
Duck Duck Go: Illusion of Privacy (2013) - awaisraad
http://etherrag.blogspot.com/2013/07/duck-duck-go-illusion-of-privacy.html
======
sfRattan
I think DuckDuckGo is unfairly singled out here. They do more than most
companies to protect privacy, and most of their users are specifically trying
to deprive Google of more feed for its data silo. Of course they can't protect
you from the NSA. Extremely few actors can.

If your threat model includes actors within the US Federal Government
(especially the intelligence community), run. Yesterday. That's a statement
about our times, not about any particular company.

The solution ought to be browbeating the US Government for unethical
practices, not browbeating a company that does privacy better than most, and
not as well as would be necessary to stand toe-to-toe with some of the most
powerful and far reaching organizations in the world.

~~~
ehsankia
I don't get why Google is always singled out either. When was the last time
Google leaked your data. As you said, very few actors can protect your data
from the NSA, so the next best thing is to have it protected from hackers and
leaks. Every other company out there keeps on getting hit left and right, but
for their size, Google is one of the only companies that has never messed up
with user data, and you know they are probably one of the most targeted,
especially by state actors such as China and Russia.

~~~
notenas2neon
>When was the last time Google leaked your data[?]

According to the State of California Department of Justice [0], the last
publicly acknowledged data breach from Google was March 9th, 2017. Before that
it was August 10th, 2016, and before that March 29th, 2016.

[0]
[https://www.oag.ca.gov/privacy/databreach/list](https://www.oag.ca.gov/privacy/databreach/list)

~~~
scarhill
According to the notification letters on that site, those three incidents all
involve Google employees' information being leaked by third parties, not
Google leaking users' data.

Here's a quote from one of them:

"We recently learned that certain hotel reservations made for Google business
travel were among the many reservations affected by a security incident
impacting a third-party provider’s electronic reservation system that serves
thousands of travel agencies and hotels. This did not affect Google’s systems.
However, this incident impacted one of the travel providers used by Googlers,
Carlson Wagonlit Travel (CWT)."

------
apatters
My beef with this article is that it's unreasonably reductionist to conclude
that DDG provides an "illusion" of privacy based on the fact that they're as
vulnerable to being targeted by the NSA as anyone else. The issue of privacy
is so much bigger than that.

If you use Google Search and someone obtains access to the data they have on
you, legally or illegally, they could end up obtaining many years of your
browsing history. If you use DDG they have nothing, and the most they can do
(as the article states) is start collecting your search habits from that point
onward.

I don't want huge companies to amass giant archives of data about me. There
are so many ways it can be abused by a multitude of actors. It's a selling
point to me when a service retains little or no information, and if it needs
to retain something, it requests limited permission in clear and simple terms.

------
pdimitar
The only conclusion I can make from this article is to avoid services hosted
in the USA but even that is not guaranteed to work -- having in mind that US
agents have been known to go abroad to request access to foreign companies'
servers. (They were even supposedly thrown out from Iceland once -- assuming
that wasn't a honey pot propaganda operation to lure people to host stuff in
Iceland, of course.)

What's left for the people who aren't criminals but don't like being spied on?
PGP and keys that are exchanged physically, by hand?

If somebody can physically spy on the infrastructure cables that your traffic
goes through, will SSL protect you? As written in the article -- no it will
not, because the certificate can be obtained, even if it takes some time and
strong-arm effort to do so. But when a country can order you to give up
private keys and keep quiet about it, really, what can you do?

At this point, full decentralization, mesh networking and something times
better than Tor encoded in 100% of the network code seems to be the only way
out. Maybe a combination of IPFS and FreeNet, full packet-level encryption and
keys that expire in 1 minute and are auto-generated for every transaction?

~~~
stinkytaco
I've argued here at HN before that I don't think this is a technological
problem, but a social one. There is nothing that stops a powerful enough actor
from breaking encryption with a rubber hose, except for a strong stigma
against that kind of behavior. We need to give digital privacy the same social
protection. The other problem with making a purely technical solution is that
you leave out people who are not capable of using that solution because they
do not have the resources, education or capability.

~~~
fiatjaf
Solving the problem with technology is 1000000 times easier than solving it
from the "social" side.

~~~
confounded
Is it? For who?

Do you think people's data would be more secure at the border if

- You kernel-hacked iOS so that it booted into a vanilla account upon entry
of a certain passcode, and encouraged people to install your hack from GitHub,
potentially borking their phones

- People couldn't be compelled (or face being denied entry) to allow search
of their electronic devices

?

What about trying to do everything via a VPN and spoofed UA strings vs. PII
being banned from sale, heavily taxed, or a meaningful opt-out existing? Or
even just DNT having a legal basis?

~~~
blfr
_Is it? For who?_

For HN readers. And probably in general.

As for your questions, I would definitely like to first use software which
doesn't compromise my privacy and security and only as a very distant second
have some bureaucrat who would maybe in the best case scenario fine a company
which leaks my data.

The vote I cast by running a Tor relay is much more meaningful and valuable
defence of privacy than a vote in the general elections. By orders of
magnitude.

~~~
confounded
Don't get me wrong, I'm all for using technology to preserve privacy.

> _The vote I cast by running a Tor relay is much more meaningful and valuable
> defence of privacy than a vote in the general elections._

I kind of agree, but, not if the new leader outlaws using Tor tomorrow, as
they have in China and Iran, and are attempting to do in Russia and _France_.

> _bureaucrat who would maybe in the best case scenario fine a company which
> leaks my data_

You may be selling the power of legislation short. It has the power to
entirely transform the default business model of the Internet away from
surveillance capitalism, for example. In terms of privacy, this would
eliminate entire classes of "threat".

We frequently under-estimate our power as technologists to influence these
things; we have very much more than a single vote. The narrative of
'technology' in the media is almost entirely that of billionaires and spies,
and the media are gradually starting to realize that they're being led along.
Getting the voice of technologists to explain the societal impacts of
technology policy is a problem that we need to identify with as a group.

------
kasbah
Recently I have been using the free and open source Searx more and more
(admittedly mostly using the !searx shortcut from DDG). Results seem better
than DDG sometimes. Would be interesting to try and host my own instance or
write something that picks a random public instance.

[https://asciimoo.github.io/searx/](https://asciimoo.github.io/searx/)

~~~
KGIII
Along that same line is YaCy.

[https://yacy.net/en/index.html](https://yacy.net/en/index.html)

~~~
kasbah
I think YaCy didn't give me very good results last I tried it. It's not a fair
comparison, as it has been a few years for sure, but if I had to guess then I
would say that Searx, being just a search engine aggregator (it doesn't do
crawling), gives better results.

~~~
KGIII
I tried it last about six months ago. It was a marked improvement over what it
was a couple of years prior. I like that it is decentralized and stores no
private data. To me, the decentralized part is important. But, I'm not sure
I'd say it's ready for prime time.

With Searx, you still need the regular search engines. I suspect that your
traffic can still be identified, say through timing requests or from piecing
together behavioral data. I haven't really dug that deep to investigate the
risks.

I will give it a shot tomorrow, just to try it out. I've seen it in passing
but you're the first person I've seen, in the wild, that uses it. I'll give it
a test run.

------
alsadi
To be fair, here is the CEO's response, quoted:

Hi, this is Gabriel Weinberg, CEO and founder of DuckDuckGo. I do not believe
we can be compelled to store or siphon off user data to the NSA or anyone
else. All the existing US laws are about turning over existing business
records and not about compelling you to change your business practices. In our
case such an order would further force us to lie to consumers, which would put
us in trouble with the FTC and irreparably hurt our business.

We have not received any request like this, and do not expect to. We have
spoken with many lawyers particularly skilled and experienced in this part of
US and international law. If we were to receive such a request we believe as
do these others it would be highly unconstitutional on many independent
grounds, and there is plenty of legal precedent there. With CALEA in
particular, search engines are exempt.

There are many additional legal and technical inaccuracies in this article and
I will not address all of them in this comment. All our front-end servers are
hosted on Amazon not Verizon, for example.

~~~
asmdev
Here is the link to the CEO's response for those interested:
[http://etherrag.blogspot.in/2013/07/duck-duck-go-illusion-of...](http://etherrag.blogspot.in/2013/07/duck-duck-go-illusion-of-privacy.html?showComment=1373764601583#c337630469341123253)

~~~
justin66
The amount of unearned confidence the author of the blog displays in his reply
is kind of embarrassing. "I read a CNET article once that contradicts what
you're saying!"

He created that blog account just to write that article and it's the only one
up there. Stuff like this makes me wonder what motivates some people.

------
feelin_googley
Like Google, by default DDG tracks what results the user clicks on. URLs are
prefixed with a DDG URL. Users' HTTP requests are forwarded through DDG
servers.

By default, DDG "lite" does not set cookies or use Javascript. However, if the
user wants to change the default "settings" (HTTP has no state so this is a
fiction), then AFAICT she has to enable Javascript and accept cookies. Privacy
conscious users do not want Javascript or cookies.

DDG could achieve the same result by simply providing an alternate URL,
something like /lite2 in addition to /lite.

Whether DDG saves this data I have no idea. But one has to wonder why, if
privacy is a goal, DDG is collecting it to begin with.

If DDG believes it is doing this for the benefit of users, it is not
convincing because there are alternative ways to achieve the same benefit that
do not require prefixing URLs, Javascript or use of cookies.

For example, browser settings already allow the user to control HTTP Referer
headers, assuming queries were submitted using GET. The user can change the
settings in the browser so that no referer is sent, or to send a custom
referer of her choosing.

Another example is if DDG accepted queries via POST method in addition to GET.
No search terms would be leaked in the URL or in any HTTP referer.

~~~
tagawa
DuckDuckGo staff here - just want to clarify a couple of points:

* We don't track result clicks. URLs are no longer prefixed with a DDG URL by default except for old browsers (although this is controllable in the settings: [https://duckduckgo.com/settings#privacy](https://duckduckgo.com/settings#privacy) ), but even if this is in effect we don't store which sites users visit. We started stripping search queries in referrer headers in 2010 and you're right, current web standards make it possible to do this without us having to redirect through our own servers.

* We have an alternative non-JavaScript URL - [https://duckduckgo.com/html](https://duckduckgo.com/html) - which tries to offer a fuller search experience than the minimalist [https://duckduckgo.com/lite](https://duckduckgo.com/lite)

* Cookies are used to store settings but if users prefer to block them, preferences can still be "saved" by using URL parameters, listed here: [https://duckduckgo.com/params](https://duckduckgo.com/params) These can be used either to form a local bookmark/start page or anonymously in the cloud with a password only (no username or other data).

> But one has to wonder why, if privacy is a goal, DDG is collecting it to
> begin with.

I'm not sure which data this is referring to but we don't collect or share
personal information. There's more on this in our privacy policy:
[https://duckduckgo.com/privacy](https://duckduckgo.com/privacy)

~~~
tagawa
I forgot to add that we do accept POST request queries as an alternative to
GET, again from the settings.

------
belorn
Most of the points are arguing that NSA could compel the company Duck Duck Go,
Inc to install equipment and then forbid the company from disclosing that
fact.

Doing so does carry quite a bit of political risk. There have been quite a few
lawsuits from EFF and ACLU in regard to doing so, and as the comment from the CEO of
Duck Duck Go says in the comment thread, all existing cases have been about
turning over records. Going the extra step of compelling people to install
hardware and keeping the operation going would be a further step.

I doubt ddg is currently worth the political risk. There are likely much easier
targets to attack first in order to get 100% of the world's search data.

*down votes? Explanation?

~~~
pmoriarty
I'm not sure if they really need to compel DDG in the first place.

I know if I was a three letter agency, I'd start a "secure" service like DDG
myself as kind of a honeypot.

Not that I'm saying that such an agency is actually behind DDG -- I have no
way of knowing. But I would be very surprised if a large number of services
promising "security" and "privacy" weren't run by such agencies or their
agents.

That's why I believe that frequent, independent third-party auditing (by
multiple trusted groups like the EFF) would be necessary to gain any kind of
confidence in such services. Even then, it'll be no guarantee that they're not
compromised, but it would just make such compromise significantly more
difficult and less likely to be effective.

~~~
belorn
While that is always possible, I think it's more plausible that they then
simply buy out key companies rather than found a bunch of new companies in
hope that one will succeed. The question then is, what is the likelihood that
NSA is the secret owner and operator of Microsoft, Apple or Yahoo, which each
would likely be the cost effective choice if one wanted access to all search
queries done on the Internet.

Independent third-party auditing is useful. There is the occasional fund
raising for auditing of software (Truecrypt comes to mind), but I don't recall
hearing one about search engines.

~~~
pmoriarty
_"I think it's more plausible that they then simply buy out key companies
rather than found a bunch of new companies in hope that one will succeed."_

How many new search engines were focusing on privacy and security as their
main differentiator from the competition?

I know of only one: DDG

~~~
belorn
Here is a meta article with the clicky _5 best search engines that respect
your privacy_ with the lesser clicky official title: _Privacy Search Engines
2017 Group Review_:
[https://www.bestvpn.com/privacy-search-engines/](https://www.bestvpn.com/privacy-search-engines/)

[https://en.wikipedia.org/wiki/List_of_search_engines](https://en.wikipedia.org/wiki/List_of_search_engines)

That list is long and shows that quite a few people have tried
to get momentum in the search engine space. Would be interesting if anyone did
a meta study to see how many use the words "security" and "privacy" as
marketing to gain users.

I think we should also include open source search engines and p2p, since if
NSA developed them they could build backdoors in them. Most of them seem to
have "privacy and security" as explicit goals.

------
mighty_bander
Recently I had a series of unfortunate plumbing mishaps at my home that set me
back a bunch of money. I did very minimal google searching (just confirming
the spelling of the plumber's name), but ads offering emergency home loans
have started popping up in my browser.

If I can go to a search engine that doesn't sell the fact of possible
financial problems to whatever loan shark is willing to pay the most to get to
me, I see that as a win.

------
runningmike
Privacy requires full transparency. Where is it documented with what FOSS
software DDG works, and where can I find trusted audit reports?

~~~
hdhzy
Even if they were completely open source how would you verify that they are
using the same software on their servers? That the hardware is not
compromised?

Audit reports? How trustworthy are they if Symantec was able to provide good
reports for such a long time for their certificate issuance when things were
clearly not ok.

~~~
fghtr
For example if they used AGPL software, it would be much harder for them to
cheat. But you can never get 100% confidence.

------
bad_user
Duck Duck Go is a company that I want to succeed, as they are clearly making a
stand on user privacy.

However it never made sense to me why people would use those DDG bangs.

I mean privacy is the main selling point, so why in the world would you send
the searches you make on other websites to DDG, when the browser is perfectly
capable of being configured for "_search keywords_".

In Firefox, go to amazon.com (or any website you want), right click on their
search bar and select "_Add a Keyword for this search..._". Add "_!a_" or
whatever you want. There, you've got your own bangs.

~~~
dredmorbius
Not all browsers are configurable to search keywords (particularly on mobile).

DDG is consistent across hosts / browsers / OSes.

DDG maintain (and fix) the bang searches as they break (which ... happens).

I appreciate being able to !bang away in my Android browser(s) navbars. There
are other options. Surfraw (a Linux CLI utility) is an example, though my
problem is that 1) I can't remember the aliases and 2) they interfere with
other commands I use (there are ... a _lot_ of surfraw elvi).

------
jerheinze
If you're worried that DDG may log your IP you can simply use it with the Tor
Browser (it's the default search engine) or use their onion service
([https://3g2upl4pq6kufc4m.onion/](https://3g2upl4pq6kufc4m.onion/)) for
increased security and anonymity.

~~~
jacquesm
Tor is _far_ from perfect and there are several ways in which one could
connect traffic at some endpoint with a user at a specific IP. Do not rely on
Tor if you _really_ want anonymity.

~~~
wolco
Tor offers a layer of protection. It is possible to stay anon on Tor.

~~~
jacquesm
> It is possible to stay anon on Tor.

That is an extremely dangerous statement to make and one I do not agree with.

Keep in mind that:

- you will have to trust that a large chunk of the nodes is not in the hands
of someone that you count as your enemy

- that even if your enemy is not in charge of a substantial part of the
network they may still be monitoring entry and egress and that that alone can
be enough to figure out who is talking to who

- that any data present at egress that can be intercepted might still reveal
who you are

So no, Tor is not 100% secure and it is very well possible that even if you
use Tor your identity will be connected with some activity or even all of your
activity while using the network.

~~~
fish_fan
You didn't actually disagree with your parent comment. It is possible to be
anonymous on TOR. It does not come for free.

~~~
jacquesm
Well, if you want to trust your anonymity to luck or not being monitored then
yes, you can be anonymous on Tor. But that's little comfort. It's possible to
cross a highway blindfolded too. But it isn't smart to do so and it is even
less smart to assume that it will always work just because you can't see the
danger with your silly blindfold on.

~~~
fish_fan
Thankfully, none of your assumptions are true if you consider TOR one part of
anonymity as your parent comment did.

Not to mention, you conspicuously avoid comparing degrees of anonymity.
Obviously TOR is better than SSL, which doesn't provide any anonymity.

~~~
ZenoArrow
If you use Tor as part of a group of privacy measures then you can protect
your privacy online, but it's useful to know what the potential weaknesses of
Tor are so you know what other measures to take.

------
indefenseofddg1
The issues brought up in this post apply to every single service operating
online, and it only applies to DuckDuckGo in any special way because of their
increasing size. This includes "client" encrypted webmail and similar
applications: they can be forced to deliver malicious JS that gives up your
keys, or the JS client delivery can be MitM'ed.

Many people seeking enhanced privacy from DuckDuckGo are seeking privacy _from
Google_, not from state actors. For that, you'd need additional measures like
Tor, for which DuckDuckGo provides a convenient .onion service. Even if DDG is
secretly tracking all our searches, they have less data to correlate it with.

My current privacy complaint on DuckDuckGo, combined with browser search UI
issues (looking at you, Chrome) is over the !bangs. If you're doing "!w
[sensitive topic]" instead of tabbing to Wikipedia search in your browser and
searching that way, you're risking DDG or anyone who's compromised DDG seeing
your Wikipedia searches, when the search should go straight to Wikipedia,
Twitter, Stack Overflow, and so on.

~~~
kilceem
DDG has [https://DuckDuckGo.com/lite](https://DuckDuckGo.com/lite)

For non js. There are of course other vectors and many not even search engine
dependent.

~~~
tagawa
Thanks for that. We also have
[https://duckduckgo.com/html](https://duckduckgo.com/html)

(Disclaimer: DDG staff)

------
patkai
I use Duckduckgo because I don't like monocultures.

~~~
whipoodle
Very noble.

------
fghtr
I am participating in a peer-to-peer search engine based on free software,
[http://yacy.net](http://yacy.net). But I am not sure it can save us from
NSA... We have to take political steps against them anyway.

------
cyphunk
comparison of using DDG vs Google over tor is enlightening (GIF):

[https://twitter.com/cyphunk/status/849615910545620992](https://twitter.com/cyphunk/status/849615910545620992)

~~~
dredmorbius
Google's anti-bot measures DoS the service for me rather frequently.

(Perhaps I am a robot?)

------
Sidious
Collecting meta-data is not benign at all, it's trivial for the usual suspects
to de-anonymise, and profile based on browsing habits.

Fat protocols should marshal the true web 2.0 along with DAOs.

------
bitmapbrother
So does DDG produce a transparency report and if not then why not?

------
wakkaflokka
This is something that's always been fascinating to me. In any thread about
privacy, there's always a comment along the lines of "if your threat model is
a nation-state, then you're screwed." You hear it about DDG, Tor, client-side
but web-delivered encrypted email, etc.

What if your threat model is a nation state? What's the proper way to ensure
your privacy _that does not require abstaining from the internet_? Is a high
degree of privacy even possible?

~~~
jokoon
Privacy from the state never really existed, even before the internet.
Paperwork always allowed the state to know things. Information has always been
power, and information is an important tool for governments so they can be
able to work. I think it always has been.

I'm more worried about privacy from private interests. The issue is what the
governments do with data, and if the government lets private parties access it,
and where do you draw the line between the government having right to access,
and companies being allowed to access it, because you will often have
situations where things are not clear.

To be honest I will always have a problem with the whole privacy/surveillance
debate, because there are things the government should know, but only because
it is the government. Private companies are now able to track people and
have the same kind of data the government has.

So there is a big nuance, and it is often shut out by the outrage, which
frankly comes from a libertarian agenda, which I have a problem with.

------
known
I wrote my own search engine and am using it. Not very difficult.

~~~
ZenoArrow
Is it a proxy to other search engines or do you search your own database of
websites?

~~~
known
Sorry for the delay in my reply.

I search from my own 1GB database; it covers 80% of my needs.

~~~
ZenoArrow
Interesting. Thanks for your reply.

