
I’m not insinuating for even a second that Kagi actually do this, but as a general rule, isn’t any privacy claim dubious at the moment given that more and more governments appear to be able to compel companies to identify their users (especially those searching for illegal content) and further forcefully insist they not disclose it?

It’s disheartening to think the great progress we’re making in this sector could be undermined in a few seconds against any company’s efforts with a trivial backdoor.




It depends on how hard those companies work beforehand to prevent themselves from being able to comply with such requests beforehand. Signal is a good example of this, Kagi seems to be onboard also.

I haven't looked closely enough at this token thingy Kagi is doing but it seems on the surface like it might scratch the itch by letting them decouple the accepting-payment part of their service from the providing-results part such that they know that you've paid, but not which payer you are.


Government's power over companies does not negate cryptographic privacy protections. For example, one criminal who used ProtonMail got caught because ProtonMail handed over their recovery Gmail address to law enforcement after they were compelled[1]. However, that means end-to-end encryption worked: that was the only thing they could hand over. I think the same principle applies here.

[1] https://www.techradar.com/computing/cyber-security/proton-ma...


The government forces companies to backdoor their systems and use compromised implementations of what would otherwise be private and secure systems (see for example https://en.wikipedia.org/wiki/Lavabit). It's also worth noting that the only thing preventing your searches being linked to your account via IP address and browser fingerprinting is to use Tor which conveniently will also not protect you from the US government either. Account settings can also link a person's searches to their account.

The good news is that while the NSA will absolutely be tracking everything you search for while using Kagi they also do the exact same thing with every other search engine you use so what difference does it make.


The difference is cost. Pervasive and unhindered surveillance is way cheaper than coordinating an individual to be targeted through court orders and all the bureaucracy and potential legal battles that come with it. That’s why EU/UK is trying to coerce Apple to disable end to end encryption[1]. If it hadn’t made any difference, we wouldn’t be seeing any complaints from governments.

[1] https://techinformed.com/uk-government-orders-apple-to-hand-...


I think the idea here is that it literally can't be traced to the user – at no point is there anything passed that would allow Kagi to make the association between the user and the query.


Thanks, yes completely agree! I guess the part I’m concerned with is the political side whereby they could be potentially compelled to change the method slightly after the fact and be forced to slip something in somewhere in a quite technical process now making it possible.

I’d love to assume this will never happen, I’m just concerned that even if it did I’d never find out - Because unfortunately the more popular this service gets for bad actors, the more of a target it becomes for the government with identification of users.

I guess as a search engine, we could assume the government may leave them well alone and still just focus on content creators.


The best that we can do is to continue working on FOSS solutions that make it technically impossible to backdoor. I haven't grok'd the protocol yet, but it seems to claim you only have to trust the client. The client is open source, so it would be hard for it to be backdoor'd without the community noticing.

Cryptography is a literal godsend for people living under oppressive regimes.


I see this now, thanks for the clarity!


Isn’t the whole point that this method is secure by design so even if they wanted, they couldn’t track you?

Or are you saying the method is designed to look secure but there’s an intentional weakness that makes tracking possible?


Definitely suggesting the method is secure, assuming the company does all the things they’ll say they do, which I also agree they’ll do. I’m just concerned the government can destroy this all, just by compelling them not to, and change a well intentioned method at any moment.


But what would the government compel them to do? If the method is secure, you don’t need to trust the server. And if they backdoor the open source client, people could notice it in an audit.


I think you’re right, perhaps I’ll do some more reading about it - It seems like it all relies on what the extension does, and if this extension is open source someone will notice as you said. Thanks for the clarity!


The method is secure until they change it. Their docs mention that generating a token is not anonymous, but using a token is. Considering they already know who generated it, it could be trivial for them (to change something server side where the validation occurs, if compelled) to link a particular search to a user.


You don’t get the token itself from the server though, you get something so you can make your own token for which the server doesn’t know who created it. So they can do whatever they like on the server, they can’t identify you.


Indeed, thanks for clearing that up!


If the system is implemented correctly then Kagi cryptographically can't link a particular search to a particular user.


XKCD #538 strikes again, and definitely extends to forcing people to lie about algorithms and possible backdoors.

I don't think, however, that this means we need to give up on crypto entirely. Just... be aware of the threat model for what you're encrypting.



