Question: Privacy implications of each person using their own YouTube (Google) API key

elliotwaite / thumbnail-rating-bar-for-youtube

A Chrome and Firefox extension for YouTube that adds a rating bar (likes/dislikes ratio) to the bottom of every thumbnail.

https://chrome.google.com/webstore/detail/youtube-thumbnail-rating/cmlddjbnoehmihdmfhaacemlpgfbpoeb

MIT License

250 stars 15 forks source link

Question: Privacy implications of each person using their own YouTube (Google) API key #19

Open Gitoffthelawn opened 5 years ago

Gitoffthelawn commented 5 years ago

What are the privacy implications of each person using their own YouTube (Google) API key?

When everyone was sharing a few keys, if people were not logged in to Google, then I think the most Google could track was the calling IP address (and browser fingerprint, if not obscured). If the user used a different IP address, Google could no longer track them.

With people all using their own YouTube (Google) API keys, it seems like it will be trivial for Google to track people across IP addresses.

Is this correct? Is there anything that can be done to prevent it?

elliotwaite commented 5 years ago

Correct. If you visit a youtube.com URL and have this extension enabled with your personal YouTude Data API key set in the settings, Google will receive an API request that contains both your API key and your IP address, so they will be able to associate the two. If anonymity is a concern, then you probably want to avoid using this extension with your own API key.

The only potential solution that comes to mind is if you could somehow set up your network settings to make all your API requests (requests for URLs starting with https://www.googleapis.com) get routed through a VPN or something, but I'm not very familiar with this area of knowledge.

FatOrangutan commented 5 years ago

@elliotwaite Have you considered using Invidio.us' API? E.g. https://invidio.us/api/v1/videos/aqz-KE-bpKQ?fields=rating

elliotwaite commented 5 years ago

@FatOrangutan Thanks for pointing that out, I hadn't heard about invidious before. I added the option to use their API by setting the API key on the extension's settings page to "invidious", however, because their API doesn't allow for bulk video requests, and you have to request the data for each video one at a time, it is much slower than the YouTube data API. However, this does add an alternative for people with anonymity concerns.

I also opened a feature request for invidious to add support for bulk video requests (https://github.com/omarroth/invidious/issues/936), which, if implemented, would probably make using the invidious API a very good alternative.

Thanks for the suggestion.

SolveAllProblemsRightNow commented 5 years ago

google doesnt care, g has way more than enough data, they dont care about you

did the steps
looks you dont need cookies on for this to work
looks like you dont have to be logged in
now i can see how much quota i use, curious