Privacy: the more, the merrier?

Abstract

Privacy-enhancing technologies (PETs) have historically been used for safeguarding individual privacy from both public and private interference. But lately, tech companies have started using PETs as one instrument for the expansion of their power over different actors, as appears to be unfolding in the case of Amazon’s Sidewalk service: a United States-only privacy-preserving crowdsourced service that promises connectivity to Internet of Things (IoT) devices manufactured by third parties in smart-home, logistics, and utilities use-cases. Compatible IoT devices (‘endpoints’) are granted connectivity by ‘gateways’, namely smart-home devices from Amazon’s Echo (smart speakers) and Ring (smart cameras and doorbells) series that donate a portion of their bandwidth to endpoints that might be owned by others. Amazon pushed a software update to these Echo and Ring devices, that turned them from smart-home devices to contributors to the Sidewalk network, unless users actively opted out, yielding a coverage of at least 90% of the US population. With Sidewalk, Amazon leverages PETs (namely end-to-end encryption and device identifier obfuscation) to mitigate privacy concerns that the crowdsourced architecture yields. However, this necessitates significant investments from third-party manufacturers to make their devices Sidewalk-compatible, suggesting a power emergence shaped by PETs.

I answered the research question “How does Amazon’s use of privacy-enhancing technologies in Sidewalk affect its power over IoT manufacturers?” by reviewing grey literature, analysing the Sidewalk technology, and elite interviewing with high-ranking employees of Sidewalk-adopting manufacturers. I have shown that Amazon leveraged PETs to mitigate public security concerns, but in the meantime reshapes how manufacturers produce their devices. Part of this ploy is cementing AWS in their production processes. Amazon also uses this leverage to mobilise manufacturers’ and silicon providers’ resources to improve Sidewalk’s public reception, technology, and governance.

These reconfigurations are expensive and complicated to realise, but manufacturers stressed the importance of Sidewalk adoption to leverage Amazon’s reputation vis-à-vis suppliers and customers, and “befriend the giant” for they rely on Amazon’s Marketplace, cloud, and logistics.

Meanwhile, Amazon’s reductionist framing of privacy and security as protecting user identity and data confidentiality, means that confidentiality of manufacturers’ business-sensitive information is not discussed. With this vantage point, Amazon can learn which endpoint types are popular and how they work; but Sidewalk might also be a vehicle for Amazon to attract more IoT developers to AWS.

In sum, I have demonstrated that strictly pursuing user privacy (or confidentiality) in digital services may have unforeseen effects on production. Therefore, I call upon privacy and competition scholars, advocates, and regulators to question how privacy protection actually augments companies’ power, and stepping away from their narrow “consumer harm” lenses. These actors should debate a right to personal control over devices. A mere consumer focus in studying these developments is insufficient: I established that business-to-business relations and businesses’ production processes are more significantly affected than consumers. The production focus of this work lays bare the novel power dynamics between Amazon and manufacturers, shaped by PETs.