Completely anonymous searches unlinked to the account (blind tokens)

Browsing6853

Idea: allowing users to activate a super anonymous mode where they will lose their custom setup (e.g. boosted domains, custom lens) and have 100% private searches (i.e. same as a search engine without accounts).

Recent advances in zero-knowledge cryptography are allowing to create applications where users can prove their identity (i.e. paid user) without compromising their privacy (i.e. which user it is). The most promising idea/implementation for Kagi seems to be what Cloudflare is doing with Privacy Pass, which is a protocol thought for web usage and is currently in the process of being standardized by the IETF.

Personally, I'm not so eager for this feature because custom search is basically why I use Kagi today, but I understand there will be people who disagree.

Privacy Pass:
https://privacypass.github.io/
https://blog.cloudflare.com/cloudflare-supports-privacy-pass/

Vlad

Thia is a great, thanks for surfacing it.

One potential problem with this would be that it would imply that we are linking searches to an account otherwise (which we don't) so that the users have to use a special mode to circumvent that.

We'd rather spend resources to educate the users that we do not link searches to an account, and that we do not need to do that (because we sell subscriptions, not user data) and that we do not want to do that (because it is just a liability with non-zero cost, but with zero benefit to us, wth would we do with user's searches?).

Basically the above is a complex solution to a non-existing problem.

bribri

I am just such a user that would not want to use a search engine whose searches could technically be tied to my account and my identity. However much Kagi (or any other company) assures me that my data is private or is not being tied to my identity, it still requires me to put my trust in them, and some users such as myself are not willing to do that for something as sensitive as search engine queries.

However, with the sort of blind signature / zero-knowledge proof method that Privacy Pass uses, trust is not required. The system works by making it impossible to associate someone's payment information with their account. It would work something like this:

1) A user uses your payment system to make a payment, but without specifying their Kagi account
2) You get a notification that the payment was successful, and sign a special a token for the user without actually knowing what the token is
3) The user uses the signed token on their Kagi account to prove they paid for it, but due to the nature of the token, it's not possible to link it back to their payment

Voilà, their account is now able to be anonymous without requiring trust. (Though it would still be up to the user to use an anonymous email address, or even mask their IP address using something like a proxy or VPN.)

I think there's a lot of privacy conscious people out there who would appreciate companies like Kagi providing a method that guarantees that their data (in this case searches) are truly private. I won't speak to how many there are, but I'm at least one of them. And I think there's a lot of symbolic significance to implementing such a system, because it would demonstrate how committed you are to user privacy.

xpbx7

@Vlad I wholeheartedly agree with bribri and @Browsing6853.

Respectfully, I disagree with your assessment that this is a non-existing problem, it's one potential technical measure out of many that would give credibility and weight to your promises to safeguard user data. Words are cheap and we've all seen companies promise one thing and then sell out their users when it became convenient to do so, time and time again.

Asking users to trust you so that you don't have to spend resources on technical measures ensuring their privacy is I think, a very unfair thing to ask for, especially when you're branding yourself as a premium, privacy-friendly alternative. The well has been poisoned and words just don't cut it anymore.

You often suggest that we have nothing to worry about because our incentives are aligned and while this may be true right now, it won't be when someone offers you a life-changing amount of money in exchange for your company. As users we don't have any control over that so our incentives aren't nearly as aligned in the long term as you suggest.

I hope that you reconsider your approach to privacy and seriously consider implementing at least some of the many suggested privacy enhancements, e.g. https://kagifeedback.org/d/493-enable-anonymous-payments-ala-bitcoinmonero/15

Vlad

We need to address a few issues here

Having a special 'high privacy' mode would indicate that the default search in Kagi is not 'private'. It is. Privacy is either respected or not.
Even an "anonomity" mode would rely on users trusting us it was (correctly) implemented
Everything falls down to trust at the end. (unless I do not understand what the suggestion is proposing, I did not go into technical details of implementation).
Privacy and anonimity are being used interchanegably here although these are two different things - lets clarify what the goal is
Ultimately this is a very complex technical endevor that requires significant change to billing system.
Even crypto payments are poposed which adds additional complexity/billing infrastructure/legal challanges
Is it worh spending next few months on this when we just spent 3 months with the new pricing. Only 5 upvotes does not dicate broader interest in this level of anonymity.

This is just my brain dump, open to have a discussion.

kf

I feel unsafe using Kagi and cannot subscribe to the service until there is a non-Strip / non-credit card method for payment. It is simply inappropriate to even facilitate the potential of associating financial data with any information such as search with the current state of society and the direction of government and such patterns that are clearly evident.

Vlad

Appears Metager is using blind signature too https://metager-de.translate.goog/keys/help/anonymous-token?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US

bribri

The competition is doing it too! Don't want to be left behind 😉

This sentence (automatically translated) from your link pretty much sums up why I think it's a good idea: "Even if we don't do that, of course, trust would still be necessary to be sure of his anonymous search. So that we not only have to promise anonymous searches, but can also prove them, we introduced anonymous tokens."

Vlad

bribri Not matter of wanting or not, but of resources and prioritization. Would you pay more to have this as a feature?

bribri

Vlad Being a software developer myself working with a couple of small companies with limited resources, I certainly understand the importance of prioritizing features. Lord knows there's lots of stuff I've had to put on the backburner in the course of my own work due to just not having the time and resources to work on it.

Personally the idea of having to pay more for trustless anonymous payments doesn't sit well with me. It feels like it would be saying "you have to pay more just to know for sure your searches are anonymous, but if you just take our word for it then you can pay what everyone else pays". That doesn't inspire confidence. That said, it's not unusual for some payment methods to include a small flat fee in order to offset the cost of something like payment processor, and while I would certainly prefer to pay less rather than more, something like that wouldn't dissuade me.

ruihildt

Vlad Not only would I pay more, but also all privacy conscious people uncomfortable having their search potentially linked to their identity through their payment would consider it.

Trust is something hard to get and easy to lose, making move to enhance privacy will make you gain some and more.

The signal you send is important.

Iiff you say "blind signature", payment unlinked to account, then you send good signal and win trust.

Vouchers are a great way to unlink searches and payment, and probably easier to implement.

Vlad

As you may have seen already we implemented Bitcoin/Lightning payments as an alternative way to achieve anonimity.

https://blog.kagi.com/accepting-paypal-bitcoin

Leaving this stil open as it would be a cool to have a technology solution that achieves the same without the need for cryptocurrency.

ruihildt

Would you still consider selling physical voucher as well?

Vlad

ruihildt We are not lacking the ideas or the will, just the resources to execute all these new ideas. Think about how difficut of an operation is to organize something like physical vouchers for billing that will work world wide and then consider everything else on our plate. Besides we already support anonymous payments with Bitcoin/Lightning so this is not a priority.

Lets keep this thread on topic though as it is about using cryptography.

happy-dude

Using "blind tokens" to further anonymize users and their authenticated activity.

Some prior art and references:
[1] https://blog.cloudflare.com/privacy-pass-the-math/
[2] https://privacypass.github.io/protocol/
[3]
[4] https://en.wikipedia.org/wiki/Blind_signature
[5] https://www.rfc-editor.org/rfc/rfc9474.html

From the Cloudflare blog post:

In summary, this browser extension allows a user to generate cryptographically ‘blinded’ tokens that can then be signed by supporting servers following some receipt of authenticity (e.g. a CAPTCHA solution). The browser extension can then use these tokens to ‘prove’ honesty in future communications with the server, without having to solve more authenticity challenges.

The ‘blind’ aspect of the protocol means that it is infeasible for a server to link tokens token that it signs to tokens that are redeemed in the future. This means that a client using the browser extension should not compromise their own privacy with respect to the server they are communicating with.

From Cathie Yun's blog post:

Blind signing is exactly what it sounds like: a protocol where someone signs something without knowing (being blind to) what they are signing. This concept was first described by Chaum in 1982 in his paper, Blind Signatures for Untraceable Payments. Basically, blind signing allows you to decouple the signing step (since the signer is blind) from the redemption step, giving nice privacy guarantees. The concept might seem a bit contrived, but is actually useful in a few situations, including digital cash schemes and voting protocols. For a really good explanation of how this works using the voting analogy, see the Cloudflare blog post on Privacy Pass; if you like talks more, I explained the concept in my talk at 0x0G.

This feature improves the security on the backend and should be (nearly) transparent to the user.

The only thing the user would change slightly is passing an authenticated session token for addon extensions in private-browsing searching.

Vlad

Stumbled upon this today https://github.com/cloudflare/pp-browser-extension