Amazon reiterated its intention not to track Kindle Fire customers' Web browsing habits even though the new Silk browser routes all traffic through its cloud servers.
In a letter to Congress, Amazon assured lawmakers that its
Silk Web browser used by the Kindle Fire tablet doesn't violate user privacy.
The Silk browser will only aggregate browsing activity
across all users, and browsing activity will not be linked to individual Kindle
Fire users, Paul Misener, vice president for global public policy at Amazon,
wrote in a two-page
response to questions from Rep. Edward Markey (D-Mass.). Markey's office
released a copy of the Nov. 3 letter on the Congressman's Website on Nov. 29.
Markey's Oct.
14 letter to Jeff Bezos, CEO of Amazon, asked for clarification on how the Silk
Web browser on the Kindle Fire tablet would protect user privacy while routing
all user traffic through Amazon Web Services. User privacy needs to be
protected and safeguards are in place so that consumers know how their personal
information is being used, Markey said. The Kindle Fire, announced in
September, started shipping mid-November.
"Amazon's responses to my inquiries do not provide
enough detail about how the company intends to use customer information, beyond
acknowledging that the company uses this valuable information," Markey
said, adding that he plans to ask additional questions.
To speed up the user's Web browsing experience on the Kindle
Fire, Amazon has implemented the SPDY protocol to route all requests through
its cloud infrastructure, which caches various parts of Websites, pre-renders
and pre-fetches content, and performs some server-side processing. The Silk
browser can be switched to "off-cloud" mode to behave like a regular
Web browser with Web requests hitting target servers directly, but the redirect
through Amazon servers is the default behavior.
With Web requests from Kindle Fire users routing through
Amazon, the online retail giant would have access to a treasure trove of data
on users' Internet activity. Misener likened the process to the type of Web
acceleration performed by "Internet service providers and similar services
that enable access to the Web."
Markey was concerned about what kind of information was
being cached and what Amazon was going to do with the information. "Consumers
may buy the new Kindle Fire to read '1984', but they may not realize that the
tablet's 'Big Browser' may be watching their every keystroke when they are
online," Markey said in the initial letter.
Amazon will cache Web content on its servers only if the
Website owner has enabled caching on the site through caching headers and only
the content that has been explicitly identified, the company said in its
letter. All encrypted SSL traffic will continue to go directly from the tablet
to the Website servers and not pass through Amazon's infrastructure, Misener
wrote, quoting the Silk
browser FAQ almost verbatim. This means private data, such as login
information for banking Websites, will not be visible to Amazon.
Misener also wrote that Silk encrypts all Web traffic
between the Fire and the Amazon Web Services infrastructure, "even where
traditional browsers would not encrypt."
"This means you actually gain some privacy and security
when using unencrypted public WiFi at the airport, cafe or hotel,"
Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked
Security blog.
Web addresses will be logged for 30 days and will not be
associated with specific customers, Amazon wrote in the letter. Amazon had
previously told the Electronic
Frontier Foundation the logs will contain only the URL, a timestamp and a
session identifier token. This will give Amazon only aggregate information
about Internet browsing habits, but the company did not specify how it will be
used beyond saying it had no plans to sell or rent the data.
"Customer information is an important part of our
business and an important driver of customer experience and future
invention," Amazon said.
The
Silk Terms and Conditions said the Kindle Fire would send crash reports to
Amazon with identifiers such as IP and MAC addresses. Misener said these
reports are not associated with the aggregate browsing history. Amazon has
previously assured the EFF there was no way to associate the logged information
with a particular user or account.
Amazon is collecting a "massive amount of
information" and it has a responsibility to be transparent, Markey said.
Markey, co-chairman of the bipartisan Congressional Privacy
Caucus and a senior member of the Energy and Commerce Committee, earlier this
year introduced the "Do Not Track Kids Act" bill in the House of
Representatives to protect the online privacy of children and teens.