Amazon Assistant lets Amazon track your every move on the web (opens in new tab)

> Rules are not applied equally. The playing field is NOT level.

That's true, always has been.

> big names just need to pull the right strings or call the right people for a free pass

I'd be curious if that's the case.

For the most part in B2B, "the rules" generally only apply when the risk of a client doesn't out weight the benefit of that client. T&C and Contracts are always negotiable, it's just a matter of if it's worth it to both parties.

Amazon has more street cred than say, me, as a developer. And Amazon has a lot more to lose from their Add-On doing a bunch of evil things that I would if I decided to do evil things with mine. Amazon is big enough to assume liability for both itself and Mozilla if something goes wrong, I can't.

The AMO team used to review every submitted add-on. They no longer do, now it just says “This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.” on virtually every add-on. They still enforce this policy, but usually only when someone reports an add-on violating it. I reported this add-on, we’ll see now when/how they take action.

Note: I’m the author of this article and a former AMO reviewer.

Being Amazon, updating it to "Every break you take" feels more appropriated.

Some smartass developer at Amazon is going to make it console.log that.

Browser extensions being enabled for all webpages by default is bad practice for security and privacy. Often the user only wants to use the extension on specific webpages. For example, if I have a video downloader extension, chances are that I only want to use that extension on the page with the specific video I want to download.

Extensions should be disabled by default upon install. If the user wants to use the extension, the user should be able to click on the extension to active it for this specific page for one time only. None of the major browsers are capable of this (so far as I'm aware), so I always have to remember to disable an extension when I'm done using it.

Most of its functionality is meant to work on other websites. There is probably little reason to install it for amazon.com only.

Note: I’m the author of this article.

If the dominant web browser wasn't an ad company, browser extensions would not exist in the way they do today. Because any responsible security engineer would nuke browser extensions from orbit, but currently everyone who isn't an ad company has to maintain feature parity with the ad company for competitive reasons.

They are by far the most risky thing one could possibly put on a PC. They essentially remove any alleged benefit to HTTPS/encryption or anything of the sort, because they live inside your web browser and have post-decryption access, often to every website you visit and everything you enter into them.

Do not use browser extensions. Ask your IT person to restrict the ability to install browser extensions.

I’m not familiar with Chrome/Firefox extensions, but for Safari Web Extensions you can indeed restrict extensions. [0]

Edit: Looks like this feature is present in Chrome/Firefox extensions as well but for all these platforms (Safari included I think), this needs to be implemented in the code itself[1]

[0] https://developer.apple.com/documentation/safariservices/saf...

[1] https://stackoverflow.com/questions/10504239/limit-chrome-ex...

My first thought was BonziBuddy: a free "assistant" program that was monetized by capturing and selling your personal data and displaying ads directly.

The Google toolbar specifically had a privacy settings popup with a big fat red "PLEASE ACTUALLY READ THIS" notice, explaining what it does, and letting you choose between a mode that only worked locally (unless you were making a search or explicitly triggering some other online feature of course) vs. one that sent some data to Google with each visit (with PageRank display being tied to sending the data).

Users weren't pushed to choose one or the other. Both buttons had the same size and color. It was VERY clear that the developers wanted users to make a meaningful, free choice vs. "just click approve".

The benefit for Google was that installing the toolbar made it easier for you to do Google searches, driving usage up.

Edit:

https://searchengineland.com/turning-the-tables-on-the-googl... has a history of these screens, going from the above-mentioned exemplary "please read" screen to an increasing amount of dark patterns.

Unfortunately, that’s only your word. The way this system is designed, nobody will notice if Amazon chooses to be less obsessive about it. Or if their systems are hacked. Are you certain that these web services are secure? I’m not (one obvious vulnerability has been reported). If someone compromises one of these services, the results will be disastrous.

Note: I am the author of the article above.

I work on a shopping assistant type browser extension and I am very confident that if I proposed an architecture and implementation such as the author identifies here I would be turned down immediately: having good intentions around privacy is one thing but deliberately designing your application in a way that allows to bypass almost entirely the review process required on submission to the store is something that should be answered for.

> protecting customer privacy

Does "privacy" mean Amazon will spy on their customers, but won't share that data further?

I remember, years ago, installing the amazon app on my phone.

And one day I was browsing a web page in safari and boom - it auto-launched the amazon app and opened it there?

That's when I learned about deep linking, where apps can snoop on ios website activity (in safari, in messages, in mail, etc).

Except he gives technical proof how this is done.

No, it's not possible to see what Amazon does with this information but it's clear they can do way too much. And, they can change the behaviour at any moment without the user getting notified within these existing wide permissions. At the very least it's very poor design.

Not only did you miss the point of the article, you must have missed where in these very comments the author replies to someone else who just barely skimmed the article.

I will copy/paste it for you.

"You could also read the article before commenting. It’s one thing when an extension could do something but its code can be inspected to verify that it doesn’t. It’s an entirely different thing if it delegates its privileges to a web service that could do anything and that nobody can inspect.

Note: I’m the author of this article. "

You could also read the article before commenting. It’s one thing when an extension could do something but its code can be inspected to verify that it doesn’t. It’s an entirely different thing if it delegates its privileges to a web service that could do anything and that nobody can inspect.

Note: I’m the author of this article.

This is a greater issue with the extension/app ecosystem.

This morning I wanted to find a android app which would help me time exercises, specifically planking.

It should be simple, set up countdown times for front and each side with 5 second breaks in between, playing a tone to let me know when I can move on or I am done with the exercise.

I looked through at least the top 20 apps on the play store and all of them require at least full network access and to run at startup. Many were so invasive as to request location and to be able to record audio and take pictures.

Being able to monetize these apps is an important thing for developers but it is becoming a real problem I do not see getting any better soon.

> before finding any evidence for it

Did you see the screenshot with the Amazon ad popup obscuring Google ads?