[HN Gopher] Amazon Assistant lets Amazon track your every move o...
___________________________________________________________________
Amazon Assistant lets Amazon track your every move on the web
Author : staktrace
Score : 92 points
Date : 2021-03-08 13:06 UTC (9 hours ago)
(HTM) web link (palant.info)
(TXT) w3m dump (palant.info)
| drewda wrote:
| Wasn't this the shtick of the "toolbar" plugins offered by AOL,
| Yahoo, and even Google at one point over the years?
| space_ghost wrote:
| My first thought was BonziBuddy: a free "assistant" program
| that was monetized by capturing and selling your personal data
| and displaying ads directly.
| KoftaBob wrote:
| "Still, I was astonished to discover that Amazon built the
| perfect machinery to let them track any Amazon Assistant user or
| all of them: what they view and for how long, what they search on
| the web, what accounts they are logged into and more.
|
| Amazon could also mess with the web experience at will and for
| example hijack competitors' web shops.
|
| Mind you, I'm not saying that Amazon is currently doing any of
| this."
|
| This goes for any browser extension you install if you don't
| limit which websites it's allowed to read data from.
|
| In both the title and beginning paragraph, the author essentially
| describes the privacy risks that would apply to any browser
| extension, but words it in a way that implies Amazon is actively
| abusing those privacy holes, before finding any evidence for it.
|
| I really wish people would stop giving views to blatantly
| manipulative and slimy clickbait like this.
| tantalor wrote:
| > before finding any evidence for it
|
| Did you see the screenshot with the Amazon ad popup obscuring
| Google ads?
| palant wrote:
| That's actually legitimate functionality of this extension.
| :-)
|
| Note: I am the author of this article.
| tantalor wrote:
| Covering up your competitors ads with your own sounds a lot
| like "mess with the web experience at will and for example
| hijack competitors' web shops".
|
| Disclaimer: I work for Google Shopping, but not the ads
| part :)
| palant wrote:
| The whole extension is all about "let's see when
| customers go to competition and try to bring them back."
| That's rather shady but it's exactly the advertised
| functionality. And I've already got the first comment on
| the blog essentially saying "I don't care what else they
| do, this extension gives great suggestions and I love
| that." :-)
| palant wrote:
| You could also read the article before commenting. It's one
| thing when an extension could do something but its code can be
| inspected to verify that it doesn't. It's an entirely different
| thing if it delegates its privileges to a web service that
| could do anything and that nobody can inspect.
|
| Note: I'm the author of this article.
| KoftaBob wrote:
| I stand corrected, I must not have read the article carefully
| enough, my apologies!
| scubazealous wrote:
| This is a greater issue with the extension/app ecosystem.
|
| This morning I wanted to find an Android app which would help me
| time exercises, specifically planking.
|
| It should be simple, set up countdown times for front and each
| side with 5 second breaks in between, playing a tone to let me
| know when I can move on or I am done with the exercise.
|
| I looked through at least the top 20 apps on the Play Store and
| all of them require at least full network access and to run at
| startup. Many were so invasive as to request location and to be
| able to record audio and take pictures.
|
| Being able to monetize these apps is an important thing for
| developers but it is becoming a real problem I do not see
| getting any better soon.
| bobthepanda wrote:
| Stronglifts has a nice app that I don't remember being overly
| intrusive. I just wish it were easier to use for other
| lifting programs.
| antattack wrote:
| Seems to me that browser extensions need better access control.
| Why isn't it possible to restrict it to just amazon.com itself,
| for example?
| spideymans wrote:
| Browser extensions being enabled for all webpages by default is
| bad practice for security and privacy. Often the user only
| wants to use the extension on _specific_ webpages. For example,
| if I have a video downloader extension, chances are that I only
| want to use that extension on the page with the specific video
| I want to download.
|
| Extensions should be disabled by default upon install. If the
| user wants to use the extension, the user should be able to
| click on the extension to activate it for this specific page for
| one time only. None of the major browsers are capable of this
| (so far as I'm aware), so I always have to remember to disable
| an extension when I'm done using it.
| navanchauhan wrote:
| I'm not familiar with Chrome/Firefox extensions, but for Safari
| Web Extensions you can indeed restrict extensions. [0]
|
| Edit: Looks like this feature is present in Chrome/Firefox
| extensions as well but for all these platforms (Safari included
| I think), this needs to be implemented in the code itself[1]
|
| [0]
| https://developer.apple.com/documentation/safariservices/saf...
|
| [1] https://stackoverflow.com/questions/10504239/limit-chrome-ex...
| fosefx wrote:
| It's at the core of the WebExtensions APIs permissions
| system:
|
| https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
|
| WE are implemented both by Chromium and Firefox (with
| nuances)
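
An added example, not part of the thread: a small audit of the host access a WebExtension manifest declares, which is where the restriction discussed in the comments above is expressed. The two manifests, the extension names and the helper function names are constructed for illustration.

```javascript
// Added example: flag WebExtension manifests that request access to every site.
// Both manifests below are constructed, not taken from a real extension.

// A match pattern is "<all_urls>" or scheme://host/path; a bare "*" host means all hosts.
function isBroadHostPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|[a-z]+):\/\/([^/]*)\/.*$/.exec(pattern);
  return m !== null && m[2] === "*";
}

// Collect every place a manifest can declare host access and report the broad entries.
function auditManifest(manifest) {
  const sources = {
    permissions: manifest.permissions || [],           // MV2 mixes API names and hosts
    host_permissions: manifest.host_permissions || [], // MV3 keeps hosts separate
  };
  (manifest.content_scripts || []).forEach((cs, i) => {
    sources[`content_scripts[${i}].matches`] = cs.matches || [];
  });
  const findings = [];
  for (const [where, patterns] of Object.entries(sources)) {
    for (const p of patterns) {
      if (isBroadHostPattern(p)) findings.push(`${where}: ${p}`);
    }
  }
  return findings;
}

// Constructed sample: access to all sites, content script injected everywhere.
const broadManifest = {
  manifest_version: 2,
  name: "Constructed shopping helper",
  permissions: ["tabs", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// Constructed sample: one site, plus activeTab for access granted on a user click.
const scopedManifest = {
  manifest_version: 3,
  name: "Constructed shopping helper (scoped)",
  permissions: ["activeTab", "storage"],
  host_permissions: ["https://*.example.com/*"],
};

console.log(auditManifest(broadManifest));
console.log(auditManifest(scopedManifest));
```

A clean result only describes what the manifest declares; it says nothing about scripts an extension loads from a remote service at run time.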
| palant wrote:
| Most of its functionality is meant to work on other websites.
| There is probably little reason to install it for amazon.com
| only.
|
| Note: I'm the author of this article.
| pkaye wrote:
| The assistant should play the tune of "Every Breath You Take" by
| The Police when it's doing this.
| kevinsundar wrote:
| This is clickbait. The author's argument is that the extension has
| enough privileges to track you, not that it actually does.
|
| For example, uBlock Origin has similar privileges but I doubt the
| author would bat an eye.
|
| EDIT: I take back my comment :)
| ziddoap wrote:
| Not only did you miss the point of the article, you must have
| missed where in these very comments the author replies to
| someone else who just barely skimmed the article.
|
| I will copy/paste it for you.
|
| "You could also read the article before commenting. It's one
| thing when an extension could do something but its code can be
| inspected to verify that it doesn't. It's an entirely different
| thing if it delegates its privileges to a web service that
| could do anything and that nobody can inspect.
|
| Note: I'm the author of this article. "
| cronix wrote:
| > It's an entirely different thing if it delegates its
| privileges to a web service that could do anything and that
| nobody can inspect.
|
| Would it be more accurate then to say it _potentially_ lets
| Amazon track you? Without the word "potentially," or
| similar, it makes it sound like they are in fact doing it
| when you just said it "could."
| ziddoap wrote:
| To be clear, I'm not the author so I cannot answer on their
| behalf.
|
| In my opinion though, "could" is so close to "potentially"
| in definition that it seems rather pedantic to hinge the
| entire article and its conclusions on that single choice of
| word.
| palant wrote:
| If Amazon does track some users of their extension right
| now, we wouldn't know. It's a web service, nobody can tell
| whether it behaves the same for everyone. It has all the
| privileges, and I can look into what it does with these
| privileges in _my_ case, but I cannot tell whether it works
| the same for you.
|
| Note: I am the author of this article.
| kevinsundar wrote:
| All right, upon closer reading you are correct. I seem to have
| missed the point of the article. There are some good points
| that the author brings up.
|
| However I still think the title could be better. There are
| lots of things that applications "can" do. I put more trust
| into random applications that run on my system.
| palant wrote:
| Yes, you put considerable trust into applications running
| on your system. But I hope that you don't just install
| random applications. You probably choose only vendors where
| you can reasonably assume that they don't want to accept
| the backlash of having shipped a malicious application.
|
| Now shipping a malicious application is always a risk. This
| application release is evidence of misbehavior, should
| someone choose to analyze it. This risk is almost non-
| existent with dynamic web applications. It would have to be
| the one targeted user who analyzes megabytes of code.
|
| To sum up: there is a good reason why websites are
| sandboxed and don't get any access to your system.
|
| Note: I am the author of this article.
| TedDoesntTalk wrote:
| > Putting these JavaScript files into the extension would have
| been possible with almost no code changes
|
| The AMO team at Firefox used to outright ban addons with remote
| script injection. I guess it matters who you are -- like on the
| Apple App Store, big names just need to pull the right strings or
| call the right people for a free pass. Rules are not applied
| equally. The playing field is NOT level.
___________________________________________________________________
(page generated 2021-03-08 23:01 UTC)