A new Amazon transparency report issued this week offers unprecedented detail from the company on information requests it has received so far this year, but the report offers little reassurance for Amazon Web Services customers.
In the report, which Amazon will update biannually, the total numbers of subpoenas, search warrants and other court orders are tallied, along with how Amazon responded. However, the data does not break out whether any of the legal requests applied to Amazon Web Services (AWS) customers versus Amazon.com retail customers.
It's also not known how many of the requests were for "non-content" information such as an Amazon Prime subscriber's name and email address, and how many were for "content" information on data files stored in customer accounts, though Amazon's report defines these terms.
The Amazon transparency report is a step in the right direction, but a split between Amazon.com retail customers and AWS would have been much more useful to enterprises deciding whether or not to put data in Amazon's cloud, said Edward Haletky, CEO and principal analyst with The Virtualization Practice, LLC, in Austin, Texas.
"AWS customers are worried about whether their data is disappearing or being read," Haletky said.
Amazon has not been as forthcoming as other major technology vendors. Google, for example, provides a spreadsheet which counts legal requests and shows country of origin, the type of request, and how many customers were affected (which, in some cases, can be thousands at a time).
Microsoft goes a step further in its transparency report from the second half of 2014, in which an FAQ states that Microsoft received three requests from law enforcement for 32 users associated with an enterprise cloud customer; that in two cases, the requests were rejected or law enforcement was redirected to the customer; and that in the third case, the customer was notified of the legal demand and the customer directed Microsoft to provide information to law enforcement.
Some enterprise IT pros, however, are skeptical of any of these reports given what's known about recent U.S. national security programs. They point to a number in the Amazon transparency report that isn't a number at all, but rather a range indicating the rough number of national security requests it has received. In Amazon's case, that range is 0-249, which covers so much ground it is almost meaningless.
"It's great that they're doing this, and I'm sure philosophically they would like to do more," said Jared Reimer, co-founder of Cascadeo Corp., an IT consulting firm located in Mercer Island, Wash. "But I don't believe the government allows them to disclose the full story – it's hard for me to put much stock in this report."
Amazon transparency report reassurances?
One thing the Amazon transparency report does demonstrate is that legal requests of any kind for Amazon customers are relatively rare – only 813 subpoenas were received, for example, compared against a million AWS customers and hundreds of millions of customers on the retail side.
"The numbers seem lower than I would have expected," Haletky said.
It will also interest enterprise customers, particularly in Europe, that Amazon Chief Information Security Officer Stephen Schmidt unequivocally denied any participation by Amazon in the U.S. National Security Agency's PRISM program in a blog post about the Amazon transparency report last week.
Amazon has also come under fire recently for its lack of transparency around environmental policy, but this transparency report, along with a recent product change, reflects an increasingly responsive stance by Amazon to similar criticism, Haletky said.
Last week, Amazon said it will make network flow logs available for customers running in a Virtual Private Cloud (VPC) without requiring agents on EC2 instances, making it easier for customers to audit their own environments for security purposes.
"It's incredibly important," Haletky said. "It shows Amazon is giving customers more and more data."