Amazon's Kindle Fire Brings Hidden Security, Privacy Risks
|
|
A Kindle Fire showing Ashley Madison, the dating site for married people who want to have affairs, as the most recently viewed content. CREDIT: Laptop magazine |
The Kindle Fire is Amazon's big holiday offering for 2011 — a small Android-based device that gives users convenience and a tablet-like experience at less than $200, far undercutting Apple's $500 iPad. Amazon says it's been selling about a million Fires per week since they went on sale Nov. 14.
But Fire buyers may also have to deal with the fact that Amazon will know quite a lot more about them than they might be comfortable with, and that security on the device is a bit of a mixed bag.
The problem is the way Amazon has set up the Kindle Fire, which is really designed to deliver content (books, magazines, apps, music and video) from Amazon rather than being a full-fledged tablet computer. The company has taken some steps to address user concerns, but some experts say Amazon needs to be more transparent about what it does with user data.
Put this on my tab
The security problem has several components. One is that each Fire is "assigned" to an individual user. The one-click ordering process that is so convenient on a PC can become a double-edged sword if someone else picks up your Fire and starts ordering away.
There is an option to set a password for the device, but it may not be used by people who'd want to share their Fire with family members. So handing your Fire to your kids means a very real possibility of a big bill. (In its Dec. 20 software update, Amazon added an option to cut off Wi-Fi access without a password.)
The problem of poor multi-user management isn't unique to the Kindle Fire. The iPad 2 has similar issues, though it requires a password to access the iTunes App Store itself.
Michael A. Davis, chief executive of Savid Technologies, a computer security firm in Tinley Park, Ill., says the problem with the Kindle Fire stems from whom it is marketed to.
"The demographic is less educated," Davis said, explaining that the iPad, even with Apple's famously simple interface, is geared to a more technophilic user base.
The more we know, the more we can serve you
The other major issue with the Kindle Fire is privacy. Amazon gathers a lot of aggregate user data — it's what the company website uses to suggest books, movies or music for you to buy.
Amazon's browser for the Fire, called Silk, also aggregates data; the browser "learns" a user's preferences and anticipates the next page a user might want. It's similar to what Amazon already does within the confines of the online store when it offers recommendations to users.
Such recommendations may be convenient and helpful, but they raise concerns about just how much data Amazon is gathering and what that data will be used for.
"It's like someone telling me they are recording my phone calls to tell me if there is any trouble on the line," said Chester Wisniewski, senior security adviser with Sophos Labs in Vancouver, British Columbia.
Wisniewski notes that as it treads into dicey territory regarding user privacy, Amazon is running into the same public-relations and political problems that have dogged Google and Apple recently. Amazon is now getting letters from congressmen asking for a full accounting of how Kindle Fire customer data is used.
Less serious, but potentially more embarrassing, is that Amazon didn't entirely think out the "Carousel" feature. On the Kindle Fire's "home" screen, Carousel shows you everything that you've recently viewed, read or downloaded. It's handy if you want to pick up where you left off, but not so good if you don't want the kids to see that Mom and Dad were reading the Kama Sutra or watching an R-rated movie .
Users have posted workarounds that show how to remove some of the items from Carousel, and Amazon's Dec. 20 update added controls to Carousel, but it wasn't clear whether the feature can be turned off completely.
Eye in the sky
Another hiccup came when Amazon said it would be using its Elastic Compute Cloud (EC2), a vast array of linked online servers, to help make Silk run faster.
EC2 basically offloads a lot of the processing that an ordinary browser does at the desktop level. For example, when loading a page, a regular computer might send dozens of requests to the website in order to download all the images or Javascript files.
Mobile devices operate on slower networks and have slower processors, however, so having EC2 act as a virtual machine by doing a lot of Silk's processing theoretically makes webpages load more quickly and easily. (Whether Silk actually does speed up browsing is debatable.)
The privacy issues enter because Silk, by default, sends almost all Web traffic through Amazon's servers and keeps records of what users have been browsing. The Terms and Conditions page for Silk says the servers record the URLs of visited sites for 30 days, but doesn't say exactly what the criteria are for deleting them. (It says "generally" keeps data that long).
When Amazon introduced the Kindle Fire and Silk in September, it also said it would be routing secure Web traffic — such as communications with banking or shopping sites — through its own servers. That implied that Amazon would be recording those sessions as well.
Since then, the company has changed its privacy policy to address user concerns. The Terms and Conditions page now says that Silk "routes secure (SSL) webpage requests directly from the Kindle Fire to origin servers so they do not pass through AWS [Amazon Web Service] servers. As an additional security measure, Amazon Silk encrypts all web traffic between the Kindle Fire and our AWS infrastructure, even where traditional browsers would not encrypt."
On the brighter side, Amazon is using a new networking protocol called SPDY in the Silk browser. Originally developed by Google, SPDY (not an acronym, but an abbreviation of "speedy") offers somewhat better security than straight HTTP. Wisniewski noted that when the Fire is used on an open Wi-Fi network — as will frequently happen — the security against "man in the middle" browser-based attacks is somewhat better thanks to SPDY.
For users who are really concerned about security and privacy, it is possible to take Silk into "off cloud" mode, which largely avoids Amazon's EC2 system.
Workplace woes
Davis noted that the Kindle Fire could cause headaches for corporate IT departments. Like many other mobile devices, the Fire will ask for access to company Wi-Fi networks. But unlike smartphones or even iPads, there's little case to be made that the Kindle Fire, dedicated as it is to Amazon content, can be used for work-related purposes.
The Kindle Fire's appeal lies in price and convenience. Apple's iPads are not as common as they might be because they're expensive. The Fire could be a game-changer if the low price prompts lots of people to buy them. But for office IT managers, dealing with a few iPads is one thing; having every single person in an office bring in his or her Kindle is another.
Many companies, Davis said, enforce security by trying to get control of the devices on the network — for example, by allowing only certain approved devices such as company laptops. But if lots of people begin carrying Kindle Fires, it might be easiest to simply allow everyone onto the office Wi-Fi for Internet access while barring them from internal networks.
With the Kindle Fire, "you aren't likely to need wireless access [to the company server] in the office," Davis said. (The Fire is not set up to interface with Microsoft Exchange email servers.)
Amazon has taken some steps to make the Kindle Fire more secure, and it has even managed to partly satisfy the privacy watchdog Electronic Frontier Foundation. Yet the sheer amount of information about browsing habits that the company will be collecting from Silk increases the likelihood that "anonymized" data can be traced back to individual users.
It's worth bearing in mind that the Kindle Fire isn't supposed to be a multipurpose tool the way an iPad is. Rather, the Fire is a device for selling content from Amazon. That means Amazon's first priority will be that functionality, not serving users' privacy or security needs.
- 10 Things You Didn't Know Could Be Hacked
- Smartphones and Privacy: Are We All Overreacting?
- 2011 Best Tablets Review
