Complaint: Amazon doesn’t allow baseline TLS security

Data Security / 02 March 2020

Baseline email security missing. On their route to the recipient, emails are handled by several entities, nodes and service providers, any of which may intercept, manipulate or unlawfully use the content. To reduce these risks, it is a baseline industry standard to use so-called TLS encryption.

“TLS is like an envelope around a letter. If not used, anyone can read the content of an email in transfer.”

Stefano Rossetti, privacy lawyer at noyb

Surprisingly, Amazon's servers reject TLS connections in certain cases, for example when third-party sellers on Amazon communicate with customers via email. This means that millions of emails sent via Amazon may be exposed every day.
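For readers who want to verify this kind of behaviour for any mail server, the following is an added example (it is not part of noyb's complaint, nor code from Amazon): it checks whether an SMTP server advertises the STARTTLS extension in its EHLO reply and, if so, whether the TLS handshake succeeds. The two EHLO replies embedded below are constructed sample data, and the host name and IP address in them are placeholders; the script makes no claim about what any particular server returns.

```python
"""Added example: check whether an SMTP server offers STARTTLS.

Mail between servers travels over SMTP (TCP port 25). Transport
encryption is negotiated with the STARTTLS extension (RFC 3207): the
receiving server advertises "STARTTLS" in its EHLO reply, and the
sending server then upgrades the connection to TLS before sending the
message. If STARTTLS is not advertised, or the handshake is refused,
the message is delivered in cleartext.
"""
import smtplib
import ssl

# Constructed EHLO reply texts in the form smtplib.SMTP.ehlo() returns
# them (status-code prefixes already stripped, one extension per line,
# first line is the server's own greeting). Sample data made up for
# this example; mx.example.net and 203.0.113.7 are placeholders.
EHLO_WITH_STARTTLS = (
    b"mx.example.net Hello [203.0.113.7]\n"
    b"SIZE 52428800\n"
    b"8BITMIME\n"
    b"STARTTLS\n"
    b"ENHANCEDSTATUSCODES\n"
    b"PIPELINING"
)
EHLO_WITHOUT_STARTTLS = (
    b"mx.example.net Hello [203.0.113.7]\n"
    b"SIZE 52428800\n"
    b"8BITMIME\n"
    b"PIPELINING"
)


def parse_ehlo_capabilities(ehlo_text: bytes) -> dict:
    """Return {EXTENSION: parameters} parsed from an EHLO reply text.

    The first line is the server greeting and names no extension, so it
    is skipped, mirroring what smtplib does internally.
    """
    caps = {}
    for line in ehlo_text.decode("ascii", "replace").split("\n")[1:]:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return caps


def advertises_starttls(ehlo_text: bytes) -> bool:
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_capabilities(ehlo_text)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an SMTP server and report whether STARTTLS works.

    Result keys: advertised (STARTTLS in EHLO reply), handshake (TLS
    handshake succeeded, None if never attempted), tls_version
    (negotiated protocol, e.g. 'TLSv1.3'), error (failure message).
    Needs network access; the offline sample data above does not
    exercise this function.
    """
    result = {"advertised": False, "handshake": None,
              "tls_version": None, "error": None}
    # The default context verifies the certificate chain against the
    # system trust store and checks the host name.
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, ehlo_text = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with {code}"
                return result
            result["advertised"] = advertises_starttls(ehlo_text)
            if not result["advertised"]:
                return result  # sender would have to fall back to cleartext
            try:
                smtp.starttls(context=ctx)
                result["handshake"] = True
                result["tls_version"] = smtp.sock.version()
            except (smtplib.SMTPException, ssl.SSLError) as exc:
                result["handshake"] = False
                result["error"] = f"STARTTLS failed: {exc}"
    except OSError as exc:  # includes socket timeouts and SMTPException
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.net"
    print(probe_starttls(target))
```

Run it against a receiving server's MX host to see whether STARTTLS is advertised and whether a certificate-verified handshake completes. Note that a server which does not advertise STARTTLS leaves a standards-compliant sender no option but cleartext delivery, which is exactly the exposure described above.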

Violation of the GDPR. Article 32 of the GDPR requires companies to implement “appropriate” security measures, such as encryption, to protect the confidentiality of communications. As TLS encryption is cheap and simple to implement, and the number of sellers and customers on Amazon is very high, it seems inappropriate to neither require nor allow TLS for these emails.

Complaint filed today. noyb has submitted a complaint to the supervisory authority of the German state of Hesse on behalf of an Amazon seller. The Hessian data protection authority will have to investigate the matter and verify whether or not Amazon's systems appropriately protect our privacy. It is likely that this case will also be handled by the Luxembourg Data Protection Authority, as Amazon has its European headquarters in Luxembourg. In such a case the DPAs can fine Amazon up to 2% of its global turnover, which would be up to €4.2 billion.