Amazon Web Services, the industry-dominating public cloud that hosts far more virtual machines than any other provider in the world, has not been in cahoots with a controversial NSA surveillance program and routinely contests the federal government's attempts to spy on its customers, according to the company's first public disclosure on the subject.
The secretive cloud provider on Monday US time, for the first time ever, released an Information Request Report -- a biannual document revealing how often authorities have come asking for customer data, and how frequently the company complies.
Amazon is the last of the notable Internet giants to provide the public with such statistics. Even the initially hesitant telcos have been issuing biannual reports enumerating surveillance requests.
Steve Schmidt, Amazon's chief information security officer, presented the surveillance stats with an accompanying blog post in which he explained the cloud provider's broad policies on dealing with government requests to peek at data belonging to its customers, who "care deeply about privacy and data security".
"Amazon does not disclose customer information unless we’re required to do so to comply with a legally valid and binding order," Schmidt wrote.
Schmidt asserted AWS never participated in PRISM, the clandestine NSA program that directly culled troves of data from at least nine major Internet companies. PRISM was one of the bombshells disclosed by NSA-contractor-turned-whistleblower Edward Snowden.
From the start of this calendar year through May, AWS received 813 subpoenas from the US government seeking access to customer accounts. In those five months, the cloud provider fully complied with 542 of those court orders, submitted partial information in response to 126 and didn't respond at all to 145.
Through the same period, Amazon received 25 search warrants from federal authorities and turned over all the data sought by about half of them, partially fulfilled eight others and withheld information requested by four of the warrants.
AWS fully responded to only four out of 13 court orders that weren't subpoenas or warrants, while refusing to turn over any data related to four of those.
Foreign governments were more successful with their solicitations to Amazon. Of the 132 non-US requests fielded by the cloud provider, more than 80 percent yielded complete data disclosures, while just 13 percent hit a dead end. Amazon also complied with the only request it received during the five months under review to actually remove a user's data from its servers.
Schmidt said Amazon's policy is to notify customers before disclosing any of their information. The only time the company won't do that is when there's a legal prohibition or clear signs that the service is being used for criminal purposes.
Still, the company is no pushover and typically flexes its legal muscles to ensure governments adhere to legal boundaries, according to Schmidt.
"We have repeatedly challenged government subpoenas for customer information that we believed were overbroad," Schmidt said.
Those challenges have resulted in court rulings that "have helped to set the legal standards for protecting customer speech and privacy interests," he said.
Amazon has also lobbied Congress to modernise "outdated privacy laws." The company believes law enforcement agencies must be obliged to obtain search warrants from courts before they can go after the communications of customers.
Amazon recognises "the legitimate needs of law enforcement agencies to investigate criminal and terrorist activity, and cooperate with them when they observe legal safeguards for conducting such investigations," Schmidt said. But the company opposes laws that either mandate or prohibit specific technologies that make customers more vulnerable to intrusion.
AWS users have the option of using security features available on the platform, including managing their own encryption keys, Schmidt noted.
This article originally appeared at crn.com