Amazon Kindle Fire’s Silk browser sounds privacy alarm bells


Amazon announced the newest addition to their Kindle line today named Fire. The Fire is a tablet based on the Android software stack with a customized Amazon interface layered over the top.

The focus appears to be on a very rich media consumption experience, similar to the iPad.

The real news isn’t just another Android tablet though, it’s the new mobile browser Amazon introduced called Silk. Amazon has crafted Silk to both increase the speed of mobile browsing and increase battery life.

How does it work? Silk relies on the Amazon Elastic Compute Cloud (EC2) to behave as an intelligent proxy. The concept is to use the power of EC2 to retrieve web pages and pre-render any objects (or reduce their size) in a way that lowers the burden placed on the tablet.

All web connections from your tablet will connect directly to Amazon, rather than the destination web page. Amazon will keep this connection between your Kindle Fire and EC2 open indefinitely while you are actively surfing, reducing the latency and connection times to retrieve web pages.

Hopefully you can start to see the problem here. All of your web surfing habits will transit Amazon’s cloud. If you think that Google AdWords and Facebook are watching you, this service is guaranteed to have a record of *everything* you do on the web.

In fact, Amazon Silk’s terms and conditions note that URLs, IP addresses and MAC addresses will be logged and can be retained for 30 days.

The Silk FAQ also makes confusing statements regarding HTTPS connections. It states:

What about handling secure (https) connections?
We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g.

Amazon Silk will facilitate a direct connection between your device and that site. Any security provided by these particular sites to their users would still exist.

It sounds as if Amazon will install a trusted certificate in the Silk browser allowing them to provide a man-in-the-middle (MITM) SSL proxy to accelerate your SSL browsing as well.

As Amazon is a US-based company, this would make it possible for a US court order to compel the interception and recording of your secure communications.
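One way to check whether a proxy in the path is terminating HTTPS, as speculated above, is to compare the certificate the browser shows for a site with the one a direct connection presents. The Python below is an added example, not code from the original article or from Amazon; the function names, the pin set and the sample byte strings are constructed for illustration, and it assumes the certificate shown in the browser has been exported as DER.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Leaf certificate presented on a direct connection (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(observed_der: bytes, direct_der: bytes,
             known_pins: frozenset = frozenset()) -> str:
    """Compare the certificate the proxied browser shows with the direct one.

    known_pins holds fingerprints of other certificates the site legitimately
    serves (large sites rotate certificates and use several front ends), so a
    plain mismatch is not reported as interception when the pin set explains it.
    """
    seen = fingerprint(observed_der)
    if seen == fingerprint(direct_der):
        return "same-certificate"
    if seen in known_pins:
        return "known-alternate"
    return "possible-interception"


# Constructed byte strings standing in for DER certificates (not real certs).
SITE_CERT_A = b"constructed-der:site.example:serial-01"
SITE_CERT_B = b"constructed-der:site.example:serial-02"
PROXY_MINTED = b"constructed-der:site.example:issued-by-proxy-ca"
PINS = frozenset({fingerprint(SITE_CERT_A), fingerprint(SITE_CERT_B)})

if __name__ == "__main__":
    for label, cert in [("A", SITE_CERT_A), ("B", SITE_CERT_B), ("proxy", PROXY_MINTED)]:
        print(label, classify(cert, SITE_CERT_A, PINS))
```

With network access, `fetch_leaf_der` supplies the `direct_der` argument from a machine that does not route through the proxy.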

Fortunately Amazon will support an “off-cloud” mode for Silk. This lets users opt out of the benefits of using EC2 while retaining the traditional privacy benefits of connecting directly to remote web sites.

While most of us roll our eyes when confronted with long privacy policies and pages of legalese, privacy risks lurk around every corner. If you buy a Fire device, think carefully about whether your privacy is worth trading for a web surfing experience that is a few milliseconds faster.

Update: A spokesperson for Amazon contacted me this morning to clarify their position. They stated “usage data is collected anonymously and stored in aggregate, and no personal identifiable information is stored.”

This does not prevent Amazon from capturing your traffic if ordered to do so, but suggests that the logging they perform may not be useful for invading someone’s privacy.