Days earlier than Christmas, on the peak of the last-minute vacation buying rush, an ominous message appeared on Amazon.com. It warned customers who used a preferred browser extension known as Honey that the service, which guarantees to trace costs and low cost codes, was “a safety threat.”
“Honey tracks your non-public buying conduct, collects knowledge like your order historical past and objects saved, and may learn or change any of your knowledge on any web site you go to,” the message learn. “To maintain your knowledge non-public and safe, uninstall this extension instantly.” It was adopted by a hyperlink the place customers may find out how to take action. Screenshots of the warning have been posted to boards and social media by Honey customers, like Ryan Hutchins, an editor at Politico.
Honey isn’t some obscure browser extension from an unknown developer. Based in 2012, the Los Angeles-based startup now boasts over 17 million customers. It finds low cost codes to save lots of customers cash at tens of 1000’s of on-line retailers, together with Amazon. In November, PayPal agreed to buy Honey for an eye-popping $four billion, its largest deal ever. The acquisition was accomplished this week.
Amazon’s warning, which started showing on December 20, confused and angered a lot of Honey’s customers, a few of whom complained on its official social media channels. The browser extension has been suitable with Amazon because it was based, and it’s a important a part of Honey’s attraction. Amazon is among the hottest retailers on the earth and the place the place most Individuals start when on the lookout for a product on-line.
Amazon declined to elucidate why it determined to label Honey a safety threat so all of the sudden final month. “Our purpose is to warn clients about browser extensions that gather private buying knowledge with out their information or consent,” a spokesperson for the corporate mentioned in a press release. They declined to reply follow-up questions in regards to the foundation for that declare.
When individuals set up the Honey extension of their browser, they consent to the corporate’s phrases of use and privateness and safety coverage. Whereas these sorts of agreements will be dense and tough for the common individual to interpret, Honey doesn’t look like amassing client data with out asking, as Amazon implied to WIRED. Its privateness coverage states that it doesn’t “observe your search engine historical past, emails, or your shopping on any web site that isn’t a retail web site.”
“We solely use knowledge in ways in which straight profit Honey members—serving to individuals save time and money—and in methods they might anticipate. Our dedication is clearly spelled out in our privateness and safety coverage,” a spokesperson for Honey advised WIRED.
Honey additionally says that it doesn’t promote the buying knowledge it gleans from clients. The corporate makes cash by charging some retailers a small share of gross sales made with the coupons it finds—however Amazon has by no means been one in every of them.
Amazon’s safety warning final month caught Honey without warning, and the corporate scrambled to reply. It was compelled to briefly disable a number of of Honey’s options—like Droplist, which tracks the value of particular objects—to stop the message from showing to extra individuals. The adjustments weren’t introduced in an official weblog publish or message to customers.
“We’re conscious that Droplist and different Honey options weren’t accessible on Amazon for a time period. We all know these are instruments that folks love and labored shortly to revive the performance. Our extension is just not—and has by no means been—a safety threat and is secure to make use of,” a Honey spokesperson mentioned.
Browser extensions will be extremely invasive, and it’s nonetheless a superb apply to be cautious of any that you simply set up in your browser. Amazon warned Honey customers that the extension can “learn or change any of your knowledge on any web site you go to,” however this can be a primary performance of many extensions—which is why putting in solely ones you possibly can belief is necessary. The truth is, Amazon has a browser extension of its personal known as Amazon Assistant. It additionally tracks costs, identical to Honey, and means that you can evaluate objects on different retailers to these on Amazon. When customers set up Amazon Assistant from the Chrome Retailer, Google additionally notifies them it could actually “learn and alter all of your knowledge on the web sites you go to.”
Honey says it often engages with safety companies to evaluate its protections. Final summer time, researchers from the cybersecurity agency Threat Based mostly Safety documented a vulnerability in Honey’s extension that malicious web sites may exploit to steal consumer data. However the bug didn’t concern Honey’s personal data-collection practices, and it was patched on Firefox and Google Chrome in early 2019, in keeping with Threat Based mostly Safety. “If ever a person or unbiased researcher contacts us a few potential vulnerability, we have interaction with that individual to know and treatment the problem (if there may be one),” the Honey spokesperson mentioned.
There’s nonetheless the chance that Amazon discovered a respectable safety downside with Honey, but it surely received’t say what. WIRED additionally reached out to Google and Firefox, which every host extension shops for his or her well-liked internet browsers, however neither firm may instantly remark.
Amazon is extraordinarily protecting its buying and buyer knowledge. Whereas Honey might not have been a priority when it was solely a small startup, it is now owned by the monetary behemoth PayPal, which was a part of eBay, an Amazon competitor. Amazon nonetheless doesn’t settle for PayPal as a direct fee choice. Within the e-commerce world, there’s no incentive to play good.