Kindle Spying
Jul 8th, 2009 by sherri
Josh Wright recently purchased a new Kindle DX. Surprisingly, when he downloaded one of his previously purchased books onto the new device, it offered to open the book to the page where he had left off on his old Kindle. In other words, Amazon tracked not just which books he was reading, but specifically which page of each book he was on.
Josh (author of SANS’ excellent Wireless Ethical Hacking class) eloquently describes his encounter and privacy concerns below:
“When I started my DX for the first time, I saw an entry “Archived Items”, which was all the books I had previously purchased. When I downloaded my copy of “ZigBee Wireless Networks and Transceivers” on the DX, I was surprised to see it open on the page where I had left off on my previous Kindle.
“Thinking it through, it makes sense: Amazon knew the e-book market would expand to multiple readers, and they added the functionality to synchronize to the last page read, apparently with a firmware update to the Kindle 1st gen right before the 2nd gen was released. I recently grabbed the Kindle app from the Apple iPhone store, and it prompted me to sync to the last page read on the identified device (see screenshot).
“My problem with this situation is this: how is Amazon using this information? Knowing what page I’m currently reading on my e-book could be useful marketing for them, but a significant privacy concern for me. Amazon is able to determine what pages I’ve read and which I’ve skipped (useful feedback for a publisher, should Amazon decide to sell to that market). They can determine the pages I’ve re-read (such as the hacking U3 drives section in my Kindle copy of Hacking Exposed), which could potentially be used against me as evidence in a court of law, for example. They could even monitor how much time I spend reading, and when (useful information for an employer who might want to know when their employees are slacking off and not working).
“I’d like to find out what Amazon’s privacy policy is about this data, and what they are retaining long-term. Do they record only the last page read for each of my books, purging this information after a period of time, or is it more nefarious?”
Josh Wright is the author of SANS 617 – Wireless Ethical Hacking.
Sherri Davidoff
PGP-signed text: 2009-07-08 (current)
Another concern is the possibility of this information being subpoenaed and used against you in court. The court may find it interesting that the night of an alleged crime you were skimming through the chapter on “how to get away with stuff without getting caught.”
The amount of marketing interest in our behaviors is staggering. All of what Josh explains is certainly feasible. And while it does not involve sensitive information, it does involve my ability to live without someone watching over my shoulder or essentially having a camera over me. The more plugged in (and more electronic/virtual) we become, the more easily we become monitored.
Then again, someone could bring up web surfing and the various detailed logging that may accrue. Is it bad that you might see me refresh this page a few times to read follow-up comments?
This sort of stuff is why, while I still use Google as my main search engine and email, I have zero loyalty or trust in them anymore. Mining this data and behavior is $$ and being public, they *will* capitalize any time they can get away with it. Same with Amazon or Apple or…
@Nathan: As long as the information is obtained through a subpoena or legal search, how is it different than checking your house for meatspace books that have bookmarks in the chapter on “how to get away with stuff without getting caught”?
@mogradin: One difference is that you can’t dragnet everybody’s houses looking for particular books and bookmarks. Personally I’m not worried about subpoenas so much as that information getting sucked into some sort of Total-Information-Awareness-style project. It’s only a matter of time.
This is an advertised feature of the Kindle: when you have multiple Kindles attached to one account, you can not only share books between them, you can also share how far into the book you have gotten.
There are conditions where this gets pushed up to the central servers without your attention (I think it’s when you remove an item from the Kindle), but there is also a menu entry to push this data up so that it’s available to all other Kindles.
[...] Check out Sherri's post on this topic on philosecurity.com. [...]
I’m a big privacy advocate, and my primary concern is how Amazon is going to profit from my use of my Kindles. I realize this is a useful feature for people with multiple e-readers, but it’s not clear to me what Amazon’s policy is on the use of the reading behavior of their customers.
I’ve posted some additional thoughts on willhackforsushi.com including a presentation I gave earlier this year about how wireless use introduces new privacy threats.
-Josh
Does anyone else think this is taking paranoia a little too far? As security professionals we are trained to see any opportunity for privacy loss, but now we are talking about something so commonplace, the humble bookmark, as if it is a loss to our freedoms.
Quite frankly, I applaud Amazon for having this feature, so you don’t lose the page. And I’m still waiting for an example where the reading position in a particular book, or a bookmark, is used in court. I’m sure the presence of certain books in a personal library can be used, but a bookmark? Seriously?
Um, Noah: Let’s put on our Thinking Caps, shall we?
If Amazon has your bookmark, they know not only what you read, and where you left off, they can track your reading habits PAGE by PAGE, minute by minute, day by day. They know *when* you read what you read. They know what sections you skip, and which sections you read twice.
How comfortable would you be if some anonymous stranger was physically standing in your living room, watching over your shoulder, observing you and taking notes as you spent your evening reading a book? Or more precisely, hanging around your books, waiting for you to pick one up, in order to record your reading behaviors?
It is exactly no different. Personally I’d be creeped out at a minimum. More than likely I’d ask the stranger to leave, and call the police if he refused. I don’t own a kindle, and won’t be getting one. There are enough strangers recording my behaviors already.
/jonathan
Oh, and I’m perfectly capable of remembering what page I’m on in any book I’m reading, all by myself (I’m a Big Boy Now).
/jonathan
Rather interesting. I have re-read it a few times for this purpose, to remember it. Thanks for the interesting article. Waiting for a trackback.
How about a less extreme example:
You are sitting in a book-store reading a book. Each book you buy is recorded by the store.
Each page you turn is recorded by the in-store CCTV.
So what?
Show me a real-life example where the seller (not some ‘anonymous stranger’) knowing what page you are up to can be used against you. Sure, what books you read could be used against you, but if you just bought the book from me, maybe I already have an idea what you read?
For starters, the library where I check out books, certainly has a list of books that I have checked out. Whether I read them or not is beside the point. Perhaps I check out a book detailing an airplane hijacking technique. Some time later I buy a ticket to fly to Atlanta. Does TSA now have my name and wonder if I was just reading for entertainment or information? Keep your Kindle. I still like holding the book in my lap.
I enjoy the syncing feature. Don’t like technology, read paper books, period.