Not Just No

Not just no, but hell no. I’d use an even stronger word, but I try to keep this blog within shouting distance of being safe for work.

As anyone who reads this blog regularly has probably guessed, I’m talking about the just-announced Amazon Key service.

For those of you who haven’t heard about Amazon Key, it’s the Big A’s take on an idea Walmart introduced recently: a way for delivery people to put your packages inside the house, so they can’t be stolen.

Walmart’s version, by the way, is a little creepier: they’re offering the service for groceries, and it includes putting them in your fridge. For now, Amazon Key seems to be limited to setting your packages inside the door and leaving it at that. I say “for now” because it’s apparently their way of getting a foot in the door (sorry) and will be expanded later to offer services such as dog walking and housekeeping.

The way the service will work is relatively straightforward: you (well, not you, because I hope everyone reading this blog is smart enough to give Amazon Key a pass) buy a particular Wi-Fi camera and smart lock. Once they’re installed, if you don’t answer the door, your friendly package delivery peon can contact somebody at Amazon HQ, who will remotely unlock the door. You get an alert on your phone and can use your phone and the camera to watch the peon put your packages inside. Presumably the door will lock again when it’s closed.

Amazon claims they’ll be vetting the delivery people. That’s nice. They also claim to vet the current delivery people. You know, the ones who park in the middle of the street and hurl packages over the fence. (A side note: since I wrote that post, I’ve seen several female Amazon delivery peons. Most of them were accompanied by males who were, unlike the women, not wearing any Amazon logo-bearing clothing. Does Amazon also vet those security ride-along people?)

Amazon also says they’ll be carrying insurance to cover you against delivery issues, property damage, or theft. That’s nice. They also explicitly warn against using the Amazon Key service if you have pets who might come to the door. So, clearly they don’t think the insurance will cover lost pets–nor do they want to deal with lawsuits from their gig economy, vetted delivery peons seeking to make the Big A responsible for their dog bites and/or allergic reactions.

But leave that aside.

Remember last year, when a researcher found that “twelve of sixteen locks he bought at random had either no security or absolutely horrible security“? I’ve seen nothing to make me think matters have improved in the last fourteen months. Granted, Amazon is better than many companies about issuing software updates to products they sell under their own name. But it’s not entirely clear to me whether the lock will be Amazon-branded, let alone Amazon-built.

Then there’s that camera. Look back another year, when reports were going around about baby monitors. At that time, nine out of nine popular baby monitors were found to have serious security flaws. Don’t think camera manufacturers have improved their security in the past two years: cameras have been prominent contributors to the waves of zombified Internet of Things attacks we’ve seen in the past year, beginning with last October’s Mirai malware-controlled mess.

But leave that aside, too.

Suppose everything works perfectly according to Amazon’s plan. Amazon is already a huge target for hackers. Do you think giving them the ability to remotely unlock doors will make them less of a target? Do you believe their security is that much better than, say, Target? Experian? Hell, a quick Google search should remind you that the National Security Agency can’t keep their own data secure.

As far as I’m concerned, a massive security breach at Amazon exposing the personal information of millions of customers is only a matter of time.

I’ll pass on Amazon Key, thanks. I hope you will too.