Special Report: Can you trust Amazon Sidewalk and Apple’s Find My?

Last month, Amazon finally turned on its long-planned Sidewalk home-network augmentation service. The backlash was immediate. 

“Sidewalk … raises more red flags than a marching band parade,” wrote The Washington Post, a newspaper that happens to be owned by Amazon founder Jeff Bezos.

“Amazon is once more confirming that its true allegiances do not lie with its customers,” said the American Civil Liberties Union. “Instead, the company is moving to expand its already capacious surveillance infrastructure.”

“Unless you opt out, your Amazon devices will automatically start participating in this connectivity bacchanal,” said Wired.

“It’s only a matter of time before someone’s network gets hacked and data gets breached,” a digital-rights expert told the Los Angeles Times. (Sidewalk does not grant users access to other people’s Wi-Fi networks.)

Upon closer examination, however, it’s not entirely clear whether that alarm is justified, especially when Apple’s Find My network seems to work in much the same way. So is Amazon Sidewalk safe to use, or do you really need to turn it off to protect your privacy and your home network?

What is Amazon Sidewalk, and how to opt outHow to set up the Amazon Echo

How Sidewalk works

Sidewalk turns most Amazon Echo devices and some recent Ring cameras (also made by Amazon) into “bridges” that relay signals from low-power wireless devices, such as Tile tracking fobs and Level smart locks, to home Wi-Fi routers and the internet beyond.

Here’s a list of the Echo and Ring devices that work as Sidewalk bridges, including some models that are no longer sold:

Amazon Echo (3rd Gen)Amazon Echo (4th Gen)Amazon Echo Dot (3rd Gen)Amazon Echo Dot (4th Gen)Amazon Echo Dot (3rd Gen) for KidsAmazon Echo Dot (4th Gen) for KidsAmazon Echo Dot with Clock (3rd Gen)Amazon Echo Dot with Clock (4th Gen)Amazon Echo Plus (1st Gen)Amazon Echo Plus (2nd Gen)Amazon Echo Show (1st Gen)Amazon Echo Show (2nd Gen)Amazon Echo Show 5Amazon Echo Show 8Amazon Echo Show 10Amazon Echo SpotAmazon Echo StudioAmazon Echo InputAmazon Echo FlexRing Floodlight CamRing Spotlight Cam WiredRing Spotlight Cam Mount

The Sidewalk function was remotely activated by Amazon on June 8 on Echo and Ring devices that were already in people’s homes, although users can opt out. (More on that at the end of this story.)

Because of Sidewalk, you’ll now be able to locate a Tile tracking device (and whatever it’s attached to) that’s out of your phone’s Bluetooth range if there’s an Amazon Echo or Ring device within range of the Tile. (Amazon says Sidewalk-compatible tracking devices for pets and adults with dementia are on the way.)

tile mate

There’s a catch, though. Your Tile tracker doesn’t communicate with only your Amazon Echo or Ring devices. Sidewalk lets it communicate with ANY Amazon Echo or newer Ring device within range, whether that device belongs to your neighbor, your cousin or someone halfway around the world. 

This extends the useful range of Tile tracking devices and other Sidewalk-connected devices to the entire planet, theoretically. Likewise, other people’s Tile trackers will be able to communicate with your Echo or Ring and use up a little of your internet bandwidth to reach the rest of the world.

Sidewalk also serves as a backup network: If you lose internet connectivity at home, your smart lock will still work remotely as long as it can “hear” your neighbor’s Echo. All communications between Sidewalk-enabled devices will be encrypted, Amazon says.

Stealing your data?

This network-sharing aspect, and the fact that Amazon switched on Sidewalk without asking device owners first, has got people upset. 

“Amazon has helped itself to your Wi-Fi bandwidth and is allowing anyone nearby to use it while they’re in the neighborhood,” said AskCyberSecurity.com. “This may be enough for some to opt out [of] Amazon Sidewalk immediately.”

“This is uncharted territory for the privacy and security of devices like Alexa, Echo and Ring,” Connecticut’s state attorney general said. “Wireless networks are already notoriously vulnerable to hacks and breaches, and families need better information and more time before giving away a portion of their bandwidth to this new system.”

“Sharing your bandwidth with your neighbors is a great idea, said no one ever,” quipped one Twitter user in response to another who said he had no problem with Sidewalk. 

See more

None of this is quite accurate. Sidewalk does let low-energy devices piggyback on your home internet connection via Echo and Ring devices, but that’s not the same thing as giving your neighbors full access to your home Wi-Fi network. Those neighbors won’t be able to access your Tile device from their home network, or vice versa. 

Furthermore, the amount of data that is being used by these low-power, low-data devices is minuscule. 

“We’re talking about 100-200 bytes per message,” said Jon Callas, a renowned security, privacy and encryption expert who now works with the Electronic Frontier Foundation and recently wrote a detailed examination of Sidewalk. “That’s literally rounding errors for bandwidth.”

The transmission rate between a Sidewalk endpoint device and a Sidewalk bridge is capped at 80 kilobits per second, not much faster than a dial-up modem, and the overall data usage is capped at 500 megabytes per month, which Amazon says is “equivalent to streaming about 10 minutes of high-definition video.”

Most U.S. broadband subscribers have unlimited data caps, so an extra 500MB of usage over a month won’t be noticed. However, for people whose home broadband usage is capped, half a gigabyte might be significant.

That doesn’t mean that major American internet service providers (ISPs) are cool with Amazon Sidewalk, however.

“Amazon does not have the right to do this, full stop,” an unnamed representative for an ISP told The Wirecutter for a recent article. “It is not Amazon’s network to be sharing — they are putting their customers in violation of their agreements with their providers, and it is straight-up theft.”

Apple does the same thing with Find My

Yet Amazon Sidewalk isn’t the only such service that borrows your bandwidth in order to let low-power smart devices get online. A very similar service has been around since 2010, and few people complain about it. 

It’s Apple’s Find My network, which started out as a way to locate lost phones and has since grown into a way to find almost anything, including AirPods, Apple Watches and even high-end bicycles

Apple’s new AirTags use Find My to work in much the same way as Tile trackers do on Amazon Sidewalk. A lost AirTag will communicate via Bluetooth with any iPhone, iPad or Mac that happens to be within range. 

Find My then will use a small chunk of that Apple device’s cellular or Wi-Fi data to reach out to Apple’s servers, which then tell the AirTag’s owner where it is. 

The Find My network appears to be turned on by default on Apple devices, just as Sidewalk is on by default on Ring and Echo devices, and the estimated 2 billion Apple devices worldwide make Find My a truly global network.

Apple AirTag

Turning on data-sharing services by default can be a problem, as Luta Security founder Katie Moussouris pointed out.

“Vendors like Apple and Amazon should never enable new features that share any data or device access like Wi-Fi without getting user informed consent first,” Moussouris told Tom’s Guide. “Personally, I disable features that are designed to share data, even if it means less convenience.”

Nonetheless, there’s been much less of a privacy outcry about Find My. No one is recommending that you turn off Find My to protect your privacy, or that Apple should be paying you to use your cellular data.

Soon after AirTags were released this past April, it was found that despite Apple’s efforts to the contrary, you could indeed use AirTags to stalk or track people without their knowledge. But Apple quelled the bad publicity by fixing that problem with an over-the-air update. (Tile is doing the same.)

A matter of perception

So is there a double standard? Why does Apple get a pass for Find My when Amazon is raked over the coals of public opinion for doing the same thing with Sidewalk?

“Apple seems to have done more to earn the trust of journalists and data protection experts,” said Melanie Ensign, founder and CEO of Discernible, Inc. and an advisory board member at The Rise of Privacy Tech, a digital-privacy advocacy group. “The entrance of Amazon into this space is seen as more of a privacy concern because of the company’s long history of privacy violations.”

Ensign cited several recent examples of Amazon falling short on user privacy and having tight connections to government authorities. 

An Echo device sent a recording of a married couple’s private conversation to a friend; Ring used active-duty police officers to promote the company’s devices; Amazon Web Services was used by Immigration and Customs Enforcement to collect data on illegal immigrants; and Amazon may have to pay the European Union $425 million in fines for as-yet-unspecified violations of the General Data Protection Regulation.

A smart speaker listening to a couple's private conversation.

“It’s unsurprising that customers and privacy advocates questioned Amazon’s privacy and security commitments when it rolled out Sidewalk,” said Lourdes Turrecha, founder of The Rise of Privacy Tech. “Can customers trust that Amazon will not overcollect, misuse, or overshare customer data?”

Meanwhile, Apple has made privacy one of its chief selling points. That’s not just marketing: Apple has acted on those principles, engaging in a very public court battle with the U.S. government over decrypting an iPhone belonging to a terror suspect.

“Apple has built trust with its customers when it comes to their data,” said Turrecha. “This commitment to privacy comes from the top: Apple CEO Tim Cook.”

Technically, both Sidewalk and Find My are pretty safe

In terms of security and encryption, both Apple Find My and Amazon Sidewalk seem to be safe to use. Amazon has released a white paper detailing how Sidewalk works, and Apple has also released details about how the Find My network functions. Experts say there’s not much to worry about from a technical point of view.

“They sure do look remarkably similar to me,” Chet Wisniewski, principal research scientist at Sophos, told Tom’s Guide. 

“They are both well designed and both companies have a good track record securing their mobile/IoT devices,” he added. “Clearly there is a chasm between the privacy positions of Apple and Amazon, and that seems far more likely to result in this difference of public opinion.”

Wisniewski pointed out, however, that the expansion potential of the two networks is quite different. Apple’s Find My network is “practically a location beacon relay” that can send data only very slowly, limiting its prospects for future uses beyond locating devices. 

Meanwhile, Sidewalk, which uses stationary rather than mobile devices as relays, is “designed to be a pseudo-permanent connection and to be used for a larger array of low-bandwidth communications,” Wisniewski said.

That’s partly because some Sidewalk-enabled relays, such as newer Echo devices, have built-in 900MHz radios that can carry a decent amount of data — between 1 and 2 megabits per second, a bit faster than a DSL connection — for longer distances and through more walls and trees than Bluetooth can. Until Sidewalk was activated, those 900MHz radios lay dormant.

“You won’t be streaming your doorbell footage over Sidewalk,” said Wisniewski, “but it isn’t limited to things like location beacons and alerts the same as [Find My].”

Of course, that brings us back to the issue of your neighbors “stealing” your bandwidth. For the moment, that’s not much of a concern because Sidewalk’s usage of Wi-Fi networks is capped to low speeds and small amounts of data, as detailed earlier. 

That might change as the 900MHz network builds out, but for now, it’s Apple users who should be more upset about broadband borrowing, Wisniewski said.

“Apple’s bandwidth usage, while tiny, is more likely to use mobile bandwidth, which is often costly and metered,” he said. “Amazon Sidewalk is more likely to use broadband connections where there is no data cap, or one large enough that a few kilobytes a day is an uninteresting data point.”

A public-relations problem

The Electronic Frontier Foundation’s Jon Callas thinks that the bad publicity surrounding Sidewalk is a self-inflicted wound by Amazon.

“Amazon botched the announcement — that’s the center that everything else revolves around,” Callas said.

Amazon declared in May that all Echo devices, including those that had been sitting in customers’ homes for years, would have Sidewalk switched on by default in a matter of weeks. Then Amazon let the media convey that message to the public, along with a lot of misleading information, instead of doing it itself.

“Amazon never said, ‘We have a 900 MHz radio in these devices that we plan to use, and here’s how we’re gonna use it’,” Callas said. “Amazon’s 900MHz is actually a brilliant thing for home automation, [but] the way that we got told about it was, ‘You have 10 days before Amazon starts sharing your home internet.'”

Ring floodlight camera

By contrast, Callas observed, Apple has slowly built up Find My so that customers learn to trust it in stages as Apple incrementally adds more features.

“First there was Find My iPhone, then Find My iPad, then Find My Friends,” Callas said. “We have had over a decade to get used to it and understand what was going on.”

Even the backlash against Apple’s AirTags was an opportunity that Amazon missed, Callas pointed out. Amazon’s partner Tile certainly took notice.

“When [Apple] came out with AirTags, they built in some anti-stalking measures and fixed the problems,” he observed. “Amazon has been mostly silent. Tile came out and said there were problems, and said they would work on it.”

If Amazon had introduced Sidewalk to the public the way Apple unveils its own new features and services, Callas said, we might not be debating Sidewalk’s privacy and security.

“Everyone has a corner of their house where Wi-Fi doesn’t work,” he pointed out. “If Amazon had come out and said, ‘Here’s the solution,’ we all would have gone, ‘Wow, that’s brilliant,’ and there would be articles about how Amazon had taken away the lead in home automation from Google and Apple.”

A long-standing issue of mistrust

Still, Amazon’s trust problems seem to go deeper than just bad product rollouts. The close partnerships between Ring and local police departments has made civil libertarians suspicious of Amazon, and a wave of “hacks” of Ring devices (many of which were due to reused or weak passwords) got plenty of publicity a couple of years ago.

“As Apple has demonstrated, trust is built through consistent behavior over a long period of time,” Ensign said. “The backlash we’re seeing against Amazon indicates that in the eyes of the public, the company has not done enough to earn the trust they’re asking for.”

“Amazon cannot hope to win public trust with the design of a single product,” she added. “They will have to repeat this kind of development over and over and over.”

How to turn off Sidewalk or Find My

If you’re still worried about Sidewalk, it’s not that hard to opt out of using it. Check out our more in-depth explanation of how to turn off Sidewalk, but the basic steps are these. Unfortunately, you’ll have to do this separately for Alexa and for Ring.

For Alexa:

Open the Alexa app on your mobile device.Tap the More button.Tap Settings.Tap Account Settings.Tap Amazon Sidewalk.Tap the toggle switch to turn Sidewalk on or off.

For Ring:

Open the Ring app on your mobile device.Tap the three-line “hamburger” icon in the top corner.Tap Control Center.Tap Sidewalk.Tap the toggle switch to turn Sidewalk on or off.Confirm that you do indeed want to turn off Sidewalk.

There’s less concern about Apple’s Find My network, but turning it off on an iPhone is simple.

For Find My network:

Open Settings.Click on your name.Click on Find My.Toggle off Find My network.

Notice that you can leave Find My turned on for your iPhone while switching off the Find My network. (Here’s how to turn off Find My altogether.)

You’ll still be able to locate your iPhone as long as it’s powered on, but switching off the Find My network will no longer make it possible for your iPhone to be found if it’s turned off or out of battery power.

Today’s best Amazon Echo Dot (4th gen) dealsReduced PriceAmazon – Echo Dot (4th Gen)…Best Buy$49.99$44.99Reduced PriceAmazon Echo Dot 4Th…Bed Bath & Beyond$49.99$44.99Amazon Echo Dot (4th Gen)…The Home Depot$44.99All-new Echo Dot (4th Gen) |…AmazonPrime$49.99Show More DealsWe check over 250 million products every day for the best prices

相关阅读:

Posted in: 隐私安全