While Amazon has approached Sidewalk, an endeavor in connecting smart devices to a neighborhood mesh Wi-Fi, in a "sophisticated way" with privacy in mind, experts are still wary of how effective this project will be from a security standpoint.

Amazon announced last week that customers have until June 8 to opt-out of its latest project to keep smart devices connected at all times by using a mesh Wi-Fi system. If you don't want to participate here's how to opt-out on Echo devices and Ring devices.

The program, which was initially announced in September 2019, uses a low-bandwidth shared network that will use part of your home Wi-Fi to connect to Amazon Echo devices, Ring security camera and lights, and Tile Bluetooth trackers. The mesh Wi-Fi is helpful when your device loses connection, at which point it will automatically connect to the neighborhood Wi-Fi over the 900Mhz channel.

According to the company's privacy and security whitepaper, the project was "carefully designed" with privacy protections in mind, specifically on how it collects, stores, and uses metadata.

For example, each user device at registration to the program will have a "unique session key" with the Sidewalk Network Server (SNS) and Application server. Once the device has been identified and is part of the system, the SNS won't be able to identify a user, and makes it "difficult for anyone, including Amazon, to piece together activity history over time."

Information is wrapped in layers of protection, but nothing is 'zero-risk'

Amazon also notes that information for devices to work on the network will travel in, what it calls, a "packet" that will have three layers of encryption protection. The encryption is done to "ensure data is visible only to the intended party."

"This approach to encryption means that Amazon will not be able to interpret the content of commands or messages sent through Sidewalk by third party services or endpoints (applications," Amazon writes.

John Verdi, vice-president of the Future of Privacy Forum, an industry-backed nonprofit based in Washington, D.C., said in an interview what makes this program strong from a privacy front is that only Amazon devices can participate as well as trusted partners. He added that users can't just add a trusted device to the program like an iPhone or a user's personal laptop.

"What that means is that Amazon can limit the physical hardware devices that connect to Amazon manufacturer devices and trusted partners. Not just any device can connect. There's the validation of the device itself," he said.

Verdi also added that the program wouldn't use a lot of data that is typically used for streaming video. Sidewalk would only use up to 500MB of bandwidth a month, a relatively small amount — though not insignificant for people on a fixed-bandwidth connection.

"The Sidewalk mesh network [likely] doesn't use bandwidth that will materially impact the owner's online experience," he said.

Verdi added that there is no "obvious or straightforward way" in which a third party could manipulate the system.

"Now, nothing is zero-risk. There's always a chance that a novel exploit or a novel method performed by a malicious actor could come to light. We don't know. But when you look at the safeguards that are in place, they are serious technical safeguards. They are not trivial," he said. "There's a risk with any product, but having said that, does the risk look well mitigated? Yes."

Whitepaper is full of complicated jargon