Are Amazon Sidewalk’s privacy protocols ready for the real world?

Last week, Amazon opened its Sidewalk protocol to third-party developers. Sidewalk is a large mesh network that draws on people’s home internet connections across the US. It’s a service that requires a lot of trust, and so far, most of the devices on it happen to be Amazon’s own products. But that’s about to change — and as a result, Sidewalk’s privacy safeguards are about to be tested at a much larger scale.

No connected device is ever truly 100 percent private or secure. But so far, despite some initial concerns, Sidewalk has avoided any major privacy disasters. Here’s a rundown of how Sidewalk works, the risks it might pose to you as a user, and what we know about Amazon’s plans to defuse them.

Sidewalk feels like it should be a privacy nightmare. It uses your Amazon Echo or Ring camera as a bridge to siphon a small portion of your internet bandwidth, which is then pooled together to create a mesh network. The more Sidewalk bridges in your neighborhood, the better it works.

Why would you want this? It’s a way to ensure your smart devices work even if there’s no stable Wi-Fi connection. Say you stick a Ring floodlight on your garage door, way out of your router’s range. That device could instead tap into Sidewalk to stay connected. Sidewalk is also similar to Apple’s Find My network when it comes to Bluetooth item or location trackers. Before adding Sidewalk compatibility, Tile trackers were mostly limited to your phone’s Bluetooth range. That’s fine if you lose your keys at home but isn’t quite as helpful if you lose them on the street. Now, certain Tile trackers can tap into the Sidewalk network to notify owners of their last known location — even if you’re miles away.

Your devices connecting to and sending data across a network made from bandwidth borrowed from strangers? Sounds fishy. However, experts say they aren’t too worried about Amazon’s Sidewalk privacy and security protocols, which include three layers of encryption to secure data. (You can read more about them in this white paper.)

“Everybody who’s looked at the [Sidewalk privacy] protocol has said it’s a good protocol,” says Jon Callas, director of public interest technology at the Electronic Frontier Foundation. “There are no major flaws.”

Amazon Sidewalk was quietly announced in 2019, but a privacy brouhaha began in earnest before it launched in June 2021. It centered around the fact that Sidewalk was an opt-out service. If you had an Echo or Ring that could act as a bridge when Sidewalk launched, it was enabled by default via an over-the-air update. Amazon said it sent users an email detailing how to opt out, but who among us has read every e-commerce email in their inbox? It didn’t help that the setting was — and still is — hard to find in the Alexa app. The better option for privacy and security would have been to make the service opt in. Instead, the backlash was fierce, and Sidewalk made a less than stellar first impression.

Since then, Amazon has stated that you’ll be asked if you want to enable Sidewalk the first time you set up a compatible device. It still isn’t completely opt in, however. In its white paper, Amazon also says that if you don’t complete setup, Sidewalk will be enabled by default unless you’ve previously opted out.

There were also concerns that Sidewalk was effectively stealing internet bandwidth. The fear was that users would end up with higher than expected internet bills and slower speeds, potentially without having given consent. While Sidewalk does “borrow” bandwidth, it caps usage to 500MB per month. That shouldn’t be an issue if you have wired broadband and, at that amount, is unlikely to slow down your service.

Until now, the majority of Sidewalk-enabled devices have been Amazon Echo and Ring products, with a handful of other partners like Tile. Adding third parties will increase the number of Sidewalk-compatible products and hubs, but it inevitably means uncovering bugs and other vulnerabilities that Amazon and experts haven’t thought of. Sidewalk’s privacy and security protocols look good on paper, but they haven’t been tested under these conditions.

“It has not met with reality yet. When all of these things meet with reality, there are problems that surface,” says Callas, referring to Sidewalk. “I am sure that there is going to be at least one embarrassing bug in the system because everybody has at least one embarrassing bug.”

We’re still waiting on key information about Sidewalk, too. Apple, Google, and other tech giants all make developers meet certain criteria to use their APIs, and there aren’t many details about Sidewalk’s certification process or how it plans to ensure developers comply with Sidewalk’s privacy policies. Likewise, Amazon hasn’t detailed its plans to handle bad actors. We don’t know yet how quickly Amazon will respond to reported threats or how quickly it will patch bugs and vulnerabilities. And the fact is, we won’t know until it happens.

“Developers who want to participate in Amazon Sidewalk will go through the Works with Amazon Sidewalk qualification program (WWAS),” Amazon spokesperson Jill Tornifoglio tells The Verge. The WWAS program, which is currently live, will purportedly test third-party designs for compliance with Sidewalk protocol requirements such as timing, packet structure, and size requirements. “We also verify that devices connect with the Sidewalk network following the registration process,” Tornifoglio says.

Tornifoglio also clarified that Sidewalk has multiple layers of encryption, and those standards will also apply to third-party applications. Third parties will also be able to issue unique identities to link devices to their apps to prevent unauthorized access.

“We believe technology can and should be used for good, but recognize bad actors can misuse many different kinds of technology. Abuse of any kind is unacceptable and subject to termination under our terms of service,” Tornifoglio says, adding that Amazon has the capability to remove bad actors and malicious devices from the network.

At this point, it boils down to how comfortable you are with uncertainty. So far, there are no major reasons to be wary — aside from your personal feelings about Amazon’s trustworthiness. That’s fair since Amazon botched how it handled Alexa voice recordings. The company also doesn’t have the best record with regard to Ring cameras and surveillance. However, it should also be noted that Amazon’s AWS cloud services are considered to have excellent security measures.

If you’re concerned about Sidewalk, opting out is the only way to ensure it won’t impact your privacy whatsoever. (Here’s how.) But if you’re already an avid Amazon Echo or Ring user and you like the idea of Sidewalk as a whole, you should feel free to participate until you’re given a reason not to.

“I wouldn’t sweat the details,” says Callas. “All of these voice things like Echo, I don’t use them, but I don’t feel like people who do are somehow endangering themselves.”