Amazon is under scrutiny for its response to a data breach involving stalkerware applications Cocospy, Spyic, and Spyzie. These operations have been found to upload and store photos exfiltrated from individuals’ phones on Amazon Web Services (AWS). Despite being notified about the breach, Amazon has continued to host the data, affecting approximately 3.1 million people. This situation has sparked concerns about Amazon’s decision-making and adherence to its own policies.
Amazon confirmed to TechCrunch that it was “following its process” after receiving a notice in February regarding the breach. However, Amazon has yet to take definitive action against the stalkerware operations responsible for the data exposure. The company acknowledged that it received notifications from TechCrunch on February 20 and March 10 about hosting the exfiltrated data, but the storage buckets used by Cocospy, Spyic, and Spyzie remain active.
Amazon’s Response and Policies
Ryan Walsh, an Amazon spokesperson, stated that AWS has clear terms requiring customers to comply with applicable laws.
“AWS has clear terms that require our customers to use our services in compliance with applicable laws. When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content.” – Ryan Walsh
Despite this assertion, Walsh did not provide specific comments on the status of the servers used by these applications. He directed TechCrunch to an abuse reporting form but mentioned that no report had been received through that link.
Amazon’s acceptable use policy broadly outlines what customers are permitted to host on its platform. The company does not appear to dispute the prohibition of spyware and stalkerware operations from uploading data to its platform. Still, Amazon’s inaction on the matter raises questions about its commitment to enforcing these policies.
Commercial Interests vs. Ethical Obligations
Amazon Web Services reported a profit of $39.8 billion in 2024, highlighting its significant commercial interests. The company’s reliance on paying customers might contribute to its reluctance to act decisively against these stalkerware operations. However, this approach could undermine its ethical obligations to protect users’ data and privacy.
The vast resources available to Amazon, both financially and technologically, should enable the company to enforce its policies effectively. Ensuring that bad actors do not exploit its services is crucial for maintaining trust with its clientele. Critics argue that Amazon’s decision not to act on the information it received may indicate a prioritization of profits over privacy.
As of the time of publication, the storage buckets used by Cocospy, Spyic, and Spyzie remain active. This ongoing situation amplifies concerns about data security and privacy for millions of individuals affected by these stalkerware applications. The failure to address the issue promptly could have lasting implications for those whose data has been compromised.
Casey McGee, another spokesperson for Amazon, acknowledged that the company is aware of the continued uploading of exfiltrated photos on AWS but did not provide further comment on any potential actions Amazon might take.
Author’s Opinion
Amazon’s inaction in the face of clear violations of its policies concerning stalkerware is alarming. Despite clear evidence that sensitive data is being exploited and hosted on its servers, Amazon has failed to take swift and meaningful action. The company’s refusal to act promptly not only puts users’ privacy at risk but also tarnishes its reputation. While commercial interests might play a role in this delay, Amazon’s size and influence should place it in a position where it can prioritize ethical standards and the protection of its users over immediate profits
