DuckDuckGo Founding Member in Global Privacy Control Standards Effort (spreadprivacy.com)
143 points by tagawa 56 days ago | 62 comments

“This would provide a key component that’s called for in the California law, which is a simple way for consumers to invoke their right without having to go to each website and find the button,” said Ashkan Soltani, a privacy researcher who helped lead the effort [ as well as the previous DNT effort ]

"The new specification won’t become legally binding until the California attorney general blesses it."

So it seems they started with the Law first, instead of Do not Track which tried to lead with code.


It is ironic that every new preference meant to enhance privacy only adds more bits of information by which to fingerprint you.

But maybe fingerprinting is unavoidable. As far as I understand, to avoid fingerprinting, you would need to not have any browser cache at all.

Yeah, strange that they don't focus on the legalities of the already existing dnt header, and instead added a new "Sec-GPC" header. https://globalprivacycontrol.github.io/gpc-spec/#the-sec-gpc...

If DNT is a setting and respected by the website, how is this fingerprinting? My understanding is that for fingerprinting you need multiple metrics to compare to ensure someone is unique, and thus you couldn't fingerprint purely based on a single setting (DNT) alone. (Obviously if it is not respected it becomes one more metric to add to enable better fingerprinting)

Check out EFF's Panopticlick demo. You basically answered your own question in your final parenthetical.

But part of this article is about giving DNT some teeth. The parenthetical statement was to show I understand that without the legal teeth it is another metric. But by ignoring the legal part you're ignoring the entire point of the post and my comment.

It's far from just the browser cache. Consider things like network location, download speed, interaction path, browser parsing edge cases, script enabled, privacy add-ons enabled, etc...

At last we see the end of the funnel. Both sides of an argument push 'progress' for a desired result.

If Bing ever drops DuckDuckGo, will there be a search engine they can fall back on?

Gigablast, Mojeek, and Yandex (already a source of DDG results in Russia I believe) all have their own search indexes and APIs to access them.

For a completely independent search engine, Gigablast is surprisingly good in terms of index and relevance. Not as good as Google or Bing, but I think it is a one-man operation. Mojeek also just received an investment to build out their index.

At Runnaroo, I partially use Google as the backend, but I have done a good amount of testing on the above options in case Google or Bing stop being options.

Just as important as the search results, Bing provides the monetization for DDG through their ad network, so DDG is dependent on Bing for two critical parts of the business. I don't think Bing will ever kick them off because it must be very profitable for them and they need to do everything they can to get marketshare against Google.

That's my main concern. Duckduckgo is used more than Bing in many countries and Microsoft might just cancel their access some day.

There is always Yandex I guess

Why would Bing cancel, they're presumably making money off of the arrangement. And DDG-users would likely not migrate to Bing, but to Google: if you have to use a product by an anti-privacy-corporation, might as well use the good one.

>might as well use the good one

While I do believe Google has the superior search engine, there may also be an argument for denying them the "vertical integration of identity". That is, if you use Gmail and Google Search, Google can figure out more about you (in theory) than if you use just Gmail. Same reason I never -ever- use Facebook SSO for logging into non-Facebook sites.

Your google point is pretty valid, they’d be removing a source of income and sending users to a competitor. I think DDG is fine for the time being.

Well, the fact that DDG gets more users than Bing would be embarrassing for Bing.

Eh, was it embarrassing when Chrome was built on Webkit and they had more usage than Safari? I don't think so.

Someone might strongly suggest the idea to them.

They use Bing only for some stuff, not as their backend. They will do just fine without Bing.

It's difficult to say as they are not open about it.

Personally, I think they would suffer. Their API https://duckduckgo.com/api shows what they can provide as result. I believe the reason why it's missing a lot, most of the actual results, is because Microsoft Bing doesn't allow to offer a public API to redistribute the results from the Bing API.

Do you have any source? They have always avoided the question of how much they were dependent on Bing.

No one has a source for “DuckDuckGo is just Bing” either. We know that they use Bing, but not for what, people have just asserted that DDG is just Bing (or Yandex), but no one seems to be able to provide a source to back up the claim.

>To do that, DuckDuckGo gets its results from over four hundred sources. These include hundreds of vertical sources delivering niche Instant Answers, DuckDuckBot (our crawler) and crowd-sourced sites (like Wikipedia, stored in our answer indexes). We also of course have more traditional links in the search results, which we also source from multiple partners, though most commonly from Bing (and none from Google).[0]

Seems pretty clear their standard search results come from Bing. It even used to say "multiple partners like Bing, Yahoo, etc" but Yahoo was also powered by Bing. They like to change the wording to make themselves sound less reliant on Bing even though if Bing were to cut off access, DuckDuckGo would immediately cease working.

[0] https://help.duckduckgo.com/duckduckgo-help-pages/results/so...

I’ve read that multiple times, and no, that’s not clear. At best we can read it as “Results from Bing are mixed into their search results”. Most likely a high percentage, but we don’t know.

Mission accomplished then because they don't want to make it clear. If you really care that much, go back through all the different revisions of that statement through the Internet Archive and see how many times they've been dancing around saying the exact same thing: it's just fucking Bing. Their own crawler returns results for very specific limited topics in their segregated boxes. If they had even one source for one specific query, say "purple cats" that they didn't use Bing for, they could technically claim it's only "mostly" Bing.

We can infer some things about DDG based on published data on crawler and bot activity. DDG's index is pretty comparable to both Google and Bing, but their bot is nowhere to be found in activity stats. So it's pretty reasonable to think that at minimum their index is primarily derived from 3rd parties.

https://deviceatlas.com/blog/most-active-bots-and-crawlers-w... https://www.imperva.com/blog/most-active-good-bots/

In my opinion, I don't think it should matter too much that they might not be crawling for their own index as long as they're reordering the results. But I do think there is some stigma where metasearch engines aren't looked at with as much prestige.

What kind of ranking can you do for a page on the internet if you didn't crawl its contents? It has to rely on other signals.

AFAICT, other than those information boxes that turn up on the top of searches, the actual search results are almost entirely powered by Bing, although as you said, they've always dodged the question.

I mean, searching something on DDG and then on Bing gives almost identical results.

Just did a search for tempest on bing, duck duck go, and google, and ddg was closer to google than bing. Which is fairly common, they are each the odd one out on some searches. Though I think google’s personalized search results make it seem very different to some people.

Pick something really odd like “Purple car teacup” and google seems to give really bad results. 3 links to amazon, 2 to Pinterest, and 2 to EBay. They all link to thepurpleteacup.com, but only google has a Yoycart link, it also wants to replace car with cat. I think Bing started off with the best image search and ddg the worst, though bing wanted to ignore teacup for the bottom half of its results.

Try a more complex query. e.g.

"difference between wet and dry suit" bing and ddg web site results are almost identical, only ranking differences. Youtube results on the page are identical. Google is quite different.

"average temperature of a dog" Again bing ddg very similar, Google completely different.

"average lifespan of a domestic cat" "list of medication that has interactions with grapefruit".

Just try more complex theories. The importance of ddg / bing relation is something they specifically and actively try to hide behind smoke and mirrors.

“average temperature of a dog“

Bing and ddg are somewhat closer, but far from identical. Include the second page of Google’s results, and all three have vetinfo.com etc, but bing and google have two links to www.quora.com where ddg doesn’t have any. I only bring that up because if you compare results under the assumption that bing and ddg are identical it’s easy to overstate the similarities.

I didn't say identical. They apparently use the same index, not necessarily the same ranking algorithm or the same version of it.

I mean, what IS the average temperature of a dog?

A trick I use to identify the source of unknown search results is to compare the SERP to a search engine that I know uses the primary source (usually Bing or Google) indirectly.

So for example, instead of comparing unknown results directly to the Bing SERP, I will compare it to Ecosia's SERP because it is powered by Bing and will generally be less manipulated (i.e. closer to what Bing just returns in their API). Bing also adds a lot of other information to their own SERP which they might not make available in their API.

It's definitely not a fingerprint, but the source of organic SERPs are almost always identifiable.

Is this a "commoditize your complements" thing?

I don't mean to discourage governments and groups trying to do what they can in regulating business. But surely privacy is a software feature not a corporate policy. Relying on others to not use the information at their disposal seems destined to fail.

> .. “do not sell or share” GPC signal

What about storing, using for making user profiles, using for targeted ads?


Maybe he's changed. Is there any evidence to suggest DDG is anything but honest?


I don't have any particular trust in them. However, they've staked their entire business model on privacy. That would be foolish if their intent is to sell user info, because doing that is unlikely to stay private for long.

Their entire business model is [selling advertisements][0], same as Google.

[0]: https://help.duckduckgo.com/company/advertising-and-affiliat...

DDG is using a very old version of Google’s business model: they serve ads based on your search string. That’s it. No search history mining. No email reading. No broadly deployed analytics snippets and browser logins to reconstruct your whole browsing history.

I’m already sending my search query to DDG for them to give me search results. They don’t ask for any additional data. They just allow advertisers to bid on the first few results for a particular topic.

I’m ok with that.

Innocent until proven guilty. By your logic no new company can ever build anything which preserves privacy.

You cannot prove a service preserves your privacy. You can only prove that it does not preserve it.

How do you prove that you’re privacy focused? You have to somehow prove that there’s something you didn’t do. That’s kinda hard, and not much different from keeping it a secret.

Just read their privacy policy: https://duckduckgo.com/privacy.

Facebook and Google have a privacy policy too. Even the NSA has a privacy policy: https://www.nsa.gov/terms-of-use/#privacy

In practice these documents don't really relate what the company is actually doing with your data. It's just something that has to be there on a website.

It's not about having the privacy policy, it's about what it says. DuckDuckGo says it does not collect anything. What do others say?

So why do you trust what they say? If Google or MS says it it's irrelevant but if a small company without any supervision says it it's true?

It's like ppl saying Telegram is private just because they say so.

> Telegram is private just because they say so.

Can you give one instance where Telegram lied about privacy?

It is very clear it is not e2ee on their website. They are private. Many privacy features on Telegram do not exist on other platforms.

> If Google or MS says it it's irrelevant

Google and MS say that they do collect a lot of data. I indeed trust them here... What’s the point?

I'll bite. How are DDG and Brave not helping to protect your privacy?

Copying from https://news.ycombinator.com/item?id=24710306 because so many people are repeating the same misleading “hijacking links” FUD:

What does that have to do with privacy? I don’t use Brave (I won’t use anything Chromium-based while it has such dangerously high market share), but I think that controversy was exaggerated. All they were doing was adding redundant metadata (already present in the useragent string), IUUC not tied to any identity other than their own (not just an “anonymized” identity, no unique user identifier at all) to get some non-privacy-violating profit. And the phrase “hijacking links” is quite misleading — they didn’t change any actual links on pages, only added affiliate codes to the suggested omnibar completions you could choose to accept.

(Edit:) DDG I would be careful about. I still use it but try not to recommend it without mentioning https://github.com/asciimoo/searx — which I think is worthy of trust, being Free/Libre — because of https://news.ycombinator.com/item?id=23708166.

Brave is known to be hostile. Please do not put them in the same bucket. DDG still have the benefit of doubt

Brave indeed should not be trusted: https://news.ycombinator.com/item?id=23442027.

What does that have to do with privacy? I don’t use Brave (I won’t use anything Chromium-based while it has such dangerously high market share), but I think that controversy was exaggerated. All they were doing was adding redundant metadata (already present in the useragent string), IUUC not tied to any identity other than their own (not just an “anonymized” identity, no unique user identifier at all) to get some non-privacy-violating profit. And the title of that post is quite misleading — they didn’t change any actual links on pages, only added affiliate codes to the suggested omnibar completions you could choose to accept.

As long as we go and just criticize, or say X should not be trusted, I think we are not helping move things forward on the privacy front. It's a good thing that people make tools. Some are OK, some are not doing the job. Eventually, overall, there'll be some progress. At least, there is a discussion and awareness.

> Google and Microsoft Edge are more private even though neither has any privacy.

This line in their post gives away how overblown that stance is. There's simply no way for DDG to be as bad as Google, much less worse than Google.

Still, I know Brave got caught hijacking links but DDG is, among all well-known search engines, the most privacy-friendly without a doubt. Especially coupled with a good browser and some add-ons. I'm talking specifically about Firefox but I'm sure people here have some more unusual solutions they prefer.

Brave is good. HN just loves Firefox too much.

I use FF as default. Brave as secondary.

Brave also still hijacks links and Brave's Tor implementation actually makes it easier to track you. Also generally the team has ignored fingerprinting issues since years that allow unique identification despite Eich saying they are so easy to fix (see my history on HN Eich even replied yet all those bugs are still open since multiple years)

> still hijacks links

No. They removed the sketchy affiliate thing.

No offence but going to need some links given your HN account is in the negative.
