Cloud Security Privacy Hardware

Amazon's Latest Gimmicks Are Pushing the Limits of Privacy (wired.com) 49

At the end of September, Amazon debuted two especially futuristic products within five days of each other: a small autonomous surveillance drone, called Ring Always Home Cam, and a palm recognition scanner, called Amazon One. "Both products aim to make security and authentication more convenient -- but for privacy-conscious consumers, they also raise red flags," reports Wired. From the report: Amazon's latest data-hungry innovations are not launching in a vacuum. The company also owns Ring, whose smart doorbells have had myriad security issues and have been widely criticized for bringing unprecedented surveillance to traditionally semi-private spaces. Meanwhile, the biometric data that Amazon Go will collect is particularly sensitive, because unlike a password you can't simply change it if a hacker steals it or it gets unintentionally exposed. Amazon has a strong record for maintaining the security of its massive cloud infrastructure, but there have been lapses across the sprawling business. The stakes are already phenomenally high; the more data the company holds the more risk it takes on. "Amazon has a major genomics cloud platform, so maybe they hold your DNA and now they're going to have your palm as well? Plus all of these devices inside your house. And your purchase history on Prime. That's a lot of information. That's a lot of personal information," says Nina Alli, executive director of Defcon's Biohacking Village and a health care security researcher. "When you give away this data you're giving a company the ability to access and manage you, not the other way around."
[...]
Additionally, while companies like Apple and Samsung have brought biometric fingerprint and face scanners to the masses by making sure the data never leaves the device, Amazon One takes the opposite approach. Kumar writes that "palm images are never stored" on Amazon One itself. Instead they are encrypted and sent to a special high security area of Amazon's cloud to be converted into "palm signatures" based on the unique and distinctive features of a user's hand. Then the service compares that signature to the one on file in each user's account and returns a match or no match answer back down to the device. It makes sense that Amazon doesn't want to store databases of people's palm data locally on publicly accessible machines that could be manipulated. But the system could perhaps have been set up to generate a palm signature locally, delete the image of a person's hand, and send only the encrypted signature on for analysis. The fact that all of those palm images will be going for cloud processing creates a single point of failure.
"I'm worried that people could read your palm vein pattern in other ways and construct an analog. It's only a matter of time," says Joseph Lorenzo Hall, a longtime security and privacy researcher and a senior vice president at the nonprofit Internet Society. "Both the home drone and the palm payment are going to rely heavily on the cloud and on the security provided by that cloud storage. That's worrying because it means all the risks -- rogue employees, government data requests, data breach, secondary uses -- associated with data collection on the server-side could be possible. I'm much more comfortable having a biometric template stored locally rather than on a server where it might be exfiltrated."

An Amazon spokesperson told WIRED, "We are confident that the cloud is highly secure. In addition, Amazon One palm data is stored separately from other personal identifiers, and is uniquely encrypted with its own keys in a secure zone in the cloud."

  • and now it's becoming literally skynet
    • by Mr. Dollar Ton ( 5495648 ) on Monday October 12, 2020 @08:47PM (#60601264)

      It's the USA, the surveillance heaven. I miss the days when the children of the KGB only had their eyes, their ears and their expensive tape recorders to spy on us.

      Compared to the Googles, the Amazons and the Facebooks of today, the "totalitarian" state of the real 1984 is a joke.

      • Re: (Score:3, Insightful)

        by Dutch Gun ( 899105 )

        If you can publicly complain that you live in a totalitarian state without fear of reprisals... you probably don't actually live in a totalitarian state.

        • by geekmux ( 1040042 ) on Monday October 12, 2020 @09:56PM (#60601412)

          If you can publicly complain that you live in a totalitarian state without fear of reprisals... you probably don't actually live in a totalitarian state.

          Dear Citizen,

          What the fuck, are YOU going to do about it?

          Welcome to Corporate Arrogance. Not sure why you ever assumed we actually give a shit about your "complaints".

          Fuck You Very Much, and Have a Nice Day.

          Hugs and Kisses,

          - The Overlords you welcome with every I Agree

        • by Compuser ( 14899 )

          Probably, but you never know...
          https://en.wikipedia.org/wiki/... [wikipedia.org]

        • by Mr. Dollar Ton ( 5495648 ) on Monday October 12, 2020 @10:33PM (#60601496)

          Most people who lived in totalitarian states complained publicly without much fear of reprisal. The few that actually did something to the state ended up reprised. Kinda like an Edward Snowden we used to know.

          • by jay age ( 757446 )

            Your attempted trivialization of totalitarian states is shameful.

            This is patently not true. Not in the totalitarian state I lived in (which was during my lifetime already comparatively mildly policed), nor in any other.

            You couldn't say much wrong publicly in fascist Germany or Spain, nor in communist Soviet Union. To this day you can't say much in China (or newly also Hong Kong), North Korea or Russia before getting arrested, disappeared, poisoned or killed.

            US for all its faults is nothing like them.

        • If you can publicly complain that you live in a totalitarian state without fear of reprisals... you probably don't actually live in a totalitarian state.

          Either that or they simply don't give a shit.

    • Readers here push forward technology, but this is a festering wound of privacy leaking slime.

      Opt out by not feeding data to net aggregators, Ring, Alexa, Amazon, Microsoft Teams (turn on real time transcription to see creepy) by not buying data aggregation products and not enabling Bluetooth or Wi-Fi on your mobile devices when not at home.

      • Bad advice: without bluetooth your COVID tracker program will not work. You have no right to turn bluetooth off. People are dying.

  • by 140Mandak262Jamuna ( 970587 ) on Monday October 12, 2020 @09:12PM (#60601314) Journal
    The Amazon recommendation system shows up, when you search for "My palm print in Amazon has been hacked", it shows, "People whose palm prints have been compromised searched for: chain saws, tourniquet, bandages, pain killers, and prosthetic hands."
  • Corporate Vacuum (Score:5, Informative)

    by RitchCraft ( 6454710 ) on Monday October 12, 2020 @10:15PM (#60601460)
    "We are confident that the cloud is highly secure." That's proven the opposite every single day.
  • One question is if this is a gimmick or does it actually make an image of your hand that can be reasonably differentiated from other people. I ask this because I have seen how hard it is to even take a fingerprint. Some countries require biometric ID, and just getting my fingerprint to match takes 3 or 4 tries. It does not always work on my phone. Building a whole hand scanner for low cost seems prohibitive.
  • Cool tech (Score:4, Interesting)

    by cusco ( 717999 ) <brian@bixby.gmail@com> on Monday October 12, 2020 @10:48PM (#60601522)

    **Full Disclosure** I work in physical security at Amazon, key cards, alarms, security cameras, that stuff. I also worked for five years in the AWS Security Operations Center. I have nothing to do with either of these products.

    I've worked in physical security for around 15 years and biometric scanners were always a nightmare. Finicky, touchy, needing regular calibration, and they failed so often you always needed at least two spares for every five readers. RSI Handkey readers were the worst, and when I heard that Amazon was working on a hand scanner I was skeptical to say the least. To my amazement 1) the thing actually works, 2) it works well, 3) it doesn't need regular recalibration, and 4) it's durable enough for retail installation.

    I'm not really clear on what people are worried about r.e. the "privacy implications". Unlike a credit card it can't be stolen, copied or falsified. Of course it's going to be used to track your purchases, did you think your credit/debit card wasn't already being used that way?

    • Re:Cool tech (Score:4, Insightful)

      by RitchCraft ( 6454710 ) on Monday October 12, 2020 @11:05PM (#60601566)
      It's not the tech but rather the company behind it that probably scares so many. Companies like Amazon (insert Google, Facebook, Microsoft, All advertising scum, etc..) have abused the power the Internet has offered. The "too big to care" attitude of these companies is frightening.
    • Re:Cool tech (Score:5, Interesting)

      by CaptainLugnuts ( 2594663 ) on Tuesday October 13, 2020 @12:04AM (#60601662)

      I'm not really clear on what people are worried about r.e. the "privacy implications". Unlike a credit card it can't be stolen, copied or falsified.

      This is the exact reason biometrics are currently unworkable for general use. When Amazon's database gets hacked (and it will) you can't change your palmprint. At best it's part of a multi-factor authentication. Even then it's a poor thing to rely on.

      • This is the exact reason biometrics are currently unworkable for general use. When Amazon's database gets hacked

        It looks like Doctor Victor Frankenstein was way ahead of his time -- he excelled in swapping hands and random body parts on people. Only had one complete success though, but then again practice makes perfect.

        For a biometric example, I always liked "Demolition Man"; I thought the eye scanner scene was great. "See? Here's my eye -- look, it's really me!"

        • For a biometric example, I always liked "Demolition Man"; I thought the eye scanner scene was great. "See? Here's my eye -- look, it's really me!"

          Even at the time that movie was made, high-end scanners already had the ability to detect a lack of life. It was a cute scene, but bore about as much resemblance to reality as... the rest of the movie really

    • You can cancel a credit card. Doing the same with this involves the liberal application of a steam iron.
      • by cusco ( 717999 )

        Why do you cancel a credit card? Because it's been hacked, or stolen. If your palm has been stolen you have more worries than your credit account, and they can't copy your palm with anything remotely like technology that will be available in the next decade.

        • Why do you cancel a credit card?

          I've cancelled at least two because of change in policies of the provider and the issuing bank.

          • by cusco ( 717999 )

            So you changed your credit provider. Once this is deployed more widely than just Amazon facilities you'll be able to associate your palm print with whatever provider you want, and end that arrangement as well. If you want two different credit providers simultaneously use the other hand.

        • If your palm has been stolen you have more worries than your credit account

          Well, I do if this sort of thing is in widespread use. Otherwise, my only worry is that someone out there can pretend their hand turkeys are actually *my* hand turkeys.

          they can't copy your palm with anything remotely like technology that will be available in the next decade

          They can get a copy of the relevant data. Then spoof it. They might not be able to walk into an Amazon store and do it, but 1. this is not going to end there, and 2. once the information is stored in Amazon's 'secure' cloud it may as well be published on Wikileaks.

          I'm really beginning to question this whole "I work in physical securit

          • by cusco ( 717999 )

            They can get a copy of the relevant data. Then spoof it.

            And what are they going to do with it? Can you crack the encrypted data stream between the register at a Go or 4 Star store and the data center? (If so they might have a very lucrative job offer for you.)

            They can get a copy of your fingerprint or iris pattern much much easier (a good camera is all it takes), and yet those are considered to be secure for most uses.

            once the information is stored in Amazon's 'secure' cloud it may as well be published on Wikileaks.

            Really? How often does Amazon expose its secure data to the world? When was the last time that AWS was hacked? (Hint: It's a really small num

    • by coofercat ( 719737 ) on Tuesday October 13, 2020 @08:15AM (#60602444) Homepage Journal

      My big problem with Alexa, Ring and now this is that it all needs "the cloud" to work. That means there is a database of all the palms that have ever been scanned somewhere - yet it's no one's business who places their hand on my hand scanner except maybe mine.

      Inside Amazon, I'll bet there's a whole world of information that's on a "need to know basis". I'll bet there are places that only certain people can go too. Yet when it comes to my personal data, privacy etc, apparently it's okay for me to give it all up to someone who absolutely doesn't need to know it at all - they just want it for... whatever. I'm afraid, I don't like that, so don't want to play, thanks.

      Also, onto the point about credit cards - it's true that my bank knows a lot about me because it sees my credit card usage. However, they're not trying to sell me stuff, so in some sense, that information isn't terribly useful to them. They're not allowed to sell it (because of regulation), and so, yes, I'm giving something up, but it's not likely to be used "against me" as such. Contrast to Amazon (and others) that are entirely unregulated, and apparently so far out of the reach of legal systems that they don't even need to pay tax (which is usually one of the things legal jurisdictions take most seriously). Giving Amazon anything means they can do what the hell they like with it - and quite probably are.

      • by cusco ( 717999 )

        I'll bet there are places that only certain people can go too.

        Yep, that's what I do all day every day, make sure that people can't get to places that they're not supposed to but can get to the places they need to. It's actually a fun and challenging job and we need more techies in the profession.

        they're not trying to sell me stuff

        Yes, they are. They're using it to market (or not) financial services such as investments, retirement accounts, mortgages, etc. Even our credit union does it. If it were worthwhile for them to direct you to a car dealership rather than be content with just financing the pu

        • I'm in the UK - and so no, banks aren't trying to sell me anything - although I take your point about mortgages and whatnot - they could try to sell me financial products, that's true - but actually even that's pretty limited because financial products have to "fit" the customer - if my bank tries to sell me something that's not actually in my best interests they can get into regulatory trouble (all the way up to losing their license). So at the moment at least, banks are really waaay down the pile of peopl

  • I'm not overly concerned about catching video of burglars inside my house, or recording a home invasion, but I do want to see what my dog is doing when I'm at work. If it occasionally catches me masturbating, well, that's kind of on them.

  • by BAReFO0t ( 6240524 ) on Tuesday October 13, 2020 @01:22AM (#60601786)

    They crossed it, and raped it to death, a long time ago.
    They are just now going in for seconds on the goatse'd bloody dismembered body.

    And I'll bet money that is only the distraction from their more evil actual plan [youtu.be].

  • There just doesn't seem to be any reason to worry about this here. I mean the whole thing with palm prints is that (like fingerprints) you leave them on surfaces you touch.

    So someone who wants your palm print has two options. One, just frequent the same places you do and wait until you touch something they can take a palm print of (they can assemble it from a bunch of partials) or they can try to hack amazon and then somehow reconstruct it from the palm print signature amazon has. Now, you almost surely

    • They aren't recognizing ridge patterns, so an attacker would have to take a picture with the same wavelengths the device uses. Still doable, though if it requires a flash or high intensity scanning beam hard to do covertly.

      • Ok, so even less need to worry because they literally can't use the info to infer your biometrics for any other biometric authentication device.

        I suspect that's not going to be true and there is enough overlap between the ridge pattern that you could predict something that would work. I mean it has to work across different levels of tan or staining.

    • Biometric identification only makes sense as a username. Not is identification. Not security.

      Passwords should still be used. A thumb print and then pin proves who you are and what you know.

      Why do people keep trying to use identification as passwords is beyond me.

      I use the thumb print on my phone that way my phone knows it is me and unlocks. It isn't my password and it isn't my pin.

      • It depends hugely on context. Look, biometrics are a really great way for most people to unlock their phones because their threat model isn't evil hackers or even criminals but curious kids, snooping friends/lovers and to deter teen thieves.

        They are also a pretty great way to do security in a context with human monitors. I mean we are literally using biometrics when we let the president walk into the White House and issue orders without a password...just ones mounted on our heads. It's totally reasonable

  • Pushing the Limits of Privacy

    Note to editor: normally limits are understood to be pushed outward, not inward.

  • ... and you attack it, will that count as "assault on an officer" and get you locked away for life?

  • If this thing is flying around a house with a cat and the cat gets interested in it, it'll only be a matter of time before the cat gets it. Byebye, drone!

    Cats: guardians of your privacy!
