Still trust DuckDuckGo?

In my recent blog post PRISM - Where do we go from here? I made the point that using services such as DuckDuckGo on the presumption that they are safe is a dangerous thing to do and explained why. I have also been explaining to people on Twitter that using DuckDuckGo on the assumption that their searches will be private was a misunderstanding of who DuckDuckGo are and what they do, and pointed them to the previously mentioned blog post. I even had a short conversation with DuckDuckGo's CEO via Direct Message (DM) on Twitter explaining my reasons and suggesting he move operations to Europe in order to escape the US surveillance machine - at which point I would be happy to support them:

"You guys should consider moving all your business to the EU and setting up new exclusively EU corp (no ties to US), then I can support you."

Upon further investigation over the following days, I discovered that DuckDuckGo were not complying with their own Privacy Policy which states:

Another way that your searches are often tied together at other search engines are through browser cookies, which are pieces of information that sit on your computer and get sent to the search engine on each request. What search engines often do is store a unique identifier in your browser and then associate that identifier with your searches. At DuckDuckGo, no cookies are used by default.[Emphasis Added]

Yet they do store a cookie by default - this cookie is called "user_segment" and is valid for 1 month after it is first set.

Furthermore, they state in their privacy policy that they do comply with law enforcement requests and then attempt to offset concerns by saying they don't log anything - what they don't tell you is they can be compelled to log your searches as a result of those law enforcement requests, so admitting they comply with such requests is also an admission that they cannot guarantee they will not log your searches.

To make matters worse, they also attach unique identifiers to certain search results in order to obtain commission payments should you make a purchase on an affiliate site (where they get their revenues) - this identifier's sole purpose of existence is to track users between DuckDuckGo and affiliate web sites.

I have been making these points clear to people wrongfully assuming and telling others that DuckDuckGo is a good search engine if you seek privacy - not because I have anything against DuckDuckGo, simply because I want people to be fully informed about the risks posed by the services they use.

Today DuckDuckGo responded, with an illustration of exactly how much they value peoples' privacy. They sent me a tweet with the following:

DuckDuckGo @duckduckgo
@alexanderhanff thanks for sharing @duckduckgo! An easter egg in your honor duckduckgo.com/?q=alexanderha… -- bottom right corner :)

If you visit the link you will see they have set up a custom search for my name with my picture at the bottom right corner of the page. They did this purely out of spite because I was making people aware of my concerns regarding their service. They did this because they don't care a hoot for peoples' privacy. On the plus side, at least we have now seen their true colours - somehow I don't think the people behind Startpage.com and Ixquick.com would ever resort to such spiteful actions and of course, they have been audited and certified by Europrise, something DuckDuckGo cannot claim about their own services.

UPDATE

DuckDuckGo have now removed the custom search and image linking back to my Twitter account. I guess they were afraid of people seeing them for who they truly are - too late DuckDuckGo, the horse has already bolted.

Update 2

DuckDuckGo have now responded to this post; the link is in the comments below, but I wanted to clarify a few things by updating the original post.

First of all, DuckDuckGo have admitted that the cookie did exist and was being set by a 3rd party (desk.com) - they have since removed the cookie which is why people are no longer able to find it, this is as a result of my exposing the issue.

Second, DuckDuckGo insist that they cannot be compelled by the courts to provide access to user data which crosses their networks or touches their servers - they even claim they are exempt from the Communications Assistance for Law Enforcement Act (CALEA) - this is misleading. They may be exempt from having to pre-install technologies providing the ability to "wiretap" (intercept) data on their networks, but they can still be compelled to do so:

Notably, a U.S. court can compel any provider to provision a wiretap, even if the provider is exempt from CALEA. But exempt providers need not necessarily adopt tools in advance to meet CALEA's specifications for immediate and unobtrusive interception, with high-quality data streams and without infringing on others' privacy.
[Source]

Furthermore, they can be compelled to decrypt the encrypted data (HTTPS) since they are the origin of the encryption and have the capability to decrypt it:

"Covered providers are not required to decrypt communications unless they initially provide the encryption service, and, moreover, have the means to decrypt."
[Source]

When you understand this and include the fact that in their Privacy Policy, DuckDuckGo state they will comply with law enforcement requests, it becomes pretty clear that their "We don't log anything." statement offers absolutely zero protection and their claims that they are immune to being compelled to intercept and/or log are patently false.

Comments

Hi,

I tried to make a search with DuckDuckGo and I don't have any cookie stored...
Where did you find the user_segment cookie?
Regards

All I have ever done on their site is read their Privacy Policy, read their news page and do 1 search, and I have the cookie. It was set on 19th June, expires on 19th July and is called user_segment.

Hi,

"... they can be compelled to log your searches as a result of those law enforcement requests..." -- Can you specify how that can happen, a citation or something would be nice, because it is my understanding that a subpoena for information can only ask you for what you have and cannot require you to make changes to your configuration in order to gather data in the future.

As I explained on DDG's forum, the data they choose not to log still comes into their network and servers and is stored in RAM and page files in routers, switches and servers. Just because they claim they don't log it, it doesn't mean that FISC can't compel them to give access to it. Given FISAAA orders are secret, it is difficult to produce a citation, but I will try to find one and post it when I do.

While fair points, that "easter egg in your honor" is a generic thing they send to pretty much anyone that tweets about them. I'm all for getting to the truth of things, but that also means not jumping to conclusions like "They did this purely out of spite". (I got one of those notices too, weeks ago, for tweeting about them, months ago)

The fact is the CEO knows full well I was not recommending them - we had discussed issues directly in DM - I found it offensive that he then decided (several days later) to post the tweet (suggesting I was recommending them) and set up the Easter Egg - I found it offensive - maybe you don't, that is fine, but I did and that is what matters.

Hi, this is Gabriel Weinberg, the founder and CEO of DuckDuckGo. I responded to these allegations on our forum.

Are you sure the cookie isn't for .dukgo.com, which is their separate help/community site?

No, the cookie was for the duckduckgo.com root domain, and the CEO has admitted on their forum (see comment above yours) that it was set by the third party desk.com.

Quite how a 3rd party managed to set a 1st party cookie is still a mystery and no explanation has been given. This makes the situation worse, not better.
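An added example, not from the post or its comments, of the check behind this thread: parse a Set-Cookie header, classify the cookie as first- or third-party relative to the page the user visited, and compute how long it persists. The cookie name user_segment and the 19 June / 19 July dates are from the post; the cookie value, the second cookie name and the sample hosts are constructed. It also illustrates the usual mechanism by which a third party ends up setting a first-party cookie: a script loaded from another domain but executed inside the page runs in the page's own origin, so anything it writes through document.cookie lands under the first-party host and is indistinguishable, in a cookie audit, from a cookie the site set itself.

```javascript
// Added example (not from the post or DuckDuckGo). Audits cookies the way a
// privacy reviewer would: which site does each cookie belong to relative to
// the page being visited, and for how long does it persist?

// Simplified site grouping: last two DNS labels. A real audit would use the
// Public Suffix List so that e.g. "co.uk" is not treated as one site.
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(p => p.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Lifetime in days: Max-Age takes precedence over Expires; neither means a
// session cookie (reported as 0 days).
function lifetimeDays(cookie, setAt) {
  if ('max-age' in cookie.attrs) return Number(cookie.attrs['max-age']) / 86400;
  if ('expires' in cookie.attrs) {
    return (Date.parse(cookie.attrs.expires) - setAt.getTime()) / 86400000;
  }
  return 0;
}

// requestHost: the host that sent Set-Cookie (or the page host, for cookies
// written by script via document.cookie). pageHost: the site the user visited.
function auditCookie(header, requestHost, pageHost, setAt) {
  const cookie = parseSetCookie(header);
  const domain = (cookie.attrs.domain || requestHost).replace(/^\./, '').toLowerCase();
  const party = siteOf(domain) === siteOf(pageHost) ? 'first-party' : 'third-party';
  return { name: cookie.name, domain, party, days: Math.round(lifetimeDays(cookie, setAt)) };
}

// Constructed samples. Dates follow the post (set 19 June, expires 19 July).
const SET_AT = new Date('2013-06-19T00:00:00Z');
const SAMPLES = [
  // Written by an embedded third-party script through document.cookie: it
  // lands under the page's own host, so the audit sees a first-party cookie.
  { header: 'user_segment=abc123; expires=Fri, 19 Jul 2013 00:00:00 GMT; path=/',
    requestHost: 'duckduckgo.com', pageHost: 'duckduckgo.com' },
  // Set in a response from the third party's own host (hypothetical cookie name).
  { header: 'widget_session=xyz; Domain=.desk.com; Max-Age=2592000; Path=/',
    requestHost: 'desk.com', pageHost: 'duckduckgo.com' },
];

function auditAll() {
  return SAMPLES.map(s => auditCookie(s.header, s.requestHost, s.pageHost, SET_AT));
}

console.log(auditAll());
```

The first sample comes out as a first-party cookie of 30 days, the second as a third-party cookie of 30 days; the point for an auditor is that the first one looks no different from a cookie the site set deliberately, which is why "a 3rd party set a 1st party cookie" is less mysterious than it sounds once an embedded script is in the picture.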

I confirm what Oli says: there is no cookie on DuckDuckGo.
You can have one with the settings.

Or on their press website (duckgo.com).
I found a tracker there, and more than one cookie.
So please don't say that duckduckgo.com and duckgo.com are the same.

I also think that DuckDuckGo can be hosted wherever they want: they don't store information about us (the name is « Metasearch_engine ») → https://en.wikipedia.org/wiki/Metasearch_engine
So they can respect the law.

About Twitter:
> They did this because they don't care a hoot for peoples' privacy.
Your profile is public, so they can share a link with a picture of your Twitter account.
And about privacy, targeted advertising on Twitter is arriving.

As I stated above, the question of the cookie is indisputable: their CEO has already admitted that desk.com were setting a 1st party cookie under the root duckduckgo.com domain - go and read the link he posted in response to this article if you don't believe me. How desk.com were able to do that is still in question and no answer has been provided by DuckDuckGo on this - which, as I stated above, raises even more concerns about their security and privacy claims.

The cookie is no longer being set - because I exposed it, that is why you cannot see it.

Still think they can't be compelled?

"Notably, a U.S. court can compel any provider to provision a wiretap, even if the provider is exempt from CALEA. But exempt providers need not necessarily adopt tools in advance to meet CALEA's specifications for immediate and unobtrusive interception, with high-quality data streams and without infringing on others' privacy."

http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=4&id=6417

Hey buddy!
Thanks for interesting and educational reading here and over at their board. Do you care to comment on the other new inflation of "privacy" tools promoted all the time. For example the Mozilla - FireFox add-ons and their reliability.

br

I am just one person, I couldn't possibly write about every privacy "service" or addon out there, but I am planning to write a lot more about these issues over the coming months, so keep an eye on the blog.

Duck Duck go is not safe at all.
WHY? I am tired of posting and re-posting this ;)
It's because the PRISM folk can spy on your IP address as it connects to duckduckgo and then it can spy on the query it receives from duckduckgo on the Bing search engine. DDG sends all its queries to Bing because it is not a search engine, it is a query-relay service. Then they can track the query to about one of 20 or so IPs that were querying DDG at the time. Then if you refine your query or fix a spelling error, etc., they got you! Now they have two lists each of about 20 IPs and they take the intersection and it's your IP. More detail here: https://www.gigablast.com/privacy.html (and yes, I am a competitor privacy search engine that has its own index so I don't suffer from this, but who else would have caught such a glaring hole in DDG's security model?)

You need to understand that you are subject to exactly the same problems as DDG are - you are based in the US therefore you can be compelled under CALEA/FISAAA/PATRIOT to collect information about your users. So your argument about DDG may well be valid, but it doesn't really make you any better with regards to vulnerability to draconian surveillance laws. I will give you the same advice I gave to DDG, move your operations out of the US - preferably to Europe, if you want to protect your users from the US surveillance machine - just not the UK, because they are even worse.

Thank you for your efforts on the issue of duckduckgo. It is always hard to know which companies to trust on these matters.

On a different but related topic, I wonder if there are any better email alternatives to google and yahoo out there.

Startpage are releasing an email service this summer which I have already had the benefit of using. It will incorporate some very strong protections for privacy and security making it unique compared to other services out there. You can sign up for the beta at www.startmail.com

I know DDG. So far DDG has proven to be good and they respect the user, they even went out of their way to please the author of this blog (as well as other random people). It's not DDG that's the problem, it's the government surveillance. I doubt the US has a secret order for blanket DDG searches. Prism may be super advanced, who really knows what exactly is logged and how deep the wires run? Everybody is guessing, but it is concerning. The focus shouldn't be on DDG but on government surveillance.

Actually the focus should be on both. I already work on the government side of it and have filed several letters with the European Commission requesting US Safe Harbour status be revoked, as well as calling for formal investigations and infringement proceedings against EU Member States involved with PRISM. I did all of that before I wrote anything about DuckDuckGo.

But DuckDuckGo are vulnerable to the US surveillance machine and that means they simply cannot be trusted because they can be gagged - as such I will continue to warn people against using them. You are welcome to disagree, but it will not change the fact that they are a US company that can be compelled to monitor their users under US law.

I understand this point, but Startpage has servers in the US. Don't you think they're also vulnerable? This said, I would prefer legal protection than tech protection...

Startpage have some servers in the US in order for North American users to use the service with limited latency (compared to using the servers in the Netherlands). Their service selects whether to send you to the US or the EU based on where your IP is registered (this information is not logged; it is determined in real time). But because they are a Dutch company and everything is encrypted using POST instead of GET, they are not vulnerable. Let me explain why in more detail:

1. As a Dutch company registered entirely in the Netherlands with all corporate legal responsibilities existing under Dutch law, they are not vulnerable to US court orders. This means they cannot be served a surveillance order under the Foreign Intelligence Surveillance Act by the FIS Court - nor can they be served under CALEA or National Security Letters. Even if their US staff were served these orders, the company itself cannot be compelled to respond to them. US courts have no jurisdiction outside of the US.

2. As I stated all communications with their servers are encrypted by default over HTTPS and searches are sent using the POST method instead of the GET method, which means everything is encrypted within the data packets as opposed to being vulnerable in the packet headers. This means that even if the NSA or FBI force the datacentre to "tap" into the cables or network at Startpage's gateway or any other point in their physical network, all they will be able to see is encrypted data which would take many thousands of years to decrypt.

Hope that helps explain the situation.

Thanks for your explanation!

GET is not vulnerable in the packet headers when using encryption.
http://stackoverflow.com/questions/187655/are-https-headers-encrypted

Great article.

There is a problem with your bullet point #1 where you say, "U.S. courts have no jurisdiction outside the U.S." Perform an Internet search on David Carruthers. In a nutshell, David Carruthers is/was an executive with BetOnSports, an online gambling company based in Britain. In 2006 he was traveling from Britain to Costa Rica and during a stopover in the U.S. he was arrested by the FBI for violating U.S. laws regarding online gambling. The business was perfectly legal in Britain and he is a British citizen. Yet the U.S. courts and law enforcement had no difficulty arresting and charging Mr. Carruthers even though he was a British citizen running a legal business under British law.

So while you are technically correct, U.S. courts have seized foreign persons, assets and other items with no evident repercussions before.

The two cases cannot really be compared. BetOnSports were taking bets from US citizens located in the US in breach of US gambling laws. Ixquick and Startpage are not in breach of any laws in the US, so the two cases are not alike - although I do agree that the Carruthers case was/is seriously problematic for various reasons.

Can you explain why it's necessary to call a number in the US? I am not in the US and specifically DO NOT want any dealings with search engines that use US monitoring etc. As you have rightly pointed out, the US is not a safe or proper place for data security.

We have recently received a large number of searches coming from your computer or others on your local network in a very short time frame. In order to protect our service against automated "screen scraping" software programs, your access to Startpage's search has been paused for approximately one hour.

If you were using Startpage normally, we apologize for the inconvenience and will be able to lift this pause if you phone us at (212) 447-1100 (USA). Alternately, if you were operating a "screen scraping" program, you may phone us to work out an arrangement. You can also contact us at: autoquery @ startpage.com

If you don't want to phone use the email address provided instead.

Hello.
There is no doubt that DuckDuckGo tracks you, and anybody can check that at any moment:

1) Enter search term, and get search results
2) Click on any link - clicks do not go directly to the website from the search results, but through their redirect service r.duckduckgo.com, and only then to the website. There is absolutely no reason for that, except for tracking you. They want to know where you go.

I believe it's for hiding the referring page (search terms, to be exact) from the target site, so it won't know what you searched for on DDG.
So in other words, if you searched for a book on DDG and you clicked on a result from Amazon, Amazon won't know what you were searching for on DDG, only that you came from there. Google now does it too.

The problem with that theory is that DDG uses HTTPS by default and when you use HTTPS no referrer headers are sent upstream when you click on a link - so it is unlikely that is the reason.
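The exchange above turns on what Referer a browser sends when a user clicks a result, and whether HTTPS changes that. As an added example, not from the post or from DuckDuckGo, the block below models the referrer policies browsers implement (the Referrer Policy spec), using constructed URLs for a results page and a result site. It is separate from what an on-path observer sees: over HTTPS the path and query are inside the encrypted stream whether the request is a GET or a POST; the Referer is a header the browser itself sends to the next site.

```javascript
// Added example (not from the post or DuckDuckGo). Models the Referer header a
// browser attaches when the user clicks from a results page to a result, under
// the policies browsers implement. URLs are constructed samples.

// A Referer never carries credentials or the fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the Referer value the browser would send, or null for none.
function referrerFor(fromUrl, toUrl, policy = 'no-referrer-when-downgrade') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const sameOrigin = from.origin === to.origin;
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':      // browser default at the time of the post
      return downgrade ? null : stripForReferrer(fromUrl);
    case 'origin':
      return from.origin + '/';
    case 'strict-origin-when-cross-origin': // current browser default
      if (downgrade) return null;
      return sameOrigin ? stripForReferrer(fromUrl) : from.origin + '/';
    default:
      throw new Error('unsupported policy: ' + policy);
  }
}

// Would the destination learn the search query (the q parameter) from the Referer?
function queryLeaks(fromUrl, toUrl, policy) {
  const ref = referrerFor(fromUrl, toUrl, policy);
  return ref !== null && new URL(ref).searchParams.has('q');
}

const RESULTS_PAGE = 'https://search.example/?q=secret+book'; // constructed
console.log(queryLeaks(RESULTS_PAGE, 'https://shop.example/item', 'no-referrer-when-downgrade'));     // true
console.log(queryLeaks(RESULTS_PAGE, 'http://shop.example/item', 'no-referrer-when-downgrade'));      // false
console.log(queryLeaks(RESULTS_PAGE, 'https://shop.example/item', 'strict-origin-when-cross-origin')); // false
```

Under the default of the time, an HTTPS results page linking to an HTTPS result sends the full URL, query included; only an HTTPS-to-HTTP link suppresses it, so HTTPS alone does not keep search terms from the destination. A results page that wants to hide them needs a referrer policy of its own (today's default already trims cross-origin referrers to the origin) or an intermediate hop whose URL does not carry the query. A plain 3xx redirect does not achieve that by itself, because browsers keep the originating document as the referrer across HTTP redirects; the intermediate URL never becomes the Referer.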

I still prefer using Google, because it brings me back more relevant searches, including pirated content; it also has native image search, which lately has become even more enhanced.

I would use DuckDuckGo if it had native image search.

And it doesn't matter which one you use... unless you are searching for "human meat recipes" or "how to create explosives" or "make soap from the jews" you don't have to worry about anything.

If you don't wanna be tracked, fucking cancel your contract with your internet service provider, sell your computer, get a basic cell phone and be through with it... all those addons - Ghostery, no JavaScript, Tor Vidalia network... it's all a bunch of shenanigans.

Startpage provides you with 100% Google results - exactly the results you would get on Google with the same search but without Google ever getting access to your personal data.

Hi,

(I'm not a native English speaker & I may have missed something, sorry in advance).

What I've understood from your text - and especially "Update 2" - is that DDG's principle of not storing users' data has two weak points:
1°) A US court could force them to put in place a mechanism to "wiretap" (intercept) data. My question is: would it be a temporary request that would only concern a few defined people? Therefore it's not different from what can be found in most democracies, where the judiciary is supposed to be there to control executive power.
2°) They can be compelled to decrypt the encrypted data.

If the court request is temporary and only concerns a few defined people, we could then say that DDG is NSA safe, because such mechanisms have always existed and are not related to the massive spying by the NSA, and, even with a court order, DDG would not be able to supply data from the past given the fact that they claim to not store any data, which is a good protection (if the claim is true).

Thanks

We know from the current order in the US on the mass collection of phone metadata that under FISA/PATRIOT the orders are not limited to a few named individuals. So let me pose this to you - they are ordered under CALEA to enable logging then a blanket order to provide all those logs is made under FISA because the logs are not afforded Fourth Amendment rights and are available to legal instrument as "tangible things".

Not being able to supply data from the past doesn't prevent them from being forced to supply data from this point onwards - I don't see how that is a good thing.
