Amazon's Silk browser raises privacy, security eyebrows

The Kindle Fire browser's connection to Amazon's servers prompts concerns from experts

Amazon's new Silk browser has raised some eyebrows among privacy and security experts.

"This makes Amazon like your ISP," said Aaron Brauer-Rieke of the Center for Democracy & Technology (CDT), Washington D.C.-based advocacy group. "Every site, everything you do online [through Silk] will go through Amazon. That's a new role for someone like them, and I don't think it's at all clear that Amazon can step into that, or that it will be apparent to consumers."

On Wednesday, Amazon introduced its new Kindle Fire touch-based tablet, and the browser that will run on the Android-powered device: Silk.

The browser, which is based on the open-source WebKit engine -- the same that is the foundation of both Google's Chrome and Apple's Safari -- will by default connect to the company's cloud service, which will handle much of the work of composing Web pages, pre-rendering and pre-fetching content, and squeezing the size of page components. That, claimed Amazon, will speed up browsing and let low-powered processors like those in the Fire render sites faster than other mobile browsers and devices.

To do that, Amazon will maintain an open connection between Silk on the Fire and its Elastic Compute Cloud (EC2) service, and will act as a middle-man proxy on all page requests.

In other words, said Chet Wisniewski, a security researcher for Sophos, "Web connections from your tablet will connect directly to Amazon, rather than the destination web page."

In a short FAQ about Silk, Amazon intimated that it will also handle the encrypted traffic between consumers and websites secured with SSL (secure socket layer), such as log-in pages, other shopping sites and online banking sessions.

"We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL," Amazon said.

Wisniewski interpreted that to mean that Amazon will install a trusted certificate in Silk that lets them provide a man-in-the-middle SSL proxy to accelerate users' SSL browsing.

Brauer-Rieke, a former Web developer who is currently a Fellow at CDT, applauded the technology Amazon's described.

"This sounds like a potentially very smart proxy that uses the cloud service to make intelligent decisions, that can predict what site you'll visit," said Brauer-Rieke. "But there is a proxy under this, and that is something new."

And that's why he has questions.

"I have a lot of questions, not about collecting personal information, because Amazon has said it will not do that, but about aggregate information collection," he said.

In the Silk terms and conditions statement that Amazon has published on its website, it has acknowledged that it will temporarily log URLs for the pages it serves, as well as record the originating IP (Internet protocol) or MAC (media access control) addresses, which would identify the network used by the browser, or the individual Fire device.

"We generally do not keep this information for longer than 30 days," said Amazon.

"Amazon is familiar to consumers as an e-merchant, but [Silk's connection to EC2] is really drastically different," said Brauer-Rieke.

Users will, however, be able to run Silk without the connection to Amazon's servers if they want, the company confirmed in its FAQ.

"It was a great move to include that option," said Brauer-Rieke. "It shows that they understand the privacy implications."

What will be crucial, Brauer-Rieke continued, is how Amazon explains this new technology and its consequences to consumers. "They're going to need to inform people about this fundamental change in their browsing," he said. And how they do that will be where the privacy rubber meets the road.

The Electronic Frontier Foundation (EFF), another digital privacy advocacy organization, declined to comment in detail on Silk, but a spokeswoman acknowledged that the group "think[s] there are some worrisome privacy issues," including those revolving around browsing history.

"We'll definitely be following the developments, as browser history is very sensitive information, including data about your interests, your concerns, and your private life," the EFF spokeswoman said in an email Wednesday.

Brauer-Rieke kept returning to the similarities between Silk's link to Amazon's servers and the traditional role of ISPs.

"This is ultimately like an ISP," he said, "but at the same time, ultimately more ambitious. Will consumers understand that?"

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies