
DuckDuckGo: illusion of privacy? - ziodave
http://etherrag.blogspot.jp/2013/07/duck-duck-go-illusion-of-privacy.html
======
glurgh
_If you are specifically targeted in an investigation [...]_

The purpose of services like DDG is to reduce the amount of casually
collected, personally-identifiable private data you might be strewing about -
data that might potentially be recovered and might potentially be used against
you or used in ways that you don't like.

If you are specifically targeted by an investigation, a law-enforcement agency
like the FBI, armed with probable cause and warrants can tap your phone,
search your house, track your location, log your keystrokes, etc, etc. DDG
can't help you there, you'd also be vulnerable even when using a service
provider which really doesn't have access to your data, like tarsnap. DDG is
not going to magically protect you from targeted (and perfectly legal,
civilian, non-NSA-related) surveillance if you happen to have the bad luck of
being a subject of such an investigation. It's a silly standard to hold any
service provider to.

~~~
brown9-2
Were these features of DDG ever its _purpose_ or merely an incidental
feature?

~~~
superuser2
It was supposed to be Google except with privacy.

------
beloch
1\. Since the U.S. government has given itself both the power to compel U.S.
corporations to spy for them and the power to prevent them from revealing
this, we can't take the claims of any U.S. corporation at face-value.

2\. DuckDuckGo is a U.S. based company.

~~~
blumentopf
Problem is, even if DDG would be hosted in, say, Europe, the NSA would still
be able to snoop on the traffic. As has been recently revealed, the German BND
may siphon off up to 20% of the traffic at DE-CIX (Internet exchange in
Frankfurt) and on average siphons off 5% [1]. The BND closely cooperates with
the NSA. As we've seen in the last couple of weeks, Europe is basically a US
colony and Germany in particular is not a true sovereign state. [2] What to
do? Host in Russia, Latin America?

(Disclosure: I am German and DDG is my default search engine.)

[1] [http://h-online.com/-1909989](http://h-online.com/-1909989)

[2] [http://sz.de/1.1717216](http://sz.de/1.1717216)

~~~
grhino
DDG searches are delivered over HTTPS. It doesn't matter if the NSA can siphon
off DDG traffic.

~~~
ville
It does matter and the article has reasoning about why it does. "The NSA could
get the DuckDuckGo master cert in one of three ways:

1\. Be given the cert

2\. Physical access to servers or load-balancers

3\. Remote access to servers or load-balancers"

~~~
grhino
If they can get direct access to the DDG servers, then it doesn't matter if
they can siphon off traffic at the ISP level. They can just access the data.

~~~
ville
But wouldn't that require constant access to the server, whereas the key they
could steal once with short access to server and use until it expires without
the victim noticing?

------
yk
I like the blog post, but I think that it is somewhat unfair against DDG since
the argument works against any internet company. The argument rests
essentially on two points:

1\. Client/Server architecture has a single point of failure, namely the
server. ( Or the network equipment directly upstream of the server.) So that
whatever nasty surprise is embedded directly at the server, or in the
jurisdiction the server is in, affects whoever is using the server.

2\. We do not have a threat model for the NSA, they are somewhere between a
usual state level attacker and Cthulhu. We do not really know, what the NSA
can or can not do, can they crack the discrete log or factor large numbers? Or
do they 'just' have an assorted 0day collection? Is it realistic that they can
coerce anyone into revealing public keys? And if they can actually break TLS,
can they also break all TLS or does this require some not insubstantial effort
on their part?

So both of these are real problems and the combination is potentially
undermining the trust into the entire internet. But it is not really about
DDG.

~~~
MarkHarmon
"... it is somewhat unfair against DDG since the argument works against any
internet company"

What other search engines are being suggested for use as a safer alternative
to the major search engines? Did any of those companies respond by affirming
their ability to protect your privacy in a way that is not technically
possible?

The author's point is that you can't dodge the NSA's scrutiny, and if you
think you can then you are either lying or uneducated about the NSA's
capabilities.

UPDATE: What I'm trying to say is that the article doesn't really work when
directed at Google or Yahoo because we already know that our privacy is
compromised there.

~~~
Amarok
What about startpage? I know they're still dependent on google, but in terms
of privacy they seem to be at the same level as DDG. At least they're smaller
than DDG, so it's less likely that the NSA will bother with them

~~~
MarkHarmon
We need a definitive answer on whether PFS is truly perfect. If
ssl->vpn->https->anon-dns->tor->tls2->no-logging-search is safe then our
searches for weird porn might be private.

------
cinquemb
_"Option 2 Many smaller internet companies, including DuckDuckGo, do not
operate their own data-center, but instead are “hosted” in another provider’s
datacenter. In DuckDuckGo’s case, they are hosted by Verizon Internet
Services. We’ve all learned about the cozy relationship between the NSA and
Verizon, it is quite imaginable that Verizon would simply give them access to
a DuckDuckGo server, or the load-balancer which is likely owned and operated
by Verizon and upon which the SSL decryption key is installed. They don’t need
continuous access, 30 seconds is all that would be necessary to copy the
cert."_

And Gabriel's response to that: _"There are many additional legal and
technical inaccuracies in this article and I will not address all of them in
this comment. All our front-end servers are hosted on Amazon not Verizon, for
example."_

Might as well %s/Verizon/Amazon/g…

I also found what Gabriel said here to be interesting:

_"We have not received any request like this, and do not expect to. We have
spoken with many lawyers particularly skilled and experienced in this part of
US and international law. If we were to receive such a request we believe as
do these others it would be highly unconstitutional on many independent
grounds, and there is plenty of legal precedent there. With CALEA in
particular, search engines are exempt."_

So apparently speaking to a couple of lawyers who are probably not upon the
FISA court (who apparently pretty much just stamp what has been decided) now
have a say in whether such actions can be taken by the NSA and whether they
are unconstitutional or not?

Don't get me wrong, I've been using DuckDuckGo for a couple of years now, but
that's laughable.

~~~
denzil_correa
Probably the lawyers are experts in the FISA court.

~~~
cinquemb
Contact with lawyers with access to closed hearings and classified
proceedings?

I wonder if Google talked with those lawyers too…

------
evolve2k
Response from DuckDuckGo CEO from the article comments:

"Hi, this is Gabriel Weinberg, CEO and founder of DuckDuckGo. I do not believe
we can be compelled to store or siphon off user data to the NSA or anyone
else. All the existing US laws are about turning over existing business
records and not about compelling you change your business practices. In our
case such an order would further force us to lie to consumers, which would put
us in trouble with the FTC and irreparably hurt our business.

We have not received any request like this, and do not expect to. We have
spoken with many lawyers particularly skilled and experienced in this part of
US and international law. If we were to receive such a request we believe as
do these others it would be highly unconstitutional on many independent
grounds, and there is plenty of legal precedent there. With CALEA in
particular, search engines are exempt.

There are many additional legal and technical inaccuracies in this article and
I will not address all of them in this comment. All our front-end servers are
hosted on Amazon not Verizon, for example."

------
coldcode
The beauty of the NSL system and the NSA acting outside the constitution is
that no matter what anyone says there is no way to prove any statement made
about receiving or not an NSL. In fact it wouldn't surprise me that if the NSA
wanted the data they could compel someone lower in the company and the CEO
might never know. How do you prove you are NSA-free if you are the CEO of an
American based company? Really the only statement that people would
believe today is actually showing your NSL publicly and telling the NSA to
stuff it. If you haven't been targeted (or someone in your organization was)
there is no way to prove it.

------
Tloewald
The key thing about Google et al is that they maintain user accounts and try
to get you to stay logged in which means (a) they maintain huge data stores
that are (b) tracked by user. While DDG can be required to turn over its
records, could theoretically hand its unencrypted traffic over to the NSA, and
in any event the NSA could simply pluck the packets off the air en route, it
would then have to figure out which packet was from whom and join the dots
itself. This is essentially no different from what I assume the NSA can do
with any damn website, foreign or domestic, it likes.

As a further wrinkle, if you are logged into Google then it can watch your web
surfing activity onto any website with embedded google code (analytics,
adwords) which is pretty much most websites.

All of this comes down to Google is an advertising company. If DDG becomes an
advertising company, watch out.

~~~
Kylekramer
How is DDG not an advertising company already? One of the top hits on every
search I do on DDG is an ad (actually in my testing I found if I do an
informational search like "Barack Obama" I get an ad on DDG and none on
Google). If advertising itself is the problem, DDG has already doomed itself.

~~~
Tloewald
You're right of course about DDG selling advertising — I assume at much lower
cost than Google given their relative inability to gather intelligence about
users. The big question is whether they have a non-evil business model on the
horizon (sponsored links aren't bad of themselves, but they are the entrance
to the rabbit hole Google has long since gone down and expanded into a giant
underground complex).

------
samwillis
DDG have a tor hidden service for search [1] and so you can search anonymously
through that, even if someone has access to the ssl private key.

[1] [http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-operates-a-tor-exit-enclave.html](http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-operates-a-tor-exit-enclave.html)

~~~
nly
This almost makes no sense. Hidden Services exist to hide the
location/identity of the server. You gain the same anonymity by visiting
ddg.com via Tor. It's cool that they're running a relay though.

~~~
stefantalpalaru
I think that connections to hidden services on the Tor network are encrypted
end-to-end.

~~~
4ad
They are not encrypted at all. Tor provides anonymity (nobody can say where
the captured traffic comes from), not encryption (nobody can read my traffic).
You should use independent encryption inside Tor.

I2P is similar to Tor, but encrypted AFAIK.

~~~
shawnz
Tor absolutely does provide encryption, except for the last link (unless it's
a hidden service) just like the parent poster said. More information is
available here:

[https://ssd.eff.org/tech/tor](https://ssd.eff.org/tech/tor)

[https://www.torproject.org/docs/hidden-services.html.en](https://www.torproject.org/docs/hidden-services.html.en)

EDIT: To be clear, I am saying that tor DOES provide end-to-end encryption,
but only when you're using a tor hidden service -- which is also what the
parent poster said.

~~~
4ad
The parent said _end-to-end_ encryption, which Tor does not do. Yes,
information through a tor circuit is encrypted. No, it's not enough if you
need end-to-end encryption, the participants must arrange independent of tor
for that.

~~~
andrewaylett
But with a hidden service, the last unencrypted bit is all within the same
server. It's a very different scenario from accessing the general internet:
There's no exit server to worry about, except for the service you're
connecting to.

------
mtgx
> "DuckDuckGo can easily be compelled either under the Communications
> Assistance for Law Enforcement Act (CALEA), standard court orders, or by
> secret orders from the Foreign Intelligence Surveillance Court (FISA) to
> provide tap-on-demand"

Can they actually do that? I mean it's one thing to just "hand over the data"
you already have about the user, and maybe even compel the company to decrypt
it (although I still think that's BS [1] and companies should fight against
it), but can they actually _force_ a company to _spy for them_, and change
their service in such a way that makes it possible? Does FISA and the Patriot
Acts actually imply that? Or does he mean it might be yet another one of their
"interpretations" of the laws?

Either way, if that's possible, just start using StartPage.com. They're based
in Norway.

[1] [http://paranoia.dubfire.net/2010/09/calea-and-encryption.html](http://paranoia.dubfire.net/2010/09/calea-and-encryption.html)

~~~
pjmlp
I think that a common misconception of the current discussions is that people
still expect NSA to obey some kind of law.

Never been to the US, but I grew up in a country trying to recover from a
dictatorship, so I never believe that secret services have any law to obey.

~~~
mtgx
> I think that a common misconception of the current discussions is that
> people still expect NSA to obey some kind of law.

I realize that, and I know many things they are doing are
extra-constitutional, and even extra-legal. But that was precisely my point. How can
the companies just stand to being bullied by law enforcement like that just
because "they say so", _especially_ when they think that what they're asking
them is at least unconstitutional.

And I know there's a difference between how easy this is in theory, and how
easy it is in practice, but come on - what are they going to do? Put Ballmer
or Larry Page in prison for not obeying them? The companies would have the
best 100 lawyers in the world fighting for them.

It just pisses me off that some companies seem to cooperate _way_ too easily
with the mass spying, either because they find no problem with it themselves,
or they're just too scared to try anything, even as big corporations.

~~~
amirmc
_"...what are they going to do? Put Ballmer or Larry Page in prison for not
obeying them?"_

Sure, why not? It may sound ludicrous but do you really think it's beyond the
realm of possibility? You should look up stories about the CEO of Qwest and
what he claims happened to him when he said no to the NSA (in 2007) [1].

[1] [http://www.businessinsider.com/the-story-of-joseph-nacchio-and-the-nsa-2013-6](http://www.businessinsider.com/the-story-of-joseph-nacchio-and-the-nsa-2013-6)

------
ziodave
If what's written in this article is true, that basically means that even
hosting a server in the US is basically a breach in privacy.

Do you think this is reliable information?

~~~
claudius
What makes you think that hosting a server in one of the world’s oldest
democracies, the country among the first to have a written constitution and a
strong bill of rights, the land of the free, would not be a breach of privacy?

Oh wait…

~~~
nine_k
One of the world's oldest democracies? You mean Switzerland? Well, hosting a
server _there_ might be a good idea.

~~~
claudius
‘one’ is still an indefinite, rather than definite, article, and the USA are
certainly one of the older, still-existing democracies (even though, of
course, there are even older ones).

------
brianwillis
Before drawing any conclusions from this, I recommend reading Gabriel
Weinberg's response in the comment section. I felt considerably better after
reading it.

~~~
DannyBee
I felt considerably worse, because he takes a very naive view of the legal
realm.

Let me expand a bit: I don't think Gabriel is lying/dumb/whatever. However,
the statement given essentially comes out to "If we had to, we would fight the
good fight and we very strongly believe we would win". I'm all in favor of
fighting as hard as you can against broad/illegal/user harmful orders/etc.

But at some point, you _will_ lose, even with the law and moral justice on
your side. This is a certainty. Google has lost. Yahoo has lost. Twitter has
lost. Microsoft has lost. Contrary to the belief that they are cooperative,
they don't want _anything_ to do with anything, and fought with more resources
and energy than DDG probably can muster (again, no offense to Gabriel).

Let's ignore for a second whether they have any data to give or not. The point
is that at some time in the future you will not just lose temporarily, you
will lose in a way that you have to make a choice because yourself/your
business/your livelihood and your users privacy.

Believing otherwise makes you naive in my eyes.

~~~
mortehu
> Google has lost. Yahoo has lost. Twitter has lost. Microsoft has lost.

Lost in what sense? The question here is whether service providers can be
compelled to send data that was never stored on disk to law enforcement. I've
seen the news that Skype calls are streamed (in accordance with their privacy
policy[1]), and I guess this can be viewed as Microsoft losing, but what about
the others?

1\. "Skype, Skype's local partner, or the operator or company facilitating
your communication may provide personal data, communications content and/or
traffic data to an appropriate judicial, law enforcement or government
authority lawfully requesting such information. Skype will provide reasonable
assistance and information to fulfill this request and you hereby consent to
such disclosure."

------
EGreg
MegaUpload, LastPass and others are provably not able to access your
information. Storing the encryption key yourself is the way to go.

But then the govt can capture you and make you give up the key. A
whistleblower can threaten to have more incriminating evidence disseminated
encrypted somewhere, and if he doesn't check in every 30 days it gets released
... but then the government can just torture him until it makes him give up
the key he uses to check in every 30 days. It would take a really stubborn guy
to persist and let the information be released. Since you don't have any
information like that anyway, just assume that if you can access your own data
the govt can compel you to do it for them.

~~~
dchest
_MegaUpload, LastPass and others are provably not able to access your
information_

Where can I find the proof you're talking about?

~~~
swaroop
[https://www.grc.com/sn/sn-256.htm](https://www.grc.com/sn/sn-256.htm)

~~~
DanBC
Gibson is about as credible as I am when it comes to security - ie, not very.

~~~
dchest
Credibility doesn't matter, as I'm not asking for a confirmation from an
expert: EGreg claims there is a security proof of some kind.

------
HistoryInAction
Hmm, CALEA is really not the right law to be referencing. CALEA generally
applies to wiretaps and specifically derives from telephony surveillance and
is more relevant—and worrying—to a Twilio or SendHub, rather than DDG.

It's more likely to be a portion of the PATRIOT Act (Sec. 215 and possibly
217, h/t to Marcy Wheeler for the education here:
[http://www.aclu.org/free-speech-national-security-technology-and-liberty/reform-patriot-act-section-215](http://www.aclu.org/free-speech-national-security-technology-and-liberty/reform-patriot-act-section-215)
and
[http://cyber.law.harvard.edu/privacy/Introduction%20to%20Module%20V.htm](http://cyber.law.harvard.edu/privacy/Introduction%20to%20Module%20V.htm))
or the specific update to it (Protect America Act of 2007, FISA Amendments
Acts of 2008 and most recently 2012) to bring the warrantless wiretapping
scandal back into "compliance," and seemingly updating PATRIOT for the current
round of surveillance, which was likely reauthorized Dec '12.

Now, the FBI recently floated a trial balloon of what we're calling CALEA II,
but that's focused more on compelling the providers of in-browser chat
products to create backdoors for surveillance:
[https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf](https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf)
It's not current law yet, and we're fighting to prevent the proposal from
becoming law.

It's a point of precision that doesn't detract from the author's main point.

Just as an update, the legal debate is continuing over both the NSLs
themselves and their related gag orders:
[http://www.networkworld.com/community/blog/fbis-national-security-letter-gag-orders-violate-1st-amendment-ruled-unconstitutional](http://www.networkworld.com/community/blog/fbis-national-security-letter-gag-orders-violate-1st-amendment-ruled-unconstitutional)
I'm not sure how or where this case escalated to, but the last time a court
declared the gag order to be unconstitutional, it took an act of Congress to
reauthorize it, which will be a difficult sell right now.

For a final note, here's a counter by the DoJ about how I'm wrong, for
whatever that's worth:
[http://www.justice.gov/archive/ll/subs/add_myths.htm](http://www.justice.gov/archive/ll/subs/add_myths.htm)

And for full disclosure: I consult with Center for Democracy and Technology
(CDT) on reforming Electronic Communications Privacy Act (ECPA) of 1986, which
is a similar but not directly related issue.

------
bombarolo
You don't even need to ask ddg for a private key, go straight to certification
authority.

~~~
JoshTriplett
I see this comment in so many stories lately.

Certification authorities do not, in general, have the private keys
corresponding to the public keys they sign. Some CAs will generate a key for
you and claim not to keep the private half once you download it, but any
security-conscious site will opt to upload a signing request for their own
public key instead.

So, that rules out the possibility of passive spying on HTTPS traffic.

As for active spying, a CA could certainly produce a certificate for a MITM
attack, but many modern browsers or browser extensions will rapidly detect
that, so doing it on a large scale will fail and be detected. The same goes
for most security exploits: a large scale systematic exploit will not pass
silently.

MITM or exploits on a small, targeted scale have some chance of working,
depending on the target, but if a government-scale entity targets you
_personally_, you're pretty much screwed anyway. HTTPS still effectively
protects against a large, systematic, undetected dragnet of traffic.

~~~
blahbl4hblah
Yeah, but your "I know how SSL works" story is probably an NSA plant so that
the NSA can read my secretz. NSA NSA blah blah NSA

NSA

~~~
grey-area
You're really not helping improve the conversation by posting sarcastic
responses like this.

------
DoubleCluster
This article states that the NSA will get the information anyway. Even if this
is true it may be a good thing to choose a search engine that makes a point of
at least not tracking you itself. Sadly Google has much better search
results...

------
ekianjo
The article is completely missing the point. Of course the NSA can get
information from DDG, the point is that there is not much information to be
earned there in the first place, and the searches are not associated with your
google account, let's say.

------
p37307
Lots of comments here. Not sure if it is already covered or not. So I will be
brief.

DDG, hushmail, etc. Doesn't really matter does it if the NSA gets you at your
internet connection and reads what you are doing from your service providers
trunk?

You can DuckDuck and Go and hush your email. If they are grabbing it at the
point of your modem and your internet provider, the illusion is you are secure
but really you are not.

~~~
nine_k
Data for such services leave your computer encrypted with SSL.

Bugging your computer (and/or phone) is probably the best way to track your
communications clandestinely.

------
jister
>> Can they refuse to collaborate with the NSA if approached? What I would
like to know if they can really refuse when big corps such as Google,
Microsoft and others can't?

>> Gabriel Weinberg comment: We have not received any request like this, and
do not expect to. But if they receive such request can they just really say NO
while other big companies can't?

------
trotsky
EDITED: Thanks guys, it seems like I managed to paste over most of my post
with the clipboard filled with the last one. Thanks for being so nice pointing
it out. Sucks, the on topic one I destroyed was leaps above the banal content
that replaced it. Left something here to avoid you guys being orphaned. Sorry
for reducing the signal to noise ratio!

~~~
mikegioia
You posted this same comment here:
[https://news.ycombinator.com/item?id=6040733](https://news.ycombinator.com/item?id=6040733)

But added a section on DDG to the bottom...

------
Ihmahr
Also consider the Holland-based search engine www.startpage.com which has all
kinds of certificates.

------
edent
They also really hate it when people point out their privacy flaws. See
[http://www.alexanderhanff.com/duckduckgone](http://www.alexanderhanff.com/duckduckgone)

~~~
wyclif
Except those aren't privacy flaws. He's wrong about DDG setting cookies by
default, the easter egg issue, affiliate revenue, and US law. He got so much
wrong that I can't take the post seriously.

~~~
tomphoolery
He's so pretentious it makes me chuckle.

------
zobzu
the main argument of this page is "nsa can hack everything cuz google got
hacked by the chinese"

yeah thanks for the tip, that's so insightful.

------
fear91
This "blog" has one post and was specifically started to bash DDG.

I don't use the duck (yet?) but to me it looks like an attempt at black PR.

Even if the duck doesn't give full anonymity, I would still prefer it to
Google - the new leaked slides revealed that NSA has direct access to Google,
whereas with ddg, they'd have to snoop upstream.

~~~
tokyovapr
I am the author. I _did_ start that blog just for that post. I have never
blogged before in any substantial way, but the naivete of comments from the
CEO of DDG and the fact that users reading articles like in The Guardian might
be misled into believing they are protected from NSA monitoring by DDG,
motivated me to blog. No black PR. I don't work for any other search engine
company, I am an American working for a small software company in Tokyo,
Japan.

~~~
jasonlotito
> I am the author. I did start that blog just for that post.

Can you prove that you are not an agent of the NSA trying to dissuade people
from using services like DDG? I mean, you are using BlogSpot of all services,
so you are directly contributing to the tracking of individuals (heck, you are
encouraging it), so forgive me if your motives are suspect.

Frankly, that you cannot prove otherwise, I think you should say as much: that
you should not be trusted.

~~~
tptacek
Can you prove that you are not an agent of the NSA trying to dissuade people
from using services like Google? I mean, you're using HN of all services, so
you're directly contributing to the Silicon Valley culture that arms the NSA
with tracking tools (heck, you're encouraging it!), so forgive me if your
motives are suspect.

Frankly, that you cannot prove otherwise, I think you should say as much: that
you should not be trusted. I say good day, sir.

~~~
jasonlotito
Yeah that was the message. Not really sure if you got it, or missing the point
though.

------
_pmf_
Shhh, don't ruin the ongoing circle jerk.

------
angryasian
are we still all just forgetting the fact that DDG is just an aggregator of
other search engines. Specifically Bing.

------
berntb
How about the article writer test this before writing? Do DDG-searches about:

- A violent political/religious subgroup.
- Politician XXXX's opinions about said group
- The future travel to your locality of XXXX
- How to build bombs with YYYY.

Just make certain to wear a bullet proof jacket while reading... :-)

But seriously:

Sure, the NSA probably index searches on DDG. Of course. It is fully possible
DDG isn't aware of it, too. It is too obvious to be at the top of HN.

I might have followed the subject too shallowly, but it really surprises me
that I haven't seen the responsible politicians talk about the real problem
here.

You can make a good argument that pervasive monitoring is a good thing in the
short perspective (which the supporters do), but over a longer time?

After a long time of military or economic problems you get paranoid tendencies
(see McCarthy, Putin, 9/11). I have no idea how likely a 1984 scenario (or a
present day Russia!) is -- and neither does anyone else.

The people responsible should have answers to these questions _before_ making
the decisions. And now they should discuss that. (Or doesn't a risk exist if
it can happen after they are out of office? Or do they really think there will
never be any political/economic bad times again?)

~~~
exceptione

> Sure, the NSA probably index searches on DDG. Of course.

Well the searches are encrypted so the nsa should have access to the servers
themselves right? I don't know if DDG provides forward secrecy though..
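
The forward-secrecy question here, and ville's earlier point that a key copied once could be used on captured traffic without continuous server access, as an added example that is not part of the thread and does not describe DuckDuckGo's actual configuration. It is a toy model with constructed parameters (small RSA primes, a toy Diffie-Hellman group, a SHA-256 keystream record layer; all function names are hypothetical): the same stolen long-term key opens a recorded RSA-key-transport session but not a recorded ephemeral Diffie-Hellman session.

```python
import hashlib
import hmac
import secrets

# Toy parameters constructed for this example only. Real TLS uses vetted
# 2048-bit+ RSA keys and standardized groups or curves.
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1            # two Mersenne primes
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private key
DH_P, DH_G = 2**127 - 1, 3                     # toy Diffie-Hellman group


def _session_key(premaster: int) -> bytes:
    """Derive the symmetric session key from the premaster secret."""
    return hashlib.sha256(premaster.to_bytes(32, "big")).digest()


def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _seal(key: bytes, plaintext: bytes) -> dict:
    """Toy record layer: XOR keystream, then HMAC over the ciphertext."""
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


def _open(key: bytes, record: dict):
    """Return the plaintext if the tag verifies under this key, else None."""
    expected = hmac.new(key, record["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    body = record["body"]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


def rsa_key_transport_session(query: bytes) -> dict:
    """No forward secrecy: the premaster secret is encrypted to the
    server's long-term key and travels inside the handshake."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    handshake = {"encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return {"handshake": handshake, "record": _seal(_session_key(premaster), query)}


def ephemeral_dh_session(query: bytes) -> dict:
    """Forward secrecy: the long-term key only signs the server's
    ephemeral share; the premaster secret never crosses the wire."""
    a = secrets.randbelow(DH_P - 3) + 2        # client ephemeral exponent
    b = secrets.randbelow(DH_P - 3) + 2        # server ephemeral exponent
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(
        hashlib.sha256(str(server_pub).encode()).digest(), "big") % RSA_N
    handshake = {"client_pub": client_pub, "server_pub": server_pub,
                 "server_sig": pow(digest, RSA_D, RSA_N)}
    premaster = pow(client_pub, b, DH_P)       # equals pow(server_pub, a, DH_P)
    # a and b are discarded when this function returns; only public
    # values and the signature remain in the recorded transcript.
    return {"handshake": handshake, "record": _seal(_session_key(premaster), query)}


def decrypt_recorded(transcript: dict, stolen_d: int):
    """Model of the scenario in the thread: someone holding a copy of the
    long-term private key applies it to every recorded handshake value and
    tests the result as the premaster secret. Returns plaintext or None."""
    for value in transcript["handshake"].values():
        candidate = pow(value, stolen_d, RSA_N)
        plaintext = _open(_session_key(candidate), transcript["record"])
        if plaintext is not None:
            return plaintext
    return None


if __name__ == "__main__":
    query = b"q=constructed+sample+query"      # constructed sample input
    print("RSA key transport:", decrypt_recorded(rsa_key_transport_session(query), RSA_D))
    print("Ephemeral DH:     ", decrypt_recorded(ephemeral_dh_session(query), RSA_D))
```

With ephemeral key exchange the copied key is still enough to impersonate the server in future active interception, which is the case the certificate-change detection mentioned elsewhere in the thread is meant to catch.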

~~~
berntb
We are talking about the same (or a sister) organization that created the
viruses in Iran and the Middle East. Civilian search companies aren't as high
on the agenda as rogue states' nuclear weapon programs, but still.

------
decryptthis_NSA
_DuckDuckGo: illusion of privacy?_

His point is that if NSA wants they can do this and that. I suppose they can
also take you to a Romanian black ops site and beat you bloody till you cough
up your passwords. The idea is for average Joes and Janes to have a little bit
more privacy. When you search on Google, they try everything possible to have
you search while logged on and save your search history. All this is linked
to:

your real name, location (Android)

maybe credit cards (Google Play, Adwords)

emails sent

videos watched

books read

sites visited (Google Analytics, sites visited that serve Adsense, Google
hosted jQuery)

your private docs (G Drive, Documents)....

This is of course to make more money off you, they can charge more money to
advertisers, and all this info is ready to be siphoned by Booz Allen and
Hamilton employees and to be added to your file.

What do they get from DDG? Relatively speaking, nothing. The idea is to split
your activities to make it harder for them, which is great for an average
user. By using everything Google, it's even better than sending them a memo
detailing everything you did each night.

If you're a target, long live TOR, which is not really usable on Google.

------
blahbl4hblah
I'm surprised by how many world class super spy/hacker types there are on
HN...who knew that, besides just generally being snarky about shit that you
half understand, that you had so many secrets to protect?

~~~
quantumpotato_
I'm surprised you don't recognize the principle of the matter. There was an
article posted a while back about "in a world of perfect surveillance, legal
change would be impossible". Much of social progress came about because people
could communicate in secret.

