Question: does anyone actually know what DDG does with user data? Like they market themselves as a "privacy respecting" search engine, but how much of this is truth?
I'd imagine there's good money in convincing people they have privacy because then they'll provide more interesting data.
Has the company ever been audited? Why should they be trusted to not compromise user privacy? Imo at least Google is honest: you know when you use their products as intended you have no privacy, and they don't try to hide this
Edit: since DDG isn't open source like searx, how do we know there is ANY truth to their marketing claims?
Edit: Just for accuracy, the browser extensions are open source. But as far as I know, the actual search engine isn't
Edit: They made over 100 million in 2020. They clearly can (and should) get an independent audit. It's shocking that they haven't had a single audit. Even startpage has
> Question: does anyone actually know what DDG does with user data? Like they market themselves as a "privacy respecting" search engine, but how much of this is truth?
It doesn't matter.
Why? Because when going through the exercise of identifying risks in the system one can't assume the actors are benevolent and won't ever use the access+data they have for evil.
That's not at all to say all actors are evil and will always do the most harm possible. Many risks are never exploited in practice. But that doesn't mean the risk doesn't exist. It still does! And it might be exploited in the future (with companies, all it takes is a reorg that puts someone less ethical in charge).
Thus, when doing your threat modeling exercise, for the purposes of identifying risk, assume the various actors could do as much damage as they possibly could with the access they have.
So concretely, when I evaluate risk on google vs. DDG: I won't take into consideration any "privacy respecting" marketing, that's not important. What matters is how much damage can each party do, which one is less risky?
Both get my search queries which is inevitable for a search engine. So there's that risk but it's a wash.
But google has its tendrils woven into far more points from which they can and will correlate data. Google analytics, AMP, gmail/gsuite, chrome (for people using that), also most people have an active login session with google most of the time, etc.
DDG has a much smaller footprint on the internet from which to correlate data.
Therefore, even assuming both parties are equally evil, DDG presents a smaller risk.
I read about a Github issue [1] where someone reports that all websites a user clicks on to DDG servers. Reading the employee's response was eye opening.
They literally do not care if it has a bad look, they just say "we don't collect your personal information."
What??? They are literally admitting to collecting domains in the feed of the Github issue but then just copy and paste their manifesto and expect us to think it's fine. I seriously do not understand this.
>since DDG isn't open source like searx, how do we know there is ANY truth to their marketing claims?
You wouldn't know this even if it was open source. Open source does nothing here. Looking at the source code will not tell you their data retention policies or what is actually stored in their databases. It will also not guarantee the source that you see matches what is on their servers.
I used them nearly exclusively and recommended them to all my friends. Once they started censoring content for political reasons (Ukraine), that ended instantly.
If Duck really collects user data, the moment this is found out, they’re dead, so for that reason alone, they probably don’t do it. The alternative is that they’re betting everything on nobody ever finding out which sounds crazy.
You're right to be skeptical. They are essentially a client state of Microsoft. Their results come from Bing and they are hosted at Azure. Their privacy policy is just vague enough to not rule out the possibility that Microsoft collects all the stuff that DDG says they don't collect.
Something feels off about DDG, especially once I found out that they funnel you into downloading their iOS app in order to sign up for their new browser’s waitlist.
It’s like a dark pattern that an advertiser would use, not a privacy-focused search engine.
Duckduckgo could easily be fully owned and operated by some three letter agency. The NSA is already able to go onsite and tap into the data that passes through corporations and they've been doing exactly that for decades (see Room 641A) and they can force corporations to keep silent about it using national security letters. You should already assume that every US based company is sending every scrap of data you give them to the state.
With no way to avoid your data from going to the state, what are you left with? Worries over companies collecting, selling, and using your data against you. That's a very real and perfectly valid concern.
We know that other search engines are doing those things, so it's best not to use them if we can avoid it. Duckduckgo might be doing those things, which at least gives us a chance, and even if they are it'd be better to hand your data over to several different companies than to give them all to one source (like Google for example) because the more data points any one company has on you the more control they have over you.
The worst case scenario would be that Duckduckgo is actually secretly run by Google and the data being collected from the service is being used to help fill your dossier at Google but if that's the case we're never going to know about it until a whistleblower comes forward.
As defeatist as this all sounds, I do believe in taking steps to try to protect your privacy where you can, and I take many steps that go far beyond what most people are willing to, but we also have to accept the reality of the situation we have where our laws and regulations do not protect us, and there is very little we can do to protect ourselves but depend on others to do what they say.
That's why I use duckduckgo right now. Not because it's trustworthy (we can't know that), but because they might be and that's (sadly) the best option we have at the moment.
It's amazing how much collateral damage is caused by our horrible copyright laws. Mostly just so the MPA/RIAA can protect their roles as gatekeepers of what we're allowed to see and hear.
They can put enormous pressure on even the wealthiest and most powerful companies to act as copyright police on their behalf. Even Google is afraid of them. ISPs are forced to spend huge amounts of time and money working for them. Now duckduckgo is being strong armed into doing a bunch of free work for them too? Maintaining lists of websites and domains to block and removing links to even non-infringing material like youtube-dl just to keep from being sued into the ground.
I don't know what it'll take to rein in these guys, but I doubt the courts will be the ones to do it. So far courts seem fine with the idea that ISPs must permanently ban users from their service over nothing but repeated unsubstantiated claims of infringements which is an insane amount of power to give any industry.
Has any US politician ever run on a platform that includes copyright reform?
There is no political will in the US to change the copyright system. Aside from some technologists, I haven't seen anybody who actually wants that. You will anger basically everyone else in the information business. Writers, researchers, artists, architects, musicians, composers, filmmakers, actors, podcasters, even a lot of software developers, you name it. These people all depend on copyright enforcement to get paid.
That to me is the worst thing about repeated phrasing of this as some kind of evil special interest groups against everyone else. The "special interests" here are the people who produce the copyright material you want to access. You have to play ball with them or they will simply not be able to produce those things anymore.
Also, _come on_; if someone gives up after one search term, which also includes advanced site-restricting syntax, there's no way they'd be able to operate youtube-dl anyway: https://duckduckgo.com/?q=youtube-dl&ia=web
Yeah idk why someone would type in the full URL of a site and not just the term they're looking for in a search engine...what a dumb way to test that on their part.
I use DDG as my default search engine, along with NoScript in the browser. Often when I visit a new website, I peruse the (long) list of domains that the site is trying to pull javascripts from.
I keep most of those source sites in UNTRUSTED status (including some of the big names in search/ads/etc). But I've always had DDG in the TRUSTED category because I had only seen its javascript before on the main DDG website.
(Unfortunately NoScript has a limitation that you can't tell it to "only TRUST javascript from example.com when I'm visiting example.com").
But recently I started noticing some websites pulling javascript from DDG (I don't remember which sites).
So now I was wondering if DDG is getting into the tracking business, since they're now having their javascripts load from third party sites.
Obviously this is anecdotal. But does anyone know if they are indeed beginning to track?
> (Unfortunately NoScript has a limitation that you can't tell it to "only TRUST javascript from example.com when I'm visiting example.com").
uMatrix (which I'm using in desktop Firefox) works exactly like this. Plus it allows you to forbid/allow cookies, styles, images, scripts, media, XHR, and iframes separately (for each origin/domain).
I run uMatrix and have noticed some DDG showing up on other sites as well. The sites in question appeared to be (at least ostensibly) using it as a "can I reach the internet" sort of check. If I blocked requests, it would say something to the effect of "no connection detected." I wish I could remember which sites they were, but I do remember seeing at least one call to improving.duckduckgo.com from a 3rd party.
> So now I was wondering if DDG is getting into the tracking business
Anecdotal of course, but I've been seeing more and more DDG billboards. Those things aren't cheap, and my trust in them has declined the more I see them advertise in the traditional market.
beacons and pings fired upon activating a link, happen after the document change, so ublock associates them with the new document, even though they are initiated by the old document
I suspect this is largely due to DDG using Bing under the hood, which has led to similar weirdness in the past, eg all major porn sites disappearing from the results in Singapore (while Google still showed them, mind you!).
Still super disappointing though, and yet another reason why trying to build a better search engine on top of someone else's tech is a non-starter.
Someone should make a search engine that only indexes sites that Google and DuckDuckgo do not index. It would serve sort of the same purpose as like, lists of banned books.
Funny how the narrative on DDG has changed. I used to get downvoted to oblivion for merely mentioning they used Bing under the hood. Where are all the people that used to defend them so vigorously? I wouldn't be surprised if it's the same people now hating on them.
Serious Question: How is the DDG search structured? Is it a cosmetic skin over Bing, or is it aggregating from other sites like Yahoo, ecosia etc additionally?
If it is just Bing under the hood, how does it exist as a business entity? I am sure MS will take some action to consolidate their search share rather than seeing it splintered.
DDG is Bing, they use its API to get the search results. They augment it with other sources to provide the "value added" part, but that's a tiny part. DDG doesn't want you to know that it is Bing, but Bing is what it is.
HN constantly mentions DDG is really just Bing in disguise and they're essentially the same. However, that can't be entirely true because they produce different results for the same search term.
DDG does run ads just like Bing and Google, so it's just a way for Bing to get more search ad inventory out there.
Once upon a time there were other sites that did the same thing with Google, but eventually Google decided they didn't need third parties to drive search traffic.
I'm just waiting for the day they announce an NFT or a "trusted partners" program with establishment media entities. Come on, DDG, you've come this far, so truly jump the shark for our amusement.
And here goes my reason to use DDG. Not because I pirate stuff, but because I hate censorship. It's only a matter of time till they implement the same filters as GGle.
DDG sucks in many ways. Besides the engine performing quite poorly, it also relies on third parties and so will return filtered results they may not even control. They also never supported IPv6 and are hosted at Microsoft or Amazon.
If I search for something, and the search engine does not tell me about things which ARE there, then that is a defective search engine.
It's fine to keep kids from getting ahold of any sharp objects but if I need a knife I need a knife and it's ridiculous for anyone else to decide to lie to me about the existence of knives.
We are doing the Chinese firewall to ourselves just a bit slower.
I'm continually surprised by the amount of attention that HN gives DDG. They have no unique or interesting technology. The "privacy" claims are all self-attestation.
[+] [-] derevaunseraun|4 years ago|reply
[+] [-] jjav|4 years ago|reply
[+] [-] s3p|4 years ago|reply
[1] https://github.com/duckduckgo/Android/issues/527
[+] [-] throwaway82652|4 years ago|reply
[+] [-] colordrops|4 years ago|reply
[+] [-] zagrebian|4 years ago|reply
[+] [-] jeffbee|4 years ago|reply
[+] [-] winrid|4 years ago|reply
[+] [-] thayne|4 years ago|reply
Their use of cookies is fairly easy to inspect, although that doesn't prove they aren't doing fingerprinting or IP tracking.
[+] [-] GycDH6mb|4 years ago|reply
`! mdn window.postMessage` .. so easy!
[+] [-] charcircuit|4 years ago|reply
This isn't true. Google's privacy policy is not lax as you suggest it is.
[+] [-] ecf|4 years ago|reply
[+] [-] autoexec|4 years ago|reply
[+] [-] autoexec|4 years ago|reply
[+] [-] throwaway82652|4 years ago|reply
[+] [-] rglullis|4 years ago|reply
[+] [-] mardifoufs|4 years ago|reply
[+] [-] mdaniel|4 years ago|reply
[+] [-] muhammadusman|4 years ago|reply
[+] [-] maxk42|4 years ago|reply
[+] [-] chimeracoder|4 years ago|reply
[+] [-] zodzedzi|4 years ago|reply
[+] [-] mormegil|4 years ago|reply
[+] [-] freedomben|4 years ago|reply
[+] [-] z3c0|4 years ago|reply
I was under the impression that the custom option allowed this. Am I misunderstanding the point of this option?
[+] [-] stjohnswarts|4 years ago|reply
[+] [-] zionic|4 years ago|reply
[+] [-] nonrandomstring|4 years ago|reply
duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/
Running a hidden service is just so jolly gentlemanly. And it works in the total absence of JavaScript and no matter what utter lies I tell it about my randomised-per-request UA, and cookie black holes. The obvious dark side is that it's closely connected to Amazon.
[+] [-] yegg|4 years ago|reply
[+] [-] asojfdowgh|4 years ago|reply
[+] [-] thematrixturtle|4 years ago|reply
[+] [-] Apreche|4 years ago|reply
[+] [-] Kiro|4 years ago|reply
[+] [-] srvmshr|4 years ago|reply
[+] [-] HigherPlain|4 years ago|reply
[+] [-] calibas|4 years ago|reply
https://duckduckgo.com/?q=obscure+search+term&ia=web
https://www4.bing.com/search?q=obscure+search+term
That being said, when Bing censored "tank man", DDG's image search also produced 0 results for "tank man".
[+] [-] cato_the_elder|4 years ago|reply
They provide an alternative branding, targeted at "privacy-aware" users and hipsters.
[+] [-] guyzero|4 years ago|reply
[+] [-] cpach|4 years ago|reply
If you want better results from pirate sites, try Yandex.com. Quite good for finding torrents.
[+] [-] babypuncher|4 years ago|reply
YouTube-DL comes up just fine in search results (https://duckduckgo.com/?q=youtube-dl&t=h_&ia=web).
So does Pirate Bay (https://duckduckgo.com/?q=pirate+bay&t=h_&ia=web).
The headline is outright false.
[+] [-] ravenstine|4 years ago|reply
[+] [-] barnabee|4 years ago|reply
Can anyone recommend a decent non-Google alternative?
[+] [-] pojzon|4 years ago|reply
And in no way those filters stop dedicated ppl.
[+] [-] Chalbroth|4 years ago|reply
IMO, there is no credible search engine today.
[+] [-] aunty_helen|4 years ago|reply
Have a look at a 50 day average and you can see their mistakes come to light. I've shifted off them recently.
I used to be DDG for everything, then it became anything non-work related, then on phone with FF focus, now nothing.
VPN and clearing cookies after browser close except for a few certain sites has replaced them.
[+] [-] Brian_K_White|4 years ago|reply
[+] [-] tandav|4 years ago|reply
https://github.com/searx/searx
[+] [-] slig|4 years ago|reply
[+] [-] TheWill|4 years ago|reply
[+] [-] xnx|4 years ago|reply