134

DuckDuckGo is a search engine that claims it will not share your results with others. Many of my skeptical coworkers think it may be a scam.

Is there any proof that any web search engine will protect your privacy as it advertises?

Anders
  • 64,406
  • 24
  • 178
  • 215
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
  • 18
    The founder, Gabriel Weinberg, has a blog at: http://www.gabrielweinberg.com/blog/ It's not "proof" by itself, but taken together will all the other indicators that have been mentioned by others, the amount of effort someone would have to go to in order to fake all these signals of authenticity is very significant! – scuzzy-delta Mar 13 '12 at 22:59
  • 8
    I've suggested an edit to this. Why single out DuckDuck? The same question applies to Google (*especially* to Google), Bing, Yahoo and all the others. – deworde Mar 14 '12 at 09:56
  • 9
    @deworde: It applies to DuckDuckGo. Specifically because of their privacy policy, your edit changes the question. – Dave Mar 14 '12 at 10:30
  • @Dave The question was "Why should I trust them", not "Why should I trust this specific thing about them" If another site offered the same privacy policy or said that your data would be encrypted over the wire, the same concerns would be valid. Even Google's policy promises certain things, and the same question applies to them. – deworde Mar 14 '12 at 10:38
  • 8
    @deworde: I'd agree, except, DuckDuckGo have a very specific (and MUCH more private) privacy policy, designed to entice users to use it rather than other search engines, with more loosely worded privacy policies. Their uniqueness comes from that, and historically, was a much larger focus - http://duckduckgo.com/about - I stand by my original comment - your edit has changed the question. – Dave Mar 14 '12 at 10:59
  • 7
    I have edited this back to be specific around DuckDuckGo - I think the answers given are applicable to other providers if they use the same sort of privacy policy, but the question was sparked from this specific provider. – Rory Alsop Mar 14 '12 at 11:14
  • 2
    I say close this question as too localized. You'd need the founder of the company or someone who makes decisions there to answer this question... Whoa, wait a sec! – Kalamane Mar 14 '12 at 15:27

8 Answers8

177

I'm the founder of DuckDuckGo. D.W. is right, if we were to violate our privacy policy we could get in a lot of trouble. Additionally, I've tried to be as transparent as possible on how we operate, both in our privacy policy and on my blog.

I've thought and explored external verification, from someone like the EFF for instance, but I don't think that really would do much to assuage the core of the comment.

yegg
  • 1,631
  • 1
  • 9
  • 3
  • 57
    welcome to stack exchange! – antony.trupe Mar 14 '12 at 00:45
  • 5
    @Yegg Based on one of the comments below, could you edit your answer to confirm how someone could verify that you're based in the US, and thus subject to privacy policy laws? – deworde Mar 14 '12 at 10:03
  • 14
    Sure, go to https://delecorp.delaware.gov/tin/GINameSearch.jsp and search for DuckDuckGo. – yegg Mar 14 '12 at 13:30
  • Welcome to SE! I found Delaware file number #5019303, so that puts this site under US jurisdiction. Just curious for our UK brethren and their unique privacy laws, will you have a dedicated instance for them, or is it not needed? – makerofthings7 Mar 14 '12 at 14:24
  • -1 Though I appreciate him pointing to the policies and noting that they have bite, I am not sure the owner of the site in question pointing to the site's trustworthiness adds to the discussion. – Joshua Drake Mar 14 '12 at 16:08
  • 10
    @JoshuaDrake I disagree - as he says, he tries to be as transparent as possible, and discusses as such on his *personal* blog. The point is, (I think) he is implictly making the claim that you should trust *him*, personally, not just the anonymous corporate entity that is DuckDuckGo, and definitely not the *very* anonymous headless corporate giant that is Google, or other services. Therefore him standing up to stand behind his word I think is the *core* of the discussion. Yegg, please correct me if I'm wrong... – AviD Mar 14 '12 at 16:25
  • @AviD Legally once he incorporated he has little (no?) skin in the game. This simply causes a recursion of the question from "Why would someone trust DuckDuckGo..." to "Why would someone trust yegg or other internet business owners?". – Joshua Drake Mar 14 '12 at 16:29
  • 7
    His skin is in his reputation. But I agree about it being (at least partly) about trusting a specific person. And the trust is no longer in some random Joe Schmoe, but this specific person - Gabriel Weinberg. He seems to go for the open kimono, which is more cause for trust. Don't forget, most people (especially when they cannot hide behind anonymity) *are honest*. The Internet may make it easier for the dishonest minority to come out in force, but a specific, non-anonymous person can usually be trusted. – AviD Mar 14 '12 at 16:33
  • @AviD Still, as the owner of the site in question he has already made such a claim. The question is why or how one would trust or verify that claim, the author of the claim restating it does not make an answer to the question; it is similar to using a word in the definition of the word, which only works for recursion. Now if he were to say: "Because the owner of the site is me (or so and so) and I (they) have a specific identity and reputation, then we have an answer to why we should trust the site. – Joshua Drake Mar 14 '12 at 17:09
  • 33
    Since we are on security.se.com I'm curious; how do we know you (user yegg) are Gabriel Weinberg of DuckDuckGo? – Paul Cager Mar 14 '12 at 21:23
  • @PaulCager - Do you have any reason not to beleive him. Does he write in a similar fashion? – Ramhound Mar 15 '12 at 12:40
  • 19
    @Ramhound - I have absolutely no reason to doubt what he says, but the original poster asked for *proof* that the DDG will protect you. On a site specialising in security I was surprised that we didn't want to authenticate his identity. – Paul Cager Mar 15 '12 at 15:29
  • @PaulCager - I was just providing a counter-statement is all. – Ramhound Mar 15 '12 at 16:44
  • 16
    @PaulCager Have yegg send you his public key, encrypt a message with it, send the message to yegg@duckduckgo.com, see if you get a proper response back. – Safado Mar 15 '12 at 17:20
  • 1
    Here are links to the new Division of Corporations for [Delaware](https://corp.delaware.gov/) (File #5019303) and [Pennsylvania](https://www.corporations.pa.gov/search/corpsearch) (Entity #3792728), where they appear to be incorporated now. – Chiramisu Jan 13 '20 at 08:50
165

There is no proof that DuckDuckGo operates as advertised. (There never is, on the web.) However, that is the wrong question.

DuckDuckGo is very clear in its privacy policy. DuckDuckGo says it doesn't track you, it doesn't send your searches to other sites, by default it does not use any cookies, it does not collect personal information, it does not log your IP address or other information about your computer that may be sent automatically with your searches, it doesn't store any personal information at all. Those are pretty strong promises, with no weasel-wording. And, as far as I can see, DuckDuckGo's privacy policy seems like a model privacy policy. It is a model of clarity, plain language, and lack of legal obfuscation.

And privacy policies have bite. The FTC has filed lawsuits after companies that violate their own advertised privacy policy. (Not just little companies you've never heard of: They even went after Facebook!) The way privacy law works in the US is, basically, there are almost no privacy rules that restrict what information web sites can collect -- except that if they have a privacy policy, they must abide by it. Breaching your own privacy policy may be fraud, which is illegal. Also, violating your own privacy policy represents "unfair or deceptive acts or practices", and the FTC is empowered to pursue anyone who engages in "unfair or deceptive acts or practices" in court. DuckDuckGo would be pretty dumb to breach their own privacy policy; their privacy policy is clear and unambiguous and leaves them little wiggle room.

No, I don't think that DuckDuckGo is a scam. I think that's crazy talk. Given the incentives and legal regime, I think you should assume DuckDuckGo follows their own privacy policies, until you find any information to the contrary.

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • 22
    Your reliance on legal incentives seems to assume the site or owner are located in the US. I never feel very trusting of a site when `whois` tells me `Registrant Contact: WhoisGuard Protected`. – Hugh Allen Mar 14 '12 at 01:26
  • 4
    @HughAllen - Since whois can be completely faked, what's to prevent someone from spoofing a legitimate address from a business in NYC to the Whitehouse? Well one may be fishy, but ultimately I need a D&B number to prove incorporation of some type. – makerofthings7 Mar 14 '12 at 05:12
  • 7
    @HughAllen There are perfectly legitimate reasons to guard against another site revealing your information, and just because WhoIs shows as US isn't proof that the *business* is registered there. Paranoia will destroy ya, but the right place to look would be a registry of incorporated businesses. – deworde Mar 14 '12 at 10:01
  • @HughAllen Also, even if it was registered internationally, these laws are generally applied globally. And in most places you'd be able to get around them, your site's reliability would be severly compromised. – deworde Mar 14 '12 at 10:02
  • 1
    @HughAllen consider also that there were cases of US government taking over .com domains of entities outside US which violated US laws. So having .com site and committing a felony in the US is usually not a very smart move for an entity whose business is entirely web-based. – StasM Mar 14 '12 at 17:29
  • @HughAllen - Does it matter if where they are located? If they do business with american citzens as proven by several recent cases, there is an expectation that a company even located in a country where said action is not illegal, must take measures so american citzens cannot violate the law. If you have a .com, .org or .net domain and are in the business that might be gray, then you better understand the laws which apply to you, as a business owner and the people who visit your website. – Ramhound Mar 15 '12 at 12:45
  • 3 years late… just wanted to drop that a privacy-protected `whois` doesn’t prevent finding the location of an officially registered company: DuckDuckGo, Inc. is ”[…headquartered in Paoli, Pennsylvania, USA…](https://duck.co/help/company/hiring)” as [Bloomberg’s info](http://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapid=141641872) and even the [Yellow Pages entry](http://www.yellowpages.com/paoli-pa/mip/duckduckgo-483274373) seem to confirm. Maybe just pick up the phone and give [the founder, “yegg”](http://security.stackexchange.com/a/12678/26145) a call in case of doubt? ;) – e-sushi Oct 11 '15 at 05:06
30

What D.W. said. But also, You don't have to trust DuckDuckGo. You don't log in, you can clear cookies, you can change your IP address, you can access it via Tor. Not being an appendage of an identity company (e.g., Google) is a big privacy plus to begin with.

pseudon
  • 1,420
  • 9
  • 20
18

I arrive late to this question, but hopefully I can contribute some useful information which will also help others make a more informed decision regarding the trustworthiness of DuckDuckGo. This answer gives a few reasons to believe that DuckDuckGo is putting its privacy policy into practise by investigating the technical aspects of DuckDuckGo as of 2012-08-23.

I had a look at the data being sent from my browser (Firefox 14.0.1 on Ubuntu 11.04) back to the DuckDuckGo servers when I do page searches (without changing any of DuckDuckGo's default settings) and found the following good points:

  • no DuckDuckGo cookies are stored on my browser.
  • all searches are performed with a http GET.
  • no identification parameters are returned in the query string part of the http request.
  • all requests are https.

Of course there is still some information which a regular user of DuckDuckGo must assume is available to DuckDuckGo:

  • the IP address of the user's router.
  • the name of the user's browser (user agent) and OS (e.g. mine is "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1")
  • other http signatures which I am not so familiar with.

I'm sure I missed a few things in that last list, but its a good start. So from the first set of positive points we can see that DuckDuckGo is really doing everything they can.

The lack of cookies and any identifying parameters in the http GET string is some assurance that DuckDuckGo has no interest in tracking a user from one search to the next. I.e. as far as the cookies and URL information being sent back to the server, your first search on DuckDuckGo could have been somebody completely different to your second search on DuckDuckGo. However, you should not assume from this that DuckDuckGo are not capable of linking multiple searches to you - see later on for further detail on this.

I should explain that http GET is not actually more secure than POST - DuckDuckGo could have chosen POST and there would have been no compromises there. However the nice thing with GET is that the user can see the data that is being sent back to DuckDuckGo right there in their URL - i.e. they do not need to go digging to find post parameters being sent by the browser to DuckDuckGo.

Another point is that https is always on. this indicates that DuckDuckGo does not want their users to be vulnerable to man-in-the-middle attacks. Of course that is not to say that man-in-the-middle attacks will not happen if you use DuckDuckGo, but just that from the DuckDuckGo servers' side of things they appear to have done all they can to prevent them.

Having said all that, DuckDuckGo could still link your searches to a single person and possibly to you if you do not take precautions. the user agent is a form of identification simply because it does not change from one request to the next (unless you take precautions against this). Likewise the IP address of your internet-facing router will show up at the DuckDuckGo server.

For these last two points there are things you can do to hide your identity further - like installing a user agent randomizer or using Tor, but if you do not use these things then you will have to trust DuckDuckGo when they say they are respecting your privacy. As far as I can tell, they have done everything they can to assure me that they respect my privacy. Would I go and search for incriminating terms without using Tor and other security on my PC? Absolutely not!

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
mulllhausen
  • 628
  • 2
  • 7
  • 14
  • 6
    “other http signatures which i am not so familiar with” → recommended reading: [Panopticlick](https://panopticlick.eff.org/) – Gilles 'SO- stop being evil' Aug 23 '12 at 11:24
  • 2
    → mulhausen: thank you for this serious investigation. I can confirm this analysis (I always track cookies feeded to my browsers, and I fluently read `tcpdump`), and DuckDuckGo silence was a *huge* surprise. I'd like to add a positive point beyond privacy: DuckDuckGo is a pretty good scientific search engine, since your tracking doesn't bias your successive searches. Same search (within a given time frame) ⇒ same result. That's a huge trust grower. – dan Aug 01 '14 at 07:04
11

It is not possible to prove that it will operate this way, but it is very easy to use it the way they advertise it.

I also agree with D.W. and started using it some days ago. I deleted google from my search engine list but had some problems trusting ddg too, since I'm a slightly paranoid person, but it provides a secure connection, I use it over tor and always have a look for my privacy. I couldn't find any problems yet. There is no ID to track you. They could fingerprint you with your privacy settings, but nothing more.

I joined their irc channel and asked some questions, you should do that too, it's irc.freenode.net #duckduckgo

If you are afraid of a dataleak you can try to visit a page and look into the logs. Visit it once over google and once over ddg. Google will leak your search term over the referer.

sfx
  • 903
  • 7
  • 14
4

It is never easy to prove these things, but people are moving to DuckDuckGo often for privacy reasons. It takes ages for a brand to gain a positive name and in the Internet age it can take as little as a few minutes to see your good name destroyed.

With the first news articles that DuckDuckGo breaches its promises to its users, they will start to leave as the news will spread in all media in a matter of minute. Also the name of its founder will be remembered for ages and he will probably be out of business forever when it comes to privacy services. You can put information on the Internet, but you can never remove it.

jippie
  • 790
  • 1
  • 4
  • 9
3

Here's another bit of evidence you can trust DDG if you're paranoid: they make it easy to control what information gets sent to the target host when you follow a link. Maybe you can't really know what they're keeping in their logs, but you CAN know how they treat your interaction with the link targets, and you can control it if you like. Try this on both DuckDuckGo and Google, with Javascript enabled: 1. search for something 2. hover over one of the result links and check the address in the status bar 3. right-click one of the links, and look at the address in the status bar again

On DuckDuckGo, the links are what they say they are. If you want to keep DuckDuckGo from seeing what you're clicking on, and if you want the target to be unaware that you came in via DuckDuckGo, you can do so easily: just copy the link in step 3, paste it into your address bar, and there you are -- no further interaction with DuckDuckGo and no referrer URL sent to the target site. On Google, however, note that in #2 they show you the link you expect, but in step #3 the link suddenly changes to a google.com address with a ton of gobbledeygook. This is also the address that gets used if you click the link normally. The only way to get the real target address directly is to hover over it and retype it yourself instead of clicking it. The Google client-side script is specifically designed to make sure you hit the Google tracking server before being redirected to the page you really wanted, and moreover, TO HIDE THE FACT THAT IT IS DOING SO from the vast majority of users. This is the action Google took a few years ago that finally caused me to use DDG exclusively. I understand Google's need to monetize its service, but when it purposely hides this fundamental mechanism they prove they are not trustworthy.

So you can have your choice: use a site that says it's not tracking you, and seems to be carrying out its promise; or use a site that tracks you every way it can, tells you it's doing so, and makes it as hard as possible to evade it. The choice is obvious.

Randall Krieg
  • 31
  • 1
  • I dislike the change-HREF-when-clicked but I disagree about Google trying to hide the fact that selected linked are logged: I have a Google account, and under Search history I can see 1) the searches I have made, 2) the websites I have visited by clicking on Google search results. (I wished Google used the PING feature to collect this data, and not mess with URLs, and I wish browser would show PING requests in some way.) You have to remember that **when you have JS on, everything you type or click on a website can be logged by the website, including form data when you do _not_ "submit".** – curiousguy Jun 02 '14 at 11:22
  • Re: `referer` You can search for "referer.rustybrick.com" in a search engine and click on the link to see how much info is sent. For Google and DDG, I see only the website (`https://google.com/`, `https://duckduckgo.com/`). For Bing, I see lots of stuff. (I use Google Chrome.) Note that this would work with a HTTP website, because referer is usually not sent in this case. – curiousguy Jun 02 '14 at 11:42
  • duckduckgo now does this as well with the same degree of sneakiness. If you search for "test", one of the links is "http://r.duckduckgo.com/l/?kh=-1&uddg=http%3A%2F%2Fwww.iqtest.com%2Fprep.html" which leads to "http://www.iqtest.com/prep.html". Very nasty. –  Dec 21 '15 at 03:28
0

Well now, if DuckDuckGo were domiciled in an EEA state, it would be subject to strong legal controls on what it could do with user data, and in particular it would be prohibited from violating its own privacy policy.

So, if you really care about this issue, look for a similar service based in the EEA, which would give you the potential for legal recourse if you ever found out that they were dealing with your data in a way that violated their privacy policy.

How you detect such breaches is left as an exercise for you.

Marcin
  • 385
  • 2
  • 7