<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.86 -->
<!-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Amazon's Software Is Malware
- GNU Project - Free Software Foundation</title>
 <!--#include virtual="/proprietary/po/malware-amazon.translist" -->
<style type="text/css" media="print,screen">
<!--
#content div.toc li { list-style: none; margin-bottom: 1em; }
#content div.toc { margin-top: 1em; }
-->
</style>
<!--#include virtual="/server/banner.html" -->
<h2>Amazon's Software Is Malware</h2>

<p><a href="/proprietary/proprietary.html">Other examples of proprietary malware</a></p>

<div class="comment">
<p>
Malware and nonfree software are two different issues.  Malware means
the program is designed to mistreat or harm users when it runs.  The
difference between <a href="/philosophy/free-sw.html">free
software</a> and nonfree software is in
<a href="/philosophy/free-software-even-more-important.html">
whether the users have control of the program or vice versa</a>.  It's
not directly a question of what the program <em>does</em> when it
runs.  However, in practice nonfree software is often malware, because
the developer's awareness that the users would be powerless to fix any
malicious functionalities tempts the developer to impose some.
</p>
</div>

<div class="toc">
<div class="malfunctions">
<ul>
<li><strong>Type of malware</strong></li>
<li><a href="#back-doors">Back doors</a></li>
<!--<li><a href="#censorship">Censorship</a></li>-->
<!--<li><a href="#insecurity">Insecurity</a></li>-->
<!--<li><a href="#sabotage">Sabotage</a></li>-->
<!--<li><a href="#interference">Interference</a></li>-->
<li><a href="#surveillance">Surveillance</a></li>
<li><a href="#drm">Digital restrictions
    management</a> or “DRM” means functionalities designed
    to restrict what users can do with the data in their computers.</li>
<!--<li><a href="#jails">Jails</a>—systems
    that impose censorship on application programs.</li>-->
<!--<li><a href="#tyrants">Tyrants</a>—systems
    that reject any operating system not “authorized” by the
    manufacturer.</li>-->
</ul>
</div>
</div>

<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>

<p class="c" style="font-size: 1.2em">
 <a href="#swindle">Kindle Swindle</a> 
 <a href="#echo">Echo</a> 
 <a href="#misc">Other products</a> 
</p>

<h3 id="swindle">Malware in the Kindle Swindle</h3>

<p>We refer to this product as the
<a href="/philosophy/why-call-it-the-swindle.html">Amazon Swindle</a>
because it has <a href="/proprietary/proprietary-drm.html">Digital restrictions
management (DRM)</a>  and <a href="/philosophy/ebooks.html">
other malicious functionalities</a>.</p>

<h4 id="back-doors">Back Doors</h4>

<ul class="blurbs">
  <li id="M201503210">
    <p>Amazon <a
    href="https://www.techdirt.com/articles/20150321/13350230396/while-bricking-jailbroken-fire-tvs-last-year-amazon-did-same-to-kindle-devices.shtml">
    downgraded the software in users' Swindles</a> so that those already
    rooted would cease to function at all.</p>
  </li>

  <li id="M201210220.1">
    <p>The Amazon Kindle-Swindle has a back door that has been used to <a
    href="http://pogue.blogs.nytimes.com/2009/07/17/some-e-books-are-more-equal-than-others/">
    remotely erase books</a>.  One of the books erased was
    <cite>1984</cite>, by George Orwell.</p>

    <p>Amazon responded to criticism by saying it
    would delete books only following orders from the
    state.  However, that policy didn't last.  In 2012 it <a
    href="http://boingboing.net/2012/10/22/kindle-user-claims-amazon-dele.html">
    wiped a user's Kindle-Swindle and deleted her account</a>, then
    offered her kafkaesque “explanations.”</p>
  </li>

  <li id="M200700000">
    <p>The Kindle also has a <a
    href="http://www.amazon.com/gp/help/customer/display.html?nodeId=200774090">
    universal back door</a>.</p>
  </li>
</ul>

<h4 id="surveillance">Surveillance</h4>

<ul class="blurbs">
  <li id="M201212030.1">
    <p>The Electronic Frontier Foundation has examined and found <a
    href="https://www.eff.org/pages/reader-privacy-chart-2012">various
    kinds of surveillance in the Swindle and other e-readers</a>.</p>
  </li>
</ul>

<h4 id="drm">DRM</h4>

<ul class="blurbs">
  <li id="M201704130.1">
    <p><a href="http://techin.oureverydaylife.com/kindle-drm-17841.html">
    The Amazon Kindle has DRM</a>.  That article is flawed in that it
    fails to treat DRM as an ethical question; it takes for granted that
    whatever Amazon might do to its users is legitimate.  It refers to
    DRM as digital “rights” management, which is the spin
    term used to promote DRM.  Nonetheless it serves as a reference for
    the facts.</p>
  </li>
</ul>



<h3 id="echo">Malware in the Echo</h3>

<h4 id="echo-back-doors">Back Doors</h4>

<ul class="blurbs">
  <li id="M201606060">
    <p>The Amazon Echo appears to have a universal back door, since <a
    href="https://en.wikipedia.org/wiki/Amazon_Echo#Software_updates">
    it installs “updates” automatically</a>.</p>

    <p>We have found nothing explicitly documenting the lack of any way
    to disable remote changes to the software, so we are not completely
    sure there isn't one, but this seems pretty clear.</p>
  </li>
</ul>


<h4 id="echo-surveillance">Surveillance</h4>

<ul class="blurbs">
  <li id="M201905061">
    <p>Amazon Alexa collects a lot more information from users
    than is necessary for correct functioning (time, location,
    recordings made without a legitimate prompt), and sends
    it to Amazon's servers, which store it indefinitely. Even
    worse, Amazon forwards it to third-party companies. Thus,
    even if users request deletion of their data from Amazon's servers, <a
    href="https://www.ctpost.com/business/article/Alexa-has-been-eavesdropping-on-you-this-whole-13822095.php">
    the data remain on other servers</a>, where they can be accessed by
    advertising companies and government agencies. In other words,
    deleting the collected information doesn't cancel the wrong of
    collecting it.</p>

    <p>Data collected by devices such as the Nest thermostat, the Philips
    Hue-connected lights, the Chamberlain MyQ garage opener and the Sonos
    speakers are likewise stored longer than necessary on the servers
    the devices are tethered to. Moreover, they are made available to
    Alexa. As a result, Amazon has a very precise picture of users' life
    at home, not only in the present, but in the past (and, who knows,
    in the future too?)</p>
  </li>

  <li id="M201904240">
    <p>Some of users' commands to the Alexa service are <a
    href="https://www.smh.com.au/technology/alexa-is-someone-else-listening-to-us-sometimes-someone-is-20190411-p51d4g.html">
    recorded for Amazon employees to listen to</a>. The Google and Apple
    voice assistants do similar things.</p>

    <p>A fraction of the Alexa service staff even has access to <a
    href="https://www.bnnbloomberg.ca/amazon-s-alexa-reviewers-can-access-customers-home-addresses-1.1248788">
    location and other personal data</a>.</p>

    <p>Since the client program is nonfree, and data processing is done
    “<a href="/philosophy/words-to-avoid.html#CloudComputing">in
    the cloud</a>” (a soothing way of saying “We won't
    tell you how and where it's done”), users have no way
    to know what happens to the recordings unless human eavesdroppers <a
    href="https://www.bnnbloomberg.ca/three-cheers-for-amazon-s-human-eavesdroppers-1.1243033">
    break their non-disclosure agreements</a>.</p>
  </li>

  <li id="M201808120">
    <p>Crackers found a way to break the security of an Amazon device,
    and <a href="https://boingboing.net/2018/08/12/alexa-bob-carol.html">
    turn it into a listening device</a> for them.</p>

    <p>It was very difficult for them to do this. The job would be much
    easier for Amazon. And if some government such as China or the US
    told Amazon to do this, or cease to sell the product in that country,
    do you think Amazon would have the moral fiber to say no?</p>

    <p>These crackers are probably hackers too, but please <a
    href="https://stallman.org/articles/on-hacking.html"> don't use
    “hacking” to mean “breaking security”</a>.</p>
  </li>
</ul>



<h3 id="misc">Malware in other products</h3>

<ul class="blurbs">
  <li id="M201902270">
    <p>The Ring (now Amazon) doorbell camera is designed so that the
    manufacturer (now Amazon) can watch all the time. Now it turns out
    that <a href="https://dojo.bullguard.com/dojo-by-bullguard/blog/ring/">
    anyone else can also watch, and fake videos too</a>.</p>

    <p>The third-party vulnerability is presumably
    unintentional and Amazon will probably fix it. However, we
    do not expect Amazon to change the design that <a
    href="/proprietary/proprietary-surveillance.html#M201901100">allows
    Amazon to watch</a>.</p>
  </li>

  <li id="M201901100">
    <p>Amazon Ring “security” devices <a
    href="https://www.engadget.com/2019/01/10/ring-gave-employees-access-customer-video-feeds/">
    send the video they capture to Amazon servers</a>, which save it
    long-term.</p>

    <p>In many cases, the video shows everyone that comes near, or merely
    passes by, the user's front door.</p>

    <p>The article focuses on how Ring used to let individual employees look
    at the videos freely.  It appears Amazon has tried to prevent that
    secondary abuse, but the primary abuse—that Amazon gets the
    video—Amazon expects society to surrender to.</p>
  </li>

  <li id="M201711200">
    <p>Amazon recently invited consumers to be suckers and <a
    href="https://www.techdirt.com/articles/20171120/10533238651/vulnerability-fo">
    allow delivery staff to open their front doors</a>. Wouldn't you know
    it, the system has a grave security flaw.</p>
  </li>

  <li id="M201411090">
    <p>The Amazon “Smart” TV is <a
    href="http://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance">
    snooping all the time</a>.</p>
  </li>
</ul>


</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
<div class="unprintable">

<p>Please send general FSF &amp; GNU inquiries to
<a href="mailto:gnu@gnu.org">&lt;gnu@gnu.org&gt;</a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        &lt;web-translators@gnu.org&gt;</a>.</p>

        <p>For information on coordinating and submitting translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and submitting translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.

     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).

     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2014, 2015, 2016, 2017, 2018, 2019 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2019/09/18 16:01:41 $
<!-- timestamp end -->
</p>
</div>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>