Amazon planning to monitor customer service workers' keyboard and mouse strokes

Daniel Sims

Posts: 106   +5
Staff
Why it matters: According to an internal Amazon document obtained by Vice, the company plans to use increasingly close surveillance measures on its customer service workers to better detect outside actors who try to access customer data. Amazon thinks this surveillance is sorely needed in a time when more Amazon employees are working from home.

According to the document, Amazon initially considered using software that records all of an employee's keystrokes. However, it is now looking at a product that analyzes user behavior in a more general way to create profiles which it then uses to identify whether another person is using that device. That behavior might include typing rhythm, mouse movements, and touch gestures. "We have a security gap as we don't have a reliable mechanism for verifying that users are who they claim they are," it reads.

The document points out different situations in which customer data could be stolen through employees' systems: A remote worker who doesn't live alone may leave their station without securing it; someone could use software on an employee workstation to input keystrokes at "superhuman" speeds; a hacker may have bought an employee's security credentials.

The profile-generating software comes from the cybersecurity company BehavioSec, which calls its system "behavioral biometrics." "In contrast to physical biometrics like a fingerprint, behavioral biometrics provides continuous authentication to verify digital identities by passively monitoring of behavioral inputs without negatively impacting their experience," reads the Privacy FAQ section of BehavioSec's website. BehavioSec claims the profiles can't be mimicked or used to identify an employee because they're based on statistical variances.

The document says Amazon wants to find more "privacy-aware" solutions than collecting all keystrokes because of legal obstacles. BehavioSec's FAQ section claims that what it does is fully GDPR compliant.

"While we do not share details on the technologies we use, we continually explore and test new ways to safeguard customer-related data while also respecting the privacy of our employees," Amazon senior PR manager Barbara Agrait told Vice. "And we do this while also remaining compliant with applicable privacy laws and regulations."

We pointed out some of the uses and risks of behavioral biometrics in a 2018 story. Companies have been able to use the method without notice, but a user's behavior might not always stay the same. They may swipe and type differently depending on sitting position, if they're tired, or if they develop a medical condition.

In March, a report came out claiming Amazon delivery drivers had to agree to allow AI-powered cameras to track their behavior while driving.

Permalink to story.

 

Dimitriid

Posts: 1,084   +2,060
Why would a customer service rep have *any kind of relevant access* at all? I worked customer service jobs and I can tell you 90% of the time you have the exact same tools as the customer can view and your job is just to repeat what the customer can view on the website and then let them vent and tolerate the verbal abuse for an hour while trying your best not to let them talk to "a supervisor"

Even the "supervisors" that can probably process cancels, refunds and RMAs, issue small credit to accounts, waive fees, etc. Basically had very specific rules to do so, were constantly monitored already and had to justify every single move they made to accounts or orders.

This really is unjustified and has nothing to do with security: this is a union busting effort 100%.
 

ScottSoapbox

Posts: 117   +187
It's almost enough to make one want to develop a skill valuable to other people so that one could get a job using said skill. Almost.
 

wiyosaya

Posts: 6,518   +4,905
"We have a security gap as we don't have a reliable mechanism for verifying that users are who they claim they are,"
What a load of :poop: If crApazon cannot verify that access to their network is legitimate, they have far bigger problems, IMO, and I doubt that these moves will improve the situation at all. Monitoring your CS reps in any way like this is 1984 like control. IMO, this stinks of corporate overreach and an effort to tighten their grip on their employees.

I'll just keep ignoring those supposed "employment opportunities" I get from them every once-in-a-while.