Amazon Sidewalk Relies on Opt-Out to Scale

By: Smitha Gundavajhala

When HBO’s show Silicon Valley aired, many, including Forbes and Wired, regarded the fictional company Pied Piper’s concept of a “decentralized internet” as a not-so-distant reality. In the show, Pied Piper’s decentralized internet model involved a mesh network of smartphones that pooled their storage capacity to create an untethered internet. Wired noted that while a form of decentralized internet already existed at the time, those decentralized platforms were built on the traditional internet infrastructure of fiber optic cables, rather than on a network of smartphones, as in Silicon Valley. Enter Amazon Sidewalk.

Amazon Sidewalk, which officially rolled out last year, uses Bluetooth Low Energy and 900 MHz radio signals to carry small amounts of data across greater distances than Wi-Fi alone can reach. Currently, it uses customers’ Amazon devices as bridges, each sharing a small slice of its household’s internet connection to extend low-bandwidth connectivity beyond your home, but the technology could scale using internet-of-things devices such as smart watches. Some predict that Sidewalk might soon create entire smart neighborhoods. However, to achieve that kind of scale, it would have to bring a lot of devices online, and fast.

Season 4, Episode 9 of Silicon Valley foreshadowed this issue. Recognizing that they needed a lot of phones on their network for it to work, members of the Pied Piper team snuck into a competitor’s conference and installed Pied Piper on attendees’ phones without their consent. To get Amazon Sidewalk to scale quickly, Amazon did something similar, albeit much simpler: it enabled Sidewalk on existing Amazon devices. Amazon Sidewalk went live in June 2021, automatically enrolling compatible Ring and Echo devices. Today, the network also carries traffic for third-party devices such as Tile trackers.

According to the Amazon Sidewalk white paper, users setting up a new device receive a notification allowing them to opt in or out, while on existing devices Sidewalk is enabled by default, so those users can only opt out. However, under the European Union’s General Data Protection Regulation (GDPR), the current gold standard for data protection, consent must be opt-in. GDPR Article 4(11) defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes, given by a statement or by a clear affirmative action, and Article 7 puts the burden on the controller to demonstrate that such consent was obtained; a pre-ticked box or a default-on setting does not qualify. Sidewalk is currently offered only in the United States, so GDPR does not yet apply to it, but when Amazon automatically enrolled Sidewalk-enabled devices and gave existing users only the choice to opt out, it adopted a consent model that runs afoul of GDPR consent principles.

If Sidewalk is to be the future of decentralized internet, it must contend with both domestic and international privacy regulations. Many state privacy laws, such as the California Consumer Privacy Act (CCPA), already reflect some GDPR principles, and there is a growing trend toward aligning local legislation with that internationally used privacy standard. While the CCPA does not require opt-in consent for most processing, Amazon will need to contend with state legislation that does, such as the proposed People’s Privacy Act in Washington.

Rep. Shelley Kloba re-introduced the People’s Privacy Act in this legislative session. The bill, created by the ACLU of Washington with support from the Tech Equity Coalition, is based on the premise that individuals’ data should not be used without their affirmative consent. The People’s Privacy Act is the first privacy bill in recent history to originate in the House of the state legislature, rather than in the Senate. If it passes, it would go further than other recent state privacy laws, including Virginia’s Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA), which require opt-in consent only for the processing of sensitive personal data: the People’s Privacy Act would require affirmative consent for the use or disclosure of all kinds of personal data. Of course, the People’s Privacy Act is subject to pushback from the many technology companies located in Washington, including Amazon. Even if it does not pass in this legislative session, it expresses a bold proposition that may become the gold standard of consent in the United States.

In the Sidewalk white paper, Amazon claims that it will not collect personal data via Sidewalk-enabled devices. Amazon goes to great lengths to describe the practices it will take to protect users’ privacy, including three layers of encryption, rotating device identifiers, and a cap on the bandwidth each bridge shares. However, internet-of-things devices are notoriously insecure, and Amazon’s current opt-out approach exposes users to privacy risks that they might not willingly take on. For instance, Sidewalk devices reach bridges over Bluetooth Low Energy and 900 MHz radio, and the Bluetooth stacks in IoT devices have a long record of exploitable flaws, so an automatically enrolled bridge adds radio attack surface to a home network whether or not its owner wanted it. In addition, Sidewalk includes a Community Finding feature that lets a device discover the approximate location of nearby Sidewalk bridges. In practice, if you have Sidewalk-enabled devices in your home, this can reveal the approximate location of your home. Amazon says this location is anonymized and coarse, and the Community Finding feature is disabled by default. However, the very existence of this feature raises major privacy and cybersecurity concerns.

It is not yet clear whether Sidewalk will become the decentralized internet that Pied Piper envisioned. The notion of opt-in consent is in tension with Sidewalk’s ability to realize that vision, as it requires users to make an informed choice to volunteer a slice of their internet bandwidth (which Amazon caps at 80 Kbps per bridge and 500 MB per month per account) for strangers to use, and to share relevant metadata with Amazon in the process. Sidewalk’s technology could be powerful for communities around the world, including rural communities that may have limited broadband access. However, if Sidewalk hopes to scale internationally, it must be prepared to adopt opt-in consent, the internationally used standard of consent from the GDPR.