Slashdot Mirror
DuckDuckGo: Illusion of Privacy
An anonymous reader writes "With all of the news stories about users moving to DuckDuckGo because of NSA spying, this article discusses why the privacy provided by DuckDuckGo is more the privacy from third-party tracking (advertisers) but may do little, if anything, to prevent the NSA from tracking your searches."
"The NSA Can't Loose" ... Really?
I started using DuckDuckGo because, out of all the other search engines out there, it's the only one I've found whose entire mission statement centers around _not_ collecting information on every goddamn thing you do. Yes it's probably still being tapped at the fibre optic cable level so it doesn't really matter, that's not the point. The point is to vote with your dollar, or in this case your page view, far more influential these days than one thinks.
I don't use DuckDuckGo because it preserves my privacy. I use DuckDuckGo because they don't try to take it away from me.
At least for me its not, its about not feeding the beast directly. I jumped to Linux, Opera, and DDG as a way to add a few more cycles and maybe a few more man hours to the mess rather than hand it over directly with Windows, IE or Chrome, and Google. If anyone thinks they can really be anonymous in this ecosystem they are sorely mistaken. I do believe however there are less trodden paths and a little more pains in the rear that can be had, and as a silent protest, I chose to use them.
I may be breaking the fundamental rules of Slashdot, but ...
- the "article" is a single post on a recently created blog
- they misspell "lose"
- a quick google of Brett Wooldrige doesn't bring up anything exciting (a Forbes blog account with no content?)
This is the very definition of "nothing to see here, move along".
-
Run your traffic encrypted through another country with actual privacy protections.
It's not perfect, but it is another complication and barrier to direct monitoring.
Ultimately, the NSA reveal is a good thing - it's going to drive demand for virtual private cloud services where you hold the keys, and perhaps, a move back to corporate controlled cloud services on-site. Great news if you're in IT.
..don't panic
At least Ixquick is not a U.S. company: https://ixquick.com/eng/prism-program-revealed.html
While their searches aren't as fast as Google's, I have found them to be pretty good quality-wise.
It's about as good as a google search [b]and it gives the wikipedia article for any topic at the top[/b]. My opinion is better than your opinion.
Don't know about you, but when I want to look up something on Wikipedia, I look for it on Wikipedia. Having Wikipedia info displayed automatically for a search isn't really a "feature" as far as I'm concerned.
I think the article brings up and interesting point about who's SSL certs the NSA has access to. It's reasonable to assume that they are capturing most if not all Internet traffic in the states (at the very least all packets entering or leaving the county.) What is unknown is how much of that encrypted traffic can be easily decrypted. If I were a three letter gov't agency intent on decrypting massive amounts of traffic, I would go straight for the keys. It's particularly of note that DuckDuckGo does NOT use session keys in its SSL implementation, meaning if their private key got compromised, all previous searches would also be compromised. I don't think it's too much of a stretch to assume that the NSA has found a way to that key, either through secret court orders, or good old fashioned nefarious means. Especially for a site like DDG, who makes promises of "privacy". Makes you wonder who else's keys they have access to.
DDG is a reskinned Yandex with shortcuts to search particular sites. If you don't commonly use site: searches on Google, and you can't stand Yandex, you won't like DDG.
Hi, this is Gabriel Weinberg, CEO and founder of DuckDuckGo. I do not believe we can be compelled to store or siphon off user data to the NSA or anyone else. All the existing US laws are about turning over existing business records and not about compelling you change your business practices. In our case such an order would further force us to lie to consumers, which would put us in trouble with the FTC and irreparably hurt our business. We have not received any request like this, and do not expect to. We have spoken with many lawyers particularly skilled and experienced in this part of US and international law. If we were to receive such a request we believe as do these others it would be highly unconstitutional on many independent grounds, and there is plenty of legal precedent there. With CALEA in particular, search engines are exempt. There are many additional legal and technical inaccuracies in this article and I will not address all of them in this comment. All our front-end servers are hosted on Amazon not Verizon, for example. A couple other responses to things I've noticed in the comments already: --Our servers are already located around the world. European users are generally not hitting US-based servers, for example. --We do have PFS on our cert: https://www.ssllabs.com/ssltest/analyze.html?d=duckduckgo.com&s=50.18.192.251
To strip off the referrer. Otherwise the end site would see the URL of the DuckDuckGo search revealing the details of the search, page, etc.
I don't know but if you do not want to use Google, DuckDuckGo is by far one of the best alternatives. Try doing temperature, currency conversions with DuckDuckGo, the integrated results from WolframAlpha are pretty good. The only thing is missing is image search imho.
It's so their system will strip out referrals, thus increasing your privacy: the site you end up on won't know what search terms you used to get there.
if you search for something, you may want to have web-results and wikipedia. When DDG displays you an excerpt from Wikipedia (like a Definition of your term), it may be enough, so you do not need to open wikipedia, but read it just before reading the rest of the search results.