Five of the six co-conspirators in the US v. Rosenberg et al. (CR 2:20-151 RAJ in the US District Court for the Western District of Washington at Seattle) case have pled guilty, three have been sentenced, and one is in India, where one assumes Amazon is pursuing justice as well. Each guilty plea has revealed new information about how Amazon works, how it treats its sellers and the vulnerabilities of the system we all depend on to sell on Amazon.
The players have admitted their guilt, so I’m not rehashing the legal case here. My focus is on what sellers can learn from this case. It is as much an indictment against Amazon as against the defendants. In this series of blogs, I hope to stimulate industry problem-solving and discussion. Sellers are more than interested bystanders in what happens next.
Amazon’s Data is Vulnerable – And So Are You
CNBC’s recent story showed that black hat data dealers are still selling Amazon data for a price. The indictment isn’t having the “chilling effect” one might hope, and these co-conspirators are the guys who got caught, not the entire cabal of bad actors.
It is hard for people to understand just how damaging this stolen Amazon information is to sellers and consumers – and will continue to be until the problem is solved. Black hat data brokers would have you believe this is a victimless crime – a defense against an organization that holds all the cards, an edge in a highly competitive marketplace.
It is much more than that. Amazon’s internal seller and buyer data is being used to destroy good companies and their products. It is being used to elevate unsafe, shoddy products over safer, quality products. It is being used to allow stolen and counterfeit products back on the platform. It is being used by traffickers and money launderers to hide their crimes. It is being used by con artists to steal passwords and money from consumers and sellers alike.
Amazon’s PR statements in the CNBC story are misleading. They don’t have a handle on this. Amazon admitted it had no way to track who accessed its internal wikis and proprietary secrets from inside the company. This is a shocking revelation from a technology company. Wired Magazine had an in-depth feature on just how vulnerable Amazon’s seller and customer data is; I invite everyone to read it closely. Not only did Amazon not know who was stealing from it on the inside, they actively resisted internal recommendations to improve security.
And it’s not just Amazon’s own trade secrets that are vulnerable; it is buyer and seller data. My mother frequently gets packages that she never ordered for products on Amazon. We’ve reported it, but it is obvious that a LOT of bad actors have her address, and it is an exercise in futility.
While she didn’t get the infamous seed packets, she receives other small items. This happens when a bad actor wants to manipulate their sales rank and make it look like their product is popular and selling well. They create fake orders and send cheap, small, and light (usually) products to unsuspecting consumers. Mailing unwanted products is a relatively benign activity. Can you imagine what else a bad actor might do with millions of verified US buyer names, addresses and phone numbers?
This tactic is so prolific that service businesses have sprung up around it. In a story reported two years ago, a Chinese firm was able to harvest millions of Amazon customers’ data, which was then sold to Amazon sellers. Where did they get that data? They exploited a hole in Amazon’s own program that helps sellers collect sales metrics. For years! The sellers who bought this data then used it to manipulate reviews – from pressuring buyers to remove negative feedback to bribing others to leave 5-star reviews.
When Amazon finally discovered this, they shut down the Chinese service provider and investigated other developers with Amazon API access. According to Wired, Amazon found that more than half of its third-party developers were “violating its terms of service.” They sent them stern letters and told them to delete this data from their servers. Stern letters?!? How secure are you feeling about your seller data right now? Me either. That wasn’t even a hack or a bribe. It was a security hole.
The indictment shows us how easy it was for the co-conspirators to access buyer and seller data for small amounts of money. In addition to review manipulation, some members of the conspiracy used seller data to take down competitors and wipe them off the platform.
Amazon is a victim in this, yes, but so is everyone who has ever bought or sold anything on Amazon. One of the things I hoped to see with the indictment was for Amazon to go after its high-level internal bad actors. If they are doing that, they are quiet about it.
Amazon Seller Performance workers in India have been purged several times, but they aren’t the only ones involved. Rosenberg was chastised by the prosecution for intimidating a witness in the early days (these trial documents were later sealed, but I have copies). This was one of his regular contacts high up in Seattle. Rosenberg said he was “concerned” about him. It was a telling move. Why reach out if his contact had nothing to fear? This witness is still working at Amazon, as are others who are linked to this trial.
Because Amazon is opaque about its internal investigations, we will never know the truth. And we don’t need to know the truth about particular people. What we deserve to know as fellow victims is that Amazon has fixed its data access problems, that they can track who is accessing what and when. This would go a long way toward keeping seller data safe and discouraging internal corruption.