(Phys.org) —Most people assume that Amazon.com's massive online workforce is anonymous, but a study by researchers from The University of Texas at Austin and five other universities has uncovered a security vulnerability that makes it relatively easy to uncover many workers' personally identifying information.
"Even though many people aren't even aware that a huge online workforce like Amazon's exists," said Matt Lease, assistant professor in The University of Texas at Austin's School of Information, "a tremendous amount of manual data processing is being performed online by an international 'crowd work industry.' "
Crowd work is similar to "crowdsourcing" in that a large, global population is mobilized to complete tasks or offer information. The major difference is that crowd work offers pay for successfully completed activities. Crowd work includes a wide range of tasks and necessary skill levels—from micro-tasks such as data processing that take a few moments, to multi-hour jobs that require more demanding skillsets. Academic researchers can even post requests on some of these platforms to gather input or data for a study. In the case of Amazon, this "anonymous" workforce may also be customers of the company.
Called Amazon Mechanical Turk (AMT), the company's online workforce platform allows a "requester" to sign in and enter a job post. Any of the 500,000 workers that AMT now boasts can sign on and complete the task. The requester then assesses the work and, if it meets specifications, pays the worker without either knowing the identity of the other. The assumption has been that disclosure of the identities of employer and worker are not necessary or apparent.
According to Lease, the expectation of worker privacy on AMT was most strongly reinforced by the fact that AMT requesters and workers are identified to one another only by a 14-character sequence of letters and numbers.
Although these alphanumeric identifiers were widely believed to be unique to AMT, the fact is that Amazon links the same identifiers to all Amazon activities in which users engage. As a result, simply searching the Web for worker IDs often reveals allegedly private information about the workers such as products they've rated, product reviews they've written, their Amazon wish lists, and often even the workers' actual names and pictures.
"Besides the unexpected loss of privacy to many workers, this issue is of particular concern to universities that use AMT for human subjects research," said Lease. "Both participants and researchers have operated under the assumption that participants could not be personally identified, something we now know is possible. While this finding does not preclude future use of AMT for such research, both researchers and participants need to recognize and acknowledge the potential lack of participant anonymity in future studies, as well as those already under way."
Lease and his research colleagues have alerted the Institutional Review Boards at their universities to this AMT vulnerability and launched a grass-roots initiative to inform AMT workers and other academic researchers about the security concern.
Lease also has informed Amazon of the privacy issue. He stated that staff members there said they are unlikely to break the link between AMT worker IDs and its customer profiles and most likely will address the issue by better educating workers about the interconnectedness of their online information. Amazon also confirmed its continuing interest in helping academic scientists find effective ways to conduct research responsibly through AMT.
The findings regarding AMT's security vulnerabilities were made during the Association for Computing Machinery's Computer Supported Cooperative Work and Social Computing (CSCW) conference and published online to the Social Science Research Network on March 6.
In addition to disclosing AMT's specific privacy vulnerability, the paper also includes broader recommendations for how similar security breaches might be avoided in today's global marketplace of online crowd work.
Explore further: Fighting the next generation of cyberattacks