Amazon Silk offers users a choice between fast browsing and privacy, not both

Summary: Privacy issues relating to Amazon's Silk service.

TOPICS: Legal, Amazon, Security

One of the most interesting announcements to come out of Amazon's event yesterday wasn't new hardware but a software/cloud feature - Amazon Silk.

Amazon Silk is an implementation of Amazon's Elastic Compute Cloud (EC2) that allows the company's vast cloud presence to act as an intelligent proxy server for the Kindle Fire Android tablet. EC2 will be used to fetch (and pre-fetch) web pages and compress objects such as images for delivery to the tablet, minimizing bandwidth usage, reducing latency and improving speed.

Here's a video explaining what Amazon Silk is.

Good idea ... but ...

The problem is that everything you do will go through Amazon's EC2 cloud, and Amazon will have a record of everything you do on the web. Here's what Amazon's Silk T&Cs say:

Amazon Silk also temporarily logs web addresses - known as uniform resource locators ("URLs") - for the web pages it serves and certain identifiers, such as IP or MAC addresses, to troubleshoot and diagnose Amazon Silk technical issues. We generally do not keep this information for longer than 30 days.

But what about secure SSL/HTTPS connections? The T&Cs say nothing but there is this in the Silk FAQ:

What about handling secure (https) connections?

We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://siteaddress.com).

Amazon Silk will facilitate a direct connection between your device and that site. Any security provided by these particular sites to their users would still exist.

What does this mean? According to Chester Wisniewski, Senior Security Advisor at Sophos Canada, it means that Amazon will install a trusted certificate in the Silk browser, allowing it to provide a man-in-the-middle (MITM) SSL proxy to accelerate SSL browsing too. This means that Amazon will have a record of these communications too (although not the content, as this would still be encrypted).
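An added example (not from the article or from Amazon): because a proxy whose certificate the browser trusts raises no warning, one way to tell whether a TLS session reaches the site itself is to compare the certificate the client was shown with a fingerprint and issuer recorded over a direct connection. The host name, CA names and byte strings are constructed; the dict layout follows what Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import hashlib

def issuer_cn(cert):
    """Issuer common name from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def classify(host, cert, der, pins):
    """Compare the certificate a client was shown with a pin taken over a direct path."""
    pin = pins.get(host)
    if pin is None:
        return "unpinned"                 # nothing recorded to compare against
    if hashlib.sha256(der).hexdigest() == pin["sha256"]:
        return "end-to-end"               # same leaf certificate the site itself serves
    if issuer_cn(cert) == pin["issuer"]:
        return "reissued"                 # new leaf from the same CA, e.g. a renewal
    return "terminated-elsewhere"         # other leaf and issuer: another party ends the session

def sample_cert(issuer):
    """Constructed stand-in for getpeercert() output (hypothetical names)."""
    return {"subject": ((("commonName", "bank.example"),),),
            "issuer": ((("organizationName", issuer + " Org"),),
                       (("commonName", issuer),))}

# Constructed sample data: placeholders for getpeercert(binary_form=True) bytes.
ORIGIN_DER = b"constructed DER: leaf served by bank.example"
RENEWED_DER = b"constructed DER: renewed leaf, same public CA"
PROXY_DER = b"constructed DER: leaf minted by an accelerating proxy"

PINS = {"bank.example": {"sha256": hashlib.sha256(ORIGIN_DER).hexdigest(),
                         "issuer": "Example Public CA"}}

def demo():
    """Classify three observations of the same host plus one unpinned host."""
    public, proxy = sample_cert("Example Public CA"), sample_cert("Example Proxy CA")
    return [classify("bank.example", public, ORIGIN_DER, PINS),
            classify("bank.example", public, RENEWED_DER, PINS),
            classify("bank.example", proxy, PROXY_DER, PINS),
            classify("shop.example", public, ORIGIN_DER, PINS)]

if __name__ == "__main__":
    print(demo())
```
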


There's more being sent to Amazon. First are crash logs, but you do get the choice not to send these. Another is search queries. All text you enter in Amazon Silk's address bar is sent to a default search engine. The default search engine is chosen by Amazon Silk, and may change. You can, however, choose to use a different search provider as your default search engine. The privacy policy of the selected default search engine applies to information sent to it.

Don't want Amazon's SkyNet EC2 watching your every move? Your only choice is to switch to basic or "off-cloud" mode. This from the T&Cs:

You can also choose to operate Amazon Silk in basic or "off-cloud" mode. Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers. As such, it does not take advantage of Amazon's cloud computing services to speed-up web content delivery.

So, if you get your hands on a Kindle Fire, will you be using Silk, or switching to 'off-cloud' mode?


Talkback

26 comments
  • UK precedent

    There was a very similar service in the UK - BT introduced PHORM technology without users' permission, tracking users' preferences and offering up targeted ads - but it was abandoned, indeed may have been declared unlawful if it had not been withdrawn.

    Be interesting to compare the regulations around the world ...
    jacksonjohn
    • I knew

      @Adrian: I knew you were coming: the Apple knight attacking any device could be "confused" with a tablet, or such device's features.
      markbn
  • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

    I am sorry but I am in the technology and know they do not need to do it this way - we are being lulled here. Everything is about marketing ... they want your dollar :(

    I really hope this bombs and someone else comes up with a secure connection alternative.

    Just in case you don't understand - their support is probably in India/China and they will have access to these logs.
    skwalker59
    • And they'll be safe if kept in the U.S....

      ...considering the Patriot Act, Sarbanes-Oxley, HIPAA, etc. etc.

      Keep dreaming....
      cosuna
      • They have to have a warrant to get the data

        @cosuna
        Patriot Act requires that a federal warrant be granted before gaining access to the data. And before anyone starts complaining about how "permissive" the permission might be...the government has had the ability *for decades* to use warrants to gain access to your private financial records, phone call histories, real estate purchases, etc., via a warrant. Patriot Act just opened up access to more records & record formats.
        spdragoo
  • Yes but everything you transmit already passes through someone

    If you don't want someone to see what you're transmitting, then use SSL. This is no different than someone arbitrarily deciding they want to sniff your network traffic and they happen to work for your ISP. In essence what you're saying is, someone at Amazon has a greater interest in looking at your network traffic than say Comcast (or pick your ISP)... which frankly is nonsense.

    -M
    betelgeuse68
    • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

      @betelgeuse68 I agree, the issue isn't security more privacy ... do you want Amazon knowing what you're looking at?
      Adrian Kingsley-Hughes
      • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

        @Adrian Kingsley-Hughes
        that is fairly visible to anyone. Your ISP, proxy services. It isn't that hard to see what people visit.
        tiderulz
      • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

        @tiderulz
        Well, your ISP may not record and keep your banking and other sensitive information for a long time. ISP just routes the information to and fro, but here Amazon logs it and keeps it for 30 days and works as a man in the middle.
        Ram U
      • And Amazon *can* see your HTTPS content, since its Silk engine builds the

        @Rama.NET: ... page that it sends to the tablet (or PC, shortly). The data which is SSLed is only secured on its way to Amazon, and from Amazon to the user. However, *the data is decrypted on Amazon* (or otherwise their engine would not be able to build/draw the "secured" internet page).

        So Amazon's solution provides neither privacy nor security -- you cannot even begin to compare it to ISPs, which never see your secured data decrypted (only you see it raw on your device).
        DDERSSS
      • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

        @DeRSSS
        +1. I totally agree with you.
        Ram U
    • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

      @betelgeuse68 I'm pretty sure it's different because the ISP can see where you go, but Amazon can see where you go and what you see. The silk browser trusts Amazon EC2's SSL Certificate as a man-in-the-middle. As I understand it, that means they can read everything you send and everything you see, passwords and all. Your ISP can't do that, because your desktop browser doesn't trust your ISP, so it would warn you about the SSL certificate. That's what Amazon means when they say they will "establish a secure connection on your behalf". I securely send them my banking password, and, on my behalf, they securely send it to my bank. I wouldn't trust a corporation with that kind of knowledge.
      mrmikeprogrammer
      • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

        @mrmikeprogrammer

        Alright so don't do your banking on it. While the iPad doesn't have this issue since there's no man in the middle when I browse, it's never once crossed my mind to work against my bank with it.

        This whole debate is a "tempest in a teapot". If people think they're anonymous, they're naive. It's the world we live in now. If people want to be mostly anonymous, they can go live in the middle of nowhere "off the grid".

        -M
        betelgeuse68
      • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

        @betelgeuse68
        How many of the users would know that and how many would effectively use alternative browsers on tablets? Not many.
        Ram U
    • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

      SSL is meaningless. Most likely, the site you're on is doing HTTPS inspection anyhow. PII data and payload, you hope is left encrypted or not recorded, but there's certainly no guarantee. Anyhow, Flash cookies, Google Search, etc. - just assume someone is mining what you do online.
      beevee
    • @betelgeuse68 .. i'm with you on this

      .. ZDNet have a bunch of hypocritical bloggers that will on one day say "we need to protect ourselves from prying eyes and malware". The very next day they'll spout on about how great Google Chrome .. or the iPhone .. or any other tech' app or device is (..and that, incidentally, often doubles as a stealth tracking / RDP / reporting mechanism).

      If we're not discussing the iPhone's ability to track position or Chrome's spyware capabilities or svchost.exe's phone-home abilities via RPC and the like, then it's plain to see it's futile and completely useless trying to pretend that the average citizen can completely hide their whereabouts, activities - or frankly, anything at all they do online. All your online activities are subject to channelling via an ISP and (by proxy): consequently, those communications will pass through the wider, BGP-based world that interconnects us through different portions of the 'www'.

      ZDNet - and pretty much anyone else that tries to say we can hide our transmissions - is selling false hope and simply misleading the reading public.

      So it's like this, get used to the reality that if you use the Internet, you will definitely leave an indelible (proverbial) 'footprint' that can and often is tracked by one source or another. So Jane & Joe Average, if you dislike that reality, you could always yank the cable out from modem / router and disconnect entirely ... just sayin'.
      thx-1138_
  • Re: Amazon can see your passwords

    You said that when using the cloud "content ... would still be encrypted," but I'm pretty sure a man-in-the-middle SSL proxy can read the content. With a MITM SSL Proxy, there is a secure connection between the client and the proxy and a secure connection between the proxy and the server, but in the middle, the proxy decrypts and re-encrypts the whole message. Otherwise, they couldn't do any of the fancy pre-fetching and image compression speed-up stuff because they couldn't see the page content. If I'm right, then Amazon could read, for example, your online banking password, which is a much bigger issue than just tracking where you go.
    mrmikeprogrammer
  • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

    Isn't that exactly how Opera Mini works?
    aep528
  • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

    Doesn't the Opera Mini web browser do something similar?
    dsf3g
  • RE: Amazon Silk offers users a choice between fast browsing and privacy, not both

    I guess it comes down to whose motives you are willing to trust your online persona with, Google, Amazon, Apple, and so on. Our online life and our real life are merging more and more everyday. We need to ask ourselves "why" these entities exist and what we are getting in return for creating a relationship with them. Is it worthwhile? Is there value? What am I giving up?
    CowLauncher