33
submitted 4 years ago* (last edited 4 years ago) by dirtfindr@lemmy.ml to c/privacy@lemmy.ml

There are substantial privacy and civil liberty issues with DuckDuckGo. Here they are spot-lighted:

  • Nefarious History of DDG founder & CEO:
    • DDG's founder (Gabriel Weinberg) has a history of privacy abuse, starting with his founding of Names DB, a surveillance capitalist service designed to coerce naive users to submit sensitive information about their friends. (2006)
    • Weinberg's motivation for creating DDG was not actually to "spread privacy"; it was to create something big, something that would compete with big players. As a privacy abuser during the conception of DDG (Names Database), Weinberg sought to become a big-name legacy. Privacy is Weinberg's means (not ends) in that endeavor. Clearly he doesn't value privacy -- he values perception of privacy.
  • Direct Privacy Abuse:
    • DDG was caught violating its own privacy policy by issuing tracker cookies.
    • DDG's app sends every URL you visit to DDG servers. (reaction).
    • DDG is currently collecting users' operating systems and everything they highlight in the search results. (To verify this, simply hit F12 in your browser and select the "network" tab. Do a search with JavaScript enabled. Highlight some text on the screen. Mouseover the traffic rows and see that your highlighted text, operating system, and other details relating to geolocation are sent to DDG. Then change the query and submit. Notice that the previous query is being transmitted with the new query to link the queries together.)
    • DDG is accused of fingerprinting users' browsers.
    • When clicking an ad on the DDG results page, all data available in your session is sent to the advertiser, which is why the Epic browser project refuses to set DDG as the default browser.
    • DDG blacklisted Framabee, a search engine for the highly respected framasoft.org consortium.
  • Censorship: Some people replace Google with DDG in order to avoid censorship. DDG is not the answer.
    • DDG is complying with the "celebrity threesome injunction".
  • CloudFlare: DDG promotes one of the largest privacy abusing tech giants and adversary to the Tor community: CloudFlare Inc. DDG results give high rankings to CloudFlare sites, which consequently compromises privacy, net neutrality, and anonymity:
    • Anonymity: CloudFlare DoS attacks Tor users, causing substantial damage to the Tor network.
    • Privacy: All CloudFlare sites are surreptitiously MitM'd by design.
    • Net neutrality: CloudFlare's attack on Tor users causes access inequality, the centerpiece to net neutrality.
    • DDG T-shirts are sold using a CloudFlare site, thus surreptitiously sharing all order information (name, address, credit card, etc) with CloudFlare despite their statement at the bottom of the page saying "DuckDuckGo is an Internet privacy company that empowers you to seamlessly take control of your personal information online, without any tradeoffs." (2019)
    • DDG hired CloudFlare to host spreadprivacy.com (2019)
  • Harmful Partnerships with Adversaries of Privacy Seekers:
    • DDG patronizes privacy-abuser Amazon, using AWS for hosting.
      • Amazon is making an astronomical investment in facial recognition which will destroy physical travel privacy worldwide.
      • Amazon uses Ring and Alexa to surveil neighborhoods and the inside of homes.
      • Amazon paid $195k to fight privacy in CA. (also see http://cal-access.sos.ca.gov/Campaign/Committees/Detail.aspx?id=1401518&view=late1)
      • Amazon runs sweat shops, invests in climate denial, etc. The list of non-privacy related harms is too long to list here.
    • DDG feeds privacy-abuser Microsoft by patronizing the Bing API for search results and uses Outlook email service.
      • Microsoft Office products violate the GDPR (the Dutch government discovered numerous violations)
      • Microsoft finances AnyVision to equip the Israeli military with facial recognition to be used against the Palestinians who they oppress.
      • Microsoft paid $195k to fight privacy in CA. (also see http://cal-access.sos.ca.gov/Campaign/Committees/Detail.aspx?id=1401518&view=late1)
      • DDG hires Microsoft for email service: torsocks dig @8.8.8.8 mx duckduckgo.com +tcp | grep -E '^\w' ==> "...duckduckgo-com.mail.protection.outlook.com"
    • DDG is partnered with Yahoo (aka Oath; plus Verizon and AOL by extension). DDG helps Yahoo profit by patronizing Yahoo's API for search results, and also through advertising. The Verizon corporate conglomerate is evil in many ways:
      • Yahoo, Verizon, and AOL all supported CISPA (unwarranted surveillance bills)
      • Yahoo, Verizon, and AOL all use DNSBLs to block individuals from running their own mail servers, thus forcing an over-share of e-mail metadata with a relay.
      • Verizon and AOL both drug test their employees, thus intruding on their privacy outside of the workplace.
      • Verizon supports the TTP treaty.
      • Yahoo voluntarily ratted out a human rights journalist (Shi Tao) to the Chinese gov w/out warrant, leading to his incarceration.
      • Yahoo recently recovered "deleted" e-mail to convict a criminal. The deleted e-mail was not expected to be recoverable per the Yahoo Privacy Policy.
      • Verizon received $16.8 billion in Trump tax breaks, then immediately laid off thousands of workers.
      • (2014) Verizon fined $7.4 million for violating customers’ privacy
      • (2016) Verizon fined $1.35 million for violating customers’ privacy
      • (2018) Verizon paid $200k to fight privacy in CA. See also this page
      • (2018) Verizon caught taking voice prints?
      • more dirt (scroll down to Verizon)
      • (2016) Yahoo caught surreptitiously monitoring Yahoo Mail messages for the NSA.
  • Advertising Abuses & Corruption:
    • DDG consumed a room at FOSDEM 2018 to deliver a sales pitch despite its proprietary non-free server code, then dashed out without taking questions. Shame on FOSDEM organizers for allowing this corrupt abuse of precious resources.
    • Tor Project accepted a $25k "contribution" (read: bribe) from DDG, so you'll find that DDG problems are down-played. This is why Tor Browser defaults to using DDG and why Tor Project endorses DDG over Ss -- and against the interests of the privacy-seeking Tor community. The EFF also pimps DDG -- a likely consequence of EFF's close ties to Tor Project.

For the record, this is how Tor Project responds to criticism about their loyalty toward DuckDuckGo (their benefactor) in IRC:

18:20 < psychil> if torbrowser is going to be recommended, it should also be open to scrutiny. in the absence of that transparency, you create an untrustworthy forum.

18:20 < psychil> we've seen a loyalty from TB toward duckduckgo, but DDG is in partnership with Verizon, Yahoo, AOL et. al.

18:21 < psychil> all CISPA-sponsoring companies

18:22 < psychil> if ppl choose to trust them fair enough, but this trust shouldn't be pushed on every user weighing their choice of browsers

18:26 -!- mode/#tor [-b psychil@!@*] by ChanServ

18:27 < YY_Bozhinsky> psychil: i am using Tor (thanks to Tor Devs)... PLUS brain - good bundle. I am happy. And please, don't rush to change Reality (do it slowly with love and respect). Because it's home for many ppl. They construct their lives in it. Think twice before ruining that. Please.

18:27 -!- mode/#tor [+b psychil!@] by ChanServ

18:27 -!- psychil was kicked from #tor by ChanServ [wont stop the FUD]

Indeed, Tor Project is notoriously fast to censor any discourse (no matter how civil) when it supports a narrative that doesn't align with their view / propaganda.

all 20 comments
[-] Melody@lemmy.one 6 points 1 year ago

There are so many issues/inconsistencies with this laundry list of "Problems".

Nefarious History of DDG founder & CEO:

  • Every link under this header is effectively broken except the wikipedia link.
  • Yes; onion links count as broken my friend. You need to link the clearweb version too for our clearweb using readers. Furthermore it is more difficult for the casual reader to verify that the server they arrive on when they use an onion link is actually the source it claims to be coming from. (Because TOR onions do anonymize locations)

Direct Privacy Abuse:

  • Link is broken; onions don't resolve on clearweb

  • Reaction link is broken (timeout)

  • this is a good testable procedure to show your concerns

  • four year old source that seems to heavily imply that this is just normal use of the Canvas API for layout purposes. source questionable; as it is not a typical tech news focused reporting outlet.

  • The FAQ states why certain engines are not included with the browser but I see no hard refusal language. They do call it out that the relevant providers went silent when asked how things work and offer this as the reason why they have not yet chosen to include them. It's entirely possible that if the companies explained their ad-tech to Epic team's satisfaction they might consider the partnership. We know they probably won't explain that tech; but the possibility exists based on this document alone.

  • This is probably a reasonable source; and if this isn't ever printed in English or made available in English ever; I can understand. However the lack of an English language version of this source could be frustrating. I did run it through translate and verify the claim though it's just one line in a newsletter.

Censorship

  • This entire header is irrelevant. DuckDuckGo isn't specifically censoring the content. However; downstream search engines such as Google and Yahoo definitely ARE and DDG is returning what they do.
  • No, they are not complicit in censorship by doing this; they are just as affected by it as you and I are and are working with the data they can obtain.
  • Censorship requires specific action to suppress information and it is not evident that DDG is doing so in the example provided in the source links.

Cloudflare

  • The reasons under this header are also irrelevant. These are nasty things that Cloudflare is doing. Go yell at Cloudflare.
  • I'd suspect that DDG didn't do their homework on Cloudflare; but the alternatives to Cloudflare are simply not large at all; and may have been more costly.
  • Not defending their choice to go with Cloudflare but; Cloudflare does have a rather absurd near-monopoly on the kinds of services they can provide.
  • Show me a viable alternative to Cloudflare that meets your privacy model. I'd love to learn about one.

Harmful Partnerships with Adversaries of Privacy Seekers:

  • Once again you're listing things that other companies have explicitly done. Everything under this header is largely irrelevant
  • Amazon & AWS: a large number of FLOSS projects use it or provide binaries and containers you can run (for/on) it.
  • Microsoft: like it or not they have to work with, around, near them; they provide Bing.
  • Yahoo/Oath: Same as Microsoft they provide a search engine.
  • DDG is one part "Metasearch Engine" and one part "Search Engine" in that they do also crawl the web to augment their results.

Advertising Abuses & Corruption:

  • All of this lacks any usable sources or proof.

  • Your one link is an onion; which is not a usable source link.

  • The IRC logs provided appear to be missing a truckload of context and IRC logs never really do provide solid proof as they can be edited/cherrypicked to show/support your argument.

  • The provided logs do only show ChanServ making a ban.

  • IRC channels such as this one are notorious for being highly focused on their specific topic as they state in their rules.

  • Your apparent ban in that channel does not mean they are censoring you; but it does mean you barged into their IRC channel, probably without reading their rules carefully, and got banned for breaking those rules.

  • As someone who has sat in channels like that on OFTC and even Freenode before the splits happened for 20ish years; I can assert that your communication style was not civil to the standards of that channel. Joining an IRC channel to yell at project maintainers is never going to earn you anything more than a ban if their channel is actually monitored or moderated.

  • I may not have been there myself; but I know that is how things are typically done on IRC in general.

[-] imrichyouknow@sh.itjust.works 5 points 1 year ago

Always better off with SearXNG

Thanks, just spun this up in a container.

[-] imperator@sh.itjust.works 1 points 1 year ago

Can you run this not having a public facing page?

[-] DrWeevilJammer@lm.rdbt.no 2 points 1 year ago

Yes, you just access it from an internal address.

[-] uranushertz@lemmy.one 3 points 1 year ago

Currently using Brave browser with its own search engine search.brave.com

[-] Akovia@latte.isnot.coffee 1 points 1 year ago

I so badly wanted to use Brave search, but I found it to be terribly slow on its initial search in a tor window, and the results are poor at best.

I was having an issue with Brave that I tried to find a solution for using their own search and couldn't find a single result, but found pages of results elsewhere. I'm sure it will get better over time, but certainly not ready for a production environment yet. Will keep checking back though.

[-] Akovia@latte.isnot.coffee 2 points 1 year ago

That's a bit of a gut punch! Just when you thought it was safe to go back into the water....

Thanks for sharing.

[-] NoEmail@lemmy.ml 1 points 4 years ago

NB: Can't believe I had to register here with an e-mail address to comment about privacy...

Problem I have with searx is it does no regional searches at all - I just can't find what I'm looking for in my own country. Results seem to be .com results. I see a Github issue was opened for that about 4 years ago and is still open.

I notice that DDG does allow users to set their search method to POST requests and support redirects to prevent search leakage. Partly the problem of browser and OS etc identity is our own browsers that are sending this info? DDG does do good regional search too.

So my big challenge is give me a metasearch engine that can at least do regional searches. For someone living in the US they probably don't have a problem with "global" results, but outside the US we need results for locally in Botswana, South Africa, Egypt, etc and language is no good to filter on.

[-] dirtfindr@lemmy.ml 1 points 4 years ago

> NB: Can’t believe I had to register here with an e-mail address to comment about privacy…

Supplying an email address on Lemmy used to be optional. Has that changed?

> Problem I have with searx is it does no regional searches at all

I think that's determined by the searx instance. Some instances let you choose your UI language, as well as the results language. You can also do "site:de" if you want to search *.de sites for example.

> I notice that DDG does allow users to set their search method to POST requests and support redirects to prevent search leakage.

Why would POST prevent leakage? As long as the site is HTTPS, the query is encrypted regardless of whether it's HTTP POST or HTTP GET.
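
For reference on the "search leakage" term used in the two comments above (an added example, not written by either commenter): the sketch below computes the Referer header a browser sends when a result link is clicked, under each Referrer-Policy value, for a results page reached by GET versus POST. The hostnames, the query and the helper names are constructed for illustration, and the policy logic is a simplified reading of the Referrer Policy specification.

```javascript
// Added illustration: which Referer value a browser sends on navigation,
// per Referrer-Policy (simplified; "downgrade" here means https -> non-https).
function stripForReferrer(u, originOnly) {
  const url = new URL(u);
  if (originOnly) return url.origin + "/";
  url.username = "";   // credentials and fragment are never sent
  url.password = "";
  url.hash = "";
  return url.href;     // path and query string are kept
}

function refererFor(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const full = stripForReferrer(fromUrl, false);
  const origin = stripForReferrer(fromUrl, true);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Constructed sample URLs (hypothetical hosts).
const GET_RESULTS = "https://search.example/?q=clinic+near+me"; // query in URL
const POST_RESULTS = "https://search.example/";                 // query in body
const CLICKED = "https://result.example/page";

// True when the clicked site would receive the search terms in Referer.
function leaksQuery(resultsUrl, policy) {
  const ref = refererFor(resultsUrl, CLICKED, policy);
  return ref !== null && ref.includes("q=");
}

for (const p of ["unsafe-url", "no-referrer-when-downgrade",
                 "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(p, "GET:", leaksQuery(GET_RESULTS, p), "POST:", leaksQuery(POST_RESULTS, p));
}
```

TLS protects the query on the wire in both cases; the difference shown here is what the browser itself hands to the next site, which is also why a URL-borne query ends up in history and server access logs while a POST body does not.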

[-] Serval@sh.itjust.works 0 points 1 year ago

I don't use DDG browser, but I do use DDG search. What are the alternatives?

[-] Srootus@sh.itjust.works 1 points 1 year ago

Startpage if you don't use a VPN, Brave search if you do and don't want to tinker, or Searx. Searx is very powerful but requires some small tinkering, plus it's decentralized so you either host it yourself or give trust to the person running the instance.

[-] raverrebel@lemmy.ml 0 points 4 years ago

Does anyone have an opinion on startpage.com? This would be the best alternative imho.

[-] SudoDnfDashY@lemmy.ml 1 points 3 years ago

I would recommend MetaGer as they are a non profit and have their own crawlers.

[-] Percy@lemmy.one 0 points 1 year ago

I know this was 3 years ago but anyone got a good alternative?

[-] janAkali@lemmy.one 1 points 1 year ago* (last edited 1 year ago)

metager.org in my experience is alright in terms of search, it's also open-source and run by a non-profit.

[-] arthur@lemmy.ml 0 points 4 years ago

This has inspired me to start testing out Searx as my default again.

[-] dessalines@lemmy.ml 0 points 4 years ago

I love searx but instances keep getting taken down, or results not coming back from the main sources.

[-] arthur@lemmy.ml 1 points 4 years ago

That's ultimately why I left the last time. That and the speed in which most instances load is terrible.

this post was submitted on 09 Mar 2020
33 points (100.0% liked)
