Just one day after its unveiling, Silk, the cloud-based web browser on Amazon’s Kindle Fire, is already under fire from security experts and privacy advocates for endangering the confidentiality of user data.
For many techies, the coolest part of the Fire isn’t the device itself, but the software, specifically Amazon Silk. The web browser uses the ultra-high speed connectivity of Amazon’s Elastic Cloud Computing (EC2) service to make page load times significantly shorter. When a user navigates to a webpage, Silk offloads a portion of the work to Amazon’s servers to speed up load time – which means that the user will connect to Amazon instead of directly to a website.
Amazon itself explains this in its Amazon Silk Terms & Conditions: “The content of web pages you visit using Amazon Silk passes through our servers and may be cached to improve performance on subsequent page loads.”
The problem? That also gives Amazon a complete record of your Web browsing history. Those same Terms & Conditions also reveal that, along with your browsing history, Amazon will log IP and MAC addresses, which it can store for up to 30 days.
What’s worse, even secure HTTPS connections, like online banking, will go through Amazon. Theoretically, there should be no interruption in the chain between you and any secure HTTPS site you visit. But when you use Silk on the cloud (the default mode on the Fire), Amazon will be a middleman even in these so-called secure connections.
Based on what we know so far, the security and privacy implications are frightening. Under the Patriot Act, Amazon is subject to government requests for information about any individual user who is under investigation. The Patriot Act has relatively low due process restrictions. Under the controversial law, enacted after the September 11 attacks, the government can even prevent Amazon from notifying targeted individuals that their data is being turned over to authorities.
Of course, government requests aside, the Silk browser still reveals a treasure trove of user data for Amazon to use as it wishes.
For every user who browses on Silk, Amazon will have access to his or her IP or MAC addresses, as well as a thorough account of each user’s browsing history and profile.
“Amazon Silk also temporarily logs web addresses known as uniform resource locators (‘URLs’) for the web pages it serves and certain identifiers, such as IP or MAC addresses, to troubleshoot and diagnose Amazon Silk technical issues,” Amazon writes in its Terms & Conditions. “We generally do not keep this information for longer than 30 days.”
“Every page they see, every link they follow, every click they make, every ad they see is going to be intermediated by one of the largest server farms on the planet,” writes one concerned blogger. “People who cringe at the data-mining implications of the Facebook Timeline ought to be just floored by the magnitude of Amazon’s opportunity here. Amazon now has what every storefront lusts for: the knowledge of what other stores your customers are shopping in and what prices they’re being offered there.”
But the revelations are enough to make many security experts wary. For now, potential Fire users should heed two pieces of advice: Amazon Silk’s default mode is cloud-based browsing, but the browser will come with an off-cloud mode, so people have the option of not sharing sensitive data. If you use the Fire, turn off cloud browsing.
“While most of us roll our eyes when confronted with long privacy policies and pages of legalese, privacy risks lurk around every corner. If you buy a Fire device, think carefully as to whether your privacy is worth trading for a few milliseconds faster web surfing experience.”
Husna Haq is a Monitor correspondent.