Publishing Perspectives has a guest post discussing BookShout, a startup that currently works in conjunction with three of the Big Six publishers (it’s in discussions with the other three), plus Wiley, to allow importation of your Amazon and Barnes & Noble e-book purchases into its own e-reader apps. It does this by having you give it your Amazon and Barnes & Noble log-in IDs and passwords. It then logs in on your behalf and slurps down your e-book purchase records.
I first saw this mentioned a couple of weeks ago on FutureBook, where Baldur Bjarnason pointed out what a “phenomenally bad idea” this is:
Amazon is a payment processor. Every single Amazon account is backed by one or more credit cards. Handing [your Amazon account and password] over to any third party service is like handing your credit card over to a stranger and letting them take it into a back room where you can’t see what they’re doing with it.
Now, for all I know, BookShout may have a secure solution where no human eyes ever see your information—perhaps it’s used automatically and discarded, as with credit card numbers for Web purchases. Certainly if I were creating such a system, that’s how I would do it. But can you be sure of that? And even if BookShout is perfectly safe, how can you know that the next such outfit that comes along will be? Training people to be blasé about handing over their log-in information to anything isn’t a great idea, let alone when it involves their personal payment information.
I also don’t think it’s a terribly good idea in this particular instance. I’m pretty sure that handing your log-in information over to a third party for this sort of use has to be some sort of violation of your terms of service, and we’ve already seen how quick Amazon is to punish such violations. And while I wouldn’t think Amazon would want to court the sort of public outcry that would come from disabling dozens of users’ accounts over something like this, I wouldn’t have thought they’d have wanted the outcry from zotting hundreds of unauthorized copies of Orwell, either. Who can know how Jeff Bezos thinks?
* * *
If one wanted to get the benefit of that “slurping of data” without the risk of one’s credit history being slobbered over, surely there’s a simple solution: delete your credit card data on Amazon, change your password, hand the data over to BookShout, let it import your purchase data, then change your Amazon password again and add your credit card back in.
Or am I missing something?
Do we know that the password is being handed over to BookShout? I’ve written a utility (not yet released) for authors that pulls their sales stats in from Amazon, B&N, Smashwords, etc., for a consolidated look at their performance across all channels. This of course requires their usernames and passwords; however, these are never transmitted to me. The app itself logs in directly from the author’s computer and gathers the information it needs. I don’t need nor do I want to know anyone’s private credentials.
It remains to be seen whether I can communicate this effectively to authors. I don’t know why they should believe me unless they know how to sniff their own network traffic and verify that no servers are contacted besides those that should be. Nonetheless, such a utility is too useful to keep to myself, so I’ll put it out there anyway and hope it can benefit someone.
If BookShout is transmitting user credentials to its own servers and logging in from there, that’s very bad indeed. If Amazon or BN see a number of connections to numerous accounts originating from a single or a few IP addresses, they might reasonably assume the accounts had been hacked and disable access to them.
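The check the comment above describes (confirming that a locally run utility contacts only the servers it should) can be scripted once you have a list of the hosts a process connected to. This is an added example, not part of the comment or of any tool mentioned on this page; the log format, the process name `statsapp` and the allowlist are assumptions, and the sample lines are constructed.

```python
# Added example: audit the hosts a process contacted against an allowlist.
# The log format, process name and host names are constructed for illustration.

# Domains the utility is expected to contact (assumption for this example).
ALLOWED_DOMAINS = ("amazon.com", "barnesandnoble.com", "smashwords.com")

# Constructed sample: "timestamp process destination-host port", one line per
# outbound connection, as might be exported from a DNS or TLS SNI capture.
SAMPLE_LOG = """\
2024-01-01T10:00:01 statsapp kdp.amazon.com 443
2024-01-01T10:00:03 statsapp www.barnesandnoble.com 443
2024-01-01T10:00:04 statsapp collector.example.net 443
2024-01-01T10:00:05 statsapp notamazon.com 443
2024-01-01T10:00:06 statsapp AMAZON.COM. 443
2024-01-01T10:00:07 browser news.example.org 443
2024-01-01T10:00:08 statsapp amazon.com.example.net 80
"""

def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host is an allowed domain or a subdomain of one.

    Matching is done on a label boundary, so 'notamazon.com' and
    'amazon.com.example.net' do not pass as 'amazon.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def unexpected_destinations(log_text, process):
    """Return sorted (host, port) pairs the process contacted outside the allowlist."""
    found = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != process:
            continue  # skip malformed lines and other processes
        host, port = parts[2].lower().rstrip("."), int(parts[3])
        if not host_allowed(host):
            found.add((host, port))
    return sorted(found)

if __name__ == "__main__":
    for host, port in unexpected_destinations(SAMPLE_LOG, "statsapp"):
        print(f"unexpected destination: {host}:{port}")
```

An empty result only covers the connections present in the capture, so the capture has to span the whole login and import run.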
BookShout’s site is “currently unavailable”. Interesting…