Six Lines

▶ The Privacy Implications of Amazon’s Silk Browser

Posted by Aaron Massey on 01 Oct 2011.

This week Amazon introduced their latest creation: the [Kindle Fire][1]. One of the features of the Kindle Fire is a new kind of web browser called Silk. Here’s a video explaining how Silk works: [Edit 09 March 2016: It appears that this video is now marked private.]

Silk effectively splits a traditional web browser into a front end that’s running on the local machine and a back end that’s running in the cloud. Chris Espinoza describes it thusly:

The “split browser” notion is that Amazon will use its EC2 back end to pre-cache user web browsing, using its fat back-end pipes to grab all the web content at once so the lightweight Fire-based browser has to only download one simple stream from Amazon’s servers. But what this means is that Amazon will capture and control every Web transaction performed by Fire users. Every page they see, every link they follow, every click they make, every ad they see is going to be intermediated by one of the largest server farms on the planet. People who cringe at the data-mining implications of the Facebook Timeline ought to be just floored by the magnitude of Amazon’s opportunity here. Amazon now has what every storefront lusts for: the knowledge of what other stores your customers are shopping in and what prices they’re being offered there. What’s more, Amazon is getting this not by expensive, proactive scraping the Web, like Google has to do; they’re getting it passively by offering a simple caching service, and letting Fire users do the hard work of crawling the Web. In essence the Fire user base is Amazon’s Mechanical Turk, scraping the Web for free and providing Amazon with the most valuable cache of user behavior in existence.

From the technical descriptions of Silk that I’ve seen, this is pretty accurate. Espinoza later updated his post to say that he doesn’t believe this is a privacy concern:

(9/28 8:45 PST Removed “privacy and.” The piece is about data mining and aggregation, there’s no argument about privacy concerns at all, but people are reading that into it.)

I disagree. Only someone who doesn’t understand the current state of privacy law in the United States would make such a statement. Essentially, by splitting the browser such that all traffic flows through Amazon, they are operating as an ISP. ISPs have numerous privacy concerns. For example, what if the government asked Amazon to provide records of every user who visited a particular website? Currently, this request would fall under something called Third Party Doctrine. Tim Lee describes it as…

the legal principle that, in effect, you lose your Fourth Amendment rights when you relinquish information to a third party. The doctrine has become increasingly important with the rise of modern technology because we now entrust a host of private data — including our email, cell phone calling data, credit card transactions, and more — to private companies, and the third party doctrine would seem to suggest that Fourth Amendment protections would not extend to such information.

The government doesn’t need a warrant to obtain records disclosed to a third party. If it sounds incredible to you that the government wouldn’t need a warrant to obtain something as sensitive as everything you’ve done online with your new Kindle Fire, understand that the government can access your banking records without a warrant because your bank is a “third party” to the data. ISPs are third parties to Internet traffic, and Amazon would be a third party for all Internet traffic on your Kindle Fire. (For more information, please read Jim Harper’s description of how this situation came to be and what we could do about it.)

Om Malik, prompted by Espinoza’s post, got this response from an Amazon spokesperson:

Is Amazon able to peer into its customer usage behavior and use that to offer services based on that data. For instance if you see thousands of your customers going to buy SeeVees shoes from say a store like James Perse at a certain price, can you guys use that data to specifically tailor the Amazon store and offer up deals on those very same pair of shoes?” – the answer is no, as you can see in our terms and conditions, URLs are used to troubleshoot and diagnose Amazon Silk technical issues. Moreover, you can also choose to operate Amazon Silk in basic or “off-cloud” mode. Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers. As a reminder, usage data is collected anonymously and stored in aggregate, and no personal identifiable information is stored. It’s also possible to completely turn off the split-browsing mode and use Amazon Silk like a conventional Web browser.

Notice that Amazon says they can’t “peer into customer usage behavior and use that to offer services based on that data.” If this reminds you of Dropbox’s original privacy claim that “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password,” then you’re not alone. Christopher Soghoian showed that Dropbox could access your files. There are no technical limitations preventing Amazon from using customer usage behavior for whatever they want, just as there were no technical limitations preventing Dropbox from accessing your files. Amazon’s Silk browser will know what websites you visit and what you do on those websites. Amazon will have access to this data. What proof will users have that Amazon isn’t doing whatever they want with that data? Amazon’s terms and conditions basically amount to trust, but “trust me” isn’t enough. This data is too important: emails, financial records, medical records, relationships with friends, and everything else people do on the Internet.

Even if all your browsing data was anonymized prior to being sent to Amazon, anonymous data collection can still violate privacy principles. Bruce Schneier wrote a great article for Wired about anonymized data sets that were publicly released back in 2007. He made this point, which I think is particularly relevant for Amazon’s new Silk browser:

Like everything else in security, anonymity systems shouldn’t be fielded before being subjected to adversarial attacks. We all know that it’s folly to implement a cryptographic system before it’s rigorously attacked; why should we expect anonymity systems to be any different? And, like everything else in security, anonymity is a trade-off. There are benefits, and there are corresponding risks.

Security advocates don’t accept encryption algorithms that aren’t publicly available and haven’t gone through rigorous testing. Privacy advocates shouldn’t accept anonymization algorithms that aren’t publicly available and haven’t gone through rigorous testing. Arvind Narayanan and Vitaly Shmatikov demonstrated this well with the Netflix datasets.

Amazon also said that users could optionally cause Silk to operate as a conventional browser that wouldn’t use Amazon’s cloud to speed up the experience, but this option isn’t enabled by default. Defaults matter. Human psychology demonstrates this in numerous venues. Defaults are also particularly important for technology. The FTC has begun recommending a privacy by design approach, originally described by Ontarioʼs Information and Privacy Commissioner Anne Cavoukia, for technology companies like Amazon. Think tanks concur with this assessment. For example, the Center for Democracy and Technology said the following (emphasis mine):

The FTC should release a set of recommendations outlining the role that Privacy by Design can play in implementing a new set of comprehensive FIPs. These recommendations should emphasize the role of privacy impact assessments, privacy threshold analyses, the integration of PETs into product development, end-to-end lifecycle protection for data, and privacy as the default or as a clear, easy-to-understand alternative.

If Silk is set to the split-browser, cloud-based mode by default, then Amazon isn’t actively practicing privacy by design. No other browser operates like Silk. [Edit: This isn’t true. As Charlie pointed out in the comments, Opera Mobile and Opera Mini use a split-browser architecture.] This is new and different, and it has important implications for privacy. Therefore, the privacy by design approach would be to operate as a conventional browser by default and provide users with an option to enable the split-browser, cloud-based mode if they wanted. However, it doesn’t appear as if that’s Amazon’s intention based on their comments to Om Malik. Amazon has created a new technology with their Silk browser, and they should be applauded for building something new and different. Their Silk browser may speed up the web dramatically for Kindle Fire users, but users should know that there are tradeoffs involved to achieve that speed. In this case, the tradeoff is privacy. If the speed increase is substantial enough, then there are probably many people who would make that tradeoff when using their Kindle Fire. They could do their banking, emailing, or other sensitive surfing at a computer using their preferred security and privacy settings on a desktop browser. However, Amazon isn’t practicing privacy by design, and their terms and conditions are almost deceptive. Amazon should clearly state the technical safeguards put in place to ensure that user data is only used for trouble shooting, and the Silk browser should operate conventionally by default.