Opening the Door

UCSB experts examine the personal safety and data risks associated with in-home delivery service

Not home? No problem.

Amazon customers in select cities like Los Angeles, San Diego and San Francisco can opt for a new service, launched for the holidays: packages dropped off inside their homes when they are away. The convenience has raised alarm about security and privacy hazards, and with good reason, say experts at UC Santa Barbara.

To avoid porch pirates and nasty weather, Amazon Key uses a cloud computer system to operate a smart door lock with encrypted safeguards and a security camera that records in-home deliveries. The company opens doors for delivery drivers via remote servers in giant digital data centers operated by Amazon Web Services (AWS).  

“Amazon has been pushing the envelope for a while,” said Sam Horowitz, chief information security officer for UC Santa Barbara. “Companies previously tried using exterior locked delivery boxes, but that was largely unsuccessful. In-home delivery was the next likely step.” He sees it as an extension of what many people already do — give a home key to dog walkers or service workers.

From a security standpoint, a remotely controlled lock poses a risk, according to Horowitz. “There is always the possibility that a latent vulnerability in the lock could be exploited,” he said, adding that he’s not suggesting Amazon’s devices are hackable — they operate on Zigbee, a closed wireless network separate from WiFi.             

Still, there’s plenty that can go wrong, said Jennifer Holt, an associate professor of film and media studies at UCSB, who researches data collection and information policy. While she fears a pet might escape when a delivery driver opens a door, Holt’s major concern is the escalating exposure and collection of private data, such as digital footage of your home’s interior or your daily in-and-out schedule. As a safeguard, Amazon customers can delete their videos on AWS.

“Obviously, younger generations are more tolerant of intrusions on their digital lives than the rest of us,” Holt said. “The idea of what we allow now would be unimaginable 20 years ago.” 

Beyond the futuristic delivery model, AWS — one of Amazon’s fastest-growing units — has entered the domestic space in all kinds of ways, Holt said. For instance, Amazon’s voice-activated in-home personal assistant, Echo, can answer questions, recite the weather, play music or control a home’s smart lights — similar to rival systems such as Google Home.

Echo operates on Alexa, an AWS cloud-based service that takes spoken instructions, sends them to the web, transforms them into digital commands and sends them back to the device, which converts those directions into actions — like turning on lights in the living room.             

During recent travels, Holt said, she noticed that AWS is being heavily marketed in airports — presumably directed at traveling executives — with a promise of storing institutions’ creative work. According to industry experts, AWS’ global network of remote servers provides organizations a cost-effective way to store, manage and process soaring amounts of data. Clients include the CIA, government agencies, Nordstrom, Nike, Under Armour, Comcast and Lionsgate.

“What’s most troubling to me is the role these private companies have now in establishing terms of service and user licensing agreements as data policy,” Holt said, noting the government hasn’t been able to keep up with the dramatic transformation in technology.             

Based on terms in an AWS service contract, a client agrees that any dispute with the company must be adjudicated in King County, Washington, where Amazon’s headquarters are located, Holt added. “So even if the dispute is over a server in Hong Kong, New Delhi or Paris, the company’s terms of service agreement usurps international laws and jurisdictions.”

Down the road, Holt believes the largest players hosting digital data — Amazon, Microsoft, IBM and Google — will become indispensable because they’ve established networks and relationships.

“They have made tech experiences somewhat seamless,” Holt said. “All of these security breaches don’t even scare people away half the time. It’s not like one company can ever own the internet, but the amount of control one company has over the traffic can definitely impact the experience we have.”            
