Restore DuckDuckGo #84
Comments
I'm not sure how trustworthy they are either. Specifically because they seem more secretive about certain topics instead of open like one would expect (see here under "DuckDuckGo and Yahoo"). |
+1 value point re: american company subject to american law (national security letters, etc) |
+1. IF DDG remains, StartPage should at least be added. "DDG Privacy Policy", "We may add an affiliate code to some eCommerce sites (e.g. Amazon & eBay) that results in small commissions being paid back to DuckDuckGo when you make purchases at those sites" |
@justafatalerr0r Could you elaborate further on that quote? What's the problem with adding their affiliate tag to links in search results? |
@bakku Good point. I have no problem with removing DDG. Should it be replaced with StartPage? |
Could someone take a look at this discussion? As far as I can see these requests should be blocked by most adblockers but it still made me think if SP is as trustworthy as they'd like you to believe. On the other hand they could probably hide this data collection from the user if it really were problematic. (?) |
@IDKwhattoputhere Interesting. I will have a deeper look at this and come back here when I have some results |
I've replaced DDG with StartPage for now. |
Hi, I'm a bit confused by this assessment. We (at DuckDuckGo) believe we are as private as you can get in terms of search. Responding to some things in the thread: While we are headquartered in the US, our situation is different than other companies because we do not collect any personal information at all. US laws in this area are generally about requesting existing business records of some kind (metadata or underlying content), as opposed to creating significant new source code to surveil. That's why the Apple case was such a big deal. As a result, services where you actually store personal information are in very different situations than those where no personal information is stored (like us). Additionally, if you're worried about US organizations like the NSA in particular, you should note that inside the US they have legal restrictions (they cannot spy on US citizens) that prevent them from taking certain actions, but outside the US they have no such legal restrictions, and are therefore free to operate clandestine operations without any similar threat of legal recourse. In other words, any server or network outside the US that is an interesting target is much easier for the NSA to compromise. With regards to Amazon, all traffic sent to DuckDuckGo is encrypted (A+ at SSL Labs including PFS - https://www.ssllabs.com/ssltest/analyze.html?d=duckduckgo.com), and that encryption protects your query in transit to our servers, which are solely controlled by us. Additionally, all sites need to be hosted somewhere, and as I mentioned above, those hosted outside the US operate under less legal protection from US surveillance organizations. DuckDuckGo also has servers around the world, and if you are in Europe you will be connected to our European servers. With regards to Yahoo, I've reached out to the author of that article and he is presently revising it.
We have never sent any personal information to Yahoo or any other partner, and we of course do not collect any ourselves. Those pages the mentioned article references were removed because our implementation actually did change on the backend, and they are no longer relevant. Similar to needing to be hosted anywhere, any private search engine needs to work with similar partners to get a full set of results. I'm happy to answer any questions. |
Why do you say that when it doesn't appear to be true?
More: Also you're talking about citizens when DDG is a company. Am I misunderstanding something here? |
The central point around the NSA is that if you're worried about the NSA, you are arguably less protected outside the US where they have absolutely no restrictions on their actions. Additionally, US surveillance laws are generally about turning over existing business records with personal information, and DuckDuckGo has none. The bigger point though is that the US is just one country, and as privacytools.io notes, many countries share intelligence and have their own surveillance operations. Really all relevant countries' legal situations need to be analyzed to get a full threat assessment on a particular attack vector. That's why to me it is an important distinction if there are services that can operate without collecting any personal information at all, which is the case in search, and what we do at DuckDuckGo. |
Hello @yegg, First of all we could now argue about which citizens of a country are more under surveillance and which are less but I think we can presume that we are all under surveillance, no matter where but this is not really the topic here.
I read your privacy policy and your philosophy is really great. You furthermore stated that it does not generally happen that the national agencies request to implement new code for surveillance. But history has shown that it can happen and it also can happen in a way in which you are not allowed to tell your users. Now we could argue like you did that we should analyse every country's legal situation since maybe this might happen somewhere else as well and you are right. That's why any person who has found out legal information about a country can post an issue to privacytools.io to further improve the site. It's just that we already have experienced this with the US.
For me I can't see a problem where Amazon could collect data from DuckDuckGo and their servers since you don't collect it but also I can't imagine the power they have actually. The problem is generally that Amazon can not be trusted at all since they sold themselves to the CIA. I know that AWS is handy but why does a company which has such a great privacy philosophy then use the services of a company whose opinion on this is totally the opposite. |
Some stuff on DDG: https://8ch.net/tech/ddg.html |
Thank you for your recommendation of our privacy policy. We try to set an example because we believe in services putting forth straightforward privacy explanations that spell out clearly the benefits you get as a consumer for giving up particular pieces of personal information. In our case of course, we collect no personal information, but in the general case we believe services should collect the minimum possible. Our vision is to raise the standard of trust online and we do that through our donations to privacy organizations (https://duck.co/blog/post/303/2016-foss-donations-announcement) and our mission to be the world's most trusted search engine. If we believe we could do something to better protect our users' privacy, we would do it, and are more than willing to entertain suggestions. The argument put forth here seems to be that anything touching the US or Amazon is less trustworthy than anything that doesn't touch them. I know this is not the case, and that it is a much more nuanced reality. And in our particular case, it is actually more clear cut since we do not collect any personal information. I thought that you perceived these nuances since you already recommend many organizations with these properties, but if you're going on this essentially ontological bogeyman argument, there isn't really any more I can say here. The bottom line is if you'd like to recommend a private search engine, I wholeheartedly believe you can do no better than DuckDuckGo. I believe everybody should adopt a private search engine, and so I do not engage in debates maligning other private search engines, but I know that if you analyze completely the full threat assessments in reality, you will find DuckDuckGo to be just as private, if not more, than any other provider. |
After having read all this, I am a little more sceptical on using DDG, however I'm still going to use it. It's not perfect, but comparing features, security, and how dodgy it looks, it's my favourite! Yes it's based in the US, but being outside the US, provided I connect to EU servers, I really don't care. Yes, Amazon are known to share data with government bodies, but depending on how their network is setup on AWS (information that obviously isn't public), it's possible it's not all bad. My largest complaint is with the affiliate links from search pages. Subtly injecting this into URLs worries me, especially seeing as there's no way to disable this. I'd much prefer being served an ad based on my search query (provided it was done securely / anonymously), than having affiliate links. I'd happily take this as a choice in the settings between ads and affiliate links. |
@RealOrangeOne thank you. With regards to affiliate links, there are no privacy issues with them whatsoever. The only programs we use are Amazon and eBay because those are the only two programs I know of that can be used completely anonymously. From https://duck.co/help/company/advertising-and-affiliates:
With regards to EU servers, as said above, we do operate EU servers and so you should be interacting with them directly by default if you are in the EU. For people in the US, using EU servers doesn't really get you anything since your traffic has to physically flow through the US, and we do not store personal information in any case. |
Long time DDG user. I am also using Qwant (mostly for french stuff):
What do you think of it? I am for keeping DDG but with a caveat and a link to their privacy policy. We can't trust promises, but they are better than nothing. |
I vote keep DDG |
I think DDG should be put back. It's fine to put StartPage and Qwant alongside too. All of the three are private enough and I think we should ultimately let the user decide. |
Site says about other services/products:
Should apply to all services/products. |
Also, consider that StartPage is really a meta search engine ultimately. That means that it ultimately has a dependency on Google's search results. It doesn't affect our privacy directly but it does mean that the problem remains fundamentally unresolved. DuckDuckGo on the other hand is relatively independent and therefore represents a somewhat cleaner alternative. |
The important questions for me now are:
I personally use DDG and would like DDG to be on the list but it's up to the project and what its intentions are. |
You are totally right @xdtnguyenx. |
I will copy-paste a comment here from the reddit discussion that is taking place about this.
Link to original comment - https://www.reddit.com/r/privacy/comments/5j5pwy/interesting_discussion_with_the_ceo_of_duckduckgo/dbe67ld/ I think it makes sense to include DDG considering that they don't have any data about the user in the first place + all of the above. |
That really depends though, doesn't it? Not only on if they don't find a way around restrictions or get green-lit by a secret court but also on how closely they're watching for example. It's not like the NSA spies on the US just a little and on every other country a lot (see, found this interesting too). |
@IDKwhattoputhere there is a good discussion on the reddit thread referenced above on how NSLs do not apply to DuckDuckGo in any straightforward manner because we do not collect any personal information.
|
I don't think that comment is entirely correct. Specifically the backdoor part:
|
It is funny to read this:
Because Cloudflare was subject of a major security flaw. Here is what the Google engineer who discovered the flaw had to say about it:
News article: https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/ Official report: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ Reference for the comment of the Google engineer: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 List of websites potentially affected: https://github.com/pirate/sites-using-cloudflare |
@woctezuma DuckDuckGo did not have any of the Cloudflare services enabled that would cause data leaks for that specific issue. Cloudflare is mostly protection against DDoS attacks. |
DDG was used to find the leaks and was not affected. |
Qwant is miles ahead in result quality IMO. Is there still a need to recommend a US based service when as good or better services are out there? Trying to have some privacy and recommending US based services feels like shooting yourself in the foot before you have even started. Sure, they might be safe for now, but ultimately the chance of them not being so or not staying so is higher than with any non-US based service. |
Reviewing this thread, it seems the consensus is to restore DDG. Can I get a vote 👍 / 👎 of the current consensus? Would anyone with reservations please reiterate them? I want to make sure DDG has a chance to respond to any outstanding objections. |
upvote to keep or upvote to remove? |
👍🏼
John Wunderlich,
Sent frum a mobile device,
Pleez 4give speling erurz
"...a world of near-total surveillance and endless record-keeping is likely to be one with less liberty, less experimentation, and certainly far less joy..." A. Michael Froomkin
…________________________________
From: Joseph Anthony Pasquale Holsten <[email protected]>
Sent: Sunday, July 30, 2017 4:03:22 PM
To: privacytoolsIO/privacytools.io
Cc: Subscribed
Subject: Re: [privacytoolsIO/privacytools.io] Remove DuckDuckGo (#84)
* 👍 restore Duck Duck Go
* 👎 keep Duck Duck Go removed
|
👍🏼 |
@Shifterovich "I suggest adding DDG with a note that it's based in the US." I could live with that. |
Heya, sorry for necroing, but judging by the votes on the post by @josephholsten, I think that giving DDG a spot in the top search engines (and not just keep it as a "Worth Mentioning") or at least moving it higher in "Worth Mentioning" list is a better move than just keeping it at the end of "Worth Mentioning". |
@Shifterovich |
I'd move Qwant to Worth Mentioning, StartPage to 2nd and DDG to 3rd. |
Sounds good to me. |
Alright, I'm preparing a PR. Should I link to this discussion when mentioning that it's based in US? |
I'd link to #ukusa. |
Moved qwant to Worth Mentioning, SP to 2nd and DDG to 3rd as discussed on #84
Request to reopen
This ticket was closed but there are several unaddressed issues. Please reopen this to remove (or make changes to) DuckDuckGo's inclusion.
Trust has no merit
In this particular case those promises are useless. When it comes to trustworthiness of DuckDuckGo it has been pointed out in this thread that @yegg's previous project entailed privacy abuse. So the community needs to be convinced that he has reformed and redeemed himself. However, DDG is currently partnered with privacy abusers. What is the merit in trustworthiness here? deception as well: DDG has actually scrubbed their Yahoo relationship from public view, showing further that they cannot be trusted. Some may recall that DDG previously had “In partnership with Yahoo!” on their search page and quietly removed it. When pressed on the issue they used some ridiculous weasel wording in their attempt to create a false distance from Yahoo. DDG has also removed details about that yahoo relationship, breaking URLs like This is not good for trust. DDG is untrustworthy.
Follow the money
Privacy advocates don't solely care about the privacy of their immediate search. They also need reassurance that they are not doing something that indirectly causes privacy abuse. When we follow the DDG money trail we see that it leads to privacy abuse. Ethical privacy activists boycott privacy abusers. When DDG is presented on a trusted website like privacytools.io it misleads privacy activists and this is harmful.
@uncertainquark
StartPage and DuckDuckGo are both proxy search engines and both get paid results from privacy abusers (Google and Yahoo respectively). If I had to choose I'd favor supporting Google before the Verizon, Yahoo, and AOL corporate conglomerate (whose privacy abuses are criminal) along with Amazon. Google is also more transparent about its privacy abuses than Verizon et al. Luckily this is hypothetical and we need not choose between them in the face of Searx.
Direct privacy compromise
DDG search results are rich in CloudFlare sites. CloudFlare is one of the top privacy abusers on the web. What good is it to have an allegedly untracked search when the results of the search contain malicious referrals leading users unwittingly straight to CloudFlare, who logs the user's IP address and sees their traffic among other abuses like DoS against Tor users?
DDG vs. Qwant
The CAPTCHA hell that Qwant puts Tor users through is noteworthy. However, Qwant is still better for privacy than DDG. My comparison:
Qwant is more favorable than DDG in terms of overall privacy. OTOH, Qwant's CAPTCHA does more direct damage to privacy-embracing users as the inconvenience is sufficient to drive users off Tor or off Qwant.
Proposal
Remove DDG as a recommendation. If DDG is mentioned at all then it's only responsible to also document the shortcomings (https://github.com/privacytoolsIO/privacytools.io/issues/729) and let users decide in an informed manner. Presenting DDG as a blind recommendation without the anti-features does a disservice. |
Don't forget, DDG is reported to use US dollars, and the US is well known for invading people's privacy, to say nothing of engaging in warfare, so we can't support them! Of course, @libBletchley did make his proposal on a site operated by Microsoft, so let's entirely ignore whether he would cut off his nose to spite his face. |
Hi guys,
Recently I began searching for a search engine (pun intended). Certainly I came across DuckDuckGo and searched for information since a lot of people regard it as a search engine which respects privacy.
I came across a few problems (relevant source, sadly in German: http://www.zeit.de/digital/datenschutz/2014-01/duckduckgo-startpage-ixquick-nsa):
I suggest removing DuckDuckGo from the list and maybe taking startpage.com as a candidate. I have not found information regarding startpage which shows that it is not trustworthy regarding privacy.
EDIT: I would be delighted to create a PR if others agree