Amazon's Silk browser raises privacy, security eyebrows
- 30 September, 2011 06:39
Amazon's new Silk browser has raised some eyebrows among privacy and security experts.
"This makes Amazon like your ISP," said Aaron Brauer-Rieke of the Center for Democracy & Technology (CDT), Washington D.C.-based advocacy group. "Every site, everything you do online [through Silk] will go through Amazon. That's a new role for someone like them, and I don't think it's at all clear that Amazon can step into that, or that it will be apparent to consumers."
On Wednesday, Amazon introduced its new Kindle Fire touch-based tablet, and the browser that will run on the Android-powered device: Silk .
The browser, which is based on the open-source WebKit engine -- the same that is the foundation of both Google's Chrome and Apple's Safari -- will by default connect to the company's cloud service, which will handle much of the work of composing Web pages, pre-rendering and pre-fetching content, and squeezing the size of page components. That, claimed Amazon, will speed up browsing and let low-powered processors like those in the Fire render sites faster than other mobile browsers and devices.
To do that, Amazon will maintain an open connection between Silk on the Fire and its Elastic Compute Cloud (EC2) service, and will act as a middle-man proxy on all page requests.
In other words, said Chet Wisniewski, a security researcher for Sophos, "Web connections from your tablet will connect directly to Amazon, rather than the destination web page."
In a short FAQ about Silk, Amazon intimated that it will also handle the encrypted traffic between consumers and websites secured with SSL (secure socket layer), such as log-in pages, other shopping sites and online banking sessions.
"We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL," Amazon said.
Wisniewski interpreted that to mean that Amazon will install a trusted certificate in Silk that lets them provide a man-in-the-middle SSL proxy to accelerate users' SSL browsing.
Brauer-Rieke, a former Web developer who is currently a Fellow at CDT, applauded the technology Amazon's described.
"This sounds like a potentially very smart proxy that uses the cloud service to make intelligent decisions, that can predict what site you'll visit," said Brauer-Rieke. "But there is a proxy under this, and that is something new."
And that's why he has questions.
"I have a lot of questions, not about collecting personal information, because Amazon has said it will not do that, but about aggregate information collection," he said.
In the Silk terms and conditions statement that Amazon has published on its website, it has acknowledged that it will temporarily log URLs for the pages it serves, as well as record the originating IP (Internet protocol) or MAC (media access control) addresses, which would identify the network used by the browser, or the individual Fire device.
"We generally do not keep this information for longer than 30 days," said Amazon.
"Amazon is familiar to consumers as an e-merchant, but [Silk's connection to EC2] is really drastically different," said Brauer-Rieke.
Users will, however, be able to run Silk without the connection to Amazon's servers if they want, the company confirmed in its FAQ.
"It was a great move to include that option," said Brauer-Rieke. "It shows that they understand the privacy implications."
What will be crucial, Brauer-Rieke continued, is how Amazon explains this new technology and its consequences to consumers. "They're going to need to inform people about this fundamental change in their browsing," he said. And how they do that will be where the privacy rubber meets the road.
The Electronic Frontier Foundation (EFF), another digital privacy advocacy organization, declined to comment in detail on Silk, but a spokeswoman acknowledged that the group "think[s] there are some worrisome privacy issues," including those revolving around browsing history.
"We'll definitely be following the developments, as browser history is very sensitive information, including data about your interests, your concerns, and your private life," the EFF spokeswoman said in an email Wednesday.
Brauer-Rieke kept returning to the similarities between Silk's link to Amazon's servers and the traditional role of ISPs.
"This is ultimately like an ISP," he said, "but at the same time, ultimately more ambitious. Will consumers understand that?"
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com .
Read more about browsers in Computerworld's Browsers Topic Center.
- World Quality Report - The State of Quality 2012
- Redbook - WebSphere Application Server V8.5 Concepts, Planning, and Design Guide
- Tranzqual Improves User Experience for Mobile Workforce
- Making Smarter Manufacturing Decisions With Business Intelligence
- Benefits of Deploying Microsoft Exchange Server 2010 on Dell Compellent with Data Progression
Philip's 'smart' lightbulbs hit Australia
Bitcoin finding its feet at first Silicon Valley conference
Australia lags Mongolia in Internet speeds
Salesforce.com to buy Clipboard, shutting down service
Investor tips on how to propel a startup