Amazon's Silk browser raises privacy, security eyebrows

The Kindle Fire browser's connection to Amazon's servers prompts concerns from experts

Amazon's new Silk browser has raised some eyebrows among privacy and security experts.

"This makes Amazon like your ISP," said Aaron Brauer-Rieke of the Center for Democracy & Technology (CDT), Washington D.C.-based advocacy group. "Every site, everything you do online [through Silk] will go through Amazon. That's a new role for someone like them, and I don't think it's at all clear that Amazon can step into that, or that it will be apparent to consumers."

On Wednesday, Amazon introduced its new Kindle Fire touch-based tablet, and the browser that will run on the Android-powered device: Silk .

The browser, which is based on the open-source WebKit engine -- the same that is the foundation of both Google's Chrome and Apple's Safari -- will by default connect to the company's cloud service, which will handle much of the work of composing Web pages, pre-rendering and pre-fetching content, and squeezing the size of page components. That, claimed Amazon, will speed up browsing and let low-powered processors like those in the Fire render sites faster than other mobile browsers and devices.

To do that, Amazon will maintain an open connection between Silk on the Fire and its Elastic Compute Cloud (EC2) service, and will act as a middle-man proxy on all page requests.

In other words, said Chet Wisniewski, a security researcher for Sophos, "Web connections from your tablet will connect directly to Amazon, rather than the destination web page."

In a short FAQ about Silk, Amazon intimated that it will also handle the encrypted traffic between consumers and websites secured with SSL (secure socket layer), such as log-in pages, other shopping sites and online banking sessions.

"We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL," Amazon said.

Wisniewski interpreted that to mean that Amazon will install a trusted certificate in Silk that lets them provide a man-in-the-middle SSL proxy to accelerate users' SSL browsing.

Brauer-Rieke, a former Web developer who is currently a Fellow at CDT, applauded the technology Amazon's described.

"This sounds like a potentially very smart proxy that uses the cloud service to make intelligent decisions, that can predict what site you'll visit," said Brauer-Rieke. "But there is a proxy under this, and that is something new."

And that's why he has questions.

"I have a lot of questions, not about collecting personal information, because Amazon has said it will not do that, but about aggregate information collection," he said.

In the Silk terms and conditions statement that Amazon has published on its website, it has acknowledged that it will temporarily log URLs for the pages it serves, as well as record the originating IP (Internet protocol) or MAC (media access control) addresses, which would identify the network used by the browser, or the individual Fire device.

"We generally do not keep this information for longer than 30 days," said Amazon.

"Amazon is familiar to consumers as an e-merchant, but [Silk's connection to EC2] is really drastically different," said Brauer-Rieke.

Users will, however, be able to run Silk without the connection to Amazon's servers if they want, the company confirmed in its FAQ.

"It was a great move to include that option," said Brauer-Rieke. "It shows that they understand the privacy implications."

What will be crucial, Brauer-Rieke continued, is how Amazon explains this new technology and its consequences to consumers. "They're going to need to inform people about this fundamental change in their browsing," he said. And how they do that will be where the privacy rubber meets the road.

The Electronic Frontier Foundation (EFF), another digital privacy advocacy organization, declined to comment in detail on Silk, but a spokeswoman acknowledged that the group "think[s] there are some worrisome privacy issues," including those revolving around browsing history.

"We'll definitely be following the developments, as browser history is very sensitive information, including data about your interests, your concerns, and your private life," the EFF spokeswoman said in an email Wednesday.

Brauer-Rieke kept returning to the similarities between Silk's link to Amazon's servers and the traditional role of ISPs.

"This is ultimately like an ISP," he said, "but at the same time, ultimately more ambitious. Will consumers understand that?"

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is .

See more articles by Gregg Keizer .

Read more about browsers in Computerworld's Browsers Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleapplicationsGoogleMobile Apps and Servicessecuritybrowserssoftwareprivacysophos

More about Amazon Web ServicesAppleC2CDTEFFElectronic Frontier FoundationetworkGoogleMicrosoftSophosTechnologyTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts