Maybe...but in the past, AWS proactively looked at traction of products hosted on its platform, built competing products, and then scraped & targeted customer list of those hosted products. In fact, I was on a team in AWS that did exactly that. Why wouldn't their investing arm do the same?
But, if you see something, say something. This crap continues because there are too many folks that are happy to help support immoral business practices for some extra scratch. This isn't all on you in particular but when google folks started raising hell about Chinese censorship the company was forced to move. We all have the power to withdraw consent over how our labour will be used and, as software developers, we've got a strong enough employment market that we have real power to help make companies behave better - power that folks working in the warehouse are absolutely deprived of.
Amazon needs to be properly taxed so that this crap doesn't happen anymore.
The idea that they shouldn't pay taxes simply because they're large should absolutely enrage everyone.
You're a fish, eat other fish and evolve into a shark, you eat other sharks and become a whale shark, you start eating everything and then become godzilla.
A whistle blower isn't going to fix this. This is the system. The system MAKES godzilla sharks like this.
Oh yeah sure a whistle blower will do what? Get amazon fined for how much?
Then they just change tactics. Outsource. Make agreements and partnerships and farm out doing the same thing just with different proxies. I mean come on man this is a company that can buy other countries.
And let's not forget Microsoft was pulling the same shit until they got put under the same charges and then all of a sudden years later after Bill got tired of stabilizing his empire and making sure it would live without him he became a saint all of a sudden. Cuz like yeah if I was richer than 99% of the people on the planet yeah I could start being a nicer person and shit too.
I think taxes aren't really a solution anyways - fines might be but taxes would hurt honest players just as much as dishonest ones. What they did is (AFAIK) illegal and needs to be punished, if it isn't then there is no incentive for them to correct their action.
There's specific credits/exemptions in the tax code that they are able to exploit (and perhaps they can only exploit some of them _because_ they are a big company), but it really isn't about their size.
Can we please stop arguing like influencing is only true if it is done in the most direct way (similar to the quid pro quo debate). Obviously if big company lobbyists try to get tax law in their favour they are not pushing for "please write a law which exempts companies over N employees from taxes." They push for laws that sound innocent but only they will be able to take advantage of, just like it is at the moment. The outcome is still the same they pay less or zero taxes.
We had access to absolutely none of that information. We flew blind, relying entirely on the fact that we gave our customers enough hand-holding support that they would willingly volunteer information about their workloads so we could help them optimize it/save money.
No one even attempted to get more detailed customer information AFAIK because it would have been extremely against company culture. That isn't Earning Trust or having Customer Obsession. The idea of reading data in someone's S3 bucket or inspecting what is happening inside of someone's EC2 instance in any way was unthinkable. Amazon is huge and imperfect, but from what I saw AWS takes data privacy extremely seriously.
But there's probably other superficial business data that's helpful to evaluate that.
From a technical standpoint, that statement is false.
Every employee might not have the credentials to, but for AWS to function as it does, SOMEONE inside the company has to have those credentials.
If you change 'cannot' to 'don't', well then we've just gotta take you at your word, which is where we started anyway.
That's not necessary unless SOMEONE includes computer programs.
Yes, when things go very seriously wrong, I believe AWS can have literal people override that permission, which will leave a mile long audit trail and likely accompanied by an internet scale outage.
I don’t want to devolve into audit logs and permissions and multi user key signing and wether they actually do or not.
The statement that ‘they can’t’ is 100% false, full stop. That’s all I’m trying to get across.
It’s probably not a good idea to make a system with no human fallback, but it IS possible with current, non-magic technology.
Amazon does take privacy and security very seriously, but these systems are run by people. Attacks like the recent Twitter attack could work for various AWS services.
Source: I used to work in EC2 Networking.
I worked with a DO on an technical issue, and they were steadfastly against me granting them temporary access to our servers even though it would have made the issue easier to diagnose. Cloud provider that verifiably get caught doing this will quickly lose the trust of all their large customers
Those people are jealous of AWS.
They recognized that their processes were too mechanistic and inhuman, and introduced a lot more compassion and open communication into them—and even chose to spend more money on hiring people to reduce ticket queue wait times.
I'd say that speaks volumes in DigitalOcean's favour.
Source: Worked at AWS for several years including working on systems that had audit requirements for [secret project where I could not know the name of the customer because I don't have TOP SECRET security clearance].
And there are lots of things that many folks at the big cloud providers don't know about their internal threat management and monitoring. Source: Audited most of them for that customer you weren't allowed to know the name of. :)
This is one area where AWS takes things MUCH more seriously than it's competition, and they don't talk about it enough publicly.
and you def cant see in s3 buckets or instances. hell if a customer sends you a link to an object in their s3 youre not supposed to open it
The raw billing information, oh motherfucking yes.
Technically, its absolutely possible. Most likely you'll just need a support ticket or bug, and then you can troll around as engineer.
Also, security teams also usually have access to stuff when things get interesting.
Better to say that access is strictly on a case by case basis and monitored thoroughly.
Ideally customer is notified each time it happens - that would be cool, but likely technically not possible since data ends up in so many systems (like logs, SIEM, telemetry, debug files, backups, data scientist desktops,....)
You're underestimating the investments that AWS (and Amazon at large) make in to security, confidentiality, and auditing. You're also missing a fundamental implication of building AWS on AWS primitives.
As a relevant example there is only one AWS IAM and one CloudTrail. It's a core tenant of AWS IAM to put that control and root of trust in to the customers control. That means when developer support is helping with your ticket they do so via your accounts AWSServiceRoleForSupport role. That means you can control whether that role exists, which principals can assume it, the capabilities it has, and you can see those same API calls in your CloudTrail logs. Although it would make support difficult you're welcome to delete that service linked role and prevent support.amazonaws.com from assuming said role in your account.
I'm not talking about Amazon SSH into your EC2 instance - but of course they can do that also - at will, without you authorizing it.
Lower level disks, logs, hypervisor, telemetry, etc.. are accessible beyond your control.
Of course there are lower level primitives. And if the public documentation and observed behavior is insufficient I encourage you to inquire more about the various compliance, certification, and third party auditing programs in place https://aws.amazon.com/compliance/programs/. However at some point this approaches solipsism and I can’t prove a negative in a HN thread.
> I'm not talking about Amazon SSH into your EC2 instance - but of course they can do that also - at will, without you authorizing it.
No. Extraordinary claims need evidence. Either you have serious non public information counter to many AWS statements ... or you misunderstand some fundamentals of SSH and public key cryptography.
> Lower level disks, logs, hypervisor, telemetry, etc.. are accessible beyond your control
I would encourage you to read the AWS data privacy statements https://aws.amazon.com/compliance/data-privacy-faq/. Particularly the definitions of “customer content” and the “shared responsibility model.”
Depending on how the infrastructure is built, or what the particular service set up, it may not even be possible to gain access to specific data without extraordinary means, possibly involving replacing physical hardware.
If someone has access to customer’s data for their work they have to do a bunch of extra training and do other stuff. Potentially sign some things and there’s probably a different way to authenticate. I really don’t know because I never had to do that and nobody I knew had that type of access but I heard when you do you have to put with more things.
i don't see anybody claiming that amazon is harvesting data from inside their customer's infrastructure. amazon has a lot of data that's "amazon's data" that would tell them about businesses that are operating on AWS that might be ripe for competition.
For example, they know what your AWS bill is, and how it's been trending. If you pay a huge bandwidth bill and it goes up 50% each month, they know you've got a business model that's working and that they can undercut you on one of your big expenses.
However, metrics like AMI popularity is Amazon's data... and that definitely informs first-class AWS product development. Once the company identifies a business opportunity, different teams often investigate "build" and "buy" options simultaneously.
Same goes for retail - Amazon works backwards from high-margin categories to identify opportunities, then pursues investment in existing brands versus spinning up products under the company brands.
This all feels very monopolistic to me, but regardless it's worlds apart from the accusation of stealing private information through faux investment offerings.
2. What measures that you know of is Amazon implementing to make sure no employees across all teams are having access to said resources?
Basically is preferable to get a bullet in the head than to ever reveal or tamper with customer’s data.
I cannot answer your question about who has access or not but I’m telling you what’s the culture when it comes to customer’s data.
At the end of the day I was just another IC doing menial work so probably not a good reference, but that was my experience
Capital One Financial Corp. said data from about 100 million people in the U.S. was illegally accessed after prosecutors accused a Seattle woman identified by Amazon.com Inc. as one of its former cloud service employees of breaking into the bank’s server.
While the complaint doesn’t identify the cloud provider that stored the allegedly stolen data, the charging papers mention information stored in S3, a reference to Simple Storage Service, Amazon Web Services’ popular data storage software.
AWS customers that want to avoid this vulnerability should disable IMDSv1 as per https://aws.amazon.com/blogs/security/defense-in-depth-open-...
The EC2 instance credentials via the metadata url is public documented functionality. Its how things like the SDK “just work.”
The S3 bucket policy, instance creds, and (inferred) overly permissive IAM policy is all public documented functionality. This looks like a simple case of an initial intrusion being escalated via permissive configuration and controls. There would be no story if the suspect had not been employed by AWS in the past.
Disclaimer: Im a Principal jn AWS but have no direct or inside knowledge of this incident. Everything I know or have stated here is public record (eg the indictment) or public AWS docs.
There is no way an employee can look into customer data. There's enough trail inside AWS to prove that without any doubt.
Basically Everytime you touch AWS your session is tagged with your credentials and has a unique ID. So everything downstream you touch has your session ID associated with it.
Now say somebody from Redshift wants to access the customer's data. They will then need to access to the encryption key in KMS. The trail will be there since KMS lives in the customer's account (you can audit your own access). And for production services, human actors cannot access these keys - only production credentials can. An engineer who can log into a prod host in theory can grab the temporary credentials there but it expires in 15 minutes so your trail will be rather visible. Also access to prod host has a high bar - only senior people can do it.
Now in theory somebody can coordinate with a malicious user in KMS team - but the bar is high. Also the actual master key never leaves the premise for KMS so your attack surface is very limited.
Of course there are some core teams like IAM and KMS where if they become vulnerable the whole thing falls apart. But that's a big stretch for those systems since they are the core to the business.
What the technical implications are is moot, the process that hands out these credentials should not be accessible to anybody but the customer. It implies that AWS personnel can impersonate customer representatives or processes run on behalf of those customers. That's a serious problem.
In all the years that I've been co-locating I do not remember a single instance where a representative of the hosting facilities that I've used gained access to our data or hardware without my very explicit permission.
As for audit logs: they are only as useful as those inspecting them, and more often than not are entirely passive until required for evidentiary purposes.
Rather than being a serious problem I think it's more on an obvious fact. AWS personnel build services that specifically exist to act on the customer's behalf with delegated credentials. Any time you configure a managed service to run with an IAM role, that service assumes the role and acts with the credentials granted to the role. AWS personnel have access for emergencies to the systems running their services, and by their very nature those services are in possession of customer credential sets for the IAM roles that the service is configured to use.
For example, a Lambda Function can be configured to run with a particular role. When the Lambda service goes to run the function, it fetches the role credentials from IAM and makes them available to the running Function. It could not be otherwise, because the purpose of a managed service like Lambda is to carry out actions on behalf of the customer. The role's credential set is as much a piece of data as the code of the function to be executed.
But leaving all of this aside, of course AWS personnel can access any and all data you store in their systems. They are legally obligated to turn whatever you have stored over to the courts in response to a warrant. So not only could they gather up your data by this roundabout method of misappropriating credential sets, they must have a way to simply access all of the data directly in a way that doesn't appear in audit trails. I assume for simplicity that the IAM service simply has an endpoint accessible to the company's lawyers that will serve up forged customer credentials on demand.
In short IAM controls everything, there is no “back door” or universal admin access, and KMS is used to perform sensitive operations NOT handing secrets to arbitrary (internal or external) consumers.
but no 1 can export the private key itself. and key policy changes are vry heavily audited by aws (and can be by the customer, too). this is all proven by the 3rd party audits aws receives
Somebody can access the key hardware but they can't extract the actual key out of that. However, I've never met anyone with that level of access - and AFAIK you have to go through various security clearance and approval before such human intervention is permitted.
There's no such thing as perfect security - but KMS is as solid as I can see with centralized key management at the moment. And customer can roll out their own key server as well that is managed in your own data center.
KMS is very clear about it's usage and what it involves. It's obvious that with Symmetrical Encryption AWS obviously needs to know the other end of the key at some point so that it can decrypt the data.
However, as customers can't even export these keys and the whole system is based on using KMS to actually perform the decrypt operations it is a non-starter. It's a lot more secure than most infrastructure which probably encrypts locally but is stored in a broom cupboard with a $10 lock.
Its worth noting that even symmetric keys dont imply direct access to the secret itself. You can instead use the highly controlled secret material to derive less sensitive material. For example a hash derived from a known input + the secret. A third party can use this to prove that two other parties both have/had access to the shared secret. But the third party never needs to access the secret itself.
Theres a great example of this in the chained hashes that make up an AWS sigv4 API request signature. https://docs.aws.amazon.com/general/latest/gr/sigv4-calculat...
In order for AWS to comply with LEO's they must have some way of accessing data, that is NOT to say they do this for business purposes.
And of course, you're always vulnerable to someone with access to the physical host of an EC2 instance where your workload is running. Only GCP AFAIK offers an encrypted-in-processing compute service, and it's like a week old.
Even if the customer had a misconfigured S3 bucket that was exposed to the public, it would still constitute as accessing customer data you're not meant to see.
As other users have provided insight on, everything you do as an Amazon employee basically leaves a trail with your employee ID, even if you had access to private information (which you wouldn't basically because it's locked behind several layers of security). Fireable and sueable offense which Amazon would definitely not allow, let alone endorse.
That might be true in retail, but it wasn't anywhere close to true in AWS. When I left most engineers still had SSH access to the production hosts (and a not-insignificant portion of operations relied on that fact).
There are many easy mechanisms to audit and monitor SSH sessions. So... no?
Before going into our AWS production S3 buckets, looking at our databases for customer lists AWS seems to be pretty careful to get an OK.
Now we are being told that production customer data was normal to trawl? How in the HELL are they passing all their certs with all production data so wide open. I do customer managed keys - I mean, this is a HUGE backdoor.
Either Amazon is lying about AWS security (and has fooled a bunch of others) or routinely trawling AWS customer production workloads for data is a false statement.
This isn't amazon billing data etc (obviously I expect they analyze that carefully given they bring in billions from billing). To ROUTINELY go through AWS customer production datasets is beyond all reason.
How are they trawling through all our buckets and databases without codepaths for access?
Again, they aren't talking about amazon data (ie, billing, support inquiries etc). They are talking about customer production data.
Don't ask someone to admit to felonies over email. Tech employers have a LOT of power to investigate their employees' digital behavior.
How about this instead: https://www.nytimes.com/tips
But it would be helpful if you broke that down a little more than 'trawling customer data', because at the most innocuous, if they're just looking at what's publicly selling on Amazon, what goes into sales rank, that seems acceptable, to me anyway.
In this case, tech investing and online retailing are not the same industry. Amazon is using a dominance in one to fund the other, which then it uses to either drive valuations of potential competitors down or to simply outcompete them.
And that's a plausible antitrust problem.
I'm normally not in the Amazon haters camp. Most of the time I'll defend them against the typical charges of unfair competition. Not this time. This is sketchy.
It's not. And there are plenty of trainings inside of Amazon to make you aware of that. It is your fault, in the end, to not report your team. I have been on several teams at Amazon and this would always be an absolute no-go. It's already difficult to even get basic ideas about customer data, things that you would consider "essential" to improving the customer experience.
Talk about all time gaslighting. It's the managers/directors job to ensure compliance, not normal employees.
That is totally false.
Conspiracy requires two elements: an agreement to commit a crime, and an act in furtherance of said crime. There is nothing unlawful about looking the other way. You might be a scumbag, but that's a different problem.
The elements of criminal accessory require one to harbor, conceal, or act in such a way as to help someone avoid or escape arrest or punishment (CA law here, other states may be different). Again, merely "looking the other way" is not an act. Otherwise, anyone who merely witnessed a crime could be charged with criminal accessory.
That said, corporate policy might be quite different. If I look the other way while a colleague violates customer security policies (and I'm aware of such violation), I can justifiably be fired.
*Not giving legal advice, seek licensed counsel in your jurisdiciton.
(ignore the odd source of the link. it's the only place I could find her CoS and District Director's email addresses.)
It definitely feels scummy, but it didn't sound like GP had access to evidence of a crime. IANAL.
I read it as they scraped user databases to get email addresses and the like.
It is however, good ground for an Anti-Trust case. Using your position as a market maker to push your own products is literally illegal anti-competitive behavior and can trigger a court order to break up the company.
Violating Anti-trust statues isn't criminal...but it is still illegal. Anti-trust violations also aren't the only potential laws this would violate. It sounds like it would violate unfair trade practices as well (most states has statues/laws/codes on point).
This is where End User Agreements may be worth checking. There may be a specific clause AWS customers agree to.
See this helpful FTC page: https://www.ftc.gov/tips-advice/competition-guidance/guide-a...
Patents were used, in many cases, as a form of research into a new area.
Nobody at google even remotely mentioned "we will drown them in legal fees".
If anything, I have a huge respect for google legal.
Disclaimer: former googler.
There's no legal reason to worry about being influenced by a patent. The only concern might be boxing your creativity where you can't think of alternative solutions to a problem once you've seen one solution. That doesn't seem like a strong enough reason for a blanket policy.
IANAL but this confuses me.
(Of course: not a lawyer, this is not legal advice)
Your experience matches mine. I think it might even be somewhere in the mandatory periodic training.
Doing a patent search as a software engineer can only hurt you. Better just to route any questions to product counsel.
I've heard the same thing in startups and other companies. This is not something unique to Google.
Unfortunately the way patent law works now, make patents usually not work unless someone is ignoring the law.
Patents were created to give a reason for people to publish their "secret sauce" in a public manner, so anyone could read and copy them or create new products based on the patent.
If you DON'T want your product copied, the correct course of action instead is make it secret, for example this is what Coca-Cola does (they rarely, if ever, patent their products, and they hide the best they can their recipes and processes)
Contemporary article: https://www.nytimes.com/2006/07/06/business/06coke.html
More dramatized version with info from court proceedings: https://thehustle.co/coca-cola-stolen-recipe
To be honest, I didn't think of it as anything sinister at that time. AWS had such high octane culture to move fast and innovate that I actually felt what they had done was quite smart. It was a super competitive culture and people did whatever was needed to build new things. On a day to day basis the only pressure was to build... I don't remember instances where ethical guidelines were brought up. So, in a way, the outcomes were a result of what people were rewarded on.
Only after I left AWS I started thinking it was ethically iffy. I still believe Amazon is an amazing company and my time at AWS was one of the best learning experiences.
I wish we went into this in much more detail in high school when covering economics and ethics (if the school even bothers to teach ethics). It should be a prerequisite in any capitalistic economy (but not only those, it can easily be extended to other things).
I've also worked in industries that I think don't operate very ethically. It's amazing what you can ignore as an outlier because the alternative is uncomfortable or means you have to make a large personal change.
Companies and people sometimes do shitty things. It isn't always on purpose (misunderstandings, one bad person, etc), and there isn't always a good way to fix it afterwards. I don't condemn people and companies because of this, and there's a tendency to assume this when you see something and work at the company. It can take a while before you start seeing a pattern and accept that it might just be how things are done sometimes and the management is fine with it. If you don't have a lot of options, I think there's a tendency for people to not look closer either on purpose or subconsciously because they might not like what they find, and then they've put themselves in a harder situation, where they must choose between what they believe is right and a hardship.
Sometimes ignorance is bliss, and the human mind is very complex. That's all I'm saying.
Previous discussion of Amazon releasing a Basics version of an item at half the price:
The above statement may be "true" if you redefine what is confidential. The Amazon MNDA in past years basically said that they could use any information they remembered from the meeting. I read non-disclosures carefully. I've never seen anything like it.
We ended up signing it, but I went back and forth with their counsel to neuter this clause so that it was significantly safer:
Notwithstanding anything to the contrary contained in this Agreement, Recipient may use Residual Knowledge, subject to
Provider’s valid patents, copyrights[, trade secrets], and mask work rights. [For the avoidance of doubt, no license is granted to the Recipient for any of Provider’s Confidential Information, patents, copyrights, trade secrets, or mask work rights.] "Residual Knowledge" means any information that is retained in the unaided memories of Recipient's Representatives who have had access to Confidential Information of Provider[, without specific or intentional memorization or reference to any written or electronic information or documentation. Notwithstanding the foregoing, Residual Knowledge may only be used for internal purposes by Recipient, and Recipient may not disclose Provider’s Confidential Information to third parties under any circumstance except as outlined elsewhere in this Agreement.]
The parts in [ ] were added by me. We tried to neuter the clause as best we could; they really wanted to have one in there, for whatever reason, so my focus was on neutering it rather than arguing to remove it. There are always other concessions in a negotiation from the other side. :)
I was certainly naive when I heard about other big retailers who would refuse to allow any subcontractors to use AWS. "Surely Amazon has a Chinese wall" to prevent that kind of data sharing, I thought. Never underestimate the lack of morals in business is the right answer I guess.
It’s remarkable to me how many competent programmers with years or decades experience in this industry don’t understand —- If you’re using AWS, Amazon has access to ALL of the data you put on AWS.
Not that they 'can' or 'want to', given the current state of technology they absolutely have to have access to all your data for AWS to function.
There isn’t currently a feasible technical way to work around this. And to head off all the ‘but FHE’ comments, see the ‘currently feasible’ above.
Access records for public services have a very detailed iam audit trail that logs people who accessed what at what time, and service teams don't get to just jump around that. Maybe they can see some metadata but certainly not actual data in an S3 bucket somewhere.
Even with ‘enclaves’, from what admittedly little I know about them, you still have to have the key to decrypt things on the machine somewhere, which means whoever is running that machine for you has access to your unencrypted data, and we’re back where we started.
The comments above indicating 'well someone has access' - yea, obviously, it's data hosting. Someone has access.
But the amount of conspiracy here is frustrating.
Amazon will play very aggressively within the bounds of the law, meaning, if they can glean public info about something, or look at their own sales data for a product, they will do that.
But to look at s3 data would risk the entire empire.
It's rational for people to be a bit skeptical, and so Walmart can say 'no data on AWS' but it's also an easy thing to do.
Now - is it possible that new retail PM, who used to be an AWS PM, and who for some reason still had access to things he shouldn't - went ahead and did that? That could happen. And maybe his boss finds out and looks the other way but calls IT and tries to have the loophole closed quietly. Etc.
As a policy are they trying to copy your product and even ask you for information and aggressively pursue customer data? Yes.
As a policy are they looking at your S3/ec2 data - no.
But individual actors are individual actors, in a company of 100 000 people, some will go astray.
They are pushing their 'white label' stuff agressively, I have no doubt the PM's have zero qualms about using Amazon.com sales data to their advantage.
But I also submit that retail PM's actually getting access to private S3/EC2 is totally rubbish, at least by any policy or scale.
They could be sued for billions in each case of that breach, and the resulting PR fallout would be impossible.
Imagine you are the VP of AWS - you make all the profit for Amazon.
Are you going to somehow allow some dirty Retail PM access to your customers data?
When your customer finds out, and tells the world, and it gets in the press, what happens?
If your ABC startup had evidence that Amazon was creeping on your data as policy, you'd have to dump them instantly.
They could say goodbye to every government contract.
If you are Bezos - would you risk the entire Brand and the cash-cow to move some low-margin pair of shoes and USB hub?
So no, I think the firewall between AWS and Retail is systematically legit.
We mostly only do CI type stuff there, so that didn't work so well for them, but if most of our revenue & operational use was through AWS, you bet I'd be worried about what they could infer.
It's not just my experience. Talking to startups and warehouses in Canada, the stories are all about how Shopify invites for friendly talks and then stonewalls you once they have got the required information
aka, we did not sign an NDA with the party across the table
If you blatantly ignore and NDA, and then make a lot of money from it, then the 'small startup' will have a ton of money because the prize is huge, i.e. a % cut to lawyers who can work pro-bono.
Imagine you have a $10B company and some bonehead PM steals info from some small startup, for some stupid small project - it puts everything at risk.
In most case, I think you have boneheaded actors, usually not acting in the best interest of the company.
The economic and reputation cost Amazon would take in ever accessing customer data to come up with some competing B-list product (say ElasticSearch as a managed service) is astronomical compared to potential profits. One thing I know about that company... they care about optimizing profit and are long term focused.
Please provide evidence for your extraordinary claim.
The customer data on Amazon Retail is Amazon's, not the seller's , just like the customer data when you buy shampoo from Walmart is Walmart's, not Procter&Gamble's
1. This article is behind paywall, but thanks for posting.
2. EVERYONE should ask for evidence for any/all unsubstantiated claims, no matter where on the opinion spectrum they sit.
1. Someone needs to pay the people who write stories. If proof is important you should not object to contributing to the people who work on your behalf.
How would a startup that was concerned of Amazon copying it be certain to avoid such surveillance other than running its own data center?
How is that confidential information if it's hosted on their own servers?
I think the original Netscape folks would disagree with your assessment of M$ sherlocking competence.