32

  • Completely anonymous searches unlinked to the account (blind tokens)

  • SuggestionsDone

@Vlad I wholeheartedly agree with bribri and @Browsing6853.

Respectfully, I disagree with your assessment that this is a non-existing problem, it's one potential technical measure out of many that would give credibility and weight to your promises to safeguard user data. Words are cheap and we've all seen companies promise one thing and then sell out their users when it became convenient to do so, time and time again.

Asking users to trust you so that you don't have to spend resources on technical measures ensuring their privacy is I think, a very unfair thing to ask for, especially when you're branding yourself as a premium, privacy-friendly alternative. The well has been poisoned and words just don't cut it anymore.

You often suggest that we have nothing to worry about because our incentives are aligned and while this may be true right now, it won't be when someone offers you a life-changing amount of money in exchange for your company. As users we don't have any control over that so our incentives aren't nearly as aligned in the long term as you suggest.

I hope that you reconsider your approach to privacy and seriously consider implementing at least some of the many suggested privacy enhancements, e.g. https://kagifeedback.org/d/493-enable-anonymous-payments-ala-bitcoinmonero/15

    7 days later

    We need to address a few issues here

    • Having a special 'high privacy' mode would indicate that the default search in Kagi is not 'private'. It is. Privacy is either respected or not.
    • Even an "anonomity" mode would rely on users trusting us it was (correctly) implemented
    • Everything falls down to trust at the end. (unless I do not understand what the suggestion is proposing, I did not go into technical details of implementation).
    • Privacy and anonimity are being used interchanegably here although these are two different things - lets clarify what the goal is
    • Ultimately this is a very complex technical endevor that requires significant change to billing system.
    • Even crypto payments are poposed which adds additional complexity/billing infrastructure/legal challanges
    • Is it worh spending next few months on this when we just spent 3 months with the new pricing. Only 5 upvotes does not dicate broader interest in this level of anonymity.

    This is just my brain dump, open to have a discussion.

    16 days later

    I feel unsafe using Kagi and cannot subscribe to the service until there is a non-Strip / non-credit card method for payment. It is simply inappropriate to even facilitate the potential of associating financial data with any information such as search with the current state of society and the direction of government and such patterns that are clearly evident.

      23 days later

      The competition is doing it too! Don't want to be left behind đŸ˜‰

      This sentence (automatically translated) from your link pretty much sums up why I think it's a good idea: "Even if we don't do that, of course, trust would still be necessary to be sure of his anonymous search. So that we not only have to promise anonymous searches, but can also prove them, we introduced anonymous tokens."

      • Vlad replied to this.
        5 days later

        bribri Not matter of wanting or not, but of resources and prioritization. Would you pay more to have this as a feature?

            Vlad Being a software developer myself working with a couple of small companies with limited resources, I certainly understand the importance of prioritizing features. Lord knows there's lots of stuff I've had to put on the backburner in the course of my own work due to just not having the time and resources to work on it.

            Personally the idea of having to pay more for trustless anonymous payments doesn't sit well with me. It feels like it would be saying "you have to pay more just to know for sure your searches are anonymous, but if you just take our word for it then you can pay what everyone else pays". That doesn't inspire confidence. That said, it's not unusual for some payment methods to include a small flat fee in order to offset the cost of something like payment processor, and while I would certainly prefer to pay less rather than more, something like that wouldn't dissuade me.

                20 days later

                Vlad Not only would I pay more, but also all privacy conscious people uncomfortable having their search potentially linked to their identity through their payment would consider it.

                Trust is something hard to get and easy to lose, making move to enhance privacy will make you gain some and more.

                The signal you send is important.

                Iiff you say "blind signature", payment unlinked to account, then you send good signal and win trust.

                Vouchers are a great way to unlink searches and payment, and probably easier to implement.

                  4 months later

                  As you may have seen already we implemented Bitcoin/Lightning payments as an alternative way to achieve anonimity.

                  https://blog.kagi.com/accepting-paypal-bitcoin

                  Leaving this stil open as it would be a cool to have a technology solution that achieves the same without the need for cryptocurrency.

                  Would you still consider selling physical voucher as well?

                  • Vlad replied to this.

                    ruihildt We are not lacking the ideas or the will, just the resources to execute all these new ideas. Think about how difficut of an operation is to organize something like physical vouchers for billing that will work world wide and then consider everything else on our plate. Besides we already support anonymous payments with Bitcoin/Lightning so this is not a priority.

                    Lets keep this thread on topic though as it is about using cryptography.

                        3 months later
                        Vlad changed the title to Completely anonymous searches unlinked to the account (blind tokens) .

                          Using "blind tokens" to further anonymize users and their authenticated activity.

                          Some prior art and references:
                          [1] https://blog.cloudflare.com/privacy-pass-the-math/
                          [2] https://privacypass.github.io/protocol/
                          [3]
                          [4] https://en.wikipedia.org/wiki/Blind_signature
                          [5] https://www.rfc-editor.org/rfc/rfc9474.html

                          From the Cloudflare blog post:

                          In summary, this browser extension allows a user to generate cryptographically ‘blinded’ tokens that can then be signed by supporting servers following some receipt of authenticity (e.g. a CAPTCHA solution). The browser extension can then use these tokens to ‘prove’ honesty in future communications with the server, without having to solve more authenticity challenges.

                          The ‘blind’ aspect of the protocol means that it is infeasible for a server to link tokens token that it signs to tokens that are redeemed in the future. This means that a client using the browser extension should not compromise their own privacy with respect to the server they are communicating with.

                          From Cathie Yun's blog post:

                          Blind signing is exactly what it sounds like: a protocol where someone signs something without knowing (being blind to) what they are signing. This concept was first described by Chaum in 1982 in his paper, Blind Signatures for Untraceable Payments. Basically, blind signing allows you to decouple the signing step (since the signer is blind) from the redemption step, giving nice privacy guarantees. The concept might seem a bit contrived, but is actually useful in a few situations, including digital cash schemes and voting protocols. For a really good explanation of how this works using the voting analogy, see the Cloudflare blog post on Privacy Pass; if you like talks more, I explained the concept in my talk at 0x0G.

                          This feature improves the security on the backend and should be (nearly) transparent to the user.

                          The only thing the user would change slightly is passing an authenticated session token for addon extensions in private-browsing searching.

                            Merged 1 post from Anonymize searches and other authenticated actions via blind tokens.
                              a month later
                              a year later

                              Vlad that’s fab! Is the extension you mentioned earlier something we can implement with relative ease?

                                  9 days later

                                  It's great to see this seems to now be a planned addition, this would be a significant improvement to privacy and anonymity that would make Kagi an easy recommendation to many privacy-conscious users.

                                    a month later
                                    No one is typing