Startpage and Ixquick - Search in Privacy

I should start off by saying I have known the guys at Startpage for a number of years and consider them as friends, so it seems wholly appropriate to launch the reviews section of the site with a piece about their services. Another great reason would be that they are enjoying a rapidly increasing popularity – delivering more than 2,5 million daily searches worldwide and showing more than 100% growth year on year, so they are certainly a valid interest.

In the words of Robert Beens (Director of Startpage.com and Ixquick.com):

"Privacy is a fundamental right and the basis of a free society. People need to have alternatives for privacy invading and profiling search engines. Startpage.com is that alternative."

I have met with the team on a number of occasions and over the years have advised them on various privacy related issues to help them improve their services and develop new ones. They have always been very respectful of advice and implemented it at every opportunity, which I have to say is refreshing from an advocate’s perspective – and rare.

What is Startpage/Ixquick?

Startpage.com are a search engine (sometimes referred to as a meta-search engine as they utilise other search engines to deliver results) with privacy at the core of everything they do (privacy by design). They have spent a number of years and significant resources developing their service to be what I consider the most privacy friendly search that exists on the Internet today.

Ixquick.com is the original meta-search engine, using up to 10 different underlying search engines to retrieve results from that then get filtered, organized and prioritized or ranked according to the underlying algorithms.

Both Startpage.com and Ixquick.com are run by the same company, the primary difference between the two is Startpage.com's search results come directly from Google’s syndicated search. For the purpose of this review I will be talking about Startpage.com although the review should be valid for both services equally.

What makes Startpage.com so special? Well everything really, but let me try to break it down into specific points.

Logs

Startpage.com don’t log anything – that is, no IP address, nothing to tell them who you are, where you have come from or where you went to. They don’t care; they are not interested in profiling you or harvesting vast amounts of data about your searches. All they care about is delivering results to you in the most privacy focused way possible.

Encryption

One of the first pieces of advice I gave to the Startpage.com team about three years ago was to enable SSL (HTTPS) by default – at the time, no search engines were using SSL by default which is a significant security and privacy issue.

Many people are not aware that when they go from one web site to another, they leave a trail, in that the web sites they visit know which site they came from and which site they go to when they leave. This is useful for analytics but it also creates a risk to users as it enables a certain degree of profiling.

However, when a site is using SSL, this information (known as a referrer header) is not sent to the site you go to when you leave, or at least that is true if you are clicking on a normal HTTP link. If you are clicking on an HTTPS link the referrer is transmitted, but Startpage.com deal with this as well by using POST rather than GET by default.

For many sites you might not understand why this is a problem. For example, why would you care if a web site knows which site you visited before you visited theirs? For many sites you are probably right, it is trivial information, but with search engines it is a little different because most search engines include the search terms in the URL when you get the results. For example, if you search Google for “hair removal cream” you end up with a list of results, but the page URL will look something like this (note the search terms in the q= and oq= parameters):

http://www.google.com/webhp?source=search_app#hl=en&tbo=d&sclient=psy-ab&q=%22hair+removal+cream%22&oq=%22hair+removal+cream%22&gs_l=hp.3..0l4.1731.4635.0.5284.20.20.0.0.0.0.265.2371.10j9j1.20.0.les%3B..0.0...1c.1.2.hp.1qOG-8xvjAw&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&bvm=bv.42261806,d.d2k&fp=9447389c201716e7&biw=1920&bih=936

The web site you go to next from clicking on a search result is able to see these search terms because they are present in the URL you came from – this makes profiling more of an issue. You might think it isn’t a big deal for hair removal cream, but what if you were searching for “domestic abuse advice” or “cancer treatments” – there are many things we might search for that we want to remain private. With the POST method Startpage uses, your search terms are stripped off, keeping your search terms private.
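The leak described above, as an added example (not code from Startpage or from this review): it models the browser behaviour the article describes, where the results-page URL is sent as the Referer unless the click goes from HTTPS to plain HTTP, and shows what the destination site can read from it. The `search.example` and `clinic.example` URLs and the list of parameter names are constructed assumptions.

```javascript
// Parameter names assumed to carry search terms (illustrative list).
const QUERY_PARAMS = ["q", "query", "p"];

// Referer value the browser attaches under the behaviour the article describes
// (the historical "no-referrer-when-downgrade" default). Current browsers
// default to strict-origin-when-cross-origin and send only the origin cross-site.
function refererFor(pageUrl, linkUrl) {
  const from = new URL(pageUrl);
  const to = new URL(linkUrl);
  // HTTPS page -> plain HTTP link: the header is omitted entirely.
  if (from.protocol === "https:" && to.protocol === "http:") return null;
  // The #fragment and any credentials are never part of a Referer.
  from.hash = "";
  from.username = "";
  from.password = "";
  return from.href;
}

// Search terms a destination site can recover from a Referer, or null.
function leakedTerms(referer) {
  if (referer === null) return null;
  const params = new URL(referer).searchParams;
  for (const name of QUERY_PARAMS) {
    const value = params.get(name); // URL-decodes, "+" becomes a space
    if (value) return value;
  }
  return null;
}

// What the destination learns when a result link is clicked.
function destinationLearns(resultsPageUrl, clickedLink) {
  return leakedTerms(refererFor(resultsPageUrl, clickedLink));
}

// Constructed sample URLs.
// GET search: the terms are part of the results-page URL.
const GET_RESULTS = "https://search.example/search?q=cancer+treatments";
// POST search: the terms travelled in the request body, so the URL is bare.
const POST_RESULTS = "https://search.example/search";

console.log(destinationLearns(GET_RESULTS, "https://clinic.example/"));
console.log(destinationLearns(POST_RESULTS, "https://clinic.example/"));
console.log(destinationLearns(GET_RESULTS, "http://clinic.example/"));
```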

Furthermore, there are some governments and companies (even here in Europe) that want to know what people are doing online. Europe has what is known as the Data Retention Directive which requires service providers to log certain information such as which web sites you visit, when, who you get emails from etc.

Also companies like Bluecoat and Detica (to name just a few) make their money through the sale of Deep Packet Inspection technology which is used by Intelligence agencies such as the FBI and advertising companies (such as Phorm) to profile your Internet activities. Your search terms over time paint a very high resolution picture of you and this picture or behavioural profile is used to infer specific things about you.

In the case of Government surveillance, they might use this profile to determine your political point of view (which in some countries could lead to your execution as a dissident); in the case of advertising it can be used to determine your income levels, what your health is like etc. which can have a profound and prejudicial impact on your consumer choices.

So Startpage turned on SSL by default for all users, protecting your search terms from being seen by anyone else, no matter who they are or what their purpose is.

Cookies

Anyone who knows me knows about my work on cookies – more specifically cookies which are used to track you around the Internet and again use this information to build a profile about you for the purpose of behavioural advertising.

Startpage.com wanted to provide a solution which would allow users to personalise their experience through preferences, but would do so without leaving those users exposed to identification as a result (most web sites store preferences in a cookie). They didn’t need to do this, the purpose of a preference cookie is pretty benign, but they wanted to do so as a proof of concept to counter the spin by the advertising lobby that cookies are essential for the Internet to function properly and that EU regulations (which were being amended at the time to protect citizens from tracking cookies and other similar technologies) posed a threat to the very core of the Internet itself.

So they set up a solution on their web site which created a specific code for every single possible combination of preferences available to their users. Once you have set your preferences on Startpage.com, you can click a button to generate a special URL which stores these preferences in it. Users can then bookmark the URL and use it every time they wish to access Startpage.com to make sure their settings are preserved.

This adds an extra layer of privacy protection in that no set of preferences is unique to any single user, all users who have the same preferences have the same URL, which makes identifying users based on their preferences impossible. But it also shows that cookies are not the only answer to providing a personalised experience online and that not using cookies does not mean the Internet will break, as was (and still is) the moral panic being spread by the advertising lobby.
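One way to build such a settings URL, as an added example that is not Startpage's own code: each combination of preferences is numbered (a mixed-radix index) and that number becomes the code in the URL, so the URL depends only on the settings and never on the user. The schema, the `prf` parameter name and the `search.example` host are hypothetical.

```javascript
// Hypothetical preference schema: each setting has a fixed, ordered value list.
const SCHEMA = [
  ["language", ["english", "deutsch", "nederlands"]],
  ["familyFilter", ["on", "off"]],
  ["resultsPerPage", ["10", "20", "50"]],
  ["openInNewWindow", ["no", "yes"]],
];

// Number of possible combinations (3 * 2 * 3 * 2 = 36 for this schema).
const TOTAL = SCHEMA.reduce((n, [, values]) => n * values.length, 1);

// Map a preference object to its index among all combinations, as base 36.
// Settings are read in schema order, so the caller's key order is irrelevant.
function encodePrefs(prefs) {
  let index = 0;
  for (const [name, values] of SCHEMA) {
    const chosen = prefs[name] === undefined ? values[0] : String(prefs[name]);
    const digit = values.indexOf(chosen);
    if (digit < 0) throw new RangeError(`invalid value for ${name}`);
    index = index * values.length + digit;
  }
  return index.toString(36);
}

// Recover the preferences from a code, rejecting anything outside the schema.
function decodePrefs(code) {
  if (!/^[0-9a-z]+$/.test(code)) throw new RangeError("malformed code");
  let index = parseInt(code, 36);
  if (index >= TOTAL) throw new RangeError("code out of range");
  const prefs = {};
  for (const [name, values] of [...SCHEMA].reverse()) {
    prefs[name] = values[index % values.length];
    index = Math.floor(index / values.length);
  }
  return prefs;
}

// Bookmarkable URL: carries the settings code and nothing about the user.
function settingsUrl(prefs) {
  return `https://search.example/?prf=${encodePrefs(prefs)}`;
}

// Two constructed users with the same choices, entered in a different order.
const userA = { language: "deutsch", familyFilter: "off",
                resultsPerPage: "20", openInNewWindow: "yes" };
const userB = { openInNewWindow: "yes", resultsPerPage: "20",
                familyFilter: "off", language: "deutsch" };

console.log(settingsUrl(userA), settingsUrl(userA) === settingsUrl(userB));
```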

Proxy

Of course a search engine provides users with a list of results for a specific query and those results are contained within links to specific web sites which meet those search criteria. Startpage.com do everything they can to ensure the privacy of their users is protected when on their site and utilise SSL by default to prevent passing search terms on to any link they click in the results, but they wanted to go beyond that and provide another layer of protection for users. They wanted to ensure that when users click on a result the web page they request doesn’t have a negative impact on their privacy either.

So they introduced their proxy service, which allows users to download the page that is linked to in the results but without the remote server ever connecting to their computer. As far as the remote servers are concerned, the Startpage.com servers are the computers requesting the web page so all their tracking scripts, cookies etc. - malicious or otherwise, are sent to their servers which means Startpage.com can sanitize that data before sending it to your computer. This adds an extra layer of protection for their users and whereas it might not guarantee privacy it certainly goes a very long way to preserving it.

Privacy Policy

Startpage.com have made their privacy policy as transparent and human readable as possible – I have personally witnessed them spending many hours deciding how best to write a single term so that users will be able to understand it in a clear and comprehensive manner.

In addition to their Privacy Policy they have a very thorough “Privacy Questions and Answers” where they are transparent about their practices, both present and historical, and also provide useful information about online privacy in general.

Certification

Don’t just take my word for it when I say Startpage.com are a company committed to privacy. They were the first company to be certified by EuroPriSe and have passed the rigorous certification process every year since 2008 – they are currently the only search engine to be certified by EuroPriSe.

Furthermore they score 100 out of 100 on the popular Privacy Score system.

Conclusion

As you can probably guess already, I have a great deal of respect for Startpage.com and what they have done over the years to increase awareness of privacy issues and to develop a privacy enhancing technology. So it should come as no surprise that I thoroughly recommend and endorse their search engine.

Furthermore, I know that they are working on an email service called Startmail, which sets a new standard for privacy that I am incredibly excited about and is due to launch later this year; so watch this space because as soon as they are ready to launch I will be doing a review of that too. It includes a whole host of privacy enhancing features (some of which I suggested) and I have no doubt it is going to be incredibly popular.

To Robert, Alex and the rest of the team, it has been my pleasure to do this review and I personally wish you great success in the future. I couldn’t have wished to write my first privacy review on anything else.

Comments

Startpage = Great service!

It must be a close-run thing as to whether Ixquick or Metacrawler was "the first" meta search engine.

I absolutely love start page for its privacy standards. I even set my internet explorer search box to start page. I will never use other search engines again period. Startpage is my goto search engine forever and cannot wait until startmail comes into its infancy, at the moment, have been using yahoo as my alternate email client, but when startmail comes about, will definitely switch to startmail as my alternate email. When do you think it will come out exactly?

I am not sure when Startmail will be released but I have been told it will happen this year. I am hoping this summer. I am very excited about it too, I advised the guys on a number of features in Startmail and I am very much looking forward to seeing them working in the real world - they are features which, to my knowledge, no other email service currently provides.

I will be doing a review as soon as it is live, so keep an eye out.

When I enter a search subject into Ixquick / Startpage the first and prominent list of web sites are always those based in my state / country.
The search subject may relate specifically to another country yet it lists local sites which have some tenuous similarity.

Q: How is this possible if my address / search is anonymous ?

Hi Ben, I got in touch with one of the Directors at Ixquick/Startpage with regards to your question (just to clarify my own understanding) and here is his reply.

https://startpage.com/eng/privacy-policy.html

There's no personal data stored, that's guaranteed.

But we do detect from which country a user is originating, but this can never be brought into relation with any unique -user- identifier like IP-address or search query or something else because that is not stored in the first place.

We need to be able to detect from which country a connection is made because we have to be able to display Startpage in the appropriate language (we support 17 languages), otherwise the results can not be relevant either of course.

If you know the people at startmail could you please convey to them this idea: Create a browser addon which verifies the java encryption's engine hash every time, only allowing the user to login when it matches the recorded checksum. This way if they got compelled by a court to bug the user like hushmail was, the user would be alerted via the uncorrupted plugin. I don't know why hush doesn't implement that as it's a perfect solution for keeping private keys on the server while still verifying their integrity.

I will relay your message to them although I am not sure it is an issue due to the way Startmail works.

I guess "Both Startpage.com and Ixquick.com are run by the same company, the primary difference between the two is Startpage.com's search results come directly from Google’s syndicated search." does say that more or less, but it took me awhile to figure out that was the difference based on looking for info on the sites, then coming back here after I had played with them.

What is "statesman" anyway? Can't find anything about that word related to search.

To get to the next level, the company should let anyone audit their code used to run the sites.

Thanks for the article, I'll be trying startpage and ixquick each a bit, and see if one stays as my default. :)

Can you please tell the people from startpage that they need to build a private social network. We need to stop using facebook and google. Please ask them to build this ASAP. We all need to move AWAY from these sneaky people.

They are very busy preparing to launch a new privacy focused email service at the moment, but I have already pitched a privacy focused and secure social network to them, so maybe in the future they will.

how do we know that startpage has not been set up by europol or fbi as a trap for criminals and terrorists?

How do you know the entire world is not just some experiment in a giant alien test tube? Seriously, if you want to start conspiracy theories, your best option is to shutdown, sell everything you own and go live in a cave - then hope your cave isn't put under surveillance because if you left society you must have "something to hide"....

SP claims the user's ISP doesn't "see" the destination when the user clicks on open link through proxy. Does that mean that the ISP is somehow prohibited from seeing the long string of characters in the proxy URL?

Because if they see the long proxy url, they can store it and they can see where I go. I experimented to see if the long URL of the proxied page would be specific to the current user and wouldn't work with another user on another ISP. So I emailed myself the URL and opened it on my phone through my phone data ISP. The URL opened up the proxied page just fine.

Interesting. And I'm really interested in finding out the answer.

RC

First of all the URL is not specific to any user, nothing on SP is specific to a user unless they have configured it that way. Even preference settings can be set without using a cookie and gives a unique URL which is specific to the settings not the user.

The long URL you are referring to is an encoded URL so even if the ISP can see that in the metadata, they have no idea what it is, just that you are sending a request to the Startpage proxy, not what that request is. So from a privacy perspective there is nothing to be concerned about from the "long URL".

Thank you for the reply. The question I still have is, can the ISP (even though they don't instantly "know" what I'm looking at when using SP proxy) see the WHOLE URL string to where it can be stored and processed by some program? You know well they will if its possible since SP is gaining huge popularity.

First of all let me re-iterate that even if they could see the encoded URL (if you have HTTPS disabled for example) it wouldn't make any difference because the URL is an encoded string, meaning that they would only be able to see that you are sending a request to the Startpage proxy; they would not be able to decode the rest of the URL, not now or at a future date. But before they could see even the encoded URL you would have to turn off HTTPS (which is enabled by default for Startpage).

Second, here is the technical answer:

In an HTTPS communication, a secure "transport layer" is established first, and then the browser and the server communicate using this secure connection. This communication consists of "requests" sent by the browser, and "responses" sent by the server, all done within the secure transport layer. The URL, and all other HTTP parameters, are all inside the "request", therefore they are neither plaintext nor sniffable.

Hope that clears up any further concerns?

I never turn off HTTPS in SP.

Yes, great explanation! Thank you!

I posted this on the duckduckgone thread also, may be of interest as it applies to Startpage also.
Using SeaMonkey v2.19 in a non-private tab, if I navigate to DDG, Ixquick and Yandex, then view Data Manager in the browser, I see entries for all. When I opt to Clear Private Data in the browser (all options selected), only the Yandex entry is removed. The others must be removed manually.
Now I see that Ixquick and Startpage are now shown as US locations in Flagfox, whereas previously it indicated the Netherlands.

Hi startpage team.
I would like to say "Thank you very much". I love the way you have made the "Internet" free again :) After all the proof on the news about "Big Brother" spying on us, well, I'm so happy people like you are around to put a stop to it all. I know people think some of us are just "paranoid" but after this spying revelation! It's proof they want as much info as possible on the public. But what for, I ask? To sell to the big corporate goons? Or something more sinister? :(
Anyway, thank you all again. I will tell people about you and hope and wish you all the best with "Startmail" and the future.

Alexander, I had posted previously with concerns that Ixquick servers were displaying as US based in Flagfox.
I addressed this issue with Ixquick and Alex kindly provided a workaround to ensure the Dutch servers by using https://eu.ixquick.com
Cheers
