The other night we got “ding-dong ditched” (or “doorbell ditched” or whatever — apparently every region has a different term for this, just like “skipping class” (which, in some regions, is called “sluffing” for no discernible reason)).  This actually happens pretty regularly to us and, when you have a barky dog and a baby, can be REALLY frustrating.

Why does it happen pretty regularly to us?  Because we have a plain ol’ push button doorbell — unlike pretty much everyone else on our street.  We may very well be the last of the non-video doorbells in our neighborhood.

Which is weird given my enthusiasm (my wife may say obsession) for gadgets.  So why no video doorbells?  Well, there’s three reasons, and they range from the concrete to the philosophical, in order of increasing abstraction:

1. Serious cyber security concerns with anything IoT, but especially Amazon’s products.
2. Concerns with Amazon’s business model
3. Concerns with the creation of private surveillance states and the psychological effects thereof

Let’s dig into these concerns.

Concerns About Cyber security and IoT (and Amazon)

IoT stands for “Internet of Things” and refers to small devices that are connected to the internet, and typically serve a single purpose.  Things like connected thermostats, lightbulbs, vacuums, fridges, photo frames and, yes, video doorbells.

IoT devices are pretty poor from a cyber security standpoint for a few reasons:

1. They are cheap and small and generally aren’t as well tested as other platforms
2. They often don’t receive security updates and, when they do, those updates can be difficult to install
3. The device itself often lasts longer than the seller wants to support, meaning even those that do receive security updates will stop receiving them at some point, whether or not the device is still in use

All that adds up to devices that are on your home network, connect to the internet, and frequently have severe cyber security flaws.  These devices can be hacked themselves (baby monitors are a particularly disturbing example), and can potentially be used as a springboard onto the rest of your network.

The point is, these devices can be dangerous.  It doesn’t mean you can’t use them at all, but I’d only use them if they come from reputable companies that supply updates, if they provide a palpable benefit, and if you take a few network based precautions such as:

• Turn on your guest wifi network
• On the guest wifi network, disable the ability to see any other devices on the network (this is called “micro-segmentation” if you want to impress people)
• Connect IoT devices only to the guest network

Although this doesn’t keep a device itself from being hacked if there are vulnerabilities, it does keep an attacker from getting at anything else in your house, even if they breach that specific device, greatly reducing your risk.

Unfortunately, that’s where Amazon comes in.

Amazon has made it so their IoT devices (including echo speakers and ring cameras) can create a “mesh network” — basically a network directly between devices, instead of connecting to a router or wireless access point.

This isn’t that special, but what’s unique about Amazon’s implementation is that their mesh network connects to ANY amazon devices — even those in neighbor houses.  The reason they do this is to provide network redundancy, and it works like this:

Let’s say you and your neighbor both have amazon ring doorbells.  You’re using Comcast for internet and your neighbor uses Google Fiber or some other provider.  If your Comcast goes out, your ring doorbell will reach out to the neighbor’s doorbell, create a connection, and then continue sending doorbell alerts over your neighbor’s google fiber internet.

Maybe this sounds like a neat selling point, but think of the security implications for a second.  Remember microsegmentation above?  The goal of that is to keep network devices from talking to each other so that a compromised device can’t compromise any others.  But Amazon’s Sidewalk is a network standard created by one organization that bypasses any kind of segmentation by creating mesh networks among all their devices.  Literally millions of devices, all bypassing routers and firewalls created by other organizations — in other words, Amazon becomes a single point of failure.  If a hacker can find a flaw in the Sidewalk protocol they could use it to spread among millions of households without having to breach any other network defenses.

What is most troubling to me is that Amazon enabled this by default via an update — devices that didn’t have it when they were installed all of a sudden were “upgraded” with this mesh network capability, and end users didn’t have to opt-in.  In fact, you have to go to your amazon account and jump through hoops just to opt out.  They vastly increased the attack surface of millions of homes without even asking.

That makes me pretty uncomfortable.  IoT devices are bad enough on their own, but when an IoT device is designed to avoid any protections I may put in place myself … that raises some major red flags.  Especially given Amazon’s priorities, which brings us to concern number two…

Concerns about Amazon’s business model

In 2018 Amazon spent around a billion dollars to buy Ring — the video doorbell company.  Why did they do that?

There were congressional hearings about this that indicated they wanted to get into the space and decided to buy the leader (“Market position”).  Or maybe it was a natural extension of their Alexa product and they thought it made sense.

The answer is much simpler than that.  One report indicates that Amazon lost $19.5 billion to “porch thieves” in just one year.  When trying to solve this problem I have no doubt that engineers at Amazon realized a video doorbell could not only deter thieves, but might also serve as video proof that a package was delivered in case they don’t want to be liable for replacement.

In that context $1 billion isn’t actually that much — some studies show porch theft reducing by roughly 55% after installation of doorbell video cameras throughout a neighborhood.  It is in Amazon’s interest to get a video doorbell to everyone they can to cut back on the $19.5 billion in stolen packages (as a reminder, that’s almost $20 billion PER YEAR).

That is why Amazon always discounts Ring doorbells heavily, and bundles them with lots of other products.  Amazon doesn’t have to make money on each Ring they sell because the Ring being out in the world is already reducing their costs.  And this is one area where Amazon likely doesn’t care if they remain the market leader — if someone else is selling more video doorbells Amazon still gets a potential reduction in package theft costs.  They win either way.

So let’s take a minute and clarify what bothers me about Amazon’s business model.  Because reducing theft isn’t a bad thing!  Making a cheap video doorbell that people can use when they’re not home or that elderly people can use without getting up isn’t a bad thing either!

BUT

Ring wasn’t purchased, and the doorbells weren’t heavily discounted, because it was good for end users.  Amazon bought Ring because it is good for Amazon.  They are creating a nationwide mesh network and pushing it on their users not because it is beneficial to consumers but because, again, it is good for Amazon.

What is good for Amazon at the expense of their users has, sadly, guided much of their thinking lately.

I got my first Kindle (the Kindle Keyboard — the last one with a physical keyboard before they went all touchscreen) not long after getting married because we moved and, in doing so, realized we had a lot of books and they were heavy!  So, Amazon Kindle for all our fiction books, one moving problem solved (it didn’t help with non-fiction and now we have more books than ever but that’s another blog post).

I love my Kindle, and we’ve bought basically every new one that came out since then, even up to the weird big one they just released (the Scribe — it’s fine).  One of my favorite things back in the day was to finish a book and then go to the Amazon page and see what else was recommended for me.  Amazon’s algorithms were good at that, and I discovered a few authors I never would have if not for that pattern.

But things change.  Now if you look at a listing you don’t see a list of recommendations of books Amazon thinks you’ll like.  What you see is this:

That tiny “Sponsored” label let’s you know Amazon doesn’t think these are good for you, someone paid Amazon to recommend these books.  And below that, another sponsored row of books (“Four stars and above”) and below that, another sponsored row of books (“Related Products with free Delivery”).

For every book I think about buying, Amazon is stuffing four different “recommendation” sections with ads.  At first I didn’t think much of it, but eventually a few books started showing up over and over again — for example, the science fiction novels of L. Ron Hubbard, founder of Scientology.

Amazon says they pride themselves on being “Earth’s most customer-centric company,” but this change is decidedly hostile to the customer.  Instead of a list of books Amazon’s vast collection of purchasing and rating knowledge thinks I might like, we get a list of books that other people paid Amazon to put in front of me.  They have taken a great feature and replaced it with a lookalike that allows them to double dip — not just on the sale of the book, but advertising as well.

Their general search has become like this as well — with organic search results coming below sponsored results, often well below the fold.  Another not-particularly-customer-centric move.

I guess all this isn’t that surprising.  Amazon is basically the closest thing we have in modern times to the East India Company, so this isn’t anything new.  But it’s something we need to be aware of.

Amazon’s Ring camera isn’t there on your doorstep to benefit you.  Its Echo devices in your house, fire tablets, adorable robots with puppy dog eyes and quad rotor security drones — none of those are there to benefit you.  All of them exist to benefit Amazon and, if Amazon is forced to make a choice that might harm you but will benefit them, well … they’ve already made that choice in things as simple as their book recommendations.  Why wouldn’t it extend to the vast, unregulated, unrequested and un-blockable (thanks to their own mesh network) surveillance network they’ve created?

Which brings us to our final point.

Concerns with the creation of private surveillance states and the psychological effects thereof

I wrote a long section here, but realized it’s too much to get into in one blog post (and this one is already pretty long so I should wrap it up).  Instead I’ll make a couple of quick points.

Amazon has created, using their Echo and Ring devices, what is most likely the largest private surveillance empire ever.  There are two big problems with this:

1. That kind of reach concentrated in any hands without oversight (government or private) will inevitably be abused by individuals as well as the organization.
2. When we say “private” we maybe think Amazon has our back — that we’re the customer.  But remember, Amazon cares first and foremost about Amazon, and they’ve already stated they’ll turn over data when requested by the government, meaning the private surveillance network is basically private in name only.  If the government wants to pass a law, or even just create a warrant requesting data, that private surveillance network quickly becomes a state one.

Second, let’s talk about the psychological effect.

There are lower rates of violent crime today than 30 years ago, although most Americans mistakenly believe that’s not the case.  Why do they believe it?

Not long after moving into our house we had a person walk through our neighborhood peeking in everyone’s windows and trying their doorknobs.  Then he ran off.  The very next day a door-to-door security salesman came through our neighborhood.  Surprise surprise, they’d “heard” that there had been suspicious people who had been nosing around the neighborhood just the day before, casing everyone’s houses, but the one house in the neighborhood that had their security system installed had captured video of him and he’d run off when he saw the cameras.  Maybe we needed a similar system.

Security companies need to create an environment of fear to sell effectively.  Most aren’t as obvious and ham-fisted about it as the one that came by our house, but they all do the same thing — they have to.  It’s key to their very existence.

So they convince you that you need their product, and by having their product you are reminded every day that you need their product — because the world is dangerous and without it you would be vulnerable.

Final thoughts

So should you have security cameras?  I don’t know, that’s a personal choice.  It depends on a lot of things.  But you should be aware of where the data from your security camera is going, who has access to it, and what their motivations are.

Should you avoid IoT?  Again, it depends.  We use a few things in our house for convenience as well as security, but we take the precautions mentioned above.

The main point I want to make is that anything with a computer chip in it is much more powerful than we give it credit for — and it’s a potential way into your house.  You need to be sure the people you’re buying from have YOUR well-being in mind with the products they make.  That’s why the only Amazon devices we have in our houses are Kindles.  And even those are used differently now.  I really miss being able to trust their book recommendations.