While Apple continues to fight the court order requiring it to develop a new firmware so that the FBI can more easily hack a terrorist's phone, another major tech company has taken a surprise step back from protecting its customers privacy through encryption.
In the latest Fire OS Bellini 5.1.1 update, Amazon has removed device encryption from the OS.
Update: And as of Friday night, Amazon promised to bring encryption back. "We will return the option for full disk encryption with a Fire OS update coming this spring," I was told.
The change won't impact Kindle or Fire phone owners, but it will impact millions of owners of Fire tablets running the latest version of Amazon's OS, including the models launched last year as well as the Fire HD6 and Fire HD7. Both tablets are due to receive updates to Fire OS 5.1.1.
Device-level encryption, or full disk encryption, is the process of protecting all user data on an Android device using an encryption key. This is a core feature of Android 5.0 Lollipop, and once this option is enabled user-created data is automatically encrypted before being saved to a disk (it is disabled by default).
The change was first noticed by Rick Dillon, who wrote last week:
Even as the debate about whether the All Writs Act of 1789 can be used to compel a company to write new software that compromises the security of its own devices continues, Amazon has quietly removed all support for full disk encryption in their latest version of Fire OS, based on Android 5.0 ‘Lollipop’ (which has native encryption support). I discovered this while attempting to upgrade my 4th generation Kindle Fire, but got an error message indicating that I needed to backup all my data, do a factory reset on my device to remove encryption, and then install the update, since Fire OS 5 does not have support for encryption. Amazon did link to a page on their site explaining this, but it appears to not be indexed and I haven’t been able to find it again. Amazon’s removal of such a core privacy feature is somewhat surprising, since it represents a bit of a break from other high-tech firms like Google, Facebook and Twitter who have forApple’s stance that it will not subjugate the privacy of its users to government whims.
— David Scovetta (@davidscovetta) March 3, 2016
This is a shocking move for Amazon; the retailer has always put its customers first, so you would think that Amazon would at least give us the option of device-level encryption.
Both Apple and Google adopted device-level encryption in the wake of revelations of wide-spread illegal spying by the US government, and Apple even took the next step of making the encryption mandatory (it is still optional on Android).
And now Amazon is taking a step in the wrong direction, a move which makes no sense given that it follows only days after Amazon CTO Werner Vogels gave an impassioned speech at MWC in Barcelona where he said:
We have a very strong opinion on this. We believe that you cannot have a connected business, or an Internet-connected business and not make security and protection of your customers your number one priority.
Encryption plays a very, very important role in that. To be honest, it is one of the few really strong tools we have so customers know that only they have access to their data and nobody else.
I have reached out to Amazon for more information, and I will update this post with their response.
Update: Here's Amazon's response:
"In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren’t using," Amazon said in a statement. "All Fire tablets’ communication with Amazon’s cloud meet our high standards for privacy and security including appropriate use of encryption."
So Amazon is saying Fire OS 5 never had device-level encryption. It's funny how no one notices that before now, but I suppose it is possible.