Forgot your password?
typodupeerror
Government Privacy Your Rights Online

DuckDuckGo: Illusion of Privacy 264

Posted by timothy
from the if-it-barks-like-a-duck dept.
An anonymous reader writes "With all of the news stories about users moving to DuckDuckGo because of NSA spying, this article discusses why the privacy provided by DuckDuckGo is more the privacy from third-party tracking (advertisers) but may do little, if anything, to prevent the NSA from tracking your searches."
This discussion has been archived. No new comments can be posted.

DuckDuckGo: Illusion of Privacy

Comments Filter:
  • FTFA (Score:5, Funny)

    by Anonymous Coward on Saturday July 13, 2013 @08:54PM (#44272693)

    "The NSA Can't Loose" ... Really?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Really. If they want the information, they get it. Either you turn it over willingly, or they take it forcefully via legal means or just go above you to your host. There is nothing you can do about it.

    • by ATMAvatar (648864)
      Well, you do have to be somewhat of a tight-ass to be a NSA spook...
    • Re:FTFA (Score:5, Informative)

      by rainmouse (1784278) on Sunday July 14, 2013 @04:25AM (#44275303)
      For those that don't want to actually read the loose blog post (its just an opinion from some unknown guy and backed up with no actual facts by the way. It's not actually news at all).
      In the comments is a reply apparently from DuckDuckGo :

      "Hi, this is Gabriel Weinberg, CEO and founder of DuckDuckGo. I do not believe we can be compelled to store or siphon off user data to the NSA or anyone else. All the existing US laws are about turning over existing business records and not about compelling you change your business practices. In our case such an order would further force us to lie to consumers, which would put us in trouble with the FTC and irreparably hurt our business. We have not received any request like this, and do not expect to. We have spoken with many lawyers particularly skilled and experienced in this part of US and international law. If we were to receive such a request we believe as do these others it would be highly unconstitutional on many independent grounds, and there is plenty of legal precedent there. With CALEA in particular, search engines are exempt. There are many additional legal and technical inaccuracies in this article and I will not address all of them in this comment. All our front-end servers are hosted on Amazon not Verizon, for example."

      • by IamTheRealMike (537420) <mike@plan99.net> on Sunday July 14, 2013 @08:27AM (#44276213) Homepage

        Well that's convincing - not!

        Has this dude been living in a cave for the past month? We've just had a non-stop series of revelations about how governments (not just in the USA) routinely ignore their own laws or secretly redefine them into meaninglessness, in order to engage in dragnet surveillance. And his answer is "such a request would be unconstitutional". Yes, it would. It was unconstitutional for all the other search engines too. So what? That obviously doesn't matter.

        DDG is just a scam in so many ways. The entire site is basically a proxy for Bing. If Bing were to cut them off they'd have no search engine anymore. If Bing were to say "you pass through data on people or we cut you off", they'd either have to give up on their privacy guarantees or shut down completely. It's a completely self defeating business model, if they get popular they won't be able to sustain the reasons for it anymore.

        The fact that he thinks there's a difference between Amazon and Verizon with regards to NSA cooperation is especially amusing.

      • by MrEricSir (398214)

        This guy's response seems to show a lack of understanding of the entire NSA debacle:

        "All the existing US laws are about turning over existing business records and not about compelling you change your business practices. In our case such an order would further force us to lie to consumers, which would put us in trouble with the FTC and irreparably hurt our business."

        If this were true, wouldn't Microsoft, Google, Apple, Verizon, etc. be in trouble with the FTC? What makes DuckDuckGo different?

        "We have not re

  • by Anonymous Coward on Saturday July 13, 2013 @08:57PM (#44272705)

    I started using DuckDuckGo because, out of all the other search engines out there, it's the only one I've found whose entire mission statement centers around _not_ collecting information on every goddamn thing you do. Yes it's probably still being tapped at the fibre optic cable level so it doesn't really matter, that's not the point. The point is to vote with your dollar, or in this case your page view, far more influential these days than one thinks.

    I don't use DuckDuckGo because it preserves my privacy. I use DuckDuckGo because they don't try to take it away from me.

    • Well, that's fine, but I keep pointing out I'm less concerned with whether Google knows I might want to buy Depends than that the NSA might be able to spy on political opponents to whoever holds their ear. "Make sure you fill out the warrant form, agent #4821 out of 17436." isn't much protection for a G. Gordon Liddy type.

    • by jovius (974690)

      The article misses the point. It's about getting rid of the Google sphere and search filtering.

      I'm using Startpage [startpage.com]at the moment.

    • by Sabriel (134364)

      Yeah, the fibre level is pretty hard to avoid. Here's something I spotted this afternoon, related to the reveal that the US was recording Telstra's Reach traffic:

      http://www.computerworld.com.au/article/520706/ludlam_demands_telstra_explain_role_us_spying/ [computerworld.com.au]

      Telstra issued a statement defending the agreement.

      “This Agreement, at that time 12 years ago, reflected Reach’s operating obligations in the US that require carriers to comply with US domestic law," a Telstra spokesman said.

      "It relates to a Te

  • by SuperCharlie (1068072) on Saturday July 13, 2013 @08:58PM (#44272709)
    At least for me its not, its about not feeding the beast directly. I jumped to Linux, Opera, and DDG as a way to add a few more cycles and maybe a few more man hours to the mess rather than hand it over directly with Windows, IE or Chrome, and Google. If anyone thinks they can really be anonymous in this ecosystem they are sorely mistaken. I do believe however there are less trodden paths and a little more pains in the rear that can be had, and as a silent protest, I chose to use them.
    • by PopeRatzo (965947)

      as a silent protest, I chose to use them.

      That's all good. I've tried https://startpage.com/ [startpage.com] but I'm not smart enough to know how effective it is at keeping my anonymous.

      It seems to keep Google from upskirting my private info, and maybe that's enough.

    • by hughbar (579555)
      I so agree with this, absolute privacy is an illusion. Even if 'they' [tin foil hats on, guys and gals] can't get at the text of your stuff, they can use traffic analysis to get a little insight into some of your social graph. So I also use DDG, encrypt stuff where I can, use Tor, anything to increase the levels of difficulty and make the system run hotter.

      Also, finally, they might work out that this is foolishness: http://qz.com/92207/simple-math-shows-why-the-nsas-facebook-spying-is-a-fools-errand/ [qz.com] and
  • DuckDuckNo (Score:2, Insightful)

    by Anonymous Coward

    While the NSA brand of privacy invasion will probably never be avoidable, unless you renounce all forms of data transfer, it's pleasing to have SOME control over your internet presence in so far as keeping advertising trackers off your back. I don't think it says anywhere at DuckDuckGo that it avoids NSA tracking. and anyone using the service who believes it does so is unaware of how the NSA programs work.

  • Credibility? (Score:5, Interesting)

    by karolgajewski (515082) on Saturday July 13, 2013 @08:59PM (#44272715) Journal

    I may be breaking the fundamental rules of Slashdot, but ...
    - the "article" is a single post on a recently created blog
    - they misspell "lose"
    - a quick google of Brett Wooldrige doesn't bring up anything exciting (a Forbes blog account with no content?)

    This is the very definition of "nothing to see here, move along".

  • Oh come on now... (Score:2, Insightful)

    by Anonymous Coward

    This is one, gigantic, "no shit, sherlock".

  • by Anonymous Coward

    Is it any safer? They bill themselves as "the world's most private search engine" but that doesn't really mean anything.

    • I don't know, but when I want to search using queries that may bring in potentially "illegal" search results, I just use Ixquick. To be honest though, I don't know what the difference (other than name) is between the two. Both Ixquick and Startpage are run by the same people, they both look practically identical, and you probably couldn't go wrong with either one. I just happened to find out about Ixquick first and saw a few more mentions of it on different websites so I just use it. Ixquick does not lo

    • They bill themselves as "the world's most private search engine" but that doesn't really mean anything.

      It means about as much as "the world's most virtuous whore".

  • VPN (Score:5, Informative)

    by xtal (49134) on Saturday July 13, 2013 @09:04PM (#44272749)

    Run your traffic encrypted through another country with actual privacy protections.

    It's not perfect, but it is another complication and barrier to direct monitoring.

    Ultimately, the NSA reveal is a good thing - it's going to drive demand for virtual private cloud services where you hold the keys, and perhaps, a move back to corporate controlled cloud services on-site. Great news if you're in IT.

    • Was that not part of the NSA spying reveal.
      The huge amount of cooperation between countries with laws that protect spying on their own citizens but not other nation's citizens?

      You route your data through a country with strict privacy laws, and that country intercepts it because their laws do not protect you, a non-citizen.
      They then allow access of that data to the NSA, and no one broke any laws.

    • by houghi (78078)

      It's not perfect, but it is another complication and barrier to direct monitoring.

      If it isn't perfect, it means it isn't useful.

      Moving to better privacy laws or to another country means nothing. Other countries have just not yet been caught doing this. What this should mean is better encryption.

      Unfortunately what we see is that nobody really cares. How many emails have you received that were digitally signed and send by a non-geek? Ask anybody if they would trust sending their private information on a postc

  • Ixquick? (Score:5, Informative)

    by rycamor (194164) on Saturday July 13, 2013 @09:05PM (#44272755)

    At least Ixquick is not a U.S. company: https://ixquick.com/eng/prism-program-revealed.html [ixquick.com]

    While their searches aren't as fast as Google's, I have found them to be pretty good quality-wise.

  • by Lawrence_Bird (67278) on Saturday July 13, 2013 @09:06PM (#44272761) Homepage

    DuckDuckGo, a search engine, has been prominent in the media since the start of the Snowden revelations due to its privacy policy which promotes anonymity. If the private key used by DuckDuckGo were ever compromised — for example if one of their servers were seized — all previous searches would be revealed where logged traffic is available. DuckDuckGo may be a particularly interesting target for the NSA due to its audience and the small volume of traffic (as compared to Google).

    This is because DDG does not use crypto algorithms which support perfect forward secrecy.

    When PFS is used, the compromise of an SSL site's private key does not necessarily reveal the secrets of past private communication; connections to SSL sites which use PFS have a per-session key which is not revealed if the long-term private key is compromised. The security of PFS depends on both parties discarding the shared secret after the transaction is complete (or after a reasonable period to allow for session resumption).

    So it would require significantly more work for NSA to deal with a site using PFS. Source: netcraft [netcraft.com]

    • by anagama (611277)

      I'm trying to understand PFS having not heard of it before -- If I understand correctly, it is a system wherein a unique public/private key pair is generated on demand using a long term key. Or to put it more simply -- a system that gives every session a new and unique set of encryption keys, thus making compromise of the private key hugely less of a bonanza. If that's the case, that sounds like a great system.

      Reading your linked article demonstrates that some sites already do this ... how do I make sure

  • Decrypting SSL (Score:4, Interesting)

    by BringYourOwnBacon (2808547) on Saturday July 13, 2013 @09:21PM (#44272837)
    I think the article brings up and interesting point about who's SSL certs the NSA has access to. It's reasonable to assume that they are capturing most if not all Internet traffic in the states (at the very least all packets entering or leaving the county.) What is unknown is how much of that encrypted traffic can be easily decrypted. If I were a three letter gov't agency intent on decrypting massive amounts of traffic, I would go straight for the keys. It's particularly of note that DuckDuckGo does NOT use session keys in its SSL implementation, meaning if their private key got compromised, all previous searches would also be compromised. I don't think it's too much of a stretch to assume that the NSA has found a way to that key, either through secret court orders, or good old fashioned nefarious means. Especially for a site like DDG, who makes promises of "privacy". Makes you wonder who else's keys they have access to.
  • DuckDuckGo Response (Score:5, Informative)

    by yegg (1908960) on Saturday July 13, 2013 @09:22PM (#44272845)
    Hi, this is Gabriel Weinberg, CEO and founder of DuckDuckGo. I do not believe we can be compelled to store or siphon off user data to the NSA or anyone else. All the existing US laws are about turning over existing business records and not about compelling you change your business practices. In our case such an order would further force us to lie to consumers, which would put us in trouble with the FTC and irreparably hurt our business. We have not received any request like this, and do not expect to. We have spoken with many lawyers particularly skilled and experienced in this part of US and international law. If we were to receive such a request we believe as do these others it would be highly unconstitutional on many independent grounds, and there is plenty of legal precedent there. With CALEA in particular, search engines are exempt. There are many additional legal and technical inaccuracies in this article and I will not address all of them in this comment. All our front-end servers are hosted on Amazon not Verizon, for example. A couple other responses to things I've noticed in the comments already: --Our servers are already located around the world. European users are generally not hitting US-based servers, for example. --We do have PFS on our cert: https://www.ssllabs.com/ssltest/analyze.html?d=duckduckgo.com&s=50.18.192.251 [ssllabs.com]
    • by Khopesh (112447) on Saturday July 13, 2013 @09:56PM (#44272983) Homepage Journal

      Thanks, that was a nice official response to a crackpot article that should never have made it to slashdot.

      My read of that article was that nothing is really safe (which is true, but you have to be reasonable about these things) and that larger companies at least have accountability. It kindly forgets that this accountability isn't to users, it's to shareholders. DuckDuckGo protects against these larger companies, and DDG might just fly low enough under the radar to avoid the attention of the NSA.

      Keep up the good work, Gabe. If you're in the SF area, I'd love to buy you a beer.

    • by evilviper (135110)

      Wonderful response!

      I'd also like to throw-in the fact that DDG is a big proponent of SSL as well. Their website redirects you to their SSL site, and all their search results will send you to the HTTPS version of a site, if it exists (eg. Wikipedia). Things which other search providers do not do.

      So, in the context of the NSA tapping all internet communications (which we know for a fact they have been doing since 9/11/2001: https://www.eff.org/nsa/hepting [eff.org]), DDG also provides much more privacy and security t

  • I feel compelled to let anyone here who has not RTFA to not bother. It is a poorly written blog entry that's nothing but hyperbole and speculation. It's also badly researched and contains a lot of inaccuracies. One of the commenters is the CEO of DDG and he corrects some of the misinformation.

    I've been using DDG for 2 years and it is great. Not always as good as Google but a good alternative for most searches. Make sure you set it to your region (settings).

  • Larger picture... (Score:4, Insightful)

    by Shoten (260439) on Saturday July 13, 2013 @10:09PM (#44273043)

    So, the majority of the population now realizes that their activity is in some way monitored, and they wish to evade that monitoring. They need to consider this: they are amateurs playing for nickel stakes in this game. The NSA doesn't care about them, and the people aren't used to playing this game either, for their part. This game exists, at the moment, primarily between the most sophisticated intelligence apparatus in human history and a very small population that is doing everything they can possibly do to hide. We think that using airgapping a network and using USB drives simply to move data across the room is a powerful security measure...these guys used USB drives to move data between countries, and even that wasn't good enough to protect them. The average citizen merely worries about some amorphous knowledge of their habits...the real target population faces death, or perhaps even worse internment in a black site somewhere for years first. And that population has been working on hiding for quite some time now; this is not a new game just because the rest of us know it's being played now.

    So...with that context, why would anyone think that simply using a different search engine fucking matters?

    • > .these guys used USB drives to move data between countries

      Look, if anyone with any sense can bypass the snooping, they must know that. That only leaves *us* that they are snooping on.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      why would anyone think that simply using a different search engine fucking matters?

      It may not. But anything that makes more work for the secret police is a good thing.

      (If you object to the NSA being called "secret police", remember that they turn over any evidence of crimes that they find to other police agencies. They don't have "active" agents, they don't torture like the Gestapo, the US has other organizations to do that, they're more like a department of the Stasi.)

    • The NSA doesn't care about them

      Yeah, carry on and pay no attention to the man behind the curtain.

  • Apparently all you need to get front page on slashdot is an article with one link to a blog, that has only one post, created by a random user. Hell the 3rd paragraph of the article beings with 'TL;DR' a phrase I associate with image boards such as 4chan than I do actual journalism and news. While the article is somewhat interesting it's nothing more than an op-ed piece or a letter-to-the-editor at best or some anti-DDG fud created by some PR firm at worst.

  • They have an exit enclave for DDG search engine traffic and also hidden service at 3g2upl4pq6kufc4m.onion...
    So there at least they provide some additional layer of protection for those who are needed.
  • The source link for the article is a new blog with one (yes, count it, one) post?? I call fowl.
  • Sure, the NSA still gets what you search for and the results, but unless they have control over the Tor network (which is doubtful), they cannot associate that info with you.

  • The headers in my next protocol will use identifiers, like any ther protocol. except my identifiers will be: JIHAD, NUKE, SARIN, INFIDEL, ...

    It's about time to apply techniques similar to Culture jamming [wikipedia.org] to these spying tactics. It probably won't stop them, but we can at least try to piss them off.

  • by Norny (9940) on Sunday July 14, 2013 @12:38AM (#44274097) Homepage

    Name me another major web search engine with an official Tor onion endpoint. DDG is the only one I know.

    https://3g2upl4pq6kufc4m.onion/ [3g2upl4pq6kufc4m.onion]
    https://3g2upl4pq6kufc4m.tor2web.org/ [tor2web.org]

  • by Anonymous Coward

    I have been using DuckDuckGo for some time now but stopped lately because I notice something fishy. When you hover over a link the bar at the bottom of the screen displays the link address to make you believe clicking on that link will go to that address, but if you look closely at it when you click it flashes "Sending Request..." then "Waiting for https://duckduckgo.com/" and finally "Waiting for https://what-you-clicked.com/". So they are redirecting all the search results so they know who clicked what. G

  • There are many similar services in other countries. Startpage is hosted in the Netherlands for example.
  • Probably going to get modded down for asking such a simple(stupid?) question.. I've never been able to find this answer though.

    From the article:

    However, DuckDuckGo is using SSL encryption. Without DuckDuckGo's private SSL certificate, your search queries (but not your location) are invisible.

    Can someone clarify this for me? I want to make sure I understand this. If I search for "Star Trek" in Google then I get redirected to

    https://www.google.com/search?q=star%20trek&ie=utf-8&oe=utf-8&aq=t [google.com]

  • When I'm being nefarious and Googling things, I use a dedicated local machine which knows nothing about me, and which has all of its Internet traffic routed through a country (over a VPN) that I do not expect trouble from.

    My VPN provider does not keep logs. I fire up a browser (on that VPN-connected machine) with Private Browsing turned on, and do my nefarious things with plain-old Google.

    I disconnect and reconnect to the provider periodically, which flushes the state and the connection relationship I have

  • If DDG doesn't store data persistently or share cookies with other sites, NSA would have to dedicate a data center bigger than DDGs own one to store all searches and subsequent clicks if they are needed later. They would then only have IP addresses which would be hard to resolve to identities of foreign users they are most interested in. They would never be able to scale this to EVERY popular site in existence.

The first Rotarian was the first man to call John the Baptist "Jack." -- H.L. Mencken

Working...