Amazon took some people aback when they said Honey, a company recently bought by Paypal, was a security risk. That raised some questions. Is the Honey Chrome extension safe? Is Honey a security issue? Let’s dig into it.
While it may be difficult or impossible to pinpoint any specific security issue in Honey, that doesn’t necessarily give it the green light. Regardless of how secure it may be, Honey definitely has privacy concerns, and that’s why security experts have concern about it.
Amazon vs Paypal
Amazon and Paypal don’t exactly compete directly. But for years Paypal was an Ebay subsidiary, and Amazon and Ebay certainly do compete. Paypal remains the preferred, promoted way to pay on Ebay, even though they’re no longer the same company. So there was never any reason for Amazon and Paypal to be friends. With Paypal’s purchase of Honey, though, Paypal went from being something its competitor uses to being something that interferes, to a degree, with Amazon’s business model.
Now, I’m not exactly a fan of Amazon’s recent security track record. I haven’t written much, if anything, about Amazon’s Ring subsidiary here, but I’ve certainly said a few things about it on social media. I just don’t have 600 words to say about Ring. I have three. Don’t buy one. And I’m a bit annoyed that Amazon kicked me out of their affiliates program over a political squabble with my state government, and now that that’s resolved, I can’t get back in.
And what can I say about Paypal? When you buy something on a non-Amazon affiliate link on this blog, the payment comes to me through Paypal. I like it.
So I agree with Paypal, that Amazon’s out of line. Right?
Nope.
Honey’s privacy concerns
My beef with Honey is virtually the same as my beef with Ring. I don’t want every aspect of my life recorded, and those two businesses record two aspects I really don’t want recorded. If I’m thinking about buying something and have the Honey extension loaded, Honey knows about it. For that matter, Honey knows pretty much everything I look at online. The whole reason I switched back to Firefox was because too many companies knew too much about what I do online.
And that’s why, when I asked one of my coworkers about it, he had a pretty severe reaction. He didn’t cite any specific security concern either. He went straight to the privacy.
Honey’s appeal is that it can save you money. You shop like you always do, and Honey scours the web for any coupon code and applies the best code for you automatically. You stand to save a fortune. Retailers don’t like it because those coupon codes are meant to attract new business, not reduce prices for people who already were going to buy your stuff anyway. But marketers love Honey because it allows you to build a detailed profile of every consumer who uses it.
Old vs new advertising
In the old days, you bought ads in magazines and newspapers that people like your target audience were likely to read. Black and Decker probably didn’t advertise in Woman’s Day. Sure, there are women who use power tools, but women who use power tools aren’t Woman’s Day’s core audience. They’re more likely to read Family Handyman. But you don’t know specifically who’s reading Family Handyman, just that it’s a magazine that people who use tools are likely to read.
That’s how advertising used to work. Today, you can target much more surgically via in-browser advertising. That’s why I saw ads for Honda Accords for weeks, starting the very day I started shopping for a car.
But there are limits. With traditional browser advertising, you can track people from site to site to a degree, but the trail runs cold eventually. There are limits to what you’re able to do.
How a browser extension changes that
Honey goes beyond cookies, because part of the way it works is by having full access to every web page you view. It has a privileged place inside your browser that regular cookies can’t get to.
Imagine what you know about me if you’re in my browser. I write about DIY stuff quite a bit, so you already know I own some power tools. But if you’re in my browser, you know (or can infer) where I live because I visit map sites sometimes to get directions. You can save all that too, in case those destination addresses might be valuable. You know which hardware or home improvement store web site(s) I visit. You know which ones are close to me. You probably know my preferred tool brand, or can infer that.
Knowing that, I could start seeing some pretty oddly specific ads. If Home Depot knows I’m a Ryobi guy, they could even serve me ads about a “sale” where the product is a higher price than normal, knowing they’re 10 minutes closer to me than any competing store and that’s what I normally buy anyway. Reverse coupons!
Lowe’s and Menards could either decide not to bother with me, or, knowing it’ll take a pretty significant discount to lure me in, lure me in with a good sale when they need a boost at the end of the quarter.
And since I use Ryobi, maybe I never see ads for other brands of tools, except maybe when I seem to be in the market for a new drill. And then suddenly I’m bombarded with ads for DeWalt and Milwaukee, trying to convert me.
But now we’re crossing a line into manipulation. This could get out of control fast.
So is the Honey Chrome extension safe?
That’s why I’m not going to say the Honey Chrome extension is safe. It’s not what I think a hacker might be able to do with it. It’s what could be done with what Honey is collecting on you.
We used to call what Honey does spyware. The difference is that 20 years ago, all you had to do to get people to install it was to give them some dumb game. Today you’ve gotta save them a few bucks.
I haven’t seen the data that Honey has collected on me, because I don’t use it. I have seen the dossier that Facebook and Twitter built on me, and I’ve even written about the Twitter one. The data is oddly and frighteningly specific, and they see a fraction of what Honey is able to see. For example, they both know what cars I considered buying the last two times I bought cars. The most recent one was almost four years ago.
Imagine visiting your dealer’s web page to book an appointment for an oil change, and clicking on a car while you were there out of curiosity. Then, two nights later, you’re watching The Good Place on your Roku and you see ads for that car in heavy rotation.
How to use the Honey browser extension safely
If you’re hooked on the money you’re saving but don’t want Paypal to know your full browser history and sell oddly specific details to advertisers, there’s a workaround. It’s a little clunky and inconvenient, but it limits the damage.
Don’t install Honey in your main browser. Install it in a secondary browser that you only use when you make a final purchase. Use a different browser, ideally Firefox, for your everyday browsing. Firefox lets you isolate Facebook so it can only see what you do on Facebook, and not on other sites so that’s why I recommend it. Extra privacy. Use it, and install the Facebook container even if you don’t use Facebook. Yes, Facebook gathers information on non-users too.
Shop around in your other browser without Honey, and when you’re ready to buy, launch the other browser that does have Honey, visit the web site, let Honey find your coupon code, then make your purchase and close the browser.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.