In a letter to Congress, Amazon assured lawmakers that its Silk Web browser used by the Kindle Fire tablet doesn't violate user privacy.
The Silk browser will only aggregate browsing activity across all users and browsing activity would not be linked to individual Kindle fire users, Paul Misener, vice president for global public policy at Amazon, wrote in a two-page response to questions from Rep. Edward Markey (D-Mass). Markey's office released the copy of the Nov. 3 letter on the Congressman's Website on Nov. 29.
Markey's Oct. 14 letter to Jeff Bezos, CEO of Amazon, asked for clarification on how the Silk Web browser on the Kindle Fire tablet would protect user privacy while routing all user traffic through Amazon Web Services. User privacy needs to be protected and safeguards are in place so that consumers know how their personal information is being used, Markey said. The Kindle Fire, announced in September, started shipping mid-November.
"Amazon's responses to my inquiries do not provide enough detail about how the company intends to use customer information, beyond acknowledging that the company uses this valuable information," Markey said, adding that he plans to ask additional questions.
To speed up the user's Web browsing experience on the Kindle Fire, Amazon has implemented the SPDY protocol to route all requests through its cloud infrastructure, which caches various parts of Websites, pre-renders and pre-fetches content, and performs some server-side processing. The Silk browser can be switched to "off-cloud" mode to behave like a regular Web browser with Web requests hitting target servers directly, but the redirect through Amazon servers is the default behavior.
With Web requests from Kindle Fire users routing through Amazon, the online retail giant would have access to a treasure trove of data on users' Internet activity. Misener likened the process to the type of Web acceleration performed by "Internet service providers and similar services that enable access to the Web."
Markey was concerned about what kind of information was being cached and what Amazon was going to do with the information. "Consumers may buy the new Kindle Fire to read -1984', but they may not realize that the tablet's -Big Browser' may be watching their every keystroke when they are online," Markey said in the initial letter.
Amazon will cache Web content on its servers only if the Website owner has enabled caching on the site through caching headers and only the content that has been explicitly identified, the company said in its letter. All encrypted SSL traffic will continue to go directly from the tablet to the Website servers and not pass through Amazon's infrastructure, Misener wrote, quoting the Silk browser FAQ almost verbatim. This means private data, such as login information into banking Websites, will not be visible to Amazon.
Misener also wrote that Silk encrypts all Web traffic between the Fire and the Amazon Web Services infrastructure, "even where traditional browsers would not encrypt."
"This means you actually gain some privacy and security when using unencrypted public WiFi at the airport, cafe or hotel," wrote Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked Security blog.
Web addresses will be logged for 30 days and will not be associated with specific customers, Amazon wrote in the letter. Amazon had previously told the Electronic Frontier Foundation the logs will contain only the URL, a timestamp and a session identifier token. This will give Amazon only aggregate information about Internet browsing habits, but the company did not specify how it will be used beyond saying it had no plans to sell or rent the data.
"Customer information is an important part of our business and an important driver of customer experience and future invention," Amazon said.
The Silk Terms and Conditions said the Kindle Fire would send crash reports to Amazon with identifiers such as IP and MAC addresses. Misener said these reports are not associated with the aggregate browsing history. Amazon has previously assured the EFF there was no way to associate the logged information with a particular user or account.
Amazon is collecting a "massive amount of information" and it has a responsibility to be transparent, Markey said.
Markey, co-chairman of the bipartisan Congressional Privacy Caucus and a senior member of the Energy and Commerce Committee, introduced the "Do Not Track Kids Act" bill in the House of Representatives to protect online privacy of children and teens earlier this year.