Skip to main content

Amazon Ditches Encryption, Leaving Users Wide Open

Between advertisers, cybercriminals, and intrusive government agencies, it's no surprise that encryption has become a huge issue over the past few years. Anyone who spends even a modest amount of time online knows the importance of keeping your data safe and private, which is why it's absolutely shocking when a major company decides that its customers no longer need that option. If you have a Kindle Fire device, Amazon has given you two stark and highly insecure choices: either lose the ability to encrypt your files, or never get another security update.

A user named John G. pointed out this issue on the Amazon Kindle forums a while back, and the furor has only been growing since then. His Kindle HDX 8.9 tablet prompted him to install Fire OS 5 (the device shipped with Fire OS 4), but also informed him that if he went through with the update, he would lose the ability to encrypt his personal data stored on the device. Other users soon confirmed that John was not alone.

MORE: Smartphone Encryption: What You Need to Know

Explaining what encryption is and why it's so important requires its own article, but briefly, a decent encryption protocol keeps your files safe from unauthorized intruders. A third party, attempting to intercept encrypted files and folders, will find only gobbledygook, and be unable to translate it without an encryption key. These keys are easy to manufacture, and usually extremely difficult to break. In short, encryption is one of the strongest privacy tools that users have at their disposal, and not providing the option is a huge security faux pas. Removing the option after users already had it is arguably even worse.

Consider the ramifications for Amazon products. Removing encryption on a Fire TV might not make much of a difference, since you're not likely to store much on the device other than videos and music. On a tablet, though, you could have corporate e-mails, banking information, creative works-in-progress or identifying information such as social security numbers and home addresses. If your tablet is a secondary work device, or your lightweight computer-away-from-home, it is simply not reasonable to suggest that these files should go unprotected.

Tom's Guide contacted Amazon, and received the following response from its PR team: "In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren’t using. All Fire tablets’ communication with Amazon’s cloud meet our high standards for privacy and security including appropriate use of encryption.” While that may be true for items stored in the cloud, the same protection does not apply to items housed solely in a device's physical storage.

Astute observers on Web have also pointed out that there is no small measure of hypocrisy evident in Amazon's decision. The company uses copious amounts of Digital Rights Management software in order to ensure that users cannot make unauthorized copies of its content, or share its files without company consent. If every broadcast of Transparent gets thorough encryption because doing otherwise could threaten Amazon's livelihood, asking its users to do otherwise is simply baffling.

At present, Amazon Fire users have but two options, and they are both, in terms of security, terrible. The first is to do as Amazon suggests, and not accept the Fire OS 5 update if you want to keep encryption. This is a little bit like installing a lock on your front door that you cannibalized from your back door. Yes, encryption will keep your files safe, but when Amazon patches security bugs, it's not at all uncommon for those bugs to become common knowledge, especially if they exist in other Android systems. Hackers can reverse-engineer these exploits easily, so your encrypted files may be cold comfort when your system gets hijacked by a malicious app or a hole in your browser.

The other is to accept the update and lose the ability to encrypt files. This is probably the safer option, but not by much. One vulnerability out in the wild could put your easily readable files into the hands of someone who probably shouldn't have them.

In this Scylla-or-Charybdis case, Tom's Guide cannot provide any strong recommendations between the two options. Instead, if you don't own a Fire product yet, don't buy one unless this problem gets sorted out. If you do own one, contact Amazon as soon as possible, and let it know that removing encryption is not acceptable for a system that may contain sensitive materials. If the company does not relent, get tablet from a different manufacturer. This is admittedly an extreme recommendation, but Amazon's anti-consumer actions have been equally extreme. Taking security options out of users' hands sets a dangerous precedent, and probably won't do your files any good, either.