Amazon sellers use the apps to do business more efficiently, but they can also access shoppers’ personal information.
To be the “everything store,” Amazon relies heavily on outside merchants from around the world, who sell hundreds of millions of different products through its site. Powering this ecommerce machine is another marketplace that most shoppers will never see—a behind-the-scenes ecosystem of developers whose apps sellers use to run their businesses. Like other parts of its retail empire, Amazon has to make sure this system isn’t being abused.
Running an Amazon business is fiercely competitive. To streamline their operations, many sellers rely on specialized business apps that tap into the Amazon Marketplace Web Service APIs, which can integrate data including sensitive customer information like names, emails, and delivery addresses. There are tools that automate simple tasks, like printing shipping labels, as well as apps that monitor key metrics like user reviews and sales volumes, which determine whether products appear higher in Amazon’s search results—the most popular way to shop on the site. While Amazon has multiple policies governing the use of these apps and their data, the cottage industry that sprung up around Amazon MWS has been relatively decentralized. Amazon only launched its Marketplace Appstore in May 2018.
Amazon says the clampdown is the result of additional security features it implemented in early 2019 but didn’t specify what those features were.
Amazon tries to tightly control many aspects of its ecommerce platform, from how sellers communicate with customers to what kinds of information they’re allowed to see, to protect shoppers’ privacy and keep bad actors from gaming its system. But customer data is so valuable that some sellers have resorted to bribing Amazon staff to hand it over, according to a Wall Street Journal investigation last year, and the company has fired at least one employee as a result.
“Amazon has strict policies and procedures in place to protect our customers’ personal information, and we regularly audit use of our services to ensure compliance,” a spokesperson for the company said in a statement. “We also continuously assess and implement new measures when we see opportunity to further strengthen our protections for the use of Amazon data.”
Yev Marusenko was working in marketing for a startup that sold products on Amazon several years ago when he noticed an issue many sellers faced: There wasn’t a good way to easily advertise on other websites, particularly on Facebook. He already had access to Amazon Marketplace Web Service APIs, since all that was required at the time was a valid professional Amazon selling account.
So Marusenko built a tool that would let Amazon sellers automatically take their customers’ personal information, like their names, and then upload that data to Facebook’s Marketing API to better target campaigns. For example, if you purchased a T-shirt from a third-party seller on Amazon, Marusenko’s tool would allow that seller to target you—or people like you, using Facebook’s Lookalike Audience tool—with ads for more products, a common practice in the ecommerce industry. Marusenko called the app ZonTracker and sold it through his own website. Marusenko says that eventually more than 500 sellers were paying roughly $20 to $60 a month to use his tool.
The was just one problem: Amazon’s Data Protection Policy allows developers to use customer information only for tax and shipping purposes, not for advertising. Marusenko says he knew his software might be bending the rules but argues that it was an area Amazon didn’t seem to enforce—not to mention that thousands of sellers were requesting these kinds of features. “I was trying to find this balance on what Amazon wants and what Amazon sellers want,” Marusenko says. “There’s a lot of things Amazon doesn’t want sellers to do—but it’s very helpful for a lot of sellers.”
While Amazon MWS policies state that the company can audit developers to ensure compliance, it has relied heavily on developers to police themselves. “Originally, the MWS API was available to pretty much anyone,” says one Amazon developer, who requested anonymity because they feared retribution from the company.
But Amazon also appears to be exerting more control over outside developers since launching its Marketplace Appstore last year. For years, developers like Marusenko have been selling their software independently through their own websites. But soon they’ll be required to sell through Amazon, too: The company notified developers earlier this year that they must apply to list their apps in the Marketplace Appstore by September 30, according to an email reviewed by WIRED. (Sellers who develop apps for their own use and don’t offer them to anyone else appear to be exempt from this requirement.)
The app store, in theory, could give Amazon the ability to more closely monitor third-party apps and their data use, depending on how robust the application review is. The Marketplace Appstore could also earn Amazon revenue if it charged developers a percentage of sales similar to how Google and Apple’s stores operate. An Amazon spokesperson didn’t answer a question about whether the company planned to monetize its app store in the future.
The WIRED Guide to Online Shopping
In March, Marusenko began receiving emails from Amazon asking him to fill out a Developer Registration and Assessment form outlining what ZonTracker did, or risk losing access to Amazon data entirely. “At first I was really worried,” he says.
Marusenko wasn’t alone. Amazon’s seller forums are full of messages from confused and frustrated developers who abruptly lost access to its APIs throughout the spring and summer of 2019. Some posters have said they needed to wait months to hear back from Amazon about regaining entry. “They’re just basically like a bully; you don’t know how they’re going to behave,” one Amazon developer told WIRED.
Not everyone was blindsided by Amazon’s data crackdown. Liz Fickenscher, an industry liaison at the Amazon software firm eComEngine, says her company knew about the changes in advance because it’s part of Amazon’s Marketplace Developer Council, an invite-only program for a select group of developers. eComEngine was able to make the necessary adjustments, like updating a tool its clients use to send automated emails to customers. The tool had been pulling customers’ first names for a personalized greeting, but it stopped doing that in July. “Amazon has always been pretty protective of the data that they share,” Fickenscher says.
In the end, Marusenko says he told Amazon the truth about ZonTracker, and the company finally cut off his access to customers’ personal information last month. Before he lost the ability to pull that data, he found a way to adapt his business and survive. Marusenko says that ZonTracker now relies on aggregate data rather than individual customer information and that he successfully retained most of his paying clients. “I want Amazon sellers to be good about their data-privacy-protection policies, too,” he says.
A Larger Conversation
Amazon shoppers are unlikely to notice any changes as a result of Amazon’s MWS crackdown, but the move could help protect their privacy.
Last year, Facebook became embroiled in an international scandal when news broke that an app created by a third-party developer had collected data on millions of unwitting users, which was later obtained by the political firm Cambridge Analytica. The incident rippled through Silicon Valley, and privacy became a renewed concern at the biggest tech companies. Both Facebook and Twitter tightened access to their APIs and began requiring developers go through an application process. Amazon likely also wants to avoid anyone misusing its data for illicit or nefarious purposes.
“Data privacy is a hot topic in the current sociopolitical climate, and Amazon doesn’t want to be on the bad end of that conversation,” says Jon Derkits, a former Amazon employee who is now the chief product officer at 3PM Solutions, a firm that consults with ecommerce sellers.
But for the largest online marketplace in the world, more than user privacy is at stake. Amazon needs to ensure personal information isn’t used to spam customers or otherwise make the shopping experience worse. Data about who buys what on Amazon could also be incredibly valuable to competitors, if a developer were to sell it or if it were to leak. “Amazon is in a tug-of-war, where on one hand they need to give out this data to empower sellers,” an Amazon developer said. “On the other hand, by giving this data away, they can hurt themselves long term.”
All Rights Reserved for Louise Matsakis