Still trust DuckDuckGo? | www.alexanderhanff.com

archived 26 Jun 2013 19:49:07 UTC


Still trust DuckDuckGo?

Submitted by AlexanderHanff on Sat, 06/22/2013 - 13:20
In my recent blog post PRISM - Where do we go from here? I made the point that using services such as DuckDuckGo on the presumption that they are safe is a dangerous thing to do, and explained why. I have also been explaining to people on Twitter that using DuckDuckGo on the assumption that their searches will be private was a misunderstanding of who DuckDuckGo are and what they do, and pointed them to the previously mentioned blog post. I even had a short conversation with DuckDuckGo's CEO via Direct Message (DM) on Twitter explaining my reasons and suggesting he move operations to Europe in order to escape the US surveillance machine - at which point I would be happy to support them:
"You guys should consider moving all your business to the EU and setting up new exclusively EU corp (no ties to US), then I can support you."
Upon further investigation over the following days, I discovered that DuckDuckGo were not complying with their own Privacy Policy which states:
Another way that your searches are often tied together at other search engines are through browser cookies, which are pieces of information that sit on your computer and get sent to the search engine on each request. What search engines often do is store a unique identifier in your browser and then associate that identifier with your searches. At DuckDuckGo, no cookies are used by default.[Emphasis Added]
Yet they do store a cookie by default - this cookie is called "user_segment" and is valid for 1 month after it is first set.
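A check a practitioner would run before taking a "no cookies by default" claim at face value, given here as an added example that is not code from the original post or from DuckDuckGo: send one request with an empty cookie jar, take the raw Set-Cookie headers that come back, and classify each cookie by the domain it is scoped to and how long it lives. The sample headers below are constructed for illustration (the user_segment name and the 30-day lifetime mirror what the post describes; example.com is a placeholder host), not a capture from any site.

```python
"""Classify the cookies a site sets on a first, cookie-less request.

Added example, not code from the post or from DuckDuckGo. Input is the
requested host plus the raw Set-Cookie header values of the response;
output is, per cookie, whether it is first-party for that host, whether
it persists beyond the browser session, and for how many days.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class CookieReport:
    name: str
    domain: str                     # effective domain the cookie is scoped to
    first_party: bool               # requested host is covered by that domain
    persistent: bool                # has Max-Age or Expires (survives restart)
    lifetime_days: Optional[float]  # None for a session cookie


def domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain matching: host equals the domain or is a subdomain."""
    d = cookie_domain.lstrip(".").lower()
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def parse_set_cookie(header: str, request_host: str, now: datetime) -> CookieReport:
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    domain = request_host          # no Domain attribute: host-only cookie
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()
        elif key == "max-age" and val.lstrip("-").isdigit():
            max_age = int(val)
        elif key == "expires" and val:
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):   # unparsable date: treat as absent
                expires = None
    lifetime: Optional[float] = None
    if max_age is not None:                   # Max-Age wins over Expires
        lifetime = max_age / 86400
    elif expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = (expires - now).total_seconds() / 86400
    return CookieReport(
        name=name.strip(),
        domain=domain,
        first_party=domain_matches(domain, request_host),
        persistent=lifetime is not None,
        lifetime_days=lifetime,
    )


def audit_cookies(headers: List[str], request_host: str,
                  now: Optional[datetime] = None) -> List[CookieReport]:
    now = now or datetime.now(timezone.utc)
    return [parse_set_cookie(h, request_host, now) for h in headers]


# Constructed sample (placeholder host, not a capture from any real site).
SAMPLE_HOST = "example.com"
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    # persistent, first-party, scoped to the whole registrable domain
    "user_segment=abc123; Domain=.example.com; Path=/; Max-Age=2592000",
    # session cookie, host-only: gone when the browser closes
    "sid=tmp; Path=/; HttpOnly",
    # scoped to a domain that does not cover the requested host
    "tracker=x; Domain=ads.example.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]

if __name__ == "__main__":
    for report in audit_cookies(SAMPLE_HEADERS, SAMPLE_HOST, SAMPLE_NOW):
        print(report)
```

To run it against a live site, make one request with an empty cookie jar and pass every Set-Cookie value the response carries; a persistent cookie scoped to the root domain is exactly the kind the post complains about. A browser would reject the third sample outright (its Domain does not cover the requested host), which is why the audit reports it as not first-party instead of silently dropping it.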
Furthermore, their privacy policy states that they do comply with law enforcement requests, and then attempts to offset concerns by saying they don't log anything. What they don't tell you is that they can be compelled to log your searches as a result of those law enforcement requests, so admitting they comply with such requests is also an admission that they cannot guarantee they will not log your searches.
To make matters worse, they also attach unique identifiers to certain search results in order to obtain commission payments should you make a purchase on an affiliate site (which is where they get their revenues). This identifier exists solely to track users between DuckDuckGo and affiliate web sites.
I have been making these points clear to people who wrongfully assume, and tell others, that DuckDuckGo is a good search engine if you seek privacy - not because I have anything against DuckDuckGo, but simply because I want people to be fully informed about the risks posed by the services they use.
Today DuckDuckGo responded, with an illustration of exactly how much they value people's privacy. They sent me a tweet with the following:
DuckDuckGo @duckduckgo
@alexanderhanff thanks for sharing @duckduckgo! An easter egg in your honor duckduckgo.com/?q=alexanderha… -- bottom right corner :)
If you visit the link you will see they have set up a custom search for my name with my picture at the bottom right corner of the page. They did this purely out of spite because I was making people aware of my concerns regarding their service. They did this because they don't care a hoot for people's privacy. On the plus side, at least we have now seen their true colours - somehow I don't think the people behind Startpage.com and Ixquick.com would ever resort to such spiteful actions, and of course they have been audited and certified by Europrise, something DuckDuckGo cannot claim about their own services.

UPDATE

DuckDuckGo have now removed the custom search and image linking back to my Twitter account, I guess they were afraid of people seeing them for who they truly are - too late DuckDuckGo the horse has already bolted.

Update 2

DuckDuckGo have now responded to this post the link is in the comments below but I wanted to clarify a few things by updating the original post.
First of all, DuckDuckGo have admitted that the cookie did exist and was being set by a 3rd party (desk.com). They have since removed the cookie, which is why people are no longer able to find it; this is a result of my exposing the issue.
Second, DuckDuckGo insist that they cannot be compelled by the courts to provide access to user data which crosses their networks or touches their servers - they even claim they are exempt from the Communications Assistance for Law Enforcement Act (CALEA). This is misleading. They may be exempt from having to pre-install technologies providing the ability to "wiretap" (intercept) data on their networks, but they can still be compelled to do so:
Notably, a U.S. court can compel any provider to provision a wiretap, even if the provider is exempt from CALEA. But exempt providers need not necessarily adopt tools in advance to meet CALEA's specifications for immediate and unobtrusive interception, with high-quality data streams and without infringing on others' privacy.
[Source]
Furthermore, they can be compelled to decrypt the encrypted data (HTTPS), since they are the ones providing the encryption and therefore have the capability to decrypt it:
"Covered providers are not required to decrypt communications unless they initially provide the encryption service, and, moreover, have the means to decrypt."
[Source]
When you understand this, and include the fact that in their Privacy Policy DuckDuckGo state they will comply with law enforcement requests, it becomes pretty clear that their "We don't log anything." statement offers absolutely zero protection and their claims that they are immune to being compelled to intercept and/or log are patently false.

Comments

Oli (not verified)
Sat, 06/22/2013 - 18:00

No cookie

Hi,
I tried to make a search with DuckDuckGo and I don't have any cookie stored...
Where did you find the user_segment cookie ?
Regards
WebMaster
Sat, 06/22/2013 - 18:53

All I have ever done on their

All I have ever done on their site is read their Privacy Policy, read their news page and do 1 search, and I have the cookie. It was set on 19th June and expires on 19th July and is called user_segment.
micah (not verified)
Sat, 06/22/2013 - 18:57

logging

Hi,
"... they can be compelled to log your searches as a result of those law enforcement requests..." -- Can you specify how that can happen, a citation or something would be nice, because it is my understanding that a subpoena for information can only ask you for what you have and cannot require you to make changes to your configuration in order to gather data in the future.
WebMaster
Sat, 06/22/2013 - 20:34

As I explained on DDGs forum,

As I explained on DDG's forum, the data they choose not to log still comes into their network and servers and is stored in RAM and page files in routers, switches and servers. Just because they claim they don't log it, it doesn't mean that FISC can't compel them to give access to it. Given FISAAA orders are secret, it is difficult to produce a citation, but I will try to find one and post it when I do.
Pomax (not verified)
Sat, 06/22/2013 - 19:01

personalised twitter thing

While fair points, that "easter egg in your honor" is a generic thing they send to pretty much anyone that tweets about them. I'm all for getting to the truth of things, but that also means not jumping to conclusions like "They did this purely out of spite". (I got one of those notices too, weeks ago, for tweeting about them, months ago)
WebMaster
Sat, 06/22/2013 - 20:36

The fact is the CEO knows

The fact is the CEO knows full well I was not recommending them - we had discussed issues directly in DM - and I found it offensive that he then decided (several days later) to post the tweet (suggesting I was recommending them) and set up the Easter Egg. Maybe you don't find it offensive, that is fine, but I did and that is what matters.
Gabriel Weinberg (not verified)
Sat, 06/22/2013 - 19:20

DuckDuckGo response

Hi, this is Gabriel Weinberg, the founder and CEO of DuckDuckGo. I responded to these allegations on our forum.
BiteTheDust (not verified)
Sat, 06/22/2013 - 20:12

dukgo.com

Are you sure the cookie isn't for .dukgo.com, which is their separate help/community site?
WebMaster
Sat, 06/22/2013 - 20:38

No the cookie was for

No, the cookie was for the duckduckgo.com root domain, and the CEO has admitted on their forum (see comment above yours) that it was set by the third party desk.com.
Quite how a 3rd party managed to set a 1st party cookie is still a mystery and no explanation has been given. This makes the situation worse, not better.
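One ordinary way a third party ends up setting a first-party cookie, given as an added example rather than as an explanation the page provides for the desk.com case: any <script src> pulled from another host executes inside the embedding page's origin, so it can write document.cookie scoped to the page's own domain, and the browser records the result as a first-party cookie. The script below (not from the post, from DuckDuckGo or from desk.com) lists the external script origins in an HTML document that receive that level of access; the HTML and the hostnames in it are constructed.

```python
"""List third-party script origins that get first-party code execution.

Added example, not code from the post or from DuckDuckGo. A script loaded
from another host runs with the embedding page's origin: it can read the
DOM and set document.cookie for the page's own domain. This audit extracts
every external <script src> from an HTML document and reports those served
from outside the page's registrable domain.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host.
    Assumption: fine for .com-style names; a real audit would consult the
    public suffix list so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _ScriptCollector(HTMLParser):
    """Collect absolute URLs of every <script src=...> in the document."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                # urljoin resolves relative and protocol-relative (//host/x) refs
                self.sources.append(urljoin(self.page_url, value.strip()))


def third_party_scripts(html: str, page_url: str) -> List[Tuple[str, str]]:
    """Return (script_url, script_host) for scripts outside the page's domain.
    Inline scripts have no src and are skipped: they are first-party by definition."""
    parser = _ScriptCollector(page_url)
    parser.feed(html)
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    found: List[Tuple[str, str]] = []
    for src in parser.sources:
        host = urlsplit(src).hostname or ""
        if registrable_domain(host) != page_domain:
            found.append((src, host))
    return found


# Constructed sample page: one same-origin script, one same-domain CDN script,
# one help-desk widget from an unrelated vendor, one inline script.
SAMPLE_PAGE_URL = "https://example.com/"
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example.com/lib.js"></script>
  <script src="//widgets.helpdesk-vendor.example/embed.js"></script>
  <script type="text/javascript">var inline = 1;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for url, host in third_party_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"third-party code with first-party access: {host}  ({url})")
```

Each host the audit prints can set, read and overwrite cookies for the page's domain, so the list is the real "who can set our first-party cookies" answer. A Content-Security-Policy script-src directive limits which hosts may be loaded at all but does nothing to limit what a permitted script does once it runs, which is why the list itself, not the policy, is the check.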
Anonymous (not verified)
Sat, 06/22/2013 - 20:38

No cookie

I confirm what Oli says: there is no cookie on DuckDuckGo.
You can have it with the settings.
Or on their press website (duckgo.com).
I found a tracker there, and more than one cookie.
So please don't say that duckduckgo.com and duckgo.com are the same.
I also think that DuckDuckGo can be hosted wherever it wants: it doesn't store information about us (the name is « Metasearch_engine ») → https://en.wikipedia.org/wiki/Metasearch_engine
So they can respect the law.
About Twitter:
> They did this because they don't care a hoot for people's privacy.
Your profile is public, so they can share a link with a picture of your Twitter account.
And about privacy, targeted advertising on Twitter is arriving.
WebMaster
Sat, 06/22/2013 - 20:55

As I stated above, the

As I stated above, the question of the cookie is indisputable: their CEO has already admitted that desk.com were setting a 1st party cookie under the root duckduckgo.com domain - go and read the link he posted in response to this article if you don't believe me. How desk.com were able to do that is still in question and no answer has been provided by DuckDuckGo on this, which, as I stated above, raises even more concerns about their security and privacy claims.
The cookie is no longer being set - because I exposed it, that is why you cannot see it.
WebMaster
Sat, 06/22/2013 - 21:53

Still think they can't be

Still think they can't be compelled?
"Notably, a U.S. court can compel any provider to provision a wiretap, even if the provider is exempt from CALEA. But exempt providers need not necessarily adopt tools in advance to meet CALEA's specifications for immediate and unobtrusive interception, with high-quality data streams and without infringing on others' privacy."
whomever (not verified)
Mon, 06/24/2013 - 00:37

Still trust DuckDuckGo?

Hey buddy!
Thanks for interesting and educational reading here and over at their board. Do you care to comment on the other new inflation of "privacy" tools promoted all the time, for example the Mozilla Firefox add-ons and their reliability?
br
WebMaster
Mon, 06/24/2013 - 11:46

I am just one person, I

I am just one person, I couldn't possibly write about every privacy "service" or addon out there, but I am planning to write a lot more about these issues over the coming months, so keep an eye on the blog.
Mr. X (not verified)
Mon, 06/24/2013 - 03:00

DDG is COMPLETELY UNSAFE - IT HAS A MAJOR SECURITY HOLE

DuckDuckGo is not safe at all.
WHY? I am tired of posting and re-posting this ;)
It's because the PRISM folk can spy on your IP address as it connects to duckduckgo and then they can spy on the query Bing receives from duckduckgo. DDG sends all its queries to Bing because it is not a search engine, it is a query-relay service. Then they can track the query to one of about 20 or so IPs that were querying DDG at the time. Then if you refine your query or fix a spelling error, etc., they've got you! Now they have two lists each of about 20 IPs, they take the intersection, and it's your IP. More detail here: https://www.gigablast.com/privacy.html (and yes, I am a competitor privacy search engine that has its own index so I don't suffer from this, but who else would have caught such a glaring hole in DDG's security model?)
WebMaster
Mon, 06/24/2013 - 11:45

You need to understand that

You need to understand that you are subject to exactly the same problems as DDG are - you are based in the US therefore you can be compelled under CALEA/FISAAA/PATRIOT to collect information about your users. So your argument about DDG may well be valid, but it doesn't really make you any better with regards to vulnerability to draconian surveillance laws. I will give you the same advice I gave to DDG, move your operations out of the US - preferably to Europe, if you want to protect your users from the US surveillance machine - just not the UK, because they are even worse.
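The intersection attack Mr. X describes in the comment above, worked through as an added example that is not code from the post, from DuckDuckGo or from Gigablast. The observer is assumed to see only two things per time window: which client IPs connected to the relaying front end, and which queries the front end forwarded upstream, with no pairing between them. The traffic, the window size and the rule that groups a query with its corrections and refinements are all constructed assumptions.

```python
"""Intersection attack on a query-relaying search front end.

Added example illustrating the attack described in the comment above; not
code from the post, from DuckDuckGo or from Gigablast. Per time window the
observer sees (a) which client IPs connected to the front end and (b) which
queries the front end forwarded to its back-end provider, but never which
client sent which query. All observations below are constructed.
"""
from typing import Dict, List, Set

# Constructed: window number -> client IPs seen connecting to the front end
CLIENTS_PER_WINDOW: Dict[int, Set[str]] = {
    1: {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"},
    2: {"10.0.0.2", "10.0.0.3", "10.0.0.5"},
    3: {"10.0.0.3", "10.0.0.6", "10.0.0.7"},
}

# Constructed: window number -> queries the front end forwarded upstream.
# The "cheap flights" query is typed, spelling-corrected and then refined
# across three windows; "weather" is seen only once.
QUERIES_PER_WINDOW: Dict[int, List[str]] = {
    1: ["cheap flights pragu", "weather"],
    2: ["cheap flights prague"],
    3: ["cheap flights prague hotel"],
}


def session_key(query: str) -> str:
    """Group a query with its corrections and refinements.
    Assumption: the first two words identify the session. A real attacker
    would use timing and edit distance; this keeps the example readable."""
    return " ".join(query.lower().split()[:2])


def intersect_candidates(clients: Dict[int, Set[str]],
                         queries: Dict[int, List[str]]) -> Dict[str, Set[str]]:
    """For every query session, intersect the client sets of all windows in
    which a query from that session was forwarded. Returns session -> IPs."""
    candidates: Dict[str, Set[str]] = {}
    for window in sorted(queries):
        active = clients.get(window, set())
        for q in queries[window]:
            key = session_key(q)
            if key in candidates:
                candidates[key] &= active      # each refinement shrinks the pool
            else:
                candidates[key] = set(active)  # first sighting: everyone active
    return candidates


def identified(candidates: Dict[str, Set[str]]) -> Dict[str, str]:
    """Sessions whose candidate pool collapsed to exactly one address."""
    return {k: next(iter(v)) for k, v in candidates.items() if len(v) == 1}


if __name__ == "__main__":
    pools = intersect_candidates(CLIENTS_PER_WINDOW, QUERIES_PER_WINDOW)
    for session, ips in pools.items():
        print(f"{session!r}: {len(ips)} candidate(s) {sorted(ips)}")
    print("identified:", identified(pools))
```

A query seen once narrows only to the clients active in that window (four addresses for "weather" above); each refinement contributes another window and the pool is intersected down, here to a single address for the flights session. The two-word grouping rule is the weak spot an attacker would replace with timing and edit distance, and NAT or shared addresses would turn "one address" into a household rather than a person; neither caveat changes the shape of the attack.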
dp (not verified)
Tue, 06/25/2013 - 14:36

are there any trustworthy email providers?

Thank you for your efforts on the issue of duckduckgo. It is always hard to know which companies to trust on these matters.
On a different but related topic, I wonder if there are any better email alternatives to google and yahoo out there.
WebMaster
Wed, 06/26/2013 - 11:32

Startpage are releasing an

Startpage are releasing an email service this summer which I have already had the benefit of using. It will incorporate some very strong protections for privacy and security making it unique compared to other services out there. You can sign up for the beta at www.starmail.com

© 2013 Alexander Hanff - All Rights Reserved