“We only use data in ways that directly benefit Honey members—helping people save money and time—and in ways they would expect. Our commitment is clearly spelled out in our privacy and security policy,” a spokesperson for Honey told WIRED.
Honey also says that it doesn’t sell the shopping data it gleans from customers. The company makes money by charging some retailers a small percentage of sales made with the coupons it finds—but Amazon has never been one of them.
Amazon’s security warning last month caught Honey by surprise, and the company scrambled to respond. It was forced to temporarily disable several of Honey’s features—like Droplist, which tracks the price of specific items—to prevent the message from appearing to more people. The changes weren’t announced in an official blog post or message to users.
“We’re aware that Droplist and other Honey features were not available on Amazon for a period of time. We know these are tools that people love and worked quickly to restore the functionality. Our extension is not—and has never been—a security risk and is safe to use,” a Honey spokesperson said.
Browser extensions can be incredibly invasive, and it’s still a good practice to be wary of any that you install in your browser. Amazon warned Honey users that the extension can “read or change any of your data on any website you visit,” but this is a basic functionality of many extensions—which is why installing only ones you can trust is important. In fact, Amazon has a browser extension of its own called Amazon Assistant. It also tracks prices, just like Honey, and allows you to compare items on other retailers to those on Amazon. When users install Amazon Assistant from the Chrome Store, Google also notifies them it can “read and change all your data on the websites you visit.”
Honey says it regularly engages with security firms to assess its protections. Last summer, researchers from the cybersecurity firm Risk Based Security documented a vulnerability in Honey’s extension that malicious websites could exploit to steal user information. But the bug didn’t concern Honey’s own data-collection practices, and it was patched on Firefox and Google Chrome in early 2019, according to Risk Based Security. “If ever an individual or independent researcher contacts us about a potential vulnerability, we engage with that person to understand and remedy the issue (if there is one),” the Honey spokesperson said.
There’s still the possibility that Amazon found a legitimate security problem with Honey, but it won’t say what. WIRED also reached out to Google and Firefox, which each host extension stores for their popular web browsers, but neither company could immediately comment.
Amazon is extremely protective of its shopping and customer data. While Honey may not have been a concern when it was only a small startup, it’s now owned by the financial behemoth PayPal, which used to be part of eBay, an Amazon competitor. Amazon still doesn’t accept PayPal as a direct payment option. In the ecommerce world, there’s no incentive to play nice.
More Great WIRED Stories