Amazon's new Silk browser, which has already raised concerns from security experts and legislators, got a mixed review from a major privacy advocacy group today.
The Electronic Frontier Foundation (EFF) said that discussions with Amazon have allayed some, though not all, of its worries about Silk. "We're happy with a lot of things that we were initially nervous about," said Dan Auerbach, a staff technologist with EFF. "But there are still some pretty serious remaining privacy concerns."
Amazon introduced Silk, the browser that will be built into the Kindle Fire tablet, late last month. The Fire, which is available for pre-order on Amazon for $199, will start shipping in mid-November.
Silk is based on the open source WebKit engine, the same that powers Google's Chrome and Apple's Safari, but takes a different tack than most rivals like Microsoft's Internet Explorer and Mozilla's Firefox. By default, Silk will connect to Amazon's cloud service, which will handle much of the work of composing web pages, pre-rendering and pre-fetching content and squeezing the size of page components. That, said Amazon, will speed up browsing and let low-powered processors like those in the Fire render sites faster than other mobile browsers and devices.
But routing user traffic that way prompted some security and privacy experts to question Amazon's move weeks ago. EFF, which declined to comment in detail last month, today said it had had questions, too, and had asked Amazon numerous questions about Silk's behaviour and what data the giant online retailer will collect.
High on the EFF's list was how Silk will handle encrypted traffic to sites using SSL certificates and the HTTPS protocol.
"They made it very clear that they absolutely aren't 'man-in-the-middling,'" said Auerbach, referring to a term that describes intercepting traffic between a browser and a destination website.
Amazon's director of Silk development, Jon Jenkins, told EFF that "secure web page requests are routed directly from the Kindle Fire to the origin server and do not pass through Amazon's EC2 servers," according to a blog Auerbach published earlier today.
"That was one of the main reasons why we asked [Amazon] questions," said Auerbach, "because their messaging on that was so unclear."
Last month, Amazon had said only, "We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL," a statement that some interpreted to mean that Amazon would use a man-in-the-middle SSL proxy to accelerate users' SSL browsing.
Silk will not accelerate SSL-encrypted browsing, said Auerbach, a win for users who may have been worried about Amazon seeing data used to log into secured sites, including banking, email and shopping websites.
Amazon also assured EFF that it will only log a limited amount of data received from Silk users, including the destination URL, a timestamp and a token that identifies a session. The data is retained for 30 days, Amazon said.
"We repeatedly asked if there was any way to associate the logged information with a particular user or Amazon account, and we were told that there was not, and that Amazon is not in a position to track users," said Auerbach.
Also on the plus side, said Auerbach, is that all traffic from Silk to its servers is encrypted, giving users some additional protection against snoopers when they're browsing from an unencrypted public Wi-Fi hotspot. But EFF didn't like everything it heard from Amazon, or more accurately, didn't hear.
"You're trusting Amazon with an incredible amount of your personal information," Auerbach said, pointing out that the URLs Amazon stores could be used to identify individual users through their search histories, and that the data Amazon does collect could be an attractive target for law enforcement.
Users can disable the cloud acceleration, and thus Amazon's interception of page requests from Silk, by toggling a setting. Amazon assured EFF that the off switch would be visible on the first page of the browser's setting pane.
"It's on by default, which is slightly irksome and something that we're not thrilled about," said Auerbach. EFF would prefer that users had to explicitly opt in to acceleration, rather than have to hunt up a setting to opt out.
And still unclear is how Amazon will explain Silk's new cloud-based browsing and the technology's consequences to consumers, a point others raised last month. "We would hope it would be very visible in the browser's UI [user interface]," said Auerbach, adding that Amazon did not share that information with EFF.
Auerbach declined to offer a recommendation on Silk, saying several times that it is important for users to understand the trade offs they must balance between faster browsing and privacy concerns.
"We encourage Amazon to be as transparent about this as possible, and for users to educate themselves," said Auerbach.