Privacy concerns with 3rd party data API providers

[hondogitsune]

I have noticed connections being made to a new domain: returnyoutubedislikeapi.com

Whilst I reviewed your change to a new data provider to be able to show dislikes, and don't find anything particularly worrying about it at the current time, I don't feel comfortable about it in the long term use.

Past experience showed that despite promises, extensions and their data sometimes get sold: https://www.businessinsider.com/evidon-sells-ghostery-data-to-advertisers-2013-6

Whilst I am not making a pretrial judgement about the new data API and its operators, it is within the realm of possibilities. And we can discuss it for a minute if you feel like.

Their current reasoning is they have old dislike data before the YT v3 api removed the dislike field from their calls.

What point am I making? It is simple: Even though more prone to errors, I'd prefer an additional option not to use this 3rd party service and use a local JS solution in the addon to estimate the like to dislike ratio.

For videos to be uploaded in the future no old data can exists pre-shutdown of the official API field. So my argument here is, that all future youtube videos would only run a mere guess based on view-to-like ratio anyway, which can be implemented locally.

I'll continue to use the new service in the meantime, but for understandable reasons, long term I'll have to make a decision to opt out if there is no local solution. I want to limit 3rd parties from also having my view history. It is only contemporary to be concerned about data reduction and data economy.

Thank you for hearing me out.

[sup2069]

I feel the same way and came here to see if others agreed. I will be watching this closely before updating.

[elliotwaite]

Understandable, thanks for the suggestion.

Just to be clear, the only data that is currently being sent to returnyoutubedislikeapi.com is the video ID of each thumbnail that is shown on any YouTube page you browse, along with the standard data sent along with an HTTP request, such as your IP address (unless you're using a VPN for location spoofing) and the user-agent data for your browser (e.g. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36).

Also, while the Return YouTube Dislike estimates may currently be based only on past data, in the future, they may also be able to incorporate a limited amount of current data. For example, they may allow creators to sign up to voluntarily share their channel's dislike data. Also, they may collect the likes/dislikes of the users that use their extension, which could be used as a sample of the actual data even for new videos.

Also, I don't think a local-only option would be possible since I would think a request to some API has to be made to at least get the likes data. However, the YouTube Data API could be used for this as it was before, but this would require users to set up a personal YouTube Data API key to use this option. This is another benefit to using returnyoutubedislikeapi.com over the YouTube Data API, it doesn't require an API key, which simplifies the extension.

There is also another issue open about adding a Likes-to-Views option (https://github.com/elliotwaite/thumbnail-rating-bar-for-youtube/issues/56), so maybe if some kind of Likes-to-Views option is added, then there could also be an option that would let users choose between which API to use for it, the Return YouTube Dislike API or the YouTube Data API.

[hondogitsune]

The IP would often be enough for a company, in the second example here: https://www-kuketz--blog-de.translate.goog/tracking-durch-identitaetsprovider/?_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=de core_id is a high entropy hash, identical in two different browsers with fresh sessions. This is just an example how much a company would profit from buying such a service. Youtube watch history could be highly interesting for marketers.

I know your addon is safe and https://returnyoutubedislike.com/ is likely safe as well, the latter for some time. However they provide no privacy policy on their webservice as they need in compliance with the EU's GDPR and the Californian CPRA, as a user stated in the 2nd addon's comments.

Also, I don't think a local-only option would be possible since I would think a request to some API has to be made to at least get the likes data.

Local in terms of performing the same estimate that returnyoutubedislikeapi.com says they perform on videos that have no historical data points before the shutdown of that API field.

I am speaking of trying to avoid 3rd parties, not to make a point against Google or Youtube. I enjoy their free API and their clear privacy policy public for everyone. This is strictly speaking long term and hypothetically: What if the returnyoutubedislike addon may be sold in the future? How long do they log IPs and the associated youtube IDs of their users?

I have the highest respects for either you @elliotwaite and the developer of returnyoutubedislike. However it would be nice to keep this strictly an exchange of data with Google owned services, as Google knows anyways what Youtube movies I watch.

An estimated dislike count can totally be calculated locally from view-to-like-ratio with the new limitations of the official Google API. It should not require a 3rd party. I respect their work for saving datapoints of old videos in the time before the shut-down.

It's a proposal and no priority, I am speaking in dimensions of months for an option in the menu à la: [x] Calculate dislike estimate locally (Google API only), which is the only option anyway for videos uploaded past the 13th December 2021.

Just thank you for your addon, no matter how you decide on this subject! Right now there is trust on my end for this 3rd party service. I just don't expect people to offer such a service for free in the long run. Unless donations make it a profit.

Even acme.sh was eventually sold. Which came to me as a slight shock when the certificates were by a different company out of a sudden, rather than letsencrypt. https://community.letsencrypt.org/t/acme-sh-failed-twice-since-zerossl-bought-it/165663

Anyway, long rant over. I value your openness towards my opinion!

[elliotwaite]

Sounds good, understood. I'll try to figure out the likes-to-views option first.

[hondogitsune]

Sounds good, understood. I'll try to figure out the likes-to-views option first.

Thank you lots, because I think I'm already getting rate limited, especially when refreshing large grids like all uploads on a channel. Unexpected popularity of a free service easily leads to bottlenecks :)

[elliotwaite]

I'm going to have to delay working on this for now. Some other important projects have come up and I'm time is currently limited. But if someone else wants to submit a PR for this, I'd be open to reviewing it. And maybe I'll have more time to work on this in the future.

[hondogitsune]

I feel you, coding in ones free time and unpaid should not take up too much lifetime. Whilst I cannot help with a pull request, I give it some thought. Perhaps returnyoutubedislike will open up their backend code some day (their algorithms for guessing dislikes) and even share the DB.

[hondogitsune]

¯_(ツ)_/¯