
Probably so that they may track which searches people are performing on DuckDuckGo



Genuine question, if I configure DuckDuckGo as my default search engine, would my key strokes still be sent to Google?


Yes. URL prediction & malware blacklisting "services" send keystrokes regardless of chosen search engine.


This is incorrect for malware blacklisting purposes. I don't know about URL prediction.

For Safe Browsing protection, here's how it works (in progress): https://chromium.googlesource.com/chromium/src/+/refs/change...

[Disclosure: I'm the Software Engineer on Chrome who wrote parts of this Safe Browsing code, and that incomplete documentation linked above.]


> malware blacklisting "services"

If you're thinking of Google Safe Browsing (used by both Chrome and Firefox), you're wrong.

It works the other way around: Google sends you the list of undesired domains, and your client prevents you from visiting domains found on that list.

Nothing needs to be shared with a third party for that functionality.


The full details are in https://www.google.com/chrome/privacy/whitepaper.html#malwar... , but the short summary is:

A hash prefix list gets downloaded locally; Chrome checks locally against the prefix list. If a URL hits, Chrome will send the hash prefix (not the full hash and not the URL) to the server, the server will send back all full hashes that match that prefix, and then the client will complete the check locally.

In theory, if the server had a small number of matching full hashes, it could guess about what URL a client might be hitting, but in practice the system is designed as much as possible to avoid ever leaking data about what you're visiting to Google servers.


It's a little bit in the middle.

Clients download a database of partial hashes of malware URLs. If they get a hit on one of those partial hashes, they make a request for the full list of hashes with that prefix.

Google knows when a client makes one of those requests, but the exact URLs (or hashes) they're looking up are never revealed. The partial hash is 32 bits long, so there's enough collisions that making a request isn't especially revealing.

https://developers.google.com/safe-browsing/v4/update-api
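The lookup flow described in the two comments above, as an added Python sketch (not Chrome's code and not part of the thread). The hosts `malware.example` and `benign.example`, the in-memory "server" and all function names are constructed for illustration, and URL canonicalization is simplified.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # 32-bit hash prefix, the length mentioned in the thread

def sha256(text):
    return hashlib.sha256(text.encode()).digest()

def expressions(url):
    """Host-suffix/path-prefix strings to hash. Simplified: no URL
    canonicalization, IP-address handling or expression-count limits."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    path = parts.path or "/"
    segs = [s for s in path.split("/") if s]
    paths = ["/"] + ["/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    paths += [path] + ([path + "?" + parts.query] if parts.query else [])
    return [h + p for h in hosts for p in dict.fromkeys(paths)]

# Constructed sample data: one listed expression, plus a fake full hash that
# shares a 4-byte prefix with a benign site to stand in for a prefix collision.
SERVER_DB = {sha256("malware.example/bad/"),
             sha256("benign.example/")[:PREFIX_LEN] + bytes(28)}
LOCAL_PREFIXES = {h[:PREFIX_LEN] for h in SERVER_DB}  # what the client downloads
SERVER_LOG = []  # everything the server ever learns about lookups

def server_find_full_hashes(prefix):
    SERVER_LOG.append(prefix)
    return {h for h in SERVER_DB if h.startswith(prefix)}

def check_url(url, local_prefixes=LOCAL_PREFIXES, lookup=server_find_full_hashes):
    """Return (is_listed, prefixes_sent_to_server)."""
    sent = []
    for expr in expressions(url):
        full = sha256(expr)
        if full[:PREFIX_LEN] not in local_prefixes:
            continue  # local miss: nothing leaves the machine
        sent.append(full[:PREFIX_LEN])
        if full in lookup(full[:PREFIX_LEN]):
            return True, sent  # full-hash comparison happens on the client
    return False, sent
```

`SERVER_LOG` only ever contains 4-byte prefixes, and only for URLs that hit the local list; the colliding `benign.example` lookup reaches the server but is cleared on the client.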


I seem to recall reading it can be a mix of both, though generally the way you mentioned. A Bloom filter that filters locally, and if it's a hit then it sends over the URL to double-check. Would be nice if someone could confirm though.


Older versions were Bloom filters, but newer versions have moved away from that (and to a list of hash prefixes) because Bloom filters are hard to update.


Also check your DNS config for 8.8.8.8, 8.8.4.4, .... I’m not typing the IPv6.


Check it, then switch to 1.1.1.1; Cloudflare's service is free and excellent.


Can anyone explain the downvotes? Any issues with Cloudflare's DNS? (I'd prefer it over Google, and 1.1.1.1 is just as easy to remember as 8.8.8.8)


Or Quad9 (the easy to remember IPv4 address 9.9.9.9).


If your concern about Google is at that level (mine is), it's probably best to just use Brave or Firefox.


Or Safari. It's pretty good too.


I miss Safari for Windows.


They had Safari for Windows?


“A Windows version was available from 2007 to 2012.” [1]

[1]: https://en.m.wikipedia.org/wiki/Safari_(web_browser)


Was that what Steve Jobs called "a glass of ice water for people in hell"? Or was that iTunes on Windows?



Not sure but my expectation is that at least they are sending back the address for the search results page so they'll know what you searched anyways.

I might be wrong, but this is one of the reasons I don't use Chrome, so if anyone has links that prove something else I'm interested.


Your visited URLs are in general only sent to Google if you have opted into sync and have "History" as an enabled datatype.


Sad but true. I'd be interested to know if this data (i.e. non-Google search engine queries) is sent to Google. I'm assuming it is.


>> I'd be interested to know if this data (i.e. non-Google search engine queries) is sent to Google.

Because Chrome keeps a log of all your activity, your DDG searches are easy to find here: https://myactivity.google.com/myactivity

So if you're web based (like me) then activities such as sending an email, checking out YT, reading HN, watching Twitch, and jerking off, all end up as entries in that log file.


This relies on several things:

* Enabling Chrome Sync, which is opt-in

* Syncing history, which is on by default if you enable sync

* Not using a custom passphrase for sync data (not using one is the default)

* Having "My Activity" save "Web & App activity", which is opt-out

* Having synced Chrome history data sent to "Web & App activity", which is opt-out

For the last two bullets, the opt-outs are at https://myaccount.google.com/activitycontrols .


Chrome Sync is so sweet though. It's probably pretty close to impossible to live w/o Chrome Sync. It's my favorite tech feature. The USP for me is "As a user I want to switch devices while I'm browsing, so whatever I was reading prior to having to go to the bathroom I can seamlessly continue reading."


Am I missing something? Since I can do that with Firefox Sync too. Even more, I can send a tab from my device to any number of other devices too.


Safari does it, too, I believe (I don't really use it... One man's "pretty close to impossible to live w/o" is another man's "eh? what?")


Unless you turned that off, or never enabled it in the first place.

Edit: And presumably you're using Incognito for... some of those activities, which wouldn't be captured regardless.


>> which wouldn't be captured regardless

They would be captured by the ISP.

Did you know that Google happens to partner up with a lot of ISPs? Hmm, I wonder what for. What could they possibly have that Google needs?

;)


Like most search engines, DuckDuckGo uses https so your ISP can’t see what you search for.


But they can know which domains you visit, which would strongly imply a number of searches using DuckDuckGo, which might be interesting to Google.


edge caching :-)


> They would be captured by the ISP.

Ever heard of https?


Yes. As you have pointed out, the ISP can only log a host name [0]. Well, if the user story is porn, then as it happens, host names are pretty darn telling. Also, looking at a list of host names in chronological order might help them to classify me as "closet this" or "closet that", as I find myself less and less inhibited by society's rules the closer I come to crescendo.

[0] https://www.upturn.org/reports/2016/what-isps-can-see/

EDIT: spelling


> So if you're web based (like me) then activities such as sending an email, checking out YT, reading HN, watching Twitch, and jerking off, all end up as entries in that log file.

Do you really think Google would have trained an AI to determine that last activity? How would they have trained the AI?


>> Do you really think

Yes!

>> How

How graphic do you want me to be? But isn't the real question: is there utility for an ad network to know about your preferences in porn? If there is such utility, you're best to believe Google implemented a way to get them.

If I was an ad network I would love to hear about your porn habits. I would absolutely love it.


> How graphic do you want me to be?

If you know, you are obviously one of the people who has that data. If you don't know, you aren't.

> If I was an ad network I would love to hear about your porn habits. I would absolutely love it.

Such networks don't have to know whether or not and the exact moment a given user jerks it. Though, it would actually be better if you were actively browsing around and not jerking it currently. I guess that's why discovery and AI are so bad on porn sites. It's actually better for their ad revenue!


Presumably you aren't visiting porn sites for the articles. Voila, no AI needed.


Since I've already outed myself as a porn consumer I might as well get this off my chest: the recommendation engines of the video sites I visit (all the big ones) have poor, very poor AI. It's like they don't know me as a customer. I'm out here busting my balls to find "The Perfect Clip" but it's a jungle and they are not making it easy on me.


> I'm out here busting my balls to find "The Perfect Clip"

I think the causal order is flipped around here.


> Presumably you aren't visiting porn sites for the articles. Voila, no AI needed.

Sloppy. How do they know I'm not preparing for actual intercourse? How do they know I'm not downloading porn for later? I could also be watching gun videos, since they've been hosted there.

Granted, it's probably 95% accurate.


Anything you do in Chrome is reported to google. Not necessarily the data, but the meta-data.


You mean if you opt-in (or haven't opted out), right? I was under the impression this was optional.


But you're an honest, decent citizen with nothing to hide, right? Why would you want to opt out?

And anyway, it's “to improve your experience”, so you can't opt out. It's for your own good. Remember, Big Brother loves you.


Google has a very different definition of optional.


Yes, see how they still tracked Android users' location, despite location setting being turned off.


They have designed the whole Android interface to scatter the settings around so it is very difficult to turn off many of the privacy-invasive features. And even if you manage to turn them off, somehow they always end up turning themselves on again.

Everybody working for this company should be ashamed.


>> Not necessarily the data

Yes the data. The whole request and the whole response. They need it in order to properly train their ad-network.

</speculation>


> They need it in order to properly train their ad-network.

Given that they scoop up all this data I'd appreciate if their ad-network actually improved. Just the other day the dating site scams were back.

"We'll try not to show it again" they say. Well for vacuuming the market for the best and brightest they either don't try very hard or they are very dysfunctional because they fail as a group.


Is there a Chrome extension that shows to the user what information exactly Chrome is sending home?


Imagine that the only thing that is reported to the Chrome backend is a client ID and a URL, which would be the only thing needed to render this app: https://myactivity.google.com

Would you think of Google as trustworthy because they only gave their backend two pieces of data? I myself would not, because I'm pretty sure the actual request and response messages are looked up by client ID (in their Google Analytics data store).


Give Google some privacy of what is being sent home :)

Chrome (and Chromium) creates at start and maintains SSL connections to Google. It is not easy to sniff what is being sent. Even if you MITM it, like in enterprise transparent proxies, Chrome will throw an error because of cert pinning. Google domains should be whitelisted: "we recommend that you avoid the use of transparent proxies." https://support.google.com/chrome/a/answer/3504942?hl=en


Seems like patching that out of the binary would be a trivial task.

But I doubt the Chrome extension that would do that patching could stay on the Chrome store.



There's also Bromium and some other Chromium forks and patchsets. I was talking about Chrome.


Chrome has the all powerful "omnibox" that still sends stuff to Google. Since searches or URLs go through the omnibox there's a good chance Google gets (some of) the data.


I don't see how doing this helps them track DuckDuckGo searches any better than they already could in Google Chrome.

EDIT: Added italicized text for clarity.


It's probably not as sinister as I make it out to be but I can think of a few items of data that differ between using DDG's native UI and that of the Chrome search bar: the headers Chrome sends to DDG are different, and the autocomplete results that come back from DDG can now be monitored.


Good point, I hadn't thought of the autocomplete. I figured you were more referring to the actual query itself, which Chrome already sends home to Google via its cloud synced web history. In which case it does not matter whether you use the omnibar or visit the website directly as long as you have history sync enabled.


Maybe most of the DuckDuckGo users use Firefox and other non-Chrome browsers.


Right, I've edited my comment to clarify it.



