In case you hadn’t seen, Amazon is buying router maker Eero. And in case you hadn’t heard, people are pretty angry.
Amid a swarm of angry tweets and social media posts, many have taken to reading tea leaves to try to understand what the acquisition means for ordinary privacy-minded folks like you and me. Not many had much love for Amazon on the privacy front. A lot of people like Eero because it wasn’t attached to one of the big tech giants. Now that it’s to be part of Amazon, some are anticipating the worst for their privacy.
The many concerns we’ve seen about the acquisition boil down to one key point: “Amazon shouldn’t have access to all internet traffic.”
Rightfully so! It’s bad enough that Amazon wants to put a listening speaker in every corner of our home. How worried should you be that Amazon flips the switch on Eero and it’s no longer the privacy-minded router it once was?
This calls for a lesson in privacy pragmatism, and one of cautious optimism.
Don’t panic — yet
Nothing will change overnight. The acquisition will take time, and any possible changes will take longer. Eero has an easy-to-read privacy policy, and the company tweeted that it will “continue to protect” customer privacy, noting that Eero “does not track customers’ internet activity and this policy will not change with the acquisition.”
That’s true! Eero doesn’t monitor your internet activity. We scoured the privacy policy, and the most the router collects is some basic information from each device connecting to the router that it already broadcasts, such as device name and its unique networking address. We didn’t see anything beyond boilerplate language for a smart router. And there’s nothing in there that says even vaguely that Eero can or will spy on your internet traffic.
Among the many reasons: it (mostly) couldn’t even if it wanted to.
Most apps and websites now load over HTTPS, and most do because Google has taken to security-shaming sites that don’t. That’s an encrypted connection between your computer and the app or website. Not even your router can see your internet traffic. It’s only in rare cases, like Facebook’s creepy “research” app that forces you to give it “root” access to your device’s network traffic, that companies can snoop on everything you do.
If Eero starts asking you to install root certificates on your devices, then we have a problem.
Fear the internet itself
The reality is that your internet service provider knows more about your internet activity than your router does.
Your internet provider not only processes your internet requests, it routes and directs them. Even when the traffic is HTTPS-encrypted, your internet provider for the most part knows which domains you visit, and when, and with that it can sometimes figure out why. With that information, your internet provider can piece together a timeline of your online life. It’s the reason why HTTPS and using privacy-focused DNS services are so important.
It doesn’t stop there. Once your internet traffic goes past your router, you’re into the big wide world of the world wide web. Your router is the least of your troubles: it’s a jungle of data collection out there.
Props to the spirited gentleman who tweeted that he trusts Google “way more with my privacy than Amazon” for the sole reason that, “Amazon wants to use the data to sell me more stuff vs. Google just wants to serve targeted ads.” Think of that: Amazon wants to sell you products from its own store, but somehow that’s worse than Google selling its profiles of who it thinks you are to advertisers to try to sell you things?
Every time you go online, what’s your first hit? Google. Every time you open a new browser window, it’s Google. Every time you want to type something into the omnibar at the top of your browser, it’s Google. Google knows more about your browsing history than your router does because most people use Google as their one-stop directory for all they need on the internet. Your internet provider may not be able to see past the HTTPS domain that you’re visiting, but Google, for one, tracks which search queries you type, which websites you go to, and even tracks you from site to site with its pervasive ad network.
At least when you buy a birthday present or a sex toy (or both?) from Amazon, that knowledge stays in-house.
Knock knock, it’s Amazon already
If Amazon wanted to track you, it already could.
Everyone seems to forget Amazon’s massive cloud business. Most of the internet these days runs on Amazon Web Services, the company’s dedicated cloud unit that made up all of the company’s operating income in 2017. It’s a cash cow and an infrastructure giant, and its retail prowess is just part of the company’s business.
Think you can escape Amazon? Just look at what happened when Gizmodo’s Kashmir Hill tried to cut out Amazon from her life. She found it “impossible.” Why? Everything seems to rely on Amazon these days: Spotify and Netflix’s back-ends, popular consumer and government websites, and many other major apps and services all rely on Amazon’s cloud. She ended up blocking 23 million IP addresses controlled by Amazon, and still struggled.
In a single week, Hill found 95,260 total attempts by her devices to communicate with Amazon, compared to less than half that for Google at 40,527 requests, and a paltry 36 attempts for Apple. Amazon already knows which sites you go to — because it runs most of them.
So where does that leave me?
Your router is a lump of plastic. And it should stay that way. We can all agree on that.
It’s a natural fear that when “big tech” wades in, it’s going to ruin everything. Especially with Amazon. The company’s track record on transparency is lackluster at best, and downright evasive at its worst. But just because Amazon is coming in doesn’t mean it’ll necessarily become a surveillance machine. Even Google’s own mesh router system, Eero’s direct competitor, promises to “not track the websites you visit or collect the content of any traffic on your network.”
Amazon can’t turn the Eero into a surveillance hub overnight, but that doesn’t mean it won’t try.
All you can do is keep a close eye on the company’s privacy policy. We’ll do it for you. And in the event of a sudden change, we’ll let you know. Just make sure you have an escape plan.