I've long deleted my Facebook account. Tried LinkedIn recently, thinking it won't suck much time and will be a bit more privacy-respecting than Facebook and the like -- but boy was I wrong. I found LinkedIn more aggressively attention- and details-grabbing. I felt that it nags us to comment on others' posts and update our profiles recently. The e-mail notification frequency was so high that I thought to delete the account right away but then found out that we can turn it off selectively. I don't know the plight of Facebook now but it shows us even more reasons to glue to our profile/upgrade to the premium plan like "You've been searched X times this week". The more data and attention they get, the more they can make from premium accounts. It's no better than Facebook and such from these two perspectives (attention and privacy).
> For example, when you do a search on Ecosia we forward the following information to our partner, Bing: IP address, user agent string, search term, and some settings like your country and language setting.
So when a search is done, our IP address is sent to Bing.
I really love the idea of planting trees from profit, and have nothing against Ecosia. Just commented to inform readers.
<edit>
Before getting downvoted into oblivion, I would like to make it clear that I'm not saying Ecosia is unethical or that everyone should stop using it because of this. For some it matters, for some it doesn't, and Ecosia seems a great choice for those to whom this doesn't matter. I'm just posting it so that those who do care (about their IP being sent to Bing) can be aware (since I wasn't for a few months).
</edit>
I'm a strong advocate for digital privacy and opposed to the majority of data collection that occurs, but this comment is FUD. None of the info that you listed would be private if you used Bing normally, so if you're worried about them having that info you'd need to stop using search engines altogether.
>So when a search is done, our IP address is sent to Bing.
Explain why you believe that's a negative? If you use Bing normally they would know your IP as well
>user agent string
Again, using Bing normally will allow them to see this information.
>search term
Obviously required to be sent to bing
>some settings like your country and language setting
Again, this is information that would be available to Bing if you use their service normally
>Explain why you believe that's a negative? If you use Bing normally they would know your IP as well
I'm a bit uncomfortable letting Microsoft associate my IP with what I search daily. I use GitHub and LinkedIn and most of the time I'm logged in to at least one of those services. Now I don't know for sure if Bing associates these searches to my account based on the IP (someone can shed some light on this?). StartPage and DuckDuckGo both use third party searches but they don't share user IP (https://support.startpage.com/index.php?/Knowledgebase/Artic...)
For other details like search term, country etc... I absolutely understand that they need to be sent. I just quoted them as a sentence.
If it wasn't for the IP sharing, I would be a happy Ecosia user :)
I definitely understand the desire to not have one's IP tied to their search history/browsing in some cases, but as this service makes no mention of being an anonymous or private search engine I don't think your critique is an actual issue with the service. Your use case simply doesn't match the purpose of this search engine.
You're right, privacy is not their selling point. But they do have many phrases like "We don’t store your searches permanently" and "We don’t sell your data to advertisers" on their website, which are technically true but I misunderstood that they don't store my IP either because of those. I came across the text I quoted in the parent comment months later when I came across a thread in r/privacy and I passed it on. StartPage and DuckDuckGo still make money from ads and don't share user IP. It would have been great if Ecosia functioned similarly, and in that case many people like me who are concerned about sharing IP with Bing (or other services) can join Ecosia for search.
I would assume they send the IP so that Bing will return location specific search results for weather, local businesses and such. I see no reason to assume malicious intent.
What’s stopping them from performing an offline IP location lookup and requesting location specific search results without sharing the IP with Microsoft?
Yeah, their documentation is dreadful, but they could just append loc:countryCode to the query before making the API request, e.g. ‘attractions loc:dk’. At least that works for me despite some people mentioning this filter is no longer supported.
Not sure how DDG and other search engines that rely on Bing do it, but it’s certainly possible without sharing the users’ IP with Microsoft.
If anyone is wondering why they send Bing the IP address, it's most likely because the Bing API uses the searcher's IP address if you want location specific search results like weather, local restaurants, etc.
> Results are customized to the location or market of the user. The location or market can be determined implicitly (via IP address) or configured explicitly.
> We don’t create personal profiles of you based on your search history. We actually anonymize all searches within one week.
> Many web services collect user data in order to sell it without asking your permission. We don’t sell your data or your searches to advertising companies.
> We protect your searches from potential eavesdroppers with a securely encrypted connection. This way we make sure that nobody between you and us can see your searches.
If they’re just handing everything off to Bing wholesale, are these quotes either misleading or straight up lies? The first one I’m confused about with the “anonymize all searches within one week”. I don’t know what that means. The second seems like Bing could still do those things. And the last one would be a lie considering Bing can see it.
I absolutely agree that they should be criticized for it, or at least explain their deal with Bing. If one can trust Google not to create ad profiles from Google Analytics data, one can also trust Bing to not use Ecosia data to build user profiles. But for that to be a trust decision, we'd need to know whether they actually have any such deal with Bing.
> And the last one would be a lie considering Bing can see it.
How would that be a lie? They protect from eavesdroppers, as in someone intercepting the connection and trying to extract data being transmitted within a system. Bing is part of the whole system, not a third party trying to eavesdrop.
Finally, they say they don't allow anyone between you and them - which is different from allowing between them and a third party, but I'm sure they would use an encrypted connection even when communicating with Bing.
That’s true. I guess I jumped the gun on that one. However, “nobody between you and us” still feels disingenuous because you have to dig quite a bit to find out that they use Bing on the backend and then leave concluding that “us” also includes Microsoft as the responsibility of the user. The average user isn’t going to make that connection because they’re not likely to be reading through the privacy policy or digging through the FAQ to discover they use Bing.
I think their page touting “privacy” should clearly indicate that they use Bing and that your privacy is ultimately beholden to Microsoft, not Ecosia, especially since Ecosia is happy to send unique identifiers to Bing for personalized search results as default.
It feels like a deft move to offload their own responsibility to then be able to tout privacy as a selling point because they themselves don’t do anything with your information, Microsoft does.
Their value proposition is planting trees and not privacy. They get a cut of the Bing ad revenues and a cut of that is invested in trees. It's a simple model. I learned about it 1-2 years ago and was expecting more of these ‘feel good’ labelled search engines.
Which search engine are you using now instead of Ecosia?
I'm much more comfortable giving some information to Microsoft than giving more information to Google so they can add it to my profile they already have.
It is not. I've been using DuckDuckGo before switching to them, for me privacy is a big deal. When I first saw Ecosia, I thought it was similar to DDG in terms of privacy (probably because they had pro-privacy phrases).
I know it's not a problem for most, especially if they are using search engines like Bing or Google. And I believe it's better to use Ecosia than using say, Bing or Google.
The 17-year-old bug linked in the article seems to be fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=141061
The problem proposed in the article is that a local HTML file can access other local files. But the linked (and fixed) bug can be used to remotely exploit the user.
There are many easy to use libraries specific to different languages (like https://www.phpcaptcha.org/ for PHP) and frameworks. These are not as secure as reCAPTCHA, but in most cases do the trick.
There are also services similar to reCAPTCHA like Solve Media and hCaptcha. I believe hCaptcha is a drop-in replacement (https://hcaptcha.com/docs).
> "If you have a Google account it’s more likely you are human"
So, in the future if we don't keep signed into our Google account (and let Google know every article we read and every website we browse), we'll be cut off from half of the internet or even more.
The amount of control a handful of companies have over the internet is suffocating to know!
https://hcaptcha.com/ seems to be a viable alternative. If you are a developer, please consider using something other than reCAPTCHA. Not only is it annoying, but a privacy nightmare as well.
No, it is similar to reCAPTCHA -- users select pictures for a given description. In case of reCAPTCHA, the work is free labor to Google whereas in this case, it is paid to the site owner.
If you have a brand new dataset, couldn't bots assess the first few thousand images randomly and get through (since there is little or no basis for what is an accurate selection)? And if they do, how would that affect future real human selections (assuming it learns over time what selections are accurate)?
Another concern is that it's very likely that Google's existing Cloud Vision ML could handle most classification challenges your clients are trying to train (since you're basically working against a much wider-deployed mechanical turk dataset, reCAPTCHA). High-profile websites (such as ecommerce sites) may have attackers (such as those with stolen CC's) willing to spend the money needed to run all of your images through Cloud Vision. So I guess my question is: are other data points collected to prevent bots from getting through?
I would understand if you can't answer some of these as they may fall under "trade secret" territory.
I work on bot detection, so I should be careful not to leak all of our approaches; email me at amir@imachines.com and we can have a more in-depth offline conversation.
Since our captcha provides an opportunity for website monetization, we expect different uses aside from just bot detection, for example as a replacement for the "disable ad-blocker" popup or replacing paywalls with micropayments. This means there will be a broader set of users who are not strictly focused on attacking our dataset and polluting it with bad results. This allows us to have a confidence model initially based purely on the site.
Having a state-of-the-art AI is table stakes for a captcha product. We already run our datasets through visual recognition systems and run our captcha with an AI model-in-the-loop. In beta now, we offer websites under attack offline bot data in the background, currently as a batch report, and soon as a webhook. This approach has a game theoretic advantage of not leaking results to attackers, and allows us to run non-causal analysis of different attacks over a wide period of time. By combining this approach with a variety of rotating challenges we can identify patterns of behavior consistent with bots as they continue their attack strategy against only the mix of challenges they have seen.
There are also services where you can pay for people to solve captchas for you and this is a different sort of attack from bots, since they are in fact humans signing up for hundreds of accounts. If your goal was to prevent fraudulent signups, or to host a give-away for example, then we can have days of time to perform an extensive analysis offline, and perform an epidemic analysis of the traffic.
Thanks, I work on hCaptcha; we are hoping to provide an unbiased bot-detection system with different incentives from an advertising company. Let me know if you have any questions.