New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restore DuckDuckGo #84

Closed
bakku opened this Issue Nov 2, 2016 · 72 comments

Comments

Projects
None yet
@bakku
Copy link
Member

bakku commented Nov 2, 2016

Hi guys,

Recently I began searching for a search engine (pun intended). Certainly I came across DuckDuckGo and searched for information since a lot of people regard it as a search engine which respects privacy.

I came across a few problems (relevant source, sadly in german: http://www.zeit.de/digital/datenschutz/2014-01/duckduckgo-startpage-ixquick-nsa) :

  • I don't know how up to date this is but DuckDuckGo uses Amazon Webservices for its service. Amazon works volunteerly together with the US government according to the source
  • DuckDuckGo is based in the US. On privacytools.io it states that people should not use US services and explains why. To me this seems like a contradiction

I suggest removing DuckDuckGo from the list and maybe taking startpage.com as a candidate. I have not found information regarding startpage which shows that it is not trust worthy regarding privacy

EDIT: I would be delighted to create a PR if others agree

@ghost

This comment has been minimized.

Copy link

ghost commented Nov 6, 2016

I'm not sure how trustworthy they are either. Specifically because they seem more secretive about certain topics instead of open like one would expect (see here under "DuckDuckGo and Yahoo").

@johnnagro

This comment has been minimized.

Copy link
Contributor

johnnagro commented Nov 11, 2016

+1 value point re: american company subject to american law (national security letters, etc)

@justafatalerr0r

This comment has been minimized.

Copy link

justafatalerr0r commented Dec 2, 2016

+1. IF DDG remains, StartPage should at least be added.

"DDG Privacy Policy", "We may add an affiliate code to some eCommerce sites (e.g. Amazon & eBay) that results in small commissions being paid back to DuckDuckGo when you make purchases at those sites"

@ghost

This comment has been minimized.

Copy link

ghost commented Dec 2, 2016

@justafatalerr0r Could you elaborate further on that quote? What's the problem with adding their affiliate tag to links in search results?

@BurungHantu1605

This comment has been minimized.

Copy link
Member

BurungHantu1605 commented Dec 5, 2016

@bakku Good point. I have no problem with removing DDG. Should it be replaced with StartPage?

@ghost

This comment has been minimized.

Copy link

ghost commented Dec 5, 2016

Could someone take a look at this discussion? As far as I can see these requests should be blocked by most adblockers but it still made me think if SP is as trustworthy as they'd like you to believe. On the other hand they could probably hide this data collection from the user if it really were problematic. (?)

@bakku

This comment has been minimized.

Copy link
Member

bakku commented Dec 5, 2016

@IDKwhattoputhere Interesting. I will have a deeper look at this and come back here when I have some results

BurungHantu1605 added a commit that referenced this issue Dec 17, 2016

#84
Replaced with StartPage
@BurungHantu1605

This comment has been minimized.

Copy link
Member

BurungHantu1605 commented Dec 17, 2016

I've replaced DDG with StartPage for now.

@yegg

This comment has been minimized.

Copy link

yegg commented Dec 19, 2016

Hi, I'm a bit confused by this assessment. We (at DuckDuckGo) believe we are as private as you can get in terms of search. Responding to some things in the thread:

While we are headquartered in the US, our situation is different than other companies because we do not collect any personal information at all. US laws in this area are generally are about requesting existing business records of some kind (metadata or underlying content), as opposed to creating significant new source code to surveil. That's why the Apple case was such a big deal. As a result, services where you actually store personal information are in very different situations than those where no personal information is stored (like us).

Additionally, if you're worried about US organizations like the NSA in particular, you should note that inside the US they have legal restrictions (they cannot spy on US citizens) that prevent them from taking certain actions, but outside the US they have no such legal restrictions, and are therefore free to operate clandestine operations without any similar threat of legal recourse. In other words, any server or network outside the US that is an interesting target is much easier for the NSA to compromise.

With regards to Amazon, all traffic sent to DuckDuckGo is encrypted (A+ at SSL Labs including PFS - https://www.ssllabs.com/ssltest/analyze.html?d=duckduckgo.com), and that encryption protects your query in transit to our servers, which are solely controlled by us. Additionally, all sites need to be hosted somewhere, and as I mentioned above, those hosted outside the US operate under less legal protection from US surveillance organizations. DuckDuckGo also has servers around the world, and if you are in Europe you will be connected to our European servers.

With regards to Yahoo, I've reached out to the author of that article and he is presently revising it. We have never sent any personal information to Yahoo or any other partner, and we of course do not collect any ourselves. Those pages the mentioned article references were removed because our implementation actually did change on the backend, and they are no longer relevant. Similar to needed to being hosted anywhere, any private search engine needs to work with similar partners to get a full set of results.

I'm happy to answer any questions.

@ghost

This comment has been minimized.

Copy link

ghost commented Dec 19, 2016

(they cannot spy on US citizens)

Why do you say that when it doesn't appear to be true?

In theory, the NSA is forbidden from spying on U.S. citizens. But in practice, a secret 2015 court ruling unsealed this week reveals that warrantless spying has been approved by the Foreign Intelligence Surveillance Courts for general investigations in the U.S. Furthermore, the NSA says it wants to share access to communications databases with other domestic law enforcement agencies, including the FBI.

More:
https://www.eff.org/nsa-spying
http://www.pbs.org/wgbh/frontline/article/with-or-without-the-patriot-act-heres-how-the-nsa-can-still-spy-on-americans/
http://www.huffingtonpost.com/2014/12/26/nsa-spying-report_n_6382572.html
http://www.dailydot.com/via/edward-snowden-nsa-americans-fourth-amendment/
http://www.vice.com/read/the-fbi-wants-to-wiretap-every-us-citizen-online
http://www.newyorker.com/news/amy-davidson/how-many-americans-does-the-n-s-a-spy-on-a-lot-of-them

Also you're talking about citizens when DDG is a company. Am I misunderstanding something here?

@yegg

This comment has been minimized.

Copy link

yegg commented Dec 19, 2016

The central point around the NSA is that if you're worried about the NSA, you are arguably less protected outside the US where they have absolutely no restrictions on their actions. Additionally, US surveillance laws are generally about turning over existing business records with personal information, and DuckDuckGo has none.

The bigger point though is that the US is just one country, and as privacytools.io notes, many countries share intelligence and have their own surveillance operations. Really all relevant countries' legal situations need to be analyzed to get a full threat assessment on a particular attack vector. That's why to me it is an important distinction if there are services that can operate without collecting any personal information at all, which is the case in search, and what we do at DuckDuckGo.

@bakku

This comment has been minimized.

Copy link
Member

bakku commented Dec 19, 2016

Hello @yegg,
it's really great that the CEO of DuckDuckGo joins this discussion, thanks!

First of all we could now argue about which citizens of a country are more under surveillance and which are less but I think we can presume that we are all under surveillance, no matter where but this is not really the topic here.

While we are headquartered in the US, our situation is different than other companies because we do not collect any personal information at all.

I read your privacy policy and your philosophy is really great. You furthermore stated that it does not generally happen that the national agencies request to implement new code for surveillance. But history has shown that it can happen and it also can happen in a way in which you are not allowed to tell your users.

Now we could argue like you did that we should analyse every countries legal situation since maybe this might happen somewhere else as well and you are right. That's why any person who has found out legal information about a country can post an issue to privacytools.io to further improve the site. It's just that we already have experienced this with the US.

Additionally, all sites need to be hosted somewhere, and as I mentioned above, those hosted outside the US operate under less legal protection from US surveillance organizations

For me I can't see a problem where Amazon could collect data from DuckDuckGo and their servers since you don't collect it but also I can't imagine the power they have actually. The problem is generally that Amazon can not be trusted at all since they sold themselves to the CIA. I know that AWS is handy but why does a company which has such a great privacy philosophy then use the services of a company whose opinion on this is totally the opposite.

@Kiyuubi

This comment has been minimized.

Copy link

Kiyuubi commented Dec 19, 2016

Some stuff on DDG: https://8ch.net/tech/ddg.html

@yegg

This comment has been minimized.

Copy link

yegg commented Dec 19, 2016

Thank you for your recommendation of our privacy policy. We try to set an example because we believe in services putting forth straightforward privacy explanations that spell out clearly the benefits you get as a consumer for giving up particular pieces of personal information. In our case of course, we collect no personal information, but in the general case we believe services should collect the minimum possible.

Our vision is to raise the standard of trust online and we do that through our donations to privacy organizations (https://duck.co/blog/post/303/2016-foss-donations-announcement) and our mission to be the world's most trusted search engine. If we believe we could do something to better protect our users' privacy, we would do it, and are more than willing to entertain suggestions.

The argument put forth here seems to be that anything touching the US or Amazon is less trustworthy than anything that doesn't touch them. I know this is not the case, and that it is a much more nuanced reality. And in our particular case, it is actually more clear cut since we do not collect any personal information.

I thought that you perceived these nuances since you already recommend many organizations with these properties, but if you're going on this essentially ontological bogeyman argument, there isn't really any more I can say here.

The bottom line is if you'd like to recommend a private search engine, I whole heartedly believe you can do no better than DuckDuckGo. I believe everybody should adopt a private search engine, and so I do not engage in debates maligning other private search engines, but I know that if you analyze completely the full threat assessments in reality, you will find DuckDuckGo to be just as private, if not more, than any other provider.

@RealOrangeOne

This comment has been minimized.

Copy link

RealOrangeOne commented Dec 19, 2016

After having read all this, I am a little more sceptical on using DDG, however i'm still going to use it. It's not perfect, but comparing features, security, and how dodgy it looks, it's my favourite!

Yes it's based in the US, but being outside the US, provided I connect to EU servers, i really dont care. Yes, amazon are known to share data with government bodies, but depending on how their network is setup on AWS (information that obviously isnt public), it's possible it's not all bad.

My largest complaint is with the afffiliate links from search pages. subtly injecting this into URLs worries me, especially seeing as there's no way to disable this. I'd much prefer being served an ad based on my search query (provided it was done securely / anonymously), than having affiliate links links. I'd happily take this as a choice in the settings between ads and affiliate links.

@yegg

This comment has been minimized.

Copy link

yegg commented Dec 19, 2016

@RealOrangeOne thank you. With regards to affiliate links, there are no privacy issues with them whatsoever. The only programs we use are Amazon and eBay because those are the only two programs I know of that can used completely anonymously. From https://duck.co/help/company/advertising-and-affiliates:

This mechanism operates anonymously and there is no personally identifiable information exchanged between us and Amazon or eBay. These links are regular organic links (like any other link in our results) and these programs do not influence our ranking or relevancy functions in any way. That is, they are not advertising like paid placements or paid inclusions, and we only generate revenue from them if you ultimately find them relevant enough to end up purchasing an item. For more details, check out our privacy policy.

With regards to EU servers, as said above, we do operate EU servers and so you should be interacting with them directly by default if you are in the EU. For people in the US, using EU servers doesn't really get you anything since your traffic has to physically flow through the US, and we do not store personal information in any case.

@aloisdg

This comment has been minimized.

Copy link

aloisdg commented Dec 19, 2016

Long time DDG user. I am also using Qwant (mostly for french stuff):

Qwant's philosophy is based on two principles: no user tracking and no filter bubble.
We do our best to respect the privacy of our online visitors while ensuring a secure environment and relevant results.
Here are our commitments for the user’s data protection :
If you wish to register or log on your Qwant account, or to send us a request via our contact form, we may ask you to disclose personal data. Thus, you are entitled to protection under the European data protection regulation.
This Privacy Policy aims to present our ethical positioning with regard to the collection and processing of data: we guarantee not to sell or disclose the user’s data in any way, especially for commercial purposes.

source

What do you think of it?

I am for keeping DDG but with a caveat and a link to their privacy policy. We cant trust promises, but they are better than nothing.

@jaredStef

This comment has been minimized.

Copy link

jaredStef commented Dec 20, 2016

I vote keep DDG

@uncertainquark

This comment has been minimized.

Copy link

uncertainquark commented Dec 20, 2016

I think DDG should be put back. It's fine to put StartPage and Qwant alongside too. All of the three are private enough and I think we should ultimately let the user decide.

@hovancik

This comment has been minimized.

Copy link

hovancik commented Dec 20, 2016

SIte says about another services/products:

Operating outside the USA or other Five Eyes countries. 
More: Avoid all US and UK based services.

Should apply on all services/products.

@uncertainquark

This comment has been minimized.

Copy link

uncertainquark commented Dec 20, 2016

Also, consider that StartPage is really a meta search engine ultimately. That means that it ultimately has a dependency on Google's search results. It doesn't affect our privacy directly but it does mean that the problem remains fundamentally unresolved. DuckDuckGo on the other hand is relatively independent and therefore represents a somewhat cleaner alternative.

@ghost

This comment has been minimized.

Copy link

ghost commented Dec 20, 2016

The important questions for me now are:

  • Where does this project stand on terms of privacy? Are we providing services that are usable privacy or are we going extreme privacy? If we are doing extreme privacy & not using any services from the US, UK, etc, then there are lots of services and projects still listed that use servers, etc from those locations.
  • We all know about the FBI & Signal event a little bit earlier this year (http://arstechnica.com/tech-policy/2016/10/fbi-demands-signal-user-data-but-theres-not-much-to-hand-over/). I'm betting Signal has servers in the US as well as in other countries as well. Is a service that is well designed but the developers & servers reside in the US < services that are not in the Five Eyes countries? Because if we are going full on boogieman, hate all services from Five Eyes countries, why are we using Cloudflare for protection, Github for this project, Reddit for discussion, recommending backup cloud services using AWS and all other projects that use Five Eyes servers? How paranoid are we?
    -I'm more interested in how DDG is implemented (being a software developer) over politics. Privacy policies, countries' laws & stances on digital privacy, etc cannot protect you. A well designed and implemented software will be able to protect you, not fear mongering of not using Five Eyes country services, or depending on certain countries. What if a country changes it's stance? Are we chopping off more services?

I personally use DDG and would like DDG to be on the list but it's up to the project and what it's intentions are.

@bakku

This comment has been minimized.

Copy link
Member

bakku commented Dec 20, 2016

You are totally right @xdtnguyenx.
After having a thought my opinion is that the most recommended way as far as possible would be what you called "extreme privacy" but there should be a place for alternatives as well which might not align perfectly with all privacy recommendations since otherwise this projects recommendations will just be useful for people who are willing to take huge sacrifices.
So in this case DuckDuckGo would be a totally valid choice for a search engine and I would take my initial statement back and at least have it shown on the "Worth mentioning" section.

@uncertainquark

This comment has been minimized.

Copy link

uncertainquark commented Dec 20, 2016

I will copy-paste a comment here from the reddit discussion that is taking place about this.

There seems to be a lot of "boogyman" statements here and on the discussion.
Heres the thing, you either trust or you dont.
Now i know a bit about how search engines work, and hiw netwirks communicate. The thing about ddg that i like is that you get a lot of good features that other private search engines dont offer.

  • turning your searches to GET requests or POST requests. This changes packet headers and shares less or more info about you as a user.
  • you can use ddg without cookies
  • no user accounts
  • search redirect ability so other sites dont get SentFrom or LinkedFrom information about you in the http packet header.
  • currently not required to retain data
  • legally protected from turning the project into a surveillance tool.

These are all things we know. These are able to be validated. We can play the "what if they are lying" game to the end of time... But we could make great use of occams razor here, and make the least amount of assumptions and look at real information instead.
We cant have discussion when anyone is a government agent, anything could have an open backdoor, anyone could be lying.
Instead look at what you can quantify, what you can verify, and what you can trust rather than blanket assumptions based on fear.
After looking into the service from my side many times, i can say that i trust ddg with my daily searching activity needs.

Link to original comment - https://www.reddit.com/r/privacy/comments/5j5pwy/interesting_discussion_with_the_ceo_of_duckduckgo/dbe67ld/

I think it makes sense to include DDG considering that they don't have any data about the user in the first place + all of the above.

@ghost

This comment has been minimized.

Copy link

ghost commented Dec 20, 2016

@yegg

The central point around the NSA is that if you're worried about the NSA, you are arguably less protected outside the US where they have absolutely no restrictions on their actions.

That really depends though, doesn't it? Not only on if they don't find a way around restrictions or get green-lit by a secret court but also on how closely they're watching for example. It's not like the NSA spies on the US just a little and on every other country a lot (see, found this interesting too).
Additionally it's easiest for them to send out an NSL which they can only do to US companies. If they had a better way they wouldn't be using NSLs in the first place.

@yegg

This comment has been minimized.

Copy link

yegg commented Dec 21, 2016

@IDKwhattoputhere there is a good discussion on the reddit thread referenced above on how NSLs do not apply to DuckDuckGo in any straightforward manner because we do not collect any personal information.

Even though NSLs can be issued without a judge's signature and can come with a gag order, they are just a legal tool that can be used to extract certain types information (such as subscriber information and maybe a little bit of transactional information) that a service provider already has stored on their servers. NSLs can't be used to force a service provider to start collecting data or build a backdoor. https://www.youtube.com/watch?v=YN_qVqgRlx4&feature=youtu.be&t=20m16s

@ghost

This comment has been minimized.

Copy link

ghost commented Dec 21, 2016

I don't think that comment is entirely correct. Specifically the backdoor part:

An example of this is Lavabit – a discontinued secure email service created by Ladar Levison. The FBI requested Snowden’s records after finding out that he used the service. Since Lavabit did not keep logs and email content was stored encrypted, the FBI served a subpoena (with a gag order) for the service’s SSL keys. Having the SSL keys would allow them to access communications (both metadata and unencrypted content) in real time for all of Lavabit’s customers, not just Snowden's.

@aloisdg

This comment has been minimized.

Copy link

aloisdg commented Feb 21, 2017

@Hillside502

This comment has been minimized.

Copy link

Hillside502 commented Feb 21, 2017

@GreenLunar

end-users...almost always press OK without reading and investigating anything

Terms of Service; Didn't Read
https://tosdr.org/

@aloisdg

This comment has been minimized.

Copy link

aloisdg commented Feb 21, 2017

@Hillside502 Alas most of them don't know tosdr either. 😢

@woctezuma

This comment has been minimized.

Copy link
Contributor

woctezuma commented Feb 28, 2017

It is funny to read this:

Because if we are going full on boogieman, hate all services from Five Eyes countries, why are we using Cloudflare for protection, Github for this project, Reddit for discussion, recommending backup cloud services using AWS and all other projects that use Five Eyes servers? How paranoid are we?

Because Cloudflare was subject of a major security flaw. Here is what the Google engineer who discovered the flaw had to say about it:

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

News article: https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/

Official report: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Reference for the comment of the Google engineer: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

List of websites potentially affected: https://github.com/pirate/sites-using-cloudflare

@kewde

This comment has been minimized.

Copy link
Collaborator

kewde commented Mar 4, 2017

@woctezuma DuckDuckGo did not have any of the Cloudflare services enabled that would cause dataleaks for that specific issue. The cloudflare is mostly protection against DDoS attacks.

@Atavic

This comment has been minimized.

Copy link

Atavic commented Mar 4, 2017

DDG was used to find the leaks and was not affected.

@Dustie

This comment has been minimized.

Copy link

Dustie commented Jun 23, 2017

Qwant is miles ahead in result quality IMO. Is there still a need to recommend a US based service when as good or better services are out there? Trying to have some privacy and recommending US based services feels like shooting yourself in the foot before you are even started. Sure, they might be safe for now, but ultimately the chance of them not being so or not staying so are higher than with any non-US based service.

@aloisdg

This comment has been minimized.

Copy link

aloisdg commented Jun 23, 2017

@Dustie for you maybe. I use it and like it but I still prefer ddg. I talked about it before

@josephholsten

This comment has been minimized.

Copy link

josephholsten commented Jul 29, 2017

Reviewing this thread, it seems the consensus is to restore DDG. Can I get a vote 👍 / 👎 of the current consensus? Would anyone with reservations please reiterate them? I want to make sure DDG has a chance to respond to any outstanding objections.

@aloisdg

This comment has been minimized.

Copy link

aloisdg commented Jul 30, 2017

upvote to keep or upvote to remove?

@Shifterovich

This comment has been minimized.

Copy link
Member

Shifterovich commented Jul 30, 2017

the consensus is to restore DDG

@josephholsten

This comment has been minimized.

Copy link

josephholsten commented Jul 30, 2017

  • 👍 restore Duck Duck Go
  • 👎 keep Duck Duck Go removed
@PrivacyCDN

This comment has been minimized.

Copy link

PrivacyCDN commented Jul 30, 2017

@jaredStef

This comment has been minimized.

Copy link

jaredStef commented Jul 31, 2017

👍🏼

@BurungHantu1605

This comment has been minimized.

Copy link
Member

BurungHantu1605 commented Jul 31, 2017

@Shifterovich "I suggest adding DDG with a note that it's based in the US."

I could live with that.

@Shifterovich Shifterovich changed the title Remove DuckDuckGo Restore DuckDuckGo Jul 31, 2017

@Shifterovich Shifterovich added TODO and removed research required labels Jul 31, 2017

@aveao

This comment has been minimized.

Copy link
Contributor

aveao commented Sep 15, 2017

Heya, sorry for necroing, but judging by the votes on the post by @josephholsten, I think that giving DDG a spot in the top search engines (and not just keep it as a "Worth Mentioning") or at least moving it higher in "Worth Mentioning" list is a better move than just keeping it at the end of "Worth Mentioning".

@kewde

This comment has been minimized.

Copy link
Collaborator

kewde commented Sep 17, 2017

@Shifterovich

This comment has been minimized.

Copy link
Member

Shifterovich commented Sep 17, 2017

I'd move Qwant to Worth Mentioning, StartPage to 2nd and DDG to 3rd.

@kewde

This comment has been minimized.

Copy link
Collaborator

kewde commented Sep 17, 2017

Sounds good to me.

@aveao

This comment has been minimized.

Copy link
Contributor

aveao commented Sep 17, 2017

Alright, I'm preparing a PR. Should I link to this discussion when mentioning that it's based in US?

@Shifterovich

This comment has been minimized.

Copy link
Member

Shifterovich commented Sep 17, 2017

I'd link to #ukusa.

Shifterovich added a commit that referenced this issue Sep 20, 2017

Merge pull request #336 from aveao/master
Moved qwant to Worth Mentioning, SP to 2nd and DDG to 3rd as discussed on #84

@kewde kewde closed this Oct 1, 2017

@libBletchley

This comment has been minimized.

Copy link

libBletchley commented Jan 20, 2019

Request to reopen

This ticket was closed but there are several unaddressed issues. Please reopen this to remove (or make changes to) DuckDuckGo's inclusion.

Trust has no merit

@aloisdg

I am for keeping DDG but with a caveat and a link to their privacy policy. We cant trust promises, but they are better than nothing.

In this particular case those promises are useless. When it comes to trustworthiness of DuckDuckGo it has been pointed out in this thread that @yegg's previous project entailed privacy abuse. So the community needs to be convinced that he has reformed and redeemed himself. However, DDG is currently partnered with privacy abusers. What is the merit in trustworthiness here?

deception as well:

DDG has actually scrubbed their Yahoo relationship from public view, showing further that they cannot be trusted. Some may recall that DDG previously had “In partnership with Yahoo!” on their search page and quietly removed it. When pressed on the issue they used some ridiculous weasel wording in their attempt to create a false distance from Yahoo. DDG has also removed details about that yahoo relationship, breaking URLs like https://duck.co/help/company/yahoo-partnership.

This is not good for trust. DDG is untrustworthy.

Follow the money

Privacy advocates don't solely care about the privacy of their immediate search. They also need reassurance that they are not doing something that indirectly causes privacy abuse. When we follow the DDG money trail we see that it leads to privacy abuse. Ethical privacy activists boycott privacy abusers. When DDG is presented on a trusted website like privacytools.io it misleads privacy activists and this is harmful.

Privacy Abuser DDG relationship
Yahoo DDG gets search results from Yahoo. DDG hides the details of how Yahoo is compensated for that, but DDG apparently pimps Yahoo-sourced ads.
Amazon DDG pays Amazon for data center use. Amazon is a big driver for facial recognition. No self-respecting privacy activist feeds Amazon's bottom line.

@uncertainquark

Also, consider that StartPage is really a meta search engine ultimately. That means that it ultimately has a dependency on Google's search results. It doesn't affect our privacy directly but it does mean that the problem remains fundamentally unresolved. DuckDuckGo on the other hand is relatively independent and therefore represents a somewhat cleaner alternative.

StartPage and DuckDuckGo are both proxy search engines and both get paid results from privacy abusers (Google and Yahoo respectively). If I had to choose I'd favor supporting Google before the Verizon, Yahoo, and AOL corporate conglomerate (whose privacy abuses are criminal) along with Amazon. Google is also more transparent about it's privacy abuses than Verizon et al. Luckily this is hypothetical and we need not choose between them in the face of Searx.

Direct privacy compromise

DDG search results are rich in CloudFlare sites. CloudFlare is one of the top privacy abusers on the web. What good is it to have an allegedly untracked search when the results of the search contain malicious referrals leading users unwittingly straight to CloudFlare, who logs the user's IP address and sees their traffic among other abuses like DoS against Tor users?

DDG vs. Qwant

@aloisdg

Long time DDG user. I am also using Qwant (mostly for french stuff):

The CAPTCHA hell that Qwant puts Tor users through is noteworthy. However, Qwant is still better for privacy than DDG. My comparison:

Factor DDG Qwant
server location US and EU (the US presence screws US users; plus the US HQ & influence can still be detrimental to EU users as we know from the Lavabit fallout) EU (perhaps even for US users?)
adverse partners Verizon + Yahoo, Bing, Amazon (notorious privacy abusers) Huawai, allegedly, accuracy and adversity unchecked
usability from Tor .onion site but results heavily polluted with CloudFlare links CAPTCHA hell

Qwant is more favorable than DDG in terms of overall privacy. OTOH, Qwant's CAPTCHA does more direct damage to privacy-embracing users as the inconvenience is sufficient to drive users off Tor or off Qwant.

Proposal

Remove DDG as a recommendation. If DDG is mentioned at all then it's only responsible to also document the shortcomings (#729) and let users decide in an informed manner. Presenting DDG as a blind recommendation without the anti-features does a disservice.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment