If your threat model includes actors within the US Federal Government (especially the intelligence community), run. Yesterday. That's a statement about our times, not about any particular company.
The solution ought to be browbeating the US Government for unethical practices, not browbeating a company that does privacy better than most, and not as well as would be necessary to stand toe-to-toe with some of the most powerful and far reaching organizations in the world.
> “By not storing any useful information, DuckDuckGo simply isn’t useful to these surveillance programs,” says Weinberg. “We literally do not store personally identifiable user data, so if the NSA were to get a hold of all our data, it would not be useful to them since it is all truly anonymous.”
DDG is "unfairly singled out" for good reason, namely that company representatives made an incorrect assertion. DDG is still useful for ongoing surveillance, as the article pondered:
> But what if DuckDuckGo provided a splitter-feed to the NSA? DuckDuckGo can claim without lying that they store no personal information, but that speaks nothing of a collaborating partner storing it.
Obviously, DDG isn't perfect. I'm not naive. But for me there's some value in trying not to succumb to Google's desire to have us all assimilate.
Not to mention they don't need to provide anything themselves. Unless DDG has their own cables to users' homes, after DDG connects to the internet backbone and before the user connects to DDG, the various agencies have all kinds of opportunities to get their feeds. It surely isn't SSL that will prevent them.
If DDG isn't any better than maybe nobody is, so we might as well get used to the lack of privacy. Why switch if you're just going to get worse results, expend more energy, and not actually get increased privacy? You might just as well give up the struggle...
Fortunately, I'm not a conspiracy theorist,
Of course there are nutty conspiracy theories but there are nutty math and physics papers too. I feel like the blanket ridicule of any notion of conspiratorial action is meant to discourage any form of investigative journalism or deeper probing below the surface of the narrative.
Your hypothesis is reasonable and plausible.
It's true, however, that they don't want to share it. It may even be true that they specifically don't want the NSA etc to steal it from them. And indeed, I recall an unofficial Google response to Snowden's leaks:
> Fuck these guys.
> I've spent the last ten years of my life trying to keep Google's users safe and secure from the many diverse threats Google faces… But after spending all that time helping in my tiny way to protect Google -- one of the greatest things to arise from the internet -- seeing this, well, it's just a little like coming home from War with Sauron, destroying the One Ring, only to discover the NSA is on the front porch of the Shire chopping down the Party Tree and outsourcing all the hobbit farmers with half-orcs and whips.
https://www.theverge.com/2013/11/6/5072924/google-engineers-...
So anyway, DDG arguably gives users some privacy from Google. But neither has a better claim to providing privacy from the NSA etc. Indeed, maybe it's Google that does, given their greater resources.
If you want more than that, use some mix of VPNs and Tor. Or if you're not feeling lucky, stay off the Internet ;)
According to the State of California Department of Justice [0], the last publicly acknowledged data breach from Google was March 9th, 2017. Before that it was August 10th, 2016, and before that March 29th, 2016.
Many users are paranoid about ToS and how companies (esp. the big guys) make money either by learning your behaviors (search preferences, sites you visited) or selling your data to a partner (Foursquare, although they claim to only sell location data which is anonymous). We have a blind trust in service providers. We let service providers collect everything about ourselves, but internally they can decide whether or not to discard "sensitive data" early on during data processing (but web logs would have the trace).
Has anyone ever inspected the traffic, or reversed the API in <your wearable device> (e.g. Fitbit)? What about file sharing companies? Are they storing your data in a secure way and without reading what's in your file? What about sites that let you compare prices across multiple stores? What about medtech startups? What about when the company is acquired?
Because the giants are more eye-catching, we don't see the smaller guys; but we are willing to give away sensitive and private data to the smaller guys because? If the argument is "well the big guys should have known better and have more resources to do the right thing", then I argue that by 2017 the new startups are doing the right things (not having the same well-known security flaws, for example). I have doubts; I doubt many achieve 50% of what is on the imaginary checklist. The claim "we build MVPs" is the equivalent of the big guys saying "we know what we are doing, don't worry."
No, we don't know better. No, your MVP should be secure enough so users can trust you. I almost never try a newly launched service because I really don't want to be a lab rat. I am sorry if that sounds cynical, but I don't trust myself doing everything right. If you let me choose between a new file sharing startup vs others, I'd go with either Dropbox, Google Drive or OneDrive (FWIW, Google is replacing Drive with a new service). Why? Because if the big guy is compromised, well, shit, thousands or millions will be affected. The least cynical version is, well, they are too big to do stupid things (of course not true in reality).
Our biases create illusions.
I think it is less about who you should trust to do the right thing and more of how much you trust an individual group to be able and willing to maintain the security of the data they have.
That is to say: it is more about the ratio of <stored data>/<security of stored data> rather than either of those values.
Google stores more data than I personally trust anybody to be able to store. Largely because they make themselves a huge target.
Equifax is a great example of storing WAY too much data. Sure, their practices are to blame, but I'd argue that them storing half the information they do is better than doubling their security (whatever that means). This is due to the compounding effect of being a smaller target.
DDG at least claims to not store as much of that information.
> When was the last time Google leaked your data.
If Google has one major leak, does the historical quantity of leaks matter?
EDIT: more thoughts.
That Google has your search or email data and that they can always sell it, or that the NSA has a direct link to them, those are separate discussions.
I don't care about "NSA has decided to invest $10 million to make me personally miserable." At that point, they will simply fabricate the evidence they need.
If someone at the NSA wants to come after me, I simply want someone to actually have to sign a piece of paper--cut a check, file a warrant, send a human being, etc.--rather than just write a script in Python.
If someone in a bureaucracy has to sign their name and take responsibility, I'm fairly safe. Simply the possibility that something might cause political fallout will stop 99.9% of all such actions.
What's left for the people who aren't criminals but don't like being spied on? PGP and keys that are exchanged physically, by hand?
If somebody can physically spy on the infrastructure cables that your traffic goes through, will SSL protect you? As written in the article -- no it will not, because the certificate can be obtained, even if it takes some time and strong-arm effort to do so. But when a country can order you to give up private keys and keep quiet about it, really, what can you do?
At this point, full decentralization, mesh networking and something times better than Tor encoded in 100% of the network code seems to be the only way out. Maybe a combination of IPFS and FreeNet, full packet-level encryption and keys that expire in 1 minute and are auto-generated for every transaction?
Furthermore, spies aren't stopped by social stigma. Even if the whole planet agrees in one voice wiretapping shouldn't be done (never gonna happen) the spies can always deny that they're spying. It's not like any of us can actually prove that any agency is indeed wiretapping.
Morality is, in the technical sense, optional. It cannot be enforced. Thus it's unreliable.
Also, we all know about Intel ME, right? It's baffling how most people using PCs have hardware-level backdoor and the world hasn't lost its shit. It's a very sad epoch we live in. :(
A solution right now is to simply not get on the state adversaries' bad side, maybe. And utilize the blockchain for anonymity, I guess.
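The "will SSL protect you if the certificate can be obtained" question above depends on which key exchange the connection used, so here is an added illustration (written for this page, not code from the original post or from any project it mentions). Both handshakes are toy simulations: the server's long-term key is the textbook RSA pair with n = 61 * 53, the Diffie-Hellman group is the prime 2**31 - 1 with generator 7, and a SHA-256 prefix stands in for the TLS key schedule. These sizes are chosen so the code runs instantly and are not secure. The point it shows is structural: with RSA key transport (allowed in TLS 1.2 and earlier, removed in TLS 1.3) the recorded premaster secret is encrypted to the server's static key, so a wiretapper who later obtains that key decrypts every recorded session; with (EC)DHE the static key only signs the server's share and the ephemeral exponents never cross the wire, so the same wiretapper gets nothing without solving the discrete-log problem.

```python
import hashlib
import random

# Toy long-term server key pair: textbook RSA numbers (n = 61 * 53), hopelessly small
# and used only so the two handshakes below can be run and compared. Not real TLS.
SERVER_PUB = (3233, 17)     # (n, e)
SERVER_PRIV = (3233, 2753)  # (n, d)

# Toy finite-field Diffie-Hellman group; 2**31 - 1 is prime but far too small for real use.
DH_P = 2**31 - 1
DH_G = 7


def derive_key(secret):
    """Stand-in for the TLS key schedule: the session key is a hash of the shared secret."""
    return hashlib.sha256(str(secret).encode()).hexdigest()[:16]


def rsa_sign(priv, value):
    n, d = priv
    digest = int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % n
    return pow(digest, d, n)


def rsa_verify(pub, value, signature):
    n, e = pub
    digest = int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % n
    return pow(signature, e, n) == digest


def rsa_transport_handshake(rng):
    """TLS <= 1.2 RSA key exchange: the client encrypts the premaster secret to the
    server's static public key, so that key is all a later reader needs."""
    n, e = SERVER_PUB
    premaster = rng.randrange(2, n)
    on_the_wire = {"kx": "RSA", "encrypted_premaster": pow(premaster, e, n)}
    client_key = derive_key(premaster)
    server_key = derive_key(pow(on_the_wire["encrypted_premaster"], SERVER_PRIV[1], n))
    return on_the_wire, client_key, server_key


def dhe_handshake(rng):
    """(EC)DHE: both sides pick fresh exponents; the long-term key only signs the server share."""
    a = rng.randrange(2, DH_P - 1)
    b = rng.randrange(2, DH_P - 1)
    client_share = pow(DH_G, a, DH_P)
    server_share = pow(DH_G, b, DH_P)
    on_the_wire = {
        "kx": "DHE",
        "client_share": client_share,
        "server_share": server_share,
        "signature": rsa_sign(SERVER_PRIV, server_share),
    }
    client_key = derive_key(pow(server_share, a, DH_P))
    server_key = derive_key(pow(client_share, b, DH_P))
    return on_the_wire, client_key, server_key


def passive_decrypt(on_the_wire, server_priv):
    """What a wiretapper who recorded the handshake and later obtained the server's
    private key can recover. Returns the session key, or None."""
    n, d = server_priv
    if on_the_wire["kx"] == "RSA":
        return derive_key(pow(on_the_wire["encrypted_premaster"], d, n))
    # DHE: the stolen key lets its holder verify (or forge) the signature on the share, but
    # the exponents a and b were never sent, so nothing in the recording yields the session
    # key without solving the discrete-log problem in the group.
    assert rsa_verify((n, SERVER_PUB[1]), on_the_wire["server_share"], on_the_wire["signature"])
    return None


def compare(seed=2017):
    """Run both handshakes and report (session key, what the wiretapper recovers) for each."""
    rng = random.Random(seed)
    result = {}
    for handshake in (rsa_transport_handshake, dhe_handshake):
        wire, client_key, server_key = handshake(rng)
        assert client_key == server_key
        result[wire["kx"]] = (client_key, passive_decrypt(wire, SERVER_PRIV))
    return result


if __name__ == "__main__":
    for kx, (session_key, recovered) in compare().items():
        print(f"{kx:4} session key {session_key}; wiretapper with stolen server key gets: {recovered}")
```

The caveat that follows from this: forward secrecy only protects recorded traffic. A party that holds the server's private key can still impersonate the server in new connections (the signature in the DHE transcript is exactly what the key is for), and at the toy sizes used here the discrete log is trivially brute-forced, so the guarantee in practice rests on group sizes that make that infeasible.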
The thing is, there are absolutely no guarantees it's any better in other countries: the fact that NSA activities were revealed doesn't mean other countries don't do as badly.
It's probably still a good idea to segment services across countries, though, so that it's not a single country that has access to all the data.
I was thinking something else, lately (and it was really weird to me, since I'm a webdev): why do we need webapps for everything? Maybe we wouldn't have so many problems if we weren't centralizing so much data. There are probably many apps for which native apps and p2p would do.
(1) Businesses that are familiar with web tech, for which it's simply good business not to invest in entirely new (for their dev teams) stacks and data formats.
(2) Political pressure -- we know that the NSA successfully pushed broken crypto once in the past, so it's not a stretch to theorize that influential people were whispering in the right ears at the right time.
Even though #2 is just as likely as #1, please note that I think #2 probably happened much, much less than #1. We should never attribute to malice that which can be attributed to incompetence and short-sightedness.
EDIT: There are several very good candidates for data formats out there which are much more efficient than JSON. Adoption is seldom an issue; if one corporation pushes for the format, it's a matter of several months at the most before that format becomes widely supported. Replacing JS might be much harder but efforts continue even today.
So feel free to build a company in Sweden, but the US is actually legally permitted to wiretap the crap out of it.
Example: make a strong standardized crypto (I still have to work around API requests to several servers and hardcode TLS v1.2 as a requirement, which is not okay!), then work on making a Tor-like net tech, then integrate the blockchain in the picture so anonymity is stronger, then probably put all that in mesh networking, etc. etc. The current internet is broken, many of us know it.
I am not an expert so my example might be naive and stupid -- but recently I am very interested in the area and I'd contribute. After I educate myself first, though.
Doing so does carry quite a bit of political risk. There have been quite a few lawsuits from the EFF and ACLU in regard to doing so, and as the comment from the CEO of DuckDuckGo says in the comment thread, all existing cases have been about turning over records. Going the extra step of compelling people to install hardware and keeping the operation going would be a further step.
I doubt DDG is currently worth the political risk. There are likely much easier targets to attack first in order to get 100% of the world's search data.
Downvotes? Explanation?
I know if I was a three letter agency, I'd start a "secure" service like DDG myself as kind of a honeypot.
Not that I'm saying that such an agency is actually behind DDG -- I have no way of knowing. But I would be very surprised if a large number of services promising "security" and "privacy" weren't run by such agencies or their agents.
That's why I believe that frequent, independent third-party auditing (by multiple trusted groups like the EFF) would be necessary to gain any kind of confidence in such services. Even then, it'll be no guarantee that they're not compromised, but it would just make such compromise significantly more difficult and less likely to be effective.
Independent third-party auditing is useful. There is the occasional fund raising for auditing of software (TrueCrypt comes to mind), but I don't recall hearing of one for search engines.
Far more viable to let someone else take those risks, then provide a compelling case for them to assist you in your inquiries and/or interests.
You don't need to do anything like that. DDG doesn't crawl the web itself, it uses API providers like Bing (Microsoft/NSA) and Yandex (Russian/FSB). They're legally required to disclose that on their site.
It's possible to identify people solely through anonymised credit card transactions[0] so doing the same for search results is pretty much the same.
DDG isn't private, it just gives the illusion of privacy, same as Tor. That said, though, if you're a high profile target then there are much more direct means to track what you're searching.
[0]http://www.sciencemag.org/lookup/doi/10.1126/science.1256297
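The re-identification point above (the cited Science paper reports that four spatiotemporal points uniquely identify about 90% of people in a set of 1.1 million pseudonymised card transactions) is easy to reproduce on a small scale. The block below is an added example written for this page, not code from the paper or from the comment's author. The transaction log is constructed: user names are replaced by random tokens and each transaction is reduced to a (shop, day) pair, which is exactly the "anonymised" form the comment refers to. The attacker is assumed to know k points about the target from elsewhere (a receipt, a photo, a friend's post); the code measures "unicity", the fraction of users whom k of their own points narrow down to a single token. The same code applies unchanged to a search log if the points are (query, day) pairs instead.

```python
import random
from collections import defaultdict


def make_dataset(n_users=1000, n_shops=50, n_days=30, tx_per_user=20, seed=7):
    """Constructed pseudonymous transaction log: each user is a random token and each
    transaction is a (shop, day) pair. No names, card numbers or amounts are stored."""
    rng = random.Random(seed)
    data = {}
    for u in range(n_users):
        points = set()
        while len(points) < tx_per_user:
            points.add((rng.randrange(n_shops), rng.randrange(n_days)))
        data[f"token-{u:04d}"] = frozenset(points)
    return data


def build_index(data):
    """Inverted index: (shop, day) -> set of tokens seen at that shop on that day."""
    index = defaultdict(set)
    for token, points in data.items():
        for p in points:
            index[p].add(token)
    return index


def candidates(index, known_points):
    """Tokens consistent with everything the attacker knows about the target."""
    sets = [index.get(p, set()) for p in known_points]
    return set.intersection(*sets) if sets else set()


def unicity(data, k, seed=11):
    """Fraction of users that k of their own points pin down to exactly one token."""
    rng = random.Random(seed)
    index = build_index(data)
    unique = 0
    for token, points in data.items():
        known = rng.sample(sorted(points), k)  # k points the attacker learned out of band
        if candidates(index, known) == {token}:
            unique += 1
    return unique / len(data)


if __name__ == "__main__":
    data = make_dataset()
    for k in (1, 2, 3, 4):
        print(f"{k} known point(s): {unicity(data, k):.1%} of users uniquely identified")
```

On this toy set a single point is shared by a dozen or so users, two points already isolate most of them, and four points isolate essentially everyone. Dropping the name column therefore changes nothing about identifiability; what matters is how sparse each person's set of points is relative to everyone else's, which is why "we don't store personal information" says little about a log of timestamped queries.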
No one made such claim, not even the Tor Project themselves.
> and there are several ways in which one could connect traffic at some endpoint with a user at a specific IP.
DDG traffic is e2e encrypted, especially if you use their onion service since it won't use exit nodes; the best they can know is that someone did some unknown search on DDG.
> Do not rely on Tor if you really want anonymity.
Tor is currently the best low-latency anonymity system.
By default, DDG "lite" does not set cookies or use Javascript. However, if the user wants to change the default "settings" (HTTP has no state so this is a fiction), then AFAICT she has to enable Javascript and accept cookies. Privacy conscious users do not want Javascript or cookies.
DDG could achieve the same result by simply providing an alternate URL, something like /lite2 in addition to /lite.
Whether DDG saves this data I have no idea. But one has to wonder why, if privacy is a goal, DDG is collecting it to begin with.
If DDG believes it is doing this for the benefit of users, it is not convincing because there are alternative ways to achieve the same benefit that do not require prefixing URLs, Javascript or use of cookies.
For example, browser settings already allow the user to control HTTP Referer headers, assuming queries were submitted using GET. The user can change the settings in the browser so that no referer is sent, or to send a custom referer of her choosing.
Another example is if DDG accepted queries via POST method in addition to GET. No search terms would be leaked in the URL or in any HTTP referer.
* We don't track result clicks. URLs are no longer prefixed with a DDG URL by default except for old browsers (although this is controllable in the settings: https://duckduckgo.com/settings#privacy ), but even if this is in effect we don't store which sites users visit. We started stripping search queries in referrer headers in 2010 and you're right, current web standards make it possible to do this without us having to redirect through our own servers.
* We have an alternative non-JavaScript URL - https://duckduckgo.com/html - which tries to offer a fuller search experience than the minimalist https://duckduckgo.com/lite
* Cookies are used to store settings but if users prefer to block them, preferences can still be "saved" by using URL parameters, listed here: https://duckduckgo.com/params These can be used either to form a local bookmark/start page or anonymously in the cloud with a password only (no username or other data).
> But one has to wonder why, if privacy is a goal, DDG is collecting it to begin with.
I'm not sure which data this is referring to but we don't collect or share personal information. There's more on this in our privacy policy: https://duckduckgo.com/privacy
Source: https://duckduckgo.com/privacy
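The two comments above disagree about whether a search engine needs to redirect clicks through its own servers to keep queries out of the Referer header. The deciding factor is the page's referrer policy, which a site sets with a `Referrer-Policy` response header or a `<meta name="referrer" content="...">` tag. The block below is an added example written for this page (not DDG's code and not from either commenter) that implements the header-construction rules of the W3C Referrer Policy spec for the named policies and applies them to two constructed search URLs: a GET search, whose query string sits in the page URL, and a POST search, whose query is in the request body and never in the URL. The result URL `https://example.org/article` and the search term are made up for the illustration. At the time of this thread most browsers defaulted to `no-referrer-when-downgrade`; current Chrome and Firefox default to `strict-origin-when-cross-origin`.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit


def _host_port(parts):
    return parts.hostname + (f":{parts.port}" if parts.port else "")


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def strip_for_referrer(url):
    """Per the Referrer Policy spec: drop credentials and fragment, keep path and query."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def referer_header(policy, source, target):
    """Referer value a browser sends when navigating from `source` to `target` under
    `policy`, or None when it sends no Referer at all."""
    same_origin = origin_of(source) == origin_of(target)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(target).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return strip_for_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else strip_for_referrer(source)
    if policy == "origin":
        return origin_of(source)
    if policy == "strict-origin":
        return None if downgrade else origin_of(source)
    if policy == "same-origin":
        return strip_for_referrer(source) if same_origin else None
    if policy == "origin-when-cross-origin":
        return strip_for_referrer(source) if same_origin else origin_of(source)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return strip_for_referrer(source)
        return None if downgrade else origin_of(source)
    raise ValueError(f"unknown referrer policy {policy!r}")


def query_leaks(policy, source, target, param="q"):
    """True if the search term in `param` reaches the clicked site through Referer."""
    ref = referer_header(policy, source, target)
    return ref is not None and param in parse_qs(urlsplit(ref).query)


# Constructed inputs: a GET search keeps the query in the page URL; a POST search does not.
GET_SEARCH = "https://duckduckgo.com/?q=chest+pain+payday+loan"
POST_SEARCH = "https://duckduckgo.com/"
RESULT = "https://example.org/article"

if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade", "origin",
                   "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} GET leaks={query_leaks(policy, GET_SEARCH, RESULT)!s:5} "
              f"POST leaks={query_leaks(policy, POST_SEARCH, RESULT)}")
```

Two things fall out of running it. Under the permissive policies the GET search page hands the full query to every result site, which is the leak the redirect-through-DDG scheme was built to stop; under `origin` or `strict-origin-when-cross-origin` the result site learns only `https://duckduckgo.com/`, with no redirect needed. And a POST search leaks nothing under any policy, but only because the query never entered the URL in the first place, so it also never reaches the browser history or a proxy log.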
Audit reports? How trustworthy are they if Symantec was able to provide good reports for such a long time for their certificate issuance when things were clearly not ok.
Hi, this is Gabriel Weinberg, CEO and founder of DuckDuckGo. I do not believe we can be compelled to store or siphon off user data to the NSA or anyone else. All the existing US laws are about turning over existing business records and not about compelling you change your business practices. In our case such an order would further force us to lie to consumers, which would put us in trouble with the FTC and irreparably hurt our business.
We have not received any request like this, and do not expect to. We have spoken with many lawyers particularly skilled and experienced in this part of US and international law. If we were to receive such a request we believe as do these others it would be highly unconstitutional on many independent grounds, and there is plenty of legal precedent there. With CALEA in particular, search engines are exempt.
There are many additional legal and technical inaccuracies in this article and I will not address all of them in this comment. All our front-end servers are hosted on Amazon not Verizon, for example.
He created that blog account just to write that article and it's the only one up there. Stuff like this makes me wonder what motivates some people.
Many people seeking enhanced privacy from DuckDuckGo are seeking privacy from Google, not from state actors. For that, you'd need additional measures like Tor, for which DuckDuckGo provides a convenient .onion service. Even if DDG is secretly tracking all our searches, they have less data to correlate it with.
My current privacy complaint on DuckDuckGo, combined with browser search UI issues (looking at you, Chrome) is over the !bangs. If you're doing "!w [sensitive topic]" instead of tabbing to Wikipedia search in your browser and searching that way, you're risking DDG or anyone who's compromised DDG seeing your Wikipedia searches, when the search should go straight to Wikipedia, Twitter, Stack Overflow, and so on.
For non js. There are of course other vectors and many not even search engine dependent.
(Disclaimer: DDG staff)
However it never made sense to me why people would use those DDG bangs.
I mean privacy is the main selling point, so why in the world would you send the searches you make on other websites to DDG, when the browser is perfectly capable of being configured for "search keywords".
In Firefox, go to amazon.com (or any website you want), right click on their search bar and select "Add a Keyword for this search...". Add "!a" or whatever you want. There, you've got your own bangs.
DDG is consistent across hosts / browsers / OSes.
DDG maintain (and fix) the bang searches as they break (which ... happens).
I appreciate being able to !bang away in my Android browser(s) navbars. There are other options. Surfraw (a Linux CLI utility) is an example, though my problem is that 1) I can't remember the aliases and 2) they interfere with other commands I use (there are ... a lot of surfraw elvi).
(Perhaps I am a robot?)
What if your threat model is a nation state? What's the proper way to ensure your privacy that does not require abstaining from the internet? Is a high degree of privacy even possible?
I'm more worried about privacy from private interests. The issue is what the governments do with data, and if the government let private parties access it, and where do you draw the line between the government having right to access, and companies being allowed to access it, because you will often have situations where things are not clear.
To be honest I will always have a problem with the whole privacy/surveillance debate, because there are things the government should know, but only because it is the government. Private companies are now able to track people and have the same kind of data the government has.
So there is a big nuance, and it is often shut out by the outrage, which frankly comes from a libertarian agenda, which I have a problem with.
If you use Google Search and someone obtains access to the data they have on you, legally or illegally, they could end up obtaining many years of your browsing history. If you use DDG they have nothing, and the most they can do (as the article states) is start collecting your search habits from that point onward.
I don't want huge companies to amass giant archives of data about me. There are so many ways it can be abused by a multitude of actors. It's a selling point to me when a service retains little or no information, and if it needs to retain something, it requests limited permission in clear and simple terms.
If I can go to a search engine that doesn't sell the fact of possible financial problems to whatever loan shark is willing to pay the most to get to me, I see that as a win.
Fat protocols should marshal the true web 2.0 along with DAOs.