Why it matters: According to an internal Amazon document obtained by Vice, the company plans to use increasingly close surveillance measures on its customer service workers to better detect outside actors who try to access customer data. Amazon thinks this surveillance is sorely needed in a time when more Amazon employees are working from home.
According to the document, Amazon initially considered using software that records all of an employee's keystrokes. However, it is now looking at a product that analyzes user behavior in a more general way to create profiles which it then uses to identify whether another person is using that device. That behavior might include typing rhythm, mouse movements, and touch gestures. "We have a security gap as we don't have a reliable mechanism for verifying that users are who they claim they are," it reads.
The document points out different situations in which customer data could be stolen through employees' systems: A remote worker who doesn't live alone may leave their station without securing it; someone could use software on an employee workstation to input keystrokes at "superhuman" speeds; a hacker may have bought an employee's security credentials.
The profile-generating software comes from the cybersecurity company BehavioSec, which calls its system "behavioral biometrics." "In contrast to physical biometrics like a fingerprint, behavioral biometrics provides continuous authentication to verify digital identities by passively monitoring of behavioral inputs without negatively impacting their experience," reads the Privacy FAQ section of BehavioSec's website. BehavioSec claims the profiles can't be mimicked or used to identify an employee because they're based on statistical variances.
The document says Amazon wants to find more "privacy-aware" solutions than collecting all keystrokes because of legal obstacles. BehavioSec's FAQ section claims that what it does is fully GDPR compliant.
"While we do not share details on the technologies we use, we continually explore and test new ways to safeguard customer-related data while also respecting the privacy of our employees," Amazon senior PR manager Barbara Agrait told Vice. "And we do this while also remaining compliant with applicable privacy laws and regulations."
We pointed out some of the uses and risks of behavioral biometrics in a 2018 story. Companies have been able to use the method without notice, but a user's behavior might not always stay the same. They may swipe and type differently depending on sitting position, if they're tired, or if they develop a medical condition.
In March, a report came out claiming Amazon delivery drivers had to agree to allow AI-powered cameras to track their behavior while driving.
