I run a part of the data request process at our company. This article is an example where people expect anything technology related to be magic.
We have to go through EVERY tech stack we own and look for that person's data. It's amazingly manual and tedious and takes about 6 people about an hour per request.
We're working to automate it, but needless to say we try not to broadcast it too broadly.
I hate that everyone jumps on any bad experience as a "dark pattern" when there's plenty of incompetence to share the blame.
> Given Amazon’s obsession with speed and eliminating friction to foster faster consumerism, the dawdling data solicitation process seems like it just might be intentional, designed to dissuade requests. A far simpler explanation comes through an invocation of Hanlon’s razor, the old adage to “never attribute to malice that which is adequately explained by stupidity.” Amazon whistleblowers cited by Politico have said that the company “has a poor grasp of what data it has, where it is stored and who has access to it.” If that’s the case, then it stands to reason that it can take a month or more for Amazon to process a data request. As former Amazon chief information security officer Gary Gagnon succinctly put it in an interview with Reveal, “we have no fucking idea where our data is.”
However, there are many dark patterns here unrelated to how long it took:
- Repeatedly trying to direct users away from a data request to their "Your Account" page, which has a tiny fraction of your data
- 6+ different pages and many, many clicks required to make a request
- Data divided into ~100 different downloads (how many more days would it have taken to make one zip?)
Also, Amazon is an ad company. They have well-designed APIs and tools for managing all this data because it's how they make money. When an advertiser accesses your data, they don't have to manually download 74 different zips.
I understand what you mean and I agree about everyone whining that the "sky is falling" but in my opinion, you shouldn't collect what you can't easily give me.
> I hate that everyone jumps on any bad experience as a "dark pattern" when there's plenty of incompetence to share the blame.
While I understand you, this is Amazon. It's laughable to think, for an organisation with the technology and resources of Amazon, that this is anything but laziness, "malicious compliance" or a deliberate "fuck you".
Having me forced to click over a hundred download buttons to get the data I requested is not ok for a company Amazon's size and is not because they couldn't spare the resources to have someone write a few lines of code to archive those into a single tar.gz/zip and provide one button to click; it's deliberate.
It's not magic. It's expecting compliance with the law.
When you make a car, you need to add safety belts and lights.
When you control data, you need to have a way to provide the data to the person who the data is about.
You don't get to complain because your company decided that it's easier to only add the lights and safety belts when someone complains in a cumbersome manual process.
It's revealing how hard this stuff is when Google's Data Liberation Front needed 4 years to release Google Takeout – which I consider to be best-in-class for personal data access.
I disagree. Google Takeout is a sham. It doesn't have all the data they collect about you. It's almost adequate for data portability, but not quite. It's useless for data transparency.
Google Docs keeps keystroke-level logs of everything you type, for example. That's not in Takeout. Neither are things needed to conduct a security audit (that's a paid service for Workspace customers). Neither is a lot of advertising profiling data.
It is a hard problem, but the GDPR went into effect 3 years and 10 months ago. That date didn't come as a surprise, but was known 6 years ago. Anything newer than that should have taken data requests into account from the design stage. Anything older than that has had ample time to adjust. More than the 4 years you quote for Takeout!
> We have to go through EVERY tech stack we own and look for that person's data. It's amazingly manual and tedious and takes about 6 people about an hour per request.
GDPR went into effect 5 years ago. If 5 years later you still haven't automated this...
Seriously, this is a direct result of Amazon failing to prioritize this. First off, blaming the customer for calling the architecture out as being bad is crazy. The customer has no say in the architecture - it's all on Amazon.