Hacker News | toomanyusers's comments

I stopped using DuckDuckGo when it introduced its email relay service. This service had (and I think still does have) the peculiar requirement that the user must install a browser extension in order to use it.

I can think of no valid reason why a (supposedly privacy-respecting) email relay service should require a browser extension to be installed.

This made me realize DuckDuckGo may not actually value privacy. I stopped trusting all of its services.


> I can think of no valid reason why a (supposedly privacy-respecting) email relay service should require a browser extension to be installed.

I can answer this one: they're fine with not knowing who anyone is, but they're trying to make sure that each account maps to one real person — they're trying to prevent spammers from registering thousands of accounts to use to send spam, and from continuously registering more accounts whenever they get banned.

A browser extension that feeds their service a heartbeat packet every once in a while from a particular IP address is a Proof of Identity. It ties the email account accessed through that browser to a browser installation of the extension, such that you can only actively use as many email accounts as you have devices × installed browsers (which might be a surprisingly high number to you, a normal person with legitimate use-cases for multiple email accounts; but is still a problematically low number compared to the number of accounts the average spammer wants to register — especially when most of those accounts get banned in short order).

This is a workaround for the fact that there's as-of-yet no such thing as an "anonymous identity verification service" — something like an OAuth IdP that deduplicates users on the client-to-IdP side through strong identity verification on registration (photo of your passport, webcam picture with this hand gesture, you know the drill); but then protects client anonymity on the IdP-to-service side. If you had to SSO to your DDG email through such a service, then they very likely wouldn't be asking you to install the extension.


I have two email relays from DDG and have never installed their extension, nor even knew they had an extension when I got their relays. (I know now, but at the time I didn't.) If you download the app on your phone, you can get a relay and then immediately uninstall the app.


Yes, but you had to install an app. Why? They already have your email. They're forwarding email to you as part of the service. And you probably had to verify your email with them when you started using it. So why should you be required to also install either an app or a browser extension?

Doesn't the very act of installing something on your devices increase their technical ability to collect information about you and your devices? That doesn't sound very privacy-oriented.


Reading your comments made me realize how a service like DDG could never succeed. The only people who care about its advantages are the same users they lose for anything that remotely helps the company grow.

Apple is a regular company and gets points for adding privacy features. DDG? “Nah, F that, they suggested I run code on my device for a brand-new unrelated service. Reprehensible.”


Apple does add privacy though. The company does not collect and sell your data. Folks regularly read the ToS and freak out, without understanding why the ToS says what it says.

Most privacy oriented companies don't care about your data, but they need to be able to see diagnostic information about your session for when things don't work. Oh and guess what? Things don't work for many users due to all kinds of crazy stuff, with viruses, proxies, crap internet, crap browsers, crappier browser extensions, or just plain user stupidity causing 99% of it.

Diagnostic data and basic telemetry allows software engineers to find the root cause.


Most likely a feeble attempt to keep the domain from getting blacklisted by most services by restricting the number of relays a user can have by device.


Companies like DDG and Apple don’t do privacy. They do privacy theatre. Just that Apple is too big with too much of a PR/marketing budget and has an ultra/rabidly loyal fanbase so it works for them.

There are companies that do privacy but they’re usually too small to be noticed outside the crowd of extremely privacy conscious people.

Mozilla is a famous one though. Yup, even after their Pocket fiasco and some more I do believe they try to do real and long-term privacy. DDG is just hustling to stand apart and then maybe hope for a financial exit. (Have had a really bad experience with the company, other than using their product - their search is unusable though - that told me they do not have a respectable culture as an organisation either).


The same Firefox that gets most of its funding by funneling search to Google?


It also funnels all your nearby access point names to Google, and it does that for free!


Can you describe the difference between “privacy” and “privacy theater”?


Does Amazon have a policy guaranteeing it won't ship items sourced from commingled inventory with its sellers when you purchase "Ships by and Sold by Amazon.com"?

I heard that you can get items from random small sellers (including counterfeit items and used items being packaged as new) even when you think you are purchasing only from Amazon. I haven't bought anything on Amazon since.


I don't know. Some claim that up until 3 years ago, Amazon was still commingling their own inventory, but they have stopped since then. However I can't find any authoritative source to confirm this.


It strikes me that a company like Kagi should be able to craft a legally enforceable agreement with its customers which expressly forbids the company from selling ads and conducting surveillance.

The agreement could be carefully written by a skilled lawyer to define the things Kagi cannot do, the proof customers must present in order to proceed with a valid lawsuit, and even the maximum damages that the customer may sue for.

In that case, if Kagi was found at some point to be using customer data for these purposes, it could be sued very easily and by many parties.

People are calling for regulation for data privacy. In the meantime, Kagi can create its own regulation it will hold itself to for the benefit of its users, can it not?


I found a blog post (https://safing.io/blog/2022/09/06/spn-vs-vpns/), but you have to go fairly far down the page (to the header "Cryptographic Identity Protection") to begin to get the gist of what it is.

"This was originally invented for Tor and is called Onion Routing. This way, every server in the chain only knows the previous and the next hop. No server ever knows who you are AND where you are going to."

"As VPNs are centralized, all their servers are operated by only one entity - the VPN provider itself. They can, therefore, monitor all your traffic and see what you are up to. This is why they tout their “No Logging” policies so loudly, because they know they can see everything."

"SPN on the other hand invites the community to join the network and strengthen it by adding diversity to the operators of the network. This way - in addition to the cryptographic protections - it is made almost impossible that anyone will ever be able to track you through the SPN."

It sounds like it is a next-gen VPN service which addresses the shortcomings of the current VPN services by splitting the service into relays and exits, each with limited knowledge and each potentially operated by different parties.


CTO of Safing here.

Came back to answer the question and you beat me to it! Thanks!

SPN (Safing Privacy Network) aims to fill the area between VPNs and Tor. VPNs provide very little real privacy and Tor is (outside Tor Browser) very difficult to set up and configure.

In combination with the Portmaster (which is also a firewall), we provide superior privacy to any VPN and offer a 1-click install for software that you cannot misconfigure.

If you have any questions, please ask!


I'd really like to see more technical discussion of Safing's SPN idea and implementation (https://safing.io/spn/). If I've understood it correctly, it seems to be in line with the general trajectory of where Cloudflare is going with DNS privacy and Apple is going with its relay service.

It seems obvious that VPN services should be split into Relay and Exit services so that you don't have to necessarily trust a single company not to collect and sell all your internet traffic.


The SPN (Safing Privacy Network) aims to fill the area between VPNs and Tor. VPNs provide very little real privacy and Tor is (outside Tor Browser) very difficult to set up and configure.

Yes, you are correct, there are similarities there. Except of course that SPN is open source.

We do have a white paper: https://safing.io/files/whitepaper/Gate17.pdf

And YES! I'd love to see more technical discussion of the SPN too. So many things to unpack, to learn and improve.


From a DNS privacy perspective, ODoH (Oblivious DNS over HTTPS) seems to achieve this at protocol level, with interoperability between providers. While there are tunnelled VPNs (separate entry and exit), they always seem to be with the same provider. The iCloud private relay design appears to avoid this.

It would be interesting to see where SPN goes, and more on how it works, as you say.


It doesn't even define the acronym!


Sorry about that. It's "Safing Privacy Network".

