Are Amazon Sidewalk’s privacy protocols ready for the real world?


Last week, Amazon opened up its Sidewalk protocol to third-party developers. Sidewalk is a large mesh network that uses people’s home internet connections in the US. It’s a service that requires a lot of trust, and so far most of the devices on it are Amazon’s own products. But that’s about to change — and as a result, Sidewalk’s privacy safeguards are about to be tested on a much wider scale.

No connected device is ever truly 100 percent private or secure. But so far, despite some initial concerns, Sidewalk has avoided major privacy disasters. Here’s an overview of how Sidewalk works, the risks it can pose to you as a user, and what we know about Amazon’s plans to defuse them.


Are Amazon Sidewalk’s Privacy Protocols Good?

By rights, Sidewalk should be a privacy nightmare. It uses your Amazon Echo or Ring camera as a bridge to siphon off a small portion of your internet bandwidth, which is then aggregated to create a mesh network. The more Sidewalk bridges in your area, the better it works.

Your Echo speakers can act as an Amazon Sidewalk bridge unless you opt out of the service.

Why would you want this? It’s a way to make sure your smart devices work even when there’s no stable Wi-Fi connection. Let’s say you tape a Ring spotlight to your garage door, well out of range of your router. That device can instead use Sidewalk to stay connected. Sidewalk is also similar to Apple’s Find My network when it comes to Bluetooth item or location trackers. Before Sidewalk compatibility was added, Tile trackers were usually limited to your phone’s Bluetooth range. That’s fine if you lose your keys at home, but less convenient if you lose them on the street. Now select Tile trackers can leverage the Sidewalk network to notify owners of their last known location, even if the owners are miles away.

Your devices connecting to and sending data over a network made from bandwidth borrowed from strangers? Sounds fishy. However, experts say they’re not too concerned about Amazon’s Sidewalk privacy and security protocols, which include three layers of encryption to secure data. (You can read more about this in the white paper.)

“Anyone who goes to the [Sidewalk privacy] protocol has said it is a good protocol,” said Jon Callas, Director of Public Interest Technology at the Electronic Frontier Foundation. “There are no major flaws.”

So why the concern?

Amazon Sidewalk was quietly announced in 2019, but privacy concerns started in earnest before its launch in June 2021. They revolved around the fact that Sidewalk was an opt-out service. If you had an Echo or Ring that could serve as a bridge when Sidewalk launched, it was enabled by default via an over-the-air update. Amazon said it sent users an email telling them how to opt out, but who among us has read every ecommerce email in their inbox? It didn’t help that the setting was – and still is – hard to find in the Alexa app. The better option for privacy and security would have been to make the service opt-in. Instead, the backlash was fierce and Sidewalk made a less than stellar first impression.

Amazon has since stated that the first time you set up a compatible device, you’ll be asked if you want to enable Sidewalk. However, it is still not fully opt-in. In its white paper, Amazon also says that if you don’t complete the setup, Sidewalk will be enabled by default unless you’ve previously opted out.

There were also concerns that Sidewalk was, in effect, stealing internet bandwidth. The fear was that users, possibly without permission, would end up with higher-than-expected internet bills and slower speeds. While Sidewalk “borrows” bandwidth, it limits usage to 500MB per month. That shouldn’t be a problem if you have wired broadband, and at that amount of data it’s unlikely your service will be slowed down.

What do third-party developers have to do with it?

Until now, most Sidewalk devices have been Amazon Echo and Ring products, with a handful of other partners like Tile. Adding third parties will increase the number of Sidewalk-compatible products and hubs, but it inevitably means discovering bugs and other vulnerabilities that Amazon and experts have not considered. Sidewalk’s privacy and security protocols look good on paper, but they haven’t been tested under these conditions.

“It is not yet in line with reality. When all these things coincide with reality, problems arise,” says Callas, referring to Sidewalk. “I’m sure there will be at least one embarrassing bug in the system because everyone has at least one embarrassing bug.”

We are also still waiting for important information about Sidewalk. Apple, Google, and other tech giants all make sure developers meet certain criteria to use their APIs, but there aren’t many details about Sidewalk’s certification process or how Amazon plans to ensure developers comply with Sidewalk’s privacy policies. Similarly, Amazon has not detailed its plans to crack down on bad actors. We don’t yet know how quickly Amazon will respond to reported threats or how quickly it will patch bugs and vulnerabilities. And the fact is, we won’t know until it happens.


“Developers who want to participate in Amazon Sidewalk will go through the Works with Amazon Sidewalk Qualification Program (WWAS),” Amazon spokesperson Jill Tornifoglio told The Verge. The WWAS program, which is currently live, will reportedly test third-party designs for compliance with Sidewalk protocol requirements such as timing, packet structure, and size requirements. “We also check that devices connect to the Sidewalk network after the registration process,” says Tornifoglio.

Tornifoglio also clarified that Sidewalk has multiple layers of encryption, and those standards will also apply to third-party applications. Third parties may also issue unique identities to link devices to their apps to prevent unauthorized access.

“We believe technology can and should be used for good, but we recognize that bad actors can abuse many different types of technology. Any kind of abuse is unacceptable and subject to termination under our terms of service,” said Tornifoglio, adding that Amazon has the ability to remove bad actors and malicious devices from the network.

The Echo Show 10 is yet another Sidewalk bridge.

So, should I be concerned?

At this point it comes down to how comfortable you are with uncertainty. So far, there are no major reasons to be wary – aside from your personal feelings about Amazon’s reliability. That’s fair, since Amazon screwed up the way it handled Alexa voice recordings. The company doesn’t have the best track record with Ring cameras and surveillance either. However, it should also be noted that Amazon’s AWS cloud services are considered to have excellent security measures.

If you’re concerned about Sidewalk, opting out is the only way to make sure it doesn’t affect your privacy in any way. But if you’re already an avid Amazon Echo or Ring user and you like the idea of Sidewalk as a whole, feel free to participate until you get a reason not to.

“I wouldn’t worry about the details,” says Callas. “All these voice things like Echo, I don’t use them, but I don’t feel like people who do are putting themselves at risk in any way.”