Amazon: Fire Owners Didn't Care About Encryption

Amazon has pushed back at suggestions it's selling out Fire tablet users on data encryption, arguing that it was a Spring clean not a security lapse. The online behemoth faced vocal criticism this week over its Fire OS 5 software for its affordable Android-based tablets, which quietly removed support for encrypting data.

Although Fire OS 5 was released earlier this year, recognition of the changed feature set only really occurred when high-profile security researchers flagged the differences.

Fire OS 5 is based on Android 5.0 Lollipop, which in its native form supports FDE or "full disk encryption" as an option. That effectively allows users of Lollipop devices to choose to secure all of their own data with a passcode: without that, the 128-bit master key can't be accessed to read that data.

NOW READ: 8 things to know about the Apple/FBI fight

It means that, should a device fall into unwanted hands – whether they are those of thieves or, topical given the pressure Apple has faced in recent weeks by the FBI over unlocking an iPhone involved in a terrorist incident, law enforcement agencies – they would need the master passcode in order to read any of the information stored on it.

That's the theory, anyway: in practice, it requires users to actually turn the encryption on, and that's something Amazon says its Fire tablet owners weren't actually doing.

"In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren't using," an Amazon spokesperson told SlashGear. "All Fire tablets' communication with Amazon's cloud meet our high standards for privacy and security including appropriate use of encryption."

It's unclear how many Fire tablet owners actually were using pre-OS 5 encryption; we've asked Amazon for that breakdown and will update with the company's response.

Anyone who was relying on encryption will have to disable it if they want to use OS 5 or any subsequent version of Amazon's software. However, as the company points out, this affects local data not what is communicated between tablet and Amazon's cloud-based servers, such as payment information when making a purchase.

On the one hand, there's a solid argument that the target audience for a multimedia-centric tablet like Amazon's Fire series is understandably not going to be particularly concerned by this sort of data security talk. If the primary use is – as Amazon bills it – ebook reading, video and music streaming, and internet browsing, then that's a very different use-case to a device with corporate email access or other sensitive information.

Nonetheless, sometimes convenience – in this case, the convenience of not having to input a passcode whenever the device is turned on – arguably needs to take a backseat to sensible security precautions. The question, therefore, might not be "how many people were choosing to turn on encryption?" but more importantly "why wasn't Amazon enabling it by default?"