I’ve been using this search engine and I have to say I’m absolutely in love with it.

Search results are great, Google level even. Can’t tell you how happy I am after trying multiple privacy-oriented engines and always feeling underwhelmed with them.

Have you tried it? What are your thoughts on it?

  • PopOfAfrica@lemmy.world
    9 months ago

    If they don’t cache your search history to your identity, which they claim they don’t, then I’m not sure why that’s a problem.

    • Leraje@lemmy.blahaj.zone
      9 months ago

      Because claiming they don’t is not the same as being able to verify they don’t by making their code open source.

        • Leraje@lemmy.blahaj.zone
          9 months ago

          Deciding to trust a provider - any provider - isn’t just any one thing. So, the most basic step to me is all the relevant code being open source. The next step is getting their infrastructure audited. The step after that is seeing what happens if they get court ordered to provide data.

          They do none of that and I’m just too cynical to accept ‘trust me bro’ as a convincing sales tactic.

          • sudneo@lemmy.world
            9 months ago

            They had a security audit, they have a canary on their website, they have a privacy policy which is legally binding, and they have a business incentive.

            If you so much suspect that they do collect searches and associate them with accounts (something which they claim they don’t do), you can make a report to the relevant data protection authority, which then can audit them.

            As someone else also commented, you can use an alias email and pay in crypto if you really wish to not associate your account with your searches. Just be advised that between IP addresses and browser fingerprinting it might always be possible to associate your searches together (even if not to you as an individual with name and surname), and this is something that big CDNs like Cloudflare or Imperva also provide for you. So you still rely in most cases on what the company says and what their business model is to determine whether you trust them or not.

            So far Kagi has both a good policy (great policy actually) and a business model that doesn’t suggest any interest for them to illegally collect data to sell them.

            • Leraje@lemmy.blahaj.zone
              9 months ago

              I don’t suspect or accuse them of anything. Quite the reverse - what I’m saying is that without things like open source code, privacy audits etc, we’re being asked to take their word for it all. They might well be the most privacy respecting company ever and they equally might not be. If you’re happy to take their word for it, that’s entirely your call. I’m not trying to change anyone’s mind, I’m just answering OP’s question with my own opinion.

              • sudneo@lemmy.world
                9 months ago

                And I am saying that there are tools to increase this trust.

                I also want to stress that you have no tools really to verify. Open source code is useless, audits are also partially useless. I have done audits myself (as the tech contact for the audited party) and the reality is that they are extremely easy to game and anyway are just point-in-time snapshots. There is nothing that impedes the company from deploying a change tomorrow that invalidates what was audited. The biggest tools we have are legal protection (I mean, most companies that collect all kinds of data disclose that they do nowadays) and economic incentive. Kagi seems to provide good reason to trust them from both these angles.

                Obviously, if that’s not enough for you, fair enough, but if you are considering a company to be intentionally malicious or deceptive, then even the guarantees you suggest do not guarantee anything, so at this point I really wonder if or how you trust anybody, starting from your ISP, your DNS provider, your browser etc.

                • Leraje@lemmy.blahaj.zone
                  9 months ago

                  Again, I’m not considering them to be intentionally malicious or deceptive, I’m saying without the basics in place, we’re being asked to just trust them.

                  I’m aware of the limitations you describe and you’re right that there’s no way to 100% guarantee anything, there has to be some element of trust. So the services/software I choose to use have done all the things I mention, or I run them locally. Does that mean they’re 100% perfect? No, of course not but the fact they’ve gone to great lengths to establish at least a basis for trust means a lot to me. Some of them have gone on to be tested in some sort of legal encounter where again, they performed well.

                  Trust is a personal thing, we all have different perceptions of what makes an org trustable - if Kagi match yours, good for you.

                  • sudneo@lemmy.world
                    9 months ago

                    I am not understanding something then.

                    The basics in this case are a legally binding document saying they don’t do x and y. Them doing x or y means that they would be doing something illegal, and they are being intentionally deceptive (because they say they don’t do it).

                    So, the way I see it, the risk you are trying to mitigate is a company which actively tries to deceive you. I completely agree that this can happen, but I think this is quite rare and unfortunately a problem with everything, that does not have a solution generally (or to be more specific, that what you consider basics - open source code and an audit - do not mitigate).

                    Other than that, I consider a legally binding privacy policy a much stronger “basic” compared to open source code which is much harder to review and to keep track of changes.

                    Again, I get your point and whatever your threshold of trust is, that’s up to you, but I disagree with the weight of what you consider “the basics” when it comes to privacy guarantees to build trust. And I believe that in your risk mapping your mitigations do not match properly with the threat actors.