Is the OCR extraction performed in the client? If it's transferred to a server then people should be aware of this so sensitive data from documents/PDFs is not submitted.
> All uploaded images and the extracted text are deleted immediately
Until they are served with a subpoena for a particular client, or a sweeping subpoena to store everything forever, or the company is sold and the new parent has different values, or the company decides to mine customer data for advertising uses, or there's a bug in the software, or there's a long-lived cache of the data, or it gets into their backups accidentally or deliberately, or they don't keep the data but keep "just" the meta-data, or they do statistics or analytics before deleting the data, or they are hacked, or they simply change their minds.
In terms of privacy, even a non-free non-open-source local app with DRM or license management is better than a server app with a "strict privacy policy". With a good firewall setup, you can be pretty sure that the local app won't betray you.
"The best way to avoid privacy breaches is not to formulate a detailed privacy policy; it's to reduce your capabilities so that you're unable to violate anyone's privacy."
No, however the description of the plugin should make it clear data will be uploaded to a third party server for recognition so the user can make a choice about that.
I don't find that clear at all. And this is also important to non-developers.
Also, for nearly all documents I ever need to scan, if they're important enough to require scanning, they're important enough that a third party should have nothing to do with them.
The majority of exceptions to the above being, ironically, documents without text, sketches, doodles, etc.
Why did you end up going with a .space domain? We blocked that whole TLD because we were getting massive amounts of spam from it when it first came out.
That's one of the problems with cheap domains in the sub $5 range. Some gTLD registries (.space included) thought it was a good idea to offer them really cheap, but what they got were mostly spammers which puts you in a bad neighborhood.
> Why did you end up going with a .space domain? We blocked that whole TLD because we were getting massive amounts of spam from it when it first came out.
From your comment:
> I know spam is a hard problem, but I wish you wouldn't label me a spammer simply because of the TLD I chose.
The author is not "labeling you a spammer". They're simply stating a fact about their experience. And in fact, it doesn't even mention you.
I'm not taking offence nor am I taking it personally. I was hoping my tone was clear on that (i.e. "I know [you have reason], but ..." and "I wish ...", which is just an expression of hope). Sorry, if it came off as aggressive.
I only tried to highlight that they have, in effect, labeled everyone in .space (not just me, but me included) as a spammer.
It's heavy handed, but I understand there are sometimes pressing needs for quick solutions, like when having your mailboxes flooded with SPAM. Hence, the "I know ..." clause.
It's a deal breaker because THAT'S NONE OF YOUR DAMN BUSINESS, and that also goes for Copyfish. It smells fishy to me, and _promises_ never kept prying eyes away from secret documents. People who handle confidential documents should never use SaaS. It's an issue of trust, and Copyfish deserves none.
Okay, don't use it then. They make no claims of enhanced privacy and frankly it's unreasonable to presume a service such as this would do all processing locally unless you're paying a premium for that ability. Or did I miss the "Great for confidential documents!" banner? For most people's use-cases, this is not a concern.
There is simply no good OCR engine available that can run inside a Chrome or Firefox extension. The best available is Tesseract.js. And while this engine is fantastic as a project, its recognition rate does not come close to what is available server side.
Promotion - Yes.
Shameless - No. (This is what I think)
I am just curious. I sure love the idea of this extension. If I need to use something like this I at least know a handy extension for this now.
What is the business model of free extensions like these? Is it all spyware/malware?
It looks like many free extensions either have malware in them from the start or get sold to malware companies later on, who then deploy the malware via updates:
Why does everything have to have a business model? Sometimes people like to create things for the sheer enjoyment of creating things or they have an itch to scratch and think others might have the same need. Not everything is nefarious.
Exactly for the reason they said. The concern isn't that extensions are necessarily nefarious, but that people often want something in return for their work, which might be money by whatever means.
As is evident, what their "partner extension" does is in fact maliciously hijacking and replacing ad-space on websites visited by the user.
Strangely, searching for their name among the issues on GitHub does not show other such results. I guess they usually make contact directly and that the person at that company who filed this issue did not realize it would be visible to the public.
Here is the full text of the issue:
> Adnow is interested in byuiing your extension traffic #1
> Dear Kyong Tsu,
> My name is Anastasia, I am a manager from international advertising network Adnow.
> Extension traffic is a hot trend nowadays, and we are interested in buying traffic from Facebook Video Downloader extension and the others. We are ready to share an idea of monetization extensions with you and give you a method.
> We offer:
> * high payouts
> * 100% fill rate (we buy traffic from all over the world)
No need to use third-party extensions if you have a Google Cloud account. You can download https://github.com/kaneshin/pigeon and just run it from the command line; it protects privacy and is more secure compared to relying on third parties.
We need to evolve a grammar for describing privacy implications, because proper classification of this software would allow it to be marked as malware/spyware.
It is beyond irresponsible for Mozilla to do nothing to prevent this malware from being recommended on their platform.
It uploads everything to a commercial OCR service. Which provides these CPU cycles 'for free'.
Who owns this data? Do you have a privacy agreement with ocr.space? Can you trust them as far as you could spit?
It doesn't matter that this is documented though. Unless it had a popup banner EVERY TIME YOU USED IT saying "Your data will be sent to a cloud service for OCR, which may keep/index/sell your data without restriction."
I think you are going a bit too far with your requirement for a popup banner every time you use it. Do you expect a popup banner every time you click a link on a web page taking you to a third party website, because they are going to be able to run javascript code on your computer?
As long as the plugin is clear that they are using a third party service that will receive your images, I think it is fine to leave it at that. Not everyone feels that is a deal breaker, and they shouldn't be annoyed by a pop up just because their deal breaker is different than yours.
In reply to your first question, no, because it is my computer, it runs with same origin policy in the sandbox. And I've chosen to enable JS for that site. So it couldn't do what this extension does, which is cross site data transfer.
If the end user clicks the 'do not show again' checkbox on the message, sure. But it should still be graphically represented whenever you use an insecure cloud plugin, e.g. via an unlocked padlock sub icon if it doesn't use TLS, maybe a cloud sub-icon to represent someone else's computer.
A link shouldn't get a pop up but, if running JavaScript had required at least a one-time user approval for each individual script link from the day of its inception, the web would be a much friendlier place.
Do you really think so? I think in practice, if every website you visited made you click 10-50 pop ups the first time you went to the site, people would start to blindly click without reading, and it would be even easier to slip a malicious pop up request by a user.
While you might want to believe that a user would actually think about what they are accepting, reality is almost all don't. Even the more security minded people among us will start to get numb to the requests. Only the most paranoid would pay attention to all of them, and those people are probably already doing things that would make that sort of pop up redundant.
I think this is a very common trap we fall into, where we want to provide MORE warnings to people and let them use their judgement. However, there is such a thing as 'alert fatigue'.
In California, companies that produce carcinogens took advantage of this aspect of human nature; when California wanted to place warning signs about cancer causing substances, they realized they couldn't win the fight against the warnings. Instead, they fought for MORE warnings; they wanted warning signs for even very slight risk carcinogens. They knew that if the signs were EVERYWHERE, people would stop paying attention to them.
It worked. Basically every building in California has a warning that 'substances known to cause cancer or birth defects are present'. Since every building has the same warning, I have no way of knowing which ones are ACTUALLY dangerous.
No, I don't expect most users would care. Most users wouldn't care if sites could execute native code as root on their machine. I think, if there was a prompt, content providers that cared, even a little bit, about presentation would think real hard before introducing that prompt. The way it works now, providers very rarely think twice about adding it. And I think ad networks, trackers and all the other useless, JS based, user hostile tools of the web, would have a much harder time convincing site owners to drop in a snippet of JS when there were actual consequences for doing so.
However, I don't believe for a second, without some kind of law, punishable by death, a requirement like that would have lasted. It would take only one browser to default "Never prompt for permissions to run JavaScript". Typical users would flock to it (because sites would say they only work with it) and compliant browsers would have to copy to compete. Users ruin everything.
It could easily build a profile of everything you get scanned/translated. I don't know if it uses https, so maybe it encrypts, maybe everyone listening can see what you get scanned.
It is good that it isn't scanning everything, i.e. complete exfiltration, but that is a low bar. It leaks every time you use it.
There are a ton of these now. Google provides OCR as part of their machine vision API. AWS has similar with Rekognition. As others have mentioned, there are dozens of others on less well known platforms.
Actually, based on my tests, there are only a few good services:
Abbyy (best recognition rate but by far most expensive), Google Cloud Vision (second best recognition rate), Microsoft OCR and... our OCR.space service with a very generous free tier and a competitively priced PRO tier.
Like a9t9 said, ABBYY, Microsoft and Google offer this.
If your images however differ from the typical text document, recognition from those services will fail. OCR is highly dependent on the particular application and the kind of images that you're dealing with. Preprocessing and segmentation are very important.
If you need a custom solution, my email is in my profile.
Hmm, I've seen a few apps and extensions like this before. I think Project Naptha was a heavily advertised one that did the same thing a few years back.
But how's the accuracy here? Cause when I used previous plugins for this functionality, I often found they'd return gibberish if the text was even slightly ambiguous looking in image form.
How does it compare to the other plugins doing the same thing here?
The text on the linked page actually compares this to Project Naptha:
> For extension gurus: You might have heard of Project Naptha, a great addon that applies state-of-the-art computer vision algorithms on every image you see while browsing the web. Copyfish solves the same problem, but it takes a different user interface approach. It does not try to alter the website. Instead, it lets you mark the text in the image that you want to extract. As a result Copyfish works with every website, even videos and PDF documents.
Doing it yourself with Tesseract is pretty hard (time consuming, error prone). It's something I would only consider doing once my project was built, viable, and the costs of an API were an issue.
On my phone so I don't have a chance to give it a shot, but what I find has been most irritating in the past about OCR is the accuracy. If your extension has better accuracy you might call that out.
I saw the heading on HN and thought "I wonder if it works with Chinese".
I saw the first example screenshot on the page was a Chinese movie and thought "Great, it does".
I saw the enlarged version of the screenshot and the Chinese subtitles contain multiple mistakes: "Nice try, but maybe not so great after all for the use case I'd personally be interested in".
Well, at least this confirms that the screenshots are not manipulated ;)
The tricky part for the OCR in this example is the diverse background, as the Chinese characters are directly inside the movie.
Your comment is interesting, as the original motivation for creating the Copyfish extension was to help me watch Chinese movies. So I can confirm that for this purpose, it works fine. Of course, once in a while it gets some characters wrong but it works ok with many movies.
Here is a screencast of Copyfish doing subtitle OCR:
> as the Chinese characters are directly inside the movie.
Yep, same with TV shows, and soft-copies of transcripts are difficult to come by, hence my interest in something like this.
I just watched the video. When used on a video does it keep a history of all OCRed text?
Finally, you might also like to try posting this on http://www.chinese-forums.com If it mostly works well for TV and films, I'm sure there will be quite a few people there who are interested in it.
> Not yet - but this feature is already on my todo list ;)
Another interesting feature would be to do some sort of statistical analysis of Chinese text being OCRed and then combining that with possible characters suggested by the OCR. This would almost certainly prevent the mistake in the last two characters of the Chinese movie screenshot.
So, to answer the question mentioned above, the document storing the text is sent to an off-site server (https://ocr.space/) which does the OCR and returns the results.
I guess it auto defaults to English then? Running Tesseract on Scandinavian texts gives AAO instead of ÅÄÖ in my experience if you don't supply the correct language training set. That's quite the hen and the egg problem. Can't language identify without the text, can't get the text without the right language identified.
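
Added example, not part of the thread and not code from any extension discussed in it: the recurring question above is whether an extension can move what you select to a remote host, and an extension's manifest.json declares the hosts it may contact or read. The sketch below lists and classifies those host patterns; the sample manifest and the hosts api.ocr.example and legacy.ocr.example are constructed, and the function names and risk labels are this example's own.

```javascript
// Constructed sample manifest for illustration; not taken from any real extension.
const sampleManifest = {
  manifest_version: 2,
  name: "Example OCR helper",
  permissions: ["activeTab", "storage",
    "https://api.ocr.example/*", "http://legacy.ocr.example/*"],
  optional_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// A host match pattern is "<all_urls>" or scheme://host/path. Any other entry
// in "permissions" is an API name such as "storage" and is skipped.
const MATCH_PATTERN = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/;

function classifyPattern(pattern) {
  if (pattern === "<all_urls>") return { host: "*", risk: "all-sites" };
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return null;
  const [, scheme, host] = m;
  if (host === "*") return { host, risk: "all-sites" };
  // "*" as a scheme also covers plain http, so the transfer may be unencrypted.
  if (["*", "http", "ws", "ftp"].includes(scheme)) return { host, risk: "cleartext-possible" };
  return { host, risk: "named-host" };
}

// Returns one finding per host pattern, tagged with the manifest key it came from.
function auditManifest(manifest) {
  const findings = [];
  const add = (source, patterns) => {
    for (const pattern of patterns || []) {
      if (typeof pattern !== "string") continue;
      const c = classifyPattern(pattern);
      if (c) findings.push({ source, pattern, ...c });
    }
  };
  // Manifest V2 mixes hosts into "permissions"; V3 moves them to "host_permissions".
  for (const key of ["permissions", "host_permissions",
    "optional_permissions", "optional_host_permissions"]) {
    add(key, manifest[key]);
  }
  for (const cs of manifest.content_scripts || []) add("content_scripts", cs.matches);
  return findings;
}

console.log(auditManifest(sampleManifest));
```

A "named-host" finding only says where data can go, not what is sent or how long it is kept; that still depends on the operator of that host.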