A row of tech execs came into a marble-and-wood-paneled hearing room on September 26, 2018, and sat behind a row of tabletop microphones and miniature water bottles. They’d been summoned to appear before the US Senate Commerce Committee on a dull topic—the storage and privacy of customer data—that had recently enraged a huge number of people. The committee’s chairman, South Dakota’s John Thune, convened the meeting and then began describing events from the previous year that demonstrated how a data-driven economy can go wrong.
It had been a year since news came of a high-profile Equifax data breach that exposed the names, Social Security numbers, and other sensitive information of more than 145 million Americans. And it had been six months since Facebook became embroiled in the Cambridge Analytica crisis, in which a political intelligence business obtained private information from up to 87 million Facebook users for an ostensibly diabolical psychological ploy to help Donald Trump win the presidency. Both the European Union and the State of California had established comprehensive new data privacy legislation to prevent similar intrusions. According to Thune, Congress was about to write its own rules. He proclaimed, “The question is no longer whether we need a federal statute to protect consumer privacy. The question is, how will this law be implemented?”
Representatives from two telecommunications firms, Apple, Google, Twitter, and Amazon sat with the senator, ready to help answer this question. Nobody from Facebook or Equifax was on the list, although both companies had been questioned individually by Congress. The session gave the assembled executives an opportunity to begin lobbying for more favorable regulations, and to reassure Congress that, of course, they had the matter under control.
Andrew DeVore, a representative of Amazon, a business that rarely speaks before Congress, was the only executive at the session who expressed such confidence in the topic. He opened his introductory remarks to senators by referencing one of his firm’s basic tenets: “Amazon’s purpose is to be the greatest customer-centric organization on Earth.”
DeVore, a fiery former attorney general, argued that Amazon needed the least amount of government intervention possible. Consumer trust was already Amazon’s top concern, and the business prioritized privacy and data security in everything it did. “We build our products and services so that customers can easily understand when their data is collected and control when it is shared,” he explained. “Our consumers have faith in us to handle their data with care and logic.” DeVore may have been making a safe assumption on that last point. A Georgetown University study published that year revealed that, after the military, Amazon was the second most trusted organization in the United States. However, as Facebook has discovered in recent years, public trust can be fragile.
What’s even more intriguing about Amazon’s 2018 testimony, in retrospect, is what DeVore didn’t say. At the time, Amazon’s division in charge of keeping customer data safe for the company’s retail operations was in disarray: understaffed, irritated, wearied by frequent leadership changes, and significantly limited in its capacity to do its job, according to its officials. The team had been telling Amazon executives that the retailer’s data was at risk the previous year and the year before. The risk was being exacerbated by the company’s own actions. According to internal documents obtained by Reveal from the Center for Investigative Reporting and WIRED, Amazon’s vast empire of customer data — its pervasive record of what you look for, buy, see, take, and say to Alexa, and who stands at your door — is so sprawling, scattered, and illegally shared within the company that the security department couldn’t even fully map it out, let alone adequately defend its borders.