebook now allows the “singular they” in some instances https://www.poynter.org/reporting-editing/2017/ap-style-change-singular-they-is-acceptable-in-limited-cases/

#5yrsago CCTV-studded, teargas-shooting, water-cannon-ed riot-control killdozer https://web.archive.org/web/20160402052234/https://www.bozena.eu/techdata-riot-new/

#5yrsago Miele’s networked disinfecting hospital dishwasher has a gaping security flaw https://www.vice.com/en/article/pg9qkv/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit

#1yrago Dirty NYPD cops can't lose: The secret legal defense fund for the indefensible https://pluralistic.net/2021/03/26/overfitness-factor/#heads-you-lose-tails-they-win

#1yrago Dreaming and overfitting: The Overfitted Brain Hypothesis has a lot of explanatory power https://pluralistic.net/2021/03/26/overfitness-factor/#dreamtime
#1yrago Good news about news co-ops: Save journalism, not media monopolies https://pluralistic.net/2021/03/25/facebook-has-a-facebook-problem/#good-news

#1yrago Zuckerpunch: Don't trust Mark Zuckerberg to solve the Facebook problem https://pluralistic.net/2021/03/25/facebook-has-a-facebook-problem/#played-for-zuckers

#1yrago Green investing is a fraud https://pluralistic.net/2021/03/24/greenwashing/#bargaining



Colophon (permalink)

Today's top sources:

Currently writing:

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Wednesday's progress: 515 words (76369 words total).

  • Vigilant, Little Brother short story about remote invigilation. Friday's progress: 576 words (8135 words total) – FIRST DRAFT COMPLETE

  • A Little Brother short story about DIY insulin PLANNING

  • Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

  • Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: What is “Peak Indifference?”
Upcoming appearances:

Recent appearances:

Latest book:

Upcoming books:

  • Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin, nonfiction/business/politics, Beacon Press, September 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Medium (no ads, paywalled):

https://doctorow.medium.com/

(Latest Medium column: "Marc Laidlaw's "Underneath the Oversea"> https://pluralistic.net/2022/03/20/marc-laidlaws-underneath-the-oversea/)

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla