I think that a class of people who ask the kind of questions that need an absolute guarantee of anonymity (I am thinking terrorists, drug dealers, traffickers etc.) are:
- Looking for a different thing (because anonymity is not the same as privacy)
- Are probably looking at tools that cost much more than Kagi does
We are not even interested in serving that market.
Having said that:
- Kagi does not store search queries, nor, by definition, is it then possible to associate something that does not exist with an account
- In general, Kagi does not store or mine user data in any way. Our privacy policy is pretty detailed, I recommend checking it out https://kagi.com/privacy
The strongest guarantee I can realistically give you that the above is true, is that our business model is simply not dependent on mining or selling user data. And the premise of our entire business would fall apart if the opposite turned out to be true. In other words the alignment of incentives here is as good as it gets.
We are not interested in your identity or searches, we are interested in providing the best search product for you, so we can keep you as a paying customer as long as we can. The moment either of the above is not true, you will walk away. It is wonderful to be in this position from a product/business perspective.
I would expect 99% of us not to want our search history revealed or even just logged. Especially with English as a second language, I've searched for things (to learn what they are) that are just horrible, think blue pancake/muffin/whatever it was.
Or just plainly searching about legal or medical issues to learn/get informed can yield some very questionable queries taken out of context as well.
I understand the pedagogical example as a stark contrast, but this choice is immediately turning me off the product. Startups and the companies they grow into have spent decades helping themselves to data to track and identify and write clauses into their policies and terms of use to be able to stockpile behavioral data for a potential future "pivot" if nothing else.
We are living in a world where it is more based in fact to assume that companies will help themselves to this kind of information under a variety of pretenses than that they won't. The only reason people will assume differently is if they trust the company, the product and the people behind it. The policy seems to be doing its part, but trust needs to be built by every conversation with a potential future customer. If the question that pops up is "how can I be anonymous if I pay you each month", the resulting argumentation should not be able to be construed as "we're sorry, but we're not going to help be your burner phone", which the comment I'm replying to is toeing dangerously close to.
People search for many things and it could detail their interests, their current location, their financial troubles. The commitment needs to be "we will never, never, never, ever, do anything like this", and not just "it doesn't make sense for us to do this". Because if someone wanted to build in that sort of tracking, it could "make sense" from a business standpoint to do this in that the data, if collected, has a lot of value on the market.
Even if the incentives are indeed aligned to keep the paying customer pleased, we also need to know that if we do walk away, that at that point there will not possibly be anything left as an artifact that a future buyer could do anything with. This assurance will be most effective if it's rooted in trust and values rather than in practical concerns; the practical concerns are valid, but only if they are restraints that have been applied in search of an objective by yourself, instead of "it is not currently in our business plan". (As an extreme example, consider a bank saying "we'd never pick items out of our customers' safe deposit boxes and sell them; it would simply be too much work".)
Basically, the facts seem reasonable enough. But you need to work on not coming off like the parent saying "well I'm sorry you want to hide things from me", which is what unprompted bringing up the covering up of criminal activity in response to questions of anonymity and privacy does. I understand that those concerns do come up in thinking responsibly about a product like this from all angles, but making it a part of a discussion with a potential customer disrespects and denigrates their fundamental needs enormously, the same needs that would make them attracted to the product in the first place.
I understand I could have better communicated my message and thanks for bringing it up.
My point is that none of "us" require anonymity in normal circumstances of using a search engine. But we all absolutely require our privacy respected (and many people still conflate privacy with anonymity).
Kagi is 100% privacy respecting by default, and the examples I gave illustrate not only that, but that a certain (almost total) level of anonymity can be obtained by Kagi too (because searches are not logged, so they cannot be logged with an identity). In a paid service environment where you need to authenticate the user, help them restore their account etc., it is very difficult, I dare say impossible, to achieve a total anonymity guarantee from a technical standpoint and I want to be transparent about it.
I think a better sort of guarantee is exactly the one that I gave - our business model does not incentivize any sort of privacy-invasive behavior.
> The commitment needs to be "we will never, never, never, ever, do anything like this"
Perhaps you have not read our privacy policy, but this is exactly what it says there, and I took it for granted. This is probably my mistake and I should have assumed that people submitting an inquiry will not have read it.
In my mind "there is no need for us to do it" is a much more powerful driving force than simply stating we won't. Stating something is easy but not substantial as witnessed by many big tech companies. The reality is that their business model forces them to twist reality away from privacy statements like those. Our business model does exactly the opposite, and has a positive feedback loop reinforcement in relation with the customer (we cheat you -> you take your wallet elsewhere).
Rereading this very answer I have a feeling it will not be the most satisfying again, so I hope that with your help, we can come to an answer that will satisfy your inquiry.
> How would you solve the issue of self-censorship when the exact identity of a searcher is known?
What do you mean with that?
> Can you Guarantee the privacy of searches and that you will never sell search history data?
I think that’s literally impossible to do?
FWIW, selling data would probably not be worth it, and ruin them. It’s supposed to be pretty expensive (early discussions are around $10-$20 a month) while only having a tiny amount of users (10s of thousands). At least for me, that aligns their incentives properly. And of course, they are bootstrapped without any VC money.
Self-censorship is the behavior where one does not perform certain searches because their interest in the topic will become known to others. This might include health information, sexual interests, political views or other sensitive topics. The fact that the search engine has your name, address, and payment info means that they can associate you with 100% certainty to everything you search for which can have negative consequences for the user under different scenarios.
In regard to selling the data, I've seen businesses where they sell user info just as a side project to balance the sheets. It will be an issue only if one is caught. Somewhere there I looked around the website but I couldn't even find where the HQ is and under which jurisdiction they operate. The privacy policy had lots of technical details, but not legal ones.
It would be interesting if, like Signal, they can validate a user but provably cannot associate the account with any actions. This might be an issue for billing and tiered plans though.
I pinged their devs, especially regarding their location. I’d assume US as that’s where their founder is according to his personal website [0], but I agree it would be better to have that information there.
Thanks for the explanation. I can only repeat that I don’t think this is solvable. Unlike Signal, which uses E2E this is not possible here, so whatever promises Kagi makes will always have to stay promises as they’ll need to know the content of your search and for what account it is (as your settings influence the results) to give the right reply. At least that’s how I understand it.
1st Allow users to share the token by which they are identified.
2nd Implement a 3rd party website that offers a 'free tier' via token roulette.
That will generate noise in search results, making it hard to pin a particular search on someone. Optimally users would be able to decide how much 'noise generating searches' they allow.
Of course that would only work if paying users would be volume / rate limited.
Could potentially go the Mullvad approach and allow mailing in of cash for an anonymous user ID (numbers only) and then you enforce DoT and DoH everywhere? Kagi itself would still have access to your search queries and could identify you by your public IP but it would be a decent step in the right direction.