top | item 37556395

netsroht | 2 years ago

Being logged in while making search queries in search engines poses significant privacy risks. The searches can paint a comprehensive profile of the user, and these data often remain stored for extended periods. There's a chance this information might be shared with third parties. Coupled with other user data, these logged-in searches can pave the way for targeted advertising, sophisticated predictive analysis, and potential exploitation by governments or malicious entities. In the event of data breaches, the user's logged-in search histories can be exposed. Furthermore, users typically don't have clear insight into how their data is utilized when logged in.

I hope Kagi introduces an anonymous access feature. For instance, it could incorporate zero-knowledge proofs (ZKPs). These are cryptographic techniques where one party (the prover) can confirm to another (the verifier) that a claim is accurate without disclosing any additional information. This is especially beneficial for authentication scenarios where it's essential to avoid sharing extra details.

To implement zero-knowledge authentication for quota API access:

1. Token Creation:

- Each month, users receive a token tied to their identity and quota.

- The token can be split for use on multiple devices using cryptographic methods.

2. API Access:

- Clients present a zero-knowledge proof (ZKP) to confirm they have a valid token and haven't used up their quota. The server verifies this without seeing the exact details.

3. Client Synchronization:

- Each client tracks its quota usage.

- Synchronization can be peer-to-peer or through a centralized, encrypted server to prevent double spending of the quota.

4. Quota Renewal:

- Monthly, old tokens expire, and new tokens are issued.

Challenges:

- ZKPs can be resource-intensive.

- Token security is crucial; there should be a way to handle lost or compromised tokens.

- The system should prevent quota "double-spending" across devices.

- If a centralized server is used for synchronization, it should operate with encrypted data.

This way Kagi would only know who their customers are but not what kind of searches they make.

freediver|2 years ago

Kagi already provides a way to search anonymously via a random email address (we do not really verify it or need it for anything) and Bitcoin/Lightning payment [1].

Since you are interested in cryptography, there is a discussion on Kagi feedback site along the same lines as your idea, about possible ways to achieve this without the need for cryptocurrency. [2]

[1] https://blog.kagi.com/accepting-paypal-bitcoin

[2] https://kagifeedback.org/d/653-completely-anonymous-searches...

netsroht|2 years ago

Thanks for the links. Using a disposable email with crypto payments and occasionally generating a new account to unlink from previous searches could be a viable intermediate solution.

Also, I found this link [1] in the thread you mentioned. They seem to have implemented something like that.

[1] https://metager.de/keys/help/anonymous-token

boredpudding|2 years ago

Any system that can check balance, can link searches to a user. There's no way around it. In your case, Kagi would need to trust the client with the balance, which would be insecure.

There's only one solution, and that is that you need to put a bit of trust in Kagi. Compared to the major one, Google, you can choose between one that promises to not store data, and one that promises it does (and does a lot).

It's always a bit sad that here on HN, when companies try to do better than bigger players, there's always people who think it isn't enough. It has to be absolutely impossibly perfect.

smsm42|2 years ago

> Any system that can check balance, can link searches to a user.

I don't think it's true. I can immediately see at least two ways how it can be done without identifying the user.

1. Each user gets X tokens at the beginning of the month. When searching, user supplies a token, which is immediately burned. The token does not contain the user identity, just signature validating it's a valid token.

2. Variation of the above: each user gets a token good for X searches at the beginning of the month. When searching, the system will return a token good for N-1 searches each time a token good for N searches is presented. Again, no need to contain user identity anywhere in the system.

Of course, both solutions have their downsides (sync between multiple devices, stealing tokens, losing tokens, etc.) but it is definitely possible. And I am sure if somebody spent a little time thinking on it, these ideas can be seriously improved to eliminate the downsides without introducing the need to identify the user.
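Both netsroht's proposal at the top of the thread and smsm42's scheme 1 above want the same property: the server counts tokens per paying account at issuance, but a token presented at search time carries nothing that ties it back to that account. The example below is added here and is not code from either commenter, from Kagi, or from any project linked in the thread. It uses Chaum-style RSA blind signatures instead of a general zero-knowledge proof, because that is the standard lightweight way to get exactly this property (the same idea underlies Privacy Pass). Everything in it is an assumption for the demo: the textbook RSA key generation, SHA-256 reduced mod n as a stand-in for a full-domain hash, the account names, and the quota of three tokens used in the test. Do not treat it as production cryptography.

```python
"""Unlinkable search tokens via Chaum-style RSA blind signatures (demo only).

Issuer: authenticates the account, enforces the monthly quota, and signs a
*blinded* serial, so it never learns which serial it signed.
Client: picks a random serial, blinds it, unblinds the returned signature.
SearchEndpoint: verifies the signature and burns the serial (no double spend).
"""
import hashlib
import math
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (textbook, demo only)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return (public, private) = ((n, e), (n, d)) for a textbook RSA key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _hash_to_int(serial: bytes, n: int) -> int:
    """Map a token serial into Z_n (demo stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n


class Issuer:
    """Monthly quota issuer; sees the account name and blinded values only."""

    def __init__(self, private, quota: int):
        self.n, self.d = private
        self.quota = quota
        self.issued = {}         # account -> tokens issued this month
        self.seen_blinded = []   # everything the issuer ever observes

    def sign_blinded(self, account: str, blinded: int) -> int:
        if self.issued.get(account, 0) >= self.quota:
            raise PermissionError("monthly quota exhausted")
        self.issued[account] = self.issued.get(account, 0) + 1
        self.seen_blinded.append(blinded)
        return pow(blinded, self.d, self.n)


class Client:
    """Creates a random serial, blinds it, and unblinds the signature."""

    def __init__(self, public):
        self.n, self.e = public

    def blind(self):
        serial = secrets.token_bytes(16)          # no identity inside the token
        while True:
            r = secrets.randbelow(self.n - 2) + 2  # blinding factor, must be invertible
            if math.gcd(r, self.n) == 1:
                break
        blinded = (_hash_to_int(serial, self.n) * pow(r, self.e, self.n)) % self.n
        return serial, r, blinded

    def unblind(self, serial: bytes, r: int, blind_sig: int):
        # (H(s) * r^e)^d = H(s)^d * r, so dividing by r leaves a plain signature
        sig = (blind_sig * pow(r, -1, self.n)) % self.n
        return serial, sig


class SearchEndpoint:
    """Accepts a token once: signature must verify and serial must be unspent."""

    def __init__(self, public):
        self.n, self.e = public
        self.spent = set()

    def redeem(self, token) -> bool:
        serial, sig = token
        if pow(sig, self.e, self.n) != _hash_to_int(serial, self.n):
            return False  # forged or tampered token
        if serial in self.spent:
            return False  # replay / double spend across devices
        self.spent.add(serial)  # burn it, as in scheme 1
        return True


def fetch_tokens(issuer: Issuer, client: Client, account: str, count: int):
    """Obtain `count` tokens for `account`; the issuer only ever sees blinded values."""
    tokens = []
    for _ in range(count):
        serial, r, blinded = client.blind()
        tokens.append(client.unblind(serial, r, issuer.sign_blinded(account, blinded)))
    return tokens
```

The server-side spent set is what removes the client-synchronization problem netsroht raised: a serial burned on one device simply fails on another, with no peer-to-peer sync needed. What it does not solve is loss or theft of tokens, which is why the client must store unredeemed tokens as carefully as a password. smsm42's scheme 2 (a countdown token) can be built on the same signing primitive by having the endpoint return a fresh blind signature for N-1 on each redemption.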

netsroht|2 years ago

I'm not a cryptography expert, but from my research, shouldn't it be possible to verify quota on ZKPs server-side? Essentially, the server doesn't need to know the specifics of the user's identity, just that they possess a valid token and haven't exceeded their quota.

You can use search engines like Google without being logged in. When combined with tools like uBlock Origin and Cookie AutoDelete, it becomes more challenging for them to build a singular profile about a user, especially one tied to payment methods such as credit cards.

I genuinely appreciate what Kagi is doing, and I'd absolutely be willing to pay for their service, because if you're not paying for a service, you're the product. I trust companies to uphold their privacy promises, but "Trust is good, but proof is better." ;)

yencabulator|2 years ago

> Any system that can check balance, can link searches to a user.

For what it's worth, you can buy a physical Mullvad gift card and use that to create a very anonymous account for VPN use.

Even if you buy your gift card from a major online retailer, it comes from a stack of gift cards, nothing tracks which one was sent to whom. You can also exchange gifts among friends.

EA-3167|2 years ago

I'm not searching for anything terrifyingly illegal, and for the rest Google and MS already scrape and compile every byte of data I've ever generated. Why would it suddenly be a problem when a more reliable and less vicious company is doing a fraction of that?

You have to understand that most of us aren't fighting some battle for "perfect privacy," I just want a search engine that works for me, rather than advertisers, at the level of the search results themselves.

netsroht|2 years ago

I get your perspective. A lot of us just want a search engine that serves the user first, not advertisers, especially at the results level. It's about function over strict privacy for many; everyone has their own privacy threshold.

But it's also about digital data autonomy. It's not just about avoiding surveillance over sensitive searches, but having control over our data's destiny. Even mundane data, in aggregate, can sometimes be used in ways we can't predict.

carlosjobim|2 years ago

What is counted as "terrifyingly illegal" changes without a moment's notice on the whims of your rulers. So even if you're not googling on how to bomb the government, there are hundreds of other subjects and opinions that could in the future make the majority of your neighbours, family and workmates think you deserve to be shunned, fired, in prison, or worse. That is why people want to protect their privacy.

andrewinardeer|2 years ago

> Being logged in while making search queries in search engines poses significant privacy risks. The searches can paint a comprehensive profile of the user, and these data often remain stored for extended periods. There's a chance this information might be shared with third parties. Coupled with other user data, these logged-in searches can pave the way for targeted advertising, sophisticated predictive analysis, and potential exploitation by governments or malicious entities. In the event of data breaches, the user's logged-in search histories can be exposed. Furthermore, users typically don't have clear insight into how their data is utilized when logged in.

This reads and smells like ChatGPT / AI.

idonotknowwhy|2 years ago

Was thinking the same thing. Not even gpt4

SkyPuncher|2 years ago

I've gotten tired of these bogeyman arguments.

There are sooooo many other ways to fingerprint than an account.

Oh look, this MacBook with X by Y resolution from this IP address has had 100 searches for the past 2 hours. Oh no! He switched to incognito.