We have to talk about DDG's honesty

[Old Forum guest] anonymous
Created: 5 years and 8 months ago
Well, I found a blog with an interesting article about DDG, cookies and tracking.


This forum has been archived

Thank you all for the many comments, questions and suggestions. Particular thanks go to user x.15a2 for constantly monitoring, replying and helping so many users here. To continue these discussions, please head over to the DuckDuckGo subreddit.

I'm happy to answer any questions, of course honestly!

We have a long history of protecting, educating and standing up for users with regards to privacy. We also take any issues with our privacy policy very seriously and are committed to fixing any such issues. So please let's discuss.

With regards to these allegations:

1) We do not have cookies on by default when you visit duckduckgo.com or do searches. You can easily verify this.

It turns out the provider we use for our help desk, desk.com, sets a non-unique cookie and for some reason sets it to the primary domain instead of the secondary domain. I apologize for us not noticing this sooner. From time to time security threats are pointed out to us (usually cross-site-scripting XSS attacks introduced from new code) and we do our best to respond to them as quickly as possible. We really do appreciate people pointing them out so we can make our site even more secure.

In response to this incident we have:
  • immediately moved help.duckduckgo.com to help.dukgo.com so this doesn't happen on our main domain.
  • contacted desk.com to see what this is about and if it can be removed.
  • started a plan to move our help pages off of desk and onto the open source community platform at dukgo.com (depending on what desk.com can and will do for us in response).
Again, though, you can easily verify that our servers do not set this cookie, it has nothing to do with search results or search privacy and therefore does not violate our privacy policy.

2) We've done easter eggs for people who recommend us on Twitter for quite some time. They are not intended for critics or anyone who doesn't want it so this was an obvious mistake and I apologize for it. There was absolutely no mal-intent, and as soon as I saw he was angry about it, I removed it.

We've always been happy to remove them if people want, but no one has ever wanted that. In fact, almost everyone replies that they think it is awesome. They are all hand-checked manually and so we will re-check that process as a result of this incident. This simply isn't a violation of our privacy policy.

3) We've had affiliate revenue for years. It is explained directly in our privacy policy and on our help site. No personal information flows one way or the other and it doesn't compromise anonymity at all.

4) The laws in the US are about turning over existing business records and not compelling companies to change their business practices. Anything that says otherwise is misleading.

Additionally gag orders are about not talking about things and cannot compel you to lie, e.g. lie to your users about your privacy policy or lie as an individual when you're out speaking.

In short, when you search on DuckDuckGo you are anonymous. That's why it says search anonymously on our homepage. We stand by that statement wholeheartedly.
posted by yegg Staff • 5 years and 8 months ago Link
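An added example, not part of the original thread and not DuckDuckGo's or desk.com's code: a check over captured Set-Cookie headers that flags cookies a subdomain scopes to its parent domain, which is the situation point 1 of the post above describes, and shows the effect of moving the help site to a separate domain. The cookie name, its value and the assumption that the cookie carried a Domain attribute naming the parent domain are constructed for illustration.

```python
# Added example: flag cookies whose Domain attribute reaches beyond the host
# that set them. Sample headers below are constructed, not captured traffic.
from dataclasses import dataclass


@dataclass
class CookieScope:
    name: str
    set_by: str       # host that sent the Set-Cookie header
    domain: str       # domain the browser stores the cookie under
    host_only: bool   # True when no Domain attribute was sent

    def sent_to(self, host: str) -> bool:
        """Would a browser attach this cookie to a request for `host`?"""
        host = host.lower().rstrip(".")
        if self.host_only:
            return host == self.domain
        # RFC 6265 domain-match: the exact domain or any subdomain of it.
        return host == self.domain or host.endswith("." + self.domain)

    @property
    def widened(self) -> bool:
        """True when the cookie is scoped to a parent of the host that set it."""
        return not self.host_only and self.domain != self.set_by


def parse_set_cookie(set_by: str, header_value: str):
    """Parse one Set-Cookie value; return None if a browser would reject it.

    Limitation: public-suffix checks (e.g. Domain=com) are not modelled here.
    """
    set_by = set_by.lower().rstrip(".")
    pieces = [p.strip() for p in header_value.split(";")]
    name = pieces[0].partition("=")[0].strip()
    if not name:
        return None
    domain = ""
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        if key.strip().lower() == "domain":
            domain = value.strip().lower().lstrip(".")
    if not domain:
        return CookieScope(name, set_by, set_by, host_only=True)
    # A host may only name itself or one of its own parent domains.
    if set_by != domain and not set_by.endswith("." + domain):
        return None
    return CookieScope(name, set_by, domain, host_only=False)


def audit(responses, site_hosts):
    """Return (name, set_by, domain, hosts_reached) for every widened cookie.

    responses: iterable of (host, [Set-Cookie header values]).
    site_hosts: hosts to test the cookie's reach against.
    """
    findings = []
    for host, headers in responses:
        for header in headers:
            cookie = parse_set_cookie(host, header)
            if cookie is not None and cookie.widened:
                reach = [h for h in site_hosts if cookie.sent_to(h)]
                findings.append((cookie.name, cookie.set_by, cookie.domain, reach))
    return findings


def reaches(findings, host):
    """True if any flagged cookie would be sent to `host`."""
    return any(host in reach for _, _, _, reach in findings)


SITE_HOSTS = ["duckduckgo.com", "help.duckduckgo.com",
              "dukgo.com", "help.dukgo.com"]

# Constructed: help desk served from a subdomain of the search domain.
BEFORE_MOVE = [
    ("duckduckgo.com", []),  # search pages set no cookie by default
    ("help.duckduckgo.com",
     ["helpdesk_pref=1; Domain=.duckduckgo.com; Path=/"]),
]

# Constructed: same third-party behaviour after the help site is moved.
AFTER_MOVE = [
    ("duckduckgo.com", []),
    ("help.dukgo.com", ["helpdesk_pref=1; Domain=.dukgo.com; Path=/"]),
]

if __name__ == "__main__":
    for label, responses in (("before", BEFORE_MOVE), ("after", AFTER_MOVE)):
        findings = audit(responses, SITE_HOSTS)
        print(label, findings,
              "reaches search domain:", reaches(findings, "duckduckgo.com"))
```

Run against real traffic by replacing the constructed lists with the Set-Cookie values observed for each host.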
As the author of the blog in question I will address each of your points in turn:

1.  The cookie was set, now it turns out it was set by a 3rd party in the first party domain, this actually makes it worse not better.

2.  I didn't "recommend" you, on the contrary I have been warning people not to use you because your services are based in the US and thus vulnerable to FISA/PATRIOT/FISC and NSLs.  You and I even had a discussion in DM on Twitter where I made these points very clear, so how you can mistake me as recommending you is ridiculous, you knew personally that I wasn't recommending you.  I never said it was a violation of your policy, I said it shows you don't give a damn about privacy - did you ask for consent to do this?  No you didn't.

3.  Weasel words - no "personal" information.  The very point of the code is to track purchases so you can get your commission - by definition the code tracks users, a semantic debate on what constitutes personal data or not is irrelevant, users are still being tracked for the purpose of generating revenues.

4.  The laws in the US -can- compel you to hand over the details of your users.  The tcp headers which you claim you do not log still come in to your systems and are present in RAM and page files as well as through your network hardware - these data are still vulnerable to surveillance orders from law enforcement and intelligence agencies and to state otherwise is simply incorrect and misleading.  Furthermore, yes you can be compelled under FISAAA and PATRIOT as well as CALEA to monitor the users of your service - again to state otherwise is misleading.  Gag orders prevent you from giving any indication that you are under an order from FISC or NSL.

In short, what you say on your web site is irrelevant because:

a: You have not been externally audited
b: Everything you said in your post above re: point 4 is false.

Alexander Hanff
posted by [Old Forum guest] • 5 years and 8 months ago Link
I am using Safari with Duck Duck Go, and my browser says I have a cookie from duck duck go stored in the cache every time I open the browser. Explanation?
posted by [Old Forum guest] • 5 years and 6 months ago Link
The case of Pete Ashdown of Xmission is one I'd characterize as the FISA court compelling a company to change its business practices, not provide existing data responsive to a specific request "particularly describing" specific records or classes of records.

How would Duck Duck Go characterize this? What would Duck Duck Go's response be to a warrant or subpoena requiring them to interpose a virtual or physical "black box" that taps their user data? Would it be as Lavabit did, closing down, or as Yahoo, Microsoft, Google, et al did to comply and allow virtually limitless access to their data and then lie to their users that they've done so?
posted by [Old Forum guest] • 5 years and 5 months ago Link
As I've said before (and to you) we are happy to be externally audited. Who do you recommend we pursue that audit from?

On the legal points you are misinformed. Search engines are not subject to CALEA. The other laws all involve turning over existing business records and everything over that line is unconstitutional. There is plenty of legal precedent for that, e.g. http://caselaw.findlaw.com/us-9th-circuit/1226963.html , "The question remains whether the order goes too far in interfering with the service provided by the Company, by preventing the Company from supplying the System's services to its customers when a vehicle is under surveillance.   We conclude that it does."
posted by yegg Staff • 5 years and 8 months ago Link
I am misinformed?  I have been a scholar of privacy law for close to a decade and give speeches the world over on these issues.  Just because something is unconstitutional it doesn't mean it doesn't happen - PRISM and the Verizon order are perfect examples of this.

Technically you are not a search engine, you are a meta search engine so it is debatable as to whether or not you are exempt from CALEA and even then you are still subject to FISAAA and PATRIOT.  You have failed completely to address these issues and instead choose to try and mislead people.

External audit won't really make any difference as long as you are in the US because you are still vulnerable to US law - I won't ever be comfortable recommending you as long as you are in the US.  But my point was, even before the PRISM scandal (and yes I was aware of FISAAA way before and have lobbied against US Safe Harbour on the basis of FISAAA for the last 5 years in Brussels as well as writing academic papers on PATRIOT and FISA prior to that) all we had to go on regarding your policies was your word, and based on your comment on stackexchange you don't want to bother with an external audit:

I've thought and explored external verification, from someone like the EFF for instance, but I don't think that really would do much to assuage the core of the comment. 

that was over a year ago.

As I have said to you personally and on my blog, I have absolutely nothing against your company, but I will not sit back and tell people it is safe if I don't think it is - I am a privacy advocate, I give people advice on and I campaign/lobby on privacy issues.  I will do whatever I can to enhance the privacy of citizens and sending them to DuckDuckGo does not meet the requirements of that mandate as far as I am concerned.

Alexander Hanff
posted by [Old Forum guest] • 5 years and 8 months ago Link
I have seen several interviews featuring Gabriel and I will say that, even when given the opportunity to do so, he has never gone on the attack against G, B or Y!. Rather, he explains the features that DDG has to offer and what sets DDG apart from the other services. Then, I read Alexander's blog post and immediately wondered why he was attacking DDG. I can understand pointing out some perceived shortcomings, but why take off the gloves immediately?

I find that Gabriel has been very open about the operation of DDG. I find it interesting that he and his staff respond quickly to reported and perceived security issues, like the cookie issue mentioned above. I also sense that Alexander is pretty thin-skinned to be offended that a link to his Twitter account (the same account that helps "expose" DDG's shortcomings). I think that it's pretty magnanimous that Gabriel pointed the way to an opposing point of view.

Having read and digested both posts I'll say that I'm very comfortable using DDG and will continue to do so. By the way, unless I want to use TOR (and I don't), having DDG's servers off-shore is worthless, my information still flows through my ISP and the NSA can force those records to be turned over, so I'm still screwed.

Forum Moderator
posted by x.15a2 Community Leader • 5 years and 8 months ago Link

"having DDG's servers off-shore is worthless, my information still flows through my ISP and the NSA can force those records to be turned over, so I'm still screwed."

How is the data flowing between your computer and ddg's servers revealed if you use HTTPS?
posted by [Old Forum guest] • 5 years and 6 months ago Link
I tried to register here but I fail, nothing happens when I press "Join", so I'm still a guest.
I'm the creator of this thread.

At first thanks to yegg13 for the quick answer.

The most interesting point for me is, why no servers in Europe?
I mean, European people are the most interested people in your service because it's the US law that is the problem for the people here (I'm from Europe).
In the EU the discussion about creating "Google like services in Europe" is big. The problem is, as long as the servers are not in Europe the trust in a service like DDG will be limited. For example, ixquick/startpage are going this way. US servers for US people and EU servers for EU people.

I'm using DDG for a few months and I think it's a great search engine/machine.

Sorry for my not so good English
posted by [Old Forum guest] • 5 years and 8 months ago Link
Actually we do have servers in Europe (as well as Asia). Users in those regions should automatically be sent to those servers within their region.
posted by yegg Staff • 5 years and 8 months ago Link
I've been following this and I detect a bit of privacy grandstanding and bullying bluster in this attack on DuckDuckGo. I have seen this behaviour many times before, and am impressed with the way Gabriel/DDG have responded to it. I can assure you from five years campaigning "alongside" your critic in a privacy related campaign (and then parting company because of just this sort of behaviour), that you should stick to your guns, and certainly not do too much kow-towing.

Unfortunately there are no independent audits or certifications available to verify "privacy advocates" so people self-certify. Which leads to low standards. Just don't take anything at face value and only believe the things you can check out for yourself from an independent source. Some privacy advocates demand accountability from everyone except themselves.

Given that here in the UK we have just been told that our own version of the NSA (called GCHQ), has been taking a tap from the main international internet routing cables in and out of the UK, it really would be pointless moving your servers here.
A substantial quantity of transatlantic internet traffic passes through the UK and therefore through those taps. And no external audit by Europrise or any amount of privacy bluster from your critic alters that fact.
Anyone using Ixquick/Startpage can crow all they like about an audit - their entire data stream still goes through those taps - just do a tracert for ixquick.com and watch your packets leave the UK via those very cables - (and get tapped invisibly by GCHQ on the way). That isn't ixquick's fault. I commend both DDG AND Ixquick for trying to protect privacy.

I've posted as a guest - but you can find me as blepharon on twitter. Have a read of my favorites.
posted by [Old Forum guest] • 5 years and 8 months ago Link
I have updated my blog post with citations to show that DuckDuckGo's claims of immunity to being compelled are patently false.  You can read the update from the original link at the top of this thread at the bottom under UPDATE 2.

As for the chap above me (who is one of my two online stalkers and doesn't know a damn thing about privacy or law his only interest is to try and libel/defame me because he hates Privacy International whom I used to work for) he is wrong about GCHQ and Ixquick - Ixquick/Startpage encrypt all their connections BY DEFAULT so even if GCHQ do intercept them via fiber taps in the UK (on the off chance that a communication actually goes through the UK which is no guarantee at all with BGP) the data they suck up would be illegible due to the encryption.

The problem for DuckDuckGo is even though they encrypt their connections by default also, they can be compelled to decrypt that data by a court order as explained on my blog.
posted by [Old Forum guest] • 5 years and 8 months ago Link
blepharon here again.

According to Mr Hanff, the data obtained from a GCHQ fiber tap "would be illegible due to the encryption". Whereas in the USA DDG can be "compelled to decrypt the data by a court order".

And the UK authorities can't do that sort of compulsory decryption? Oh yes they can.

I suggest Mr Hanff has a read of the UK Regulation of Investigatory Powers Act (which governs the interception of communications) and studies the section on decryption/keys. In case he's forgotten, it's in RIPA 2000 Part III, and it's called a Section 49 notice. It's already been tried out successfully in the UK courts, I think in relation to suspected offences relating to Child Pornography images.

RIPA S.49(2)

(2) If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds—
(a) that a key to the protected information is in the possession of any person,
(b) that the imposition of a disclosure requirement in respect of the protected information is—
(i) necessary on grounds falling within subsection (3), or
(ii) necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty,
(c) that the imposition of such a requirement is proportionate to what is sought to be achieved by its imposition, and
(d) that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section,
the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information.

(3) A disclosure requirement in respect of any protected information is necessary on grounds falling within this subsection if it is necessary—
(a) in the interests of national security;
(b) for the purpose of preventing or detecting crime; or
(c) in the interests of the economic well-being of the United Kingdom.
I'm surprised that a "globally respected privacy advocate" didn't know that.

I think Mr Hanff is shooting at the wrong targets. The problem is the intrusion of government, not privacy friendly search engines. The UK have the same draconian compulsory decryption powers he is shouting about the US government having. And we have had them a long time.

But DuckDuckGo represent an easier target. And people are being misled by Mr Hanff's inaccurate, short sighted, ill tempered attack on a soft target. When it came to his attempts to sue Google, he failed to follow through by not attending court on the day. I doubt if DuckDuckGo have much to fear from him.

I have no financial connection with any search engine or in fact any IT company or commercial interest.
posted by [Old Forum guest] • 5 years and 8 months ago Link
Seems my previous response to this nonsense was not published so I will try again.

You are correct, I know RIPA very well, I was on the Home Office consultation group for the recent changes to RIPA and know it inside out.

What you failed to take into account with your obvious attempt to discredit me, is that Ixquick/Startpage are owned by a Dutch company in the Netherlands with no servers in the UK and are therefore not subject to s49 Notices or any other notice under UK law.  RIPA and the UK courts/law enforcement have zero jurisdiction in the Netherlands.  And no, they can't be compelled under any mutual assistance treaties or other such agreements because to put it in as simple a way as possible, so you might actually understand - Ixquick/Startpage have committed no crime - there is not a single piece of case law to support your argument neither is there any history whatsoever of any attempts from the UK Home Office to use RIPA to compel a foreign company on foreign soil to provide encryption keys for HTTPS connections to their servers located outside of the UK.

Furthermore, the actions of GCHQ are almost definitely illegal under EU law (we will see what happens there but I hear the Commission are already planning legal action against the UK Government for GCHQ's activities). Your suggestion that the UK Government could use UK law in a country it has zero jurisdiction in to facilitate an illegal act of surveillance - is quite frankly ridiculous.
posted by [Old Forum guest] • 5 years and 8 months ago Link
GCHQ cannot use RIPA to compel a Dutch company to do anything - so your entire post was a waste of time and energy.  RIPA is UK law not Dutch law, GCHQ have absolutely zero authority in the Netherlands where Ixquick/Startpage are based. Wow your level of incompetence never ceases to amaze me.
posted by [Old Forum guest] • 5 years and 8 months ago Link
Alexander Hanff has created a fantasy that any and all criticism of him and his childish, ill-informed temper tantrums comes from "two stalkers" as if everyone else on the planet thinks he's a genius and always right.

I would seriously question why Hanff is repeatedly promoting Startpage and Ixquick whilst repeatedly posting inaccurate and misleading slurs against other privacy protecting applications in the same field.

I smell a vested interest.

posted by [Old Forum guest] • 5 years and 8 months ago Link
And out pops tweedle-dee.

The only vested interest I have is in the privacy of the people, if DDG have issues with my comments they have the option not to publish them.
posted by [Old Forum guest] • 5 years and 7 months ago Link
Blepharon again (see @blepharon on twitter)

Unfortunately Hanff has spent time (and venom) on refuting an argument I didn't offer. READ THE POST Hanff.
To the end.
Nowhere do I make the point you are attempting to answer, in your bad-tempered, offensive way.

The point I AM making is that your focus on the USA is misplaced. Your concern should be governments in general abusing their powers over communications and the internet in general. I have demonstrated that there is an equal concern about the UK jurisdiction as exemplified by the GCHQ fibre taps and the RIPA Section 49 orders.  There are other jurisdictions in Europe which give rise to equal concerns.

A narrow focus on "avoiding the USA because Hanff says so" is misguided and misleading. It is also, to coin a phrase you seem to enjoy using, "dangerous".

I am not qualified to say whether the UK government could access and decrypt Ixquick data via the GCHQ fibre tap. Which is why I never said it - which you would know if you could be bothered to read a post more carefully and think before replying. But  to naively assume that the data is safe just because the USA doesn't get its hands on it, is foolish in the extreme. You have completely ignored the RIPA Section 49 argument (and equivalent pieces of legislation in other EU countries) because you are narrowly focussed on this weekend's pet hate - DuckDuckGo. Earlier it was Prism-Break. Before that it was Google. As I write this I see you are exercising your famous charm on Danny Sullivan.
https://twitter.com/alexanderhanff/status/348847005818310657. I wonder who will be next?

It isn't me who has been wasting their time.

Unless of course there is some other agenda we don't know about?
posted by [Old Forum guest] • 5 years and 7 months ago Link

And the UK authorities can't do that sort of compulsory decryption? Oh yes they can.
NO THEY CAN'T against a foreign company on foreign soil - since you are so hell bent on trying to discredit my support of Ixquick/Startpage - which is clearly what your post was about, however much you try and veil it now, your post was completely irrelevant and totally wrong.

Give up, you made yourself out to look like a bloody fool, get over it and crawl back under your rock.

I have called many companies out on Twitter and will call out many more over the coming weeks, you don't like it, stop stalking me and reading my posts - either way it won't stop me writing.
posted by [Old Forum guest] • 5 years and 7 months ago Link
Let's keep it amicable, all. Remember the forum rules. People should feel encouraged to post, not turned away because they're fearful of being attacked. Let's set a good example and keep this at a discussion-level.


posted by zac Staff • 5 years and 7 months ago Link
I'm happy to call it a day at this point zacbrannigan. I think I have made my point (which is NOT the one being refuted by Hanff). I'll leave people to consider the arguments (and the style) for themselves. Unless of course there are some substantive points which need further discussion? (points I HAVE made, rather than ones I am ALLEGED to have made)

Best of luck to DuckDuckGo (and Ixquick/StartPage) - I genuinely wish you well in your uphill battle against the corporate might of Google and widespread public apathy (hopefully that MIGHT change in the future, but I'm not optimistic - privacy advocacy being in the parlous state it is at the moment).

As for repressive intrusive communications-intercepting governments around the world, including my own here in the UK - I wish you well too - that you might come to your senses and start serving your populations rather than trying to dominate and control us. Without our ongoing consent, you have no legitimacy whatsoever even if you have power. Do remember that, cos it might matter, come Judgement Day.

As for "Privacy Advocates" - I wish them well too, but I wish they were better regulated. I'm not sure the Don Quixote windmill-tilting style achieves very much.

If someone else wants the last word,  they are welcome to it. I've enjoyed the exchange. Back to Twitter!

@blepharon on  twitter.
posted by [Old Forum guest] • 5 years and 7 months ago Link
"If someone else wants the last word,  they are welcome to it."

Not me
posted by [Old Forum guest] • 5 years and 7 months ago Link
I tend to agree with Blepharon's stance on the "issue".
DuckDuckGo started to be a privacy-centric search engine. I joined it in 2010. I've been here for... let's see, 3 years~ I was one of the earlier users.
DuckDuckGo had no way of knowing about the new law, so when it is exposed they are automatically "bad"? I would appreciate if they moved their server to a country exempt from these laws, but they haven't even had the time to do such a thing yet! So: Hanff brought this issue and calling DuckDuckGo a fake to encourage the switch? I doubt it. He just wants to debunk a search engine which is rising in popularity through the years. It's supposed to be sensational: in this case, he's gonna be the person known for destroying and exposing the lies of this search engine. Yeah, right. Good luck.

The only thing I blame DuckDuckGo for is the blatant oversight of the tracking cookie in Zesk. This is not expectable for a search engine of its span.

I still find it so stupid that the article said that all DDG cared about was money, and the affiliate codes were proof of that. The way that DDG refers to the search results gives NO information in the referrer, and this has been proven.

I think this heated (pointless) debate should be stopped as @zac said, but I just want to right this wrong.

Founder of http://www.dumbsearch.com/
Moderator of DuckDuckGo
posted by [Old Forum sean-anderson] • 5 years and 7 months ago Link
New law?  FISA has been on the books since 1978, FISAAA (FAA) is a renewed version from 2008 (2 years before you joined them).  PATRIOT has been on the books since 2001 and CALEA since 1994 - there is nothing new about these laws.

Companies who offer services with a unique selling point of privacy should carry out diligence to ensure that what they say they are offering, they are actually capable of offering.  DuckDuckGo should never have set up in the US if they wanted to mitigate the threat to their users' privacy - they didn't.

I have simply been making people aware that using DuckDuckGo poses exactly the same risks to their privacy with regards to government surveillance, as using Google, Bing etc. because it is important that people who are looking to protect their privacy are able to make an informed choice about which services to use.  When one of those services is being advertised as surveillance safe and it isn't, damn right I am going to expose it.

So: Hanff brought this issue and calling DuckDuckGo a fake to encourage the switch? I doubt it. 
Actually here you are also wrong, as I stated on my blog, I had a discussion with Yegg in private on Twitter before ever posting my article, encouraging him to move to the EU at which point I would be able to support DDG - I quoted the DM directly in my blog post.

I have nothing against the company, I want more privacy enhancing technologies (PETs) I have been campaigning around the world on exactly these issues for many years now, including China, South America, North America and Europe - I don't need stories about companies to raise my profile, I am already very well known and highly respected in my field.

But I will not sit back and watch people being told that a service is safe from surveillance when it isn't.  If you don't like that, that is fine you are entitled to your opinion, but don't presume to tell me that what I am doing is wrong.

posted by [Old Forum guest] • 5 years and 7 months ago Link
I watched this with interest but I have 2 comments to make.

1. Who cares if they are in the US? if people want to use them they will, privacy or not, everyone knows that in this current world nothing is 100% secure or private no matter what you do you will leave fingerprints across the net, this is life, accept that or go and live on an island.

2. Those who have a real desire to be secure won't use ANY search service because NONE of them are 100% secure or private (see my point above).

So unless you are really really paranoid, or you’re doing something really really illegal why worry? Live your life, do your own thing and don't worry about big brother watching you, you only need to worry if you are doing something that they might be looking for.

And finally, as someone who has worked in IT for 20 years, PRISM etc etc comes as no surprise to me, the technology was always there, and spying has been around since the dawn of civilisation, we have always wanted to know what everyone else was up to, it is almost human nature to want to know more if not everything....
posted by [Old Forum guest] • 5 years and 7 months ago Link
Wow, there's a lot of mudslinging going on here.

Mr. Hanff, you make a lot of excellent points, but I think your inflammatory tone is causing people to ignore what you have to say. It's unfortunate that we live in a society where people are discredited at the first sign of passion or excitement, but I just wanted to suggest a little more tact and perhaps taking a more assertive, less aggressive posture in this debate, in the interests of being heard.

Not trusting anything in the U.S. due to their legal climate is rather naive and sounds like an easy way to let your guard down. Let's face it, the rest of the world is pretty screwed up, too! As a Canadian I'm not safe either, Echelon gives the CIA an open window through which to spy on us and report back what they find to CSIS (a nice loophole to get around those pesky domestic surveillance laws,) and as part of the deal, CSIS in turn is spying on the U.S. and reporting back what they find on your people, too. The U.K. is doing everything they can to tap transatlantic communications, China successfully blocked every Tor exit node a while back, Sweden has arrested and jailed several operators of The Pirate Bay, and don't even get me started on what Iran, Australia and many others are doing to block and monitor everything they can. This is such a global issue that not even Edward Snowden knows where the hell to run and keeps changing his mind on what the next best place for him to live would be.

If anyone thinks that using any search engine on the open web is protecting your anonymity or privacy in any fashion, they are sorely mistaken. It doesn't matter if you use DDG or Startpage or whatever, that information *can* and *will* be intercepted, archived and retrieved by your government's intelligence if they desire it. Either they will get it directly through their own agencies, or they'll just get it from another country's government agency with whom they've made an information sharing pact. It has nothing to do with the policies or the size of the balls of who runs these search engines, often that information can be retrieved without even needing to involve these site operators.

It takes more work and effort to be anonymous and private than simply using the right website. You need a truly anonymous environment, which requires the right tools, education and cautiousness. It's best to use a live OS (either on a CD/DVD, USB stick or virtual guest OS) designed around anonymity, such as TAILS or Liberte. Verify your download multiple times from multiple sources if necessary to reduce the chances of a MitM attack feeding you a backdoor-edition. Turn off persistence, unless you're incredibly careful and have a good lawyer plus a decent legal environment. Even after you've done all that, you'll need to educate yourself about browser fingerprinting, correlation attacks, sandbox jailbreaking, the ever-present specter of TEMPEST equipment and other ways your anonymity and privacy can be breached even when using these tools. Only then are you ready to even start getting your feet wet doing any kind of shady business. It's not as simple as "Use DuckDuckGo, Smash the State, Mission Accomplished".

Anyway, that's my two cents as a guest who could be easily identified by anyone with an agenda.
posted by [Old Forum guest] • 5 years and 7 months ago Link
My point about it being the intrusive governments that are the problem and not the companies per se (with some notable exceptions), is exemplified by this story here:


The Netherlands, a stable parliamentary democracy, happens to be one of the most surveilled societies, in terms of the extent to which police and security services monitor private communications. In May 2008 the Ministry of Justice released figures that stated the number of telephone taps in the second half of 2007 reached 12491 in total. That is 1681 per day. 84% of this tapping concerned mobile phones. Compare this with the news that there were 2208 taps in the United States in the whole of 2007. And the Dutch figures concerned only the police – the security services fall outside of this assessment...

At the beginning of March the National Management Organisation for Internet Providers (NBIP) released figures for 2009 that showed the AIVD and the Ministry of Justice tapped 335 times an internet or VoIP (Voice over Internet Protocol) connection, involving in total more than 1.5 million end-users. These 335 taps stretched for a total of 8920 ‘tap-days’ in 2009.

NBIP itself was involved in the tapping of 59 internet providers. But it can’t go any further than this – releasing details of which providers were tapped, or what the AIVD was after, would cross the line of state secrecy. But NBIP’s figures already give quite an insight into what is going on. Since the Organisation represents less than 10% of the landline and mobile provider market, these numbers can be multiplied by a factor of ten for a (very conservative) estimate of the national situation. That means a total of 3350 internet taps, stretching for 90,450 ‘tap-days’.

And these figures are on the rise. 2006 saw 69 taps on internet connections, covering 1.5 million end-users. From 69 to 335 in four years is a rise of 385%.

If DDG is suspect because it is in the USA, then doesn't Ixquick become suspect because it is in Holland? Note that the figures in that article do not include security service surveillance (the very thing that Mr Hanff has been complaining about). And woe betide any search engine based in the UK - given our level of GCHQ net surveillance.

Isn't it "dangerous" to recommend Ixquick as secure while condemning DDG? As Mr Hanff says, there is "nothing new about these laws".

I've been campaigning for five years on privacy (and four of them were on a forum founded by Mr Hanff) but I can't follow the logic of this argument on picking out individual companies based on links with the USA. There are plenty of countries currently using intrusive net surveillance and it is not possible for ordinary netizens to choose search engines based on an intimate knowledge of global internet routing policies.

Is Mr Hanff saying that Ixquick "should never have setup in the (Netherlands) if they wanted to mitigate the threat to their users' privacy"?
How safe are we visiting Mr Hanff's own blog, as it too is hosted in the Netherlands? Maybe he has crossed the radar of the Dutch security services and visitors to his blog are being surveilled? We will never know,  because the Dutch security services won't be telling anyone, just like in the USA and UK, where they don't tell anyone either. "When one of those services is being advertised as surveillance safe and it isn't, damn right I am going to expose it." What can I do? Should I remain silent about this Netherlands issue? Or expose it? I'll follow Mr Hanff's example, I'll speak out.

Will Mr Hanff be moving all HIS servers out of Holland on the basis of this information? I doubt it.
Will he be "calling out Ixquick" because it is based in a heavily surveilled country? I doubt it.

Once again - don't focus on the companies, focus on the issue of intrusive surveillance by governments. And realise that it is far more widespread than just in the USA.

Best wishes all.
posted by [Old Forum guest] • 5 years and 7 months ago Link
Cell phone networks and ISPs fall under the Dutch version of the Data Retention Directive, online services do not and are therefore not subject to data retention law in the Netherlands. Instead of just cutting and pasting irrelevant nonsense, actually speak to a Dutch lawyer on these issues. I know several, I also know several Dutch politicians, respected academics and experts on Dutch law.

Yet again you post completely irrelevant information based on a quick 5 minute "Google" search with absolutely no legal background or understanding of the context.  I won't respond to your posts further, there is no point arguing with someone so lacking in intelligent arguments.  Posting out of context is what you do best as your Twitter feed clearly illustrates.
posted by [Old Forum guest] • 5 years and 7 months ago Link
Furthermore, since he keeps accusing me of focusing on companies and not the regimes where they are located, I will respond to that too.

I am an active campaigner/lobbyist on issues of privacy and human rights at the regional level including within Europe, South America, China and North America.  I engage in consultations on legislation on a regular basis and directly work to promote changes in legislation to enhance the fundamental rights of citizens.  It is what I do every single day, 365 days a year - but I also try to encourage people to take more responsibility for their own rights by using privacy enhancing technologies and changing the way they interact within the digital society.

To continually say don't focus on the companies blah blah blah is a total misrepresentation of my work - as he very well knows.

At the end of the day people will make their own decisions on what technologies to use. That is entirely their choice, but it won't stop me highlighting the issues and raising awareness - neither will it stop me exposing vulnerabilities or promoting privacy enhancing technologies that I believe offer strong protections to consumers.
posted by [Old Forum guest] • 5 years and 7 months ago Link
blepharon again:

I wonder if online services are safe against THIS sort of legislation?


The Dutch government has unveiled a new Bill that would empower its investigators to hack into PCs and servers, install spyware, read people's email and even destroy files - all in the name of fighting cybercrime.

The proposed law, published on Thursday and signed by Ivo Opstelten, the Dutch minister for security and justice, would also allow investigators to target computers and servers outside of The Netherlands. Investigators, though, would have to seek judicial approval first...

The Dutch bill would also make it a criminal offence for a suspect to refuse to decipher encrypted files during a police investigation - similar to UK legislation, the Regulation of Investigatory Powers Act (RIPA), passed in 2000.

With respect to the data retention legislation - presumably that means that someone using Ixquick from a Dutch ISP IP address would be subject to snooping? And that the Dutch authorities could:
  1. Get the customer details from the Dutch ISP based on retained data.
  2. Require the Dutch operators of the Ixquick servers to provide decryption information (as provided for in the new law)
Is that SAFE? Seems to be a very similar scenario to that faced by DuckDuckGo in the USA.

It is quite clear that governments all over the world simply want to spy on citizens. They are prepared to either break the law or pass repressive laws to enable them to do so legally. They operate largely in secrecy so by definition we do not KNOW what they are up to. They also are prepared to co-operate with one another to by-pass any inconvenient laws (as exemplified by the recent revelations about the games played by GCHQ and NSA). Is there any reason to trust the Dutch (or any other European government) more than the UK?

It is unreasonable to stamp on DDG in the way Mr Hanff has done so, while getting so hot under the collar at any suggestion that Ixquick data might not be as safe as the gold in the vaults of the Bank of England.
posted by [Old Forum guest] • 5 years and 7 months ago Link
A proposed law, which currently doesn't exist and would be in breach of EU Directives and Regulations, leading to infringement proceedings, if it ever came into being.  If you want to look at proposed laws that have not been put onto the books yet, we can talk about all sorts of stupid things.

As I stated previously, Online Services are NOT subject to data retention under existing Dutch law, only telecoms and internet services providers.

Are you going to continue to post lies and irrelevant information about fantasy laws which don't exist?

Seriously, if you guys want to listen to him, go ahead, his posts become more and more delusional with every iteration - I simply don't have the time to waste responding to his fantasies, I have too much work to do.
posted by [Old Forum guest] • 5 years and 7 months ago Link
Blepharon here - I'll keep it civil and avoid personal accusations or abuse.

Anyone who has been following the news this week is surely a lot less complacent about the extent to which their own government is protecting their citizens' interests? Or about the extent of co-operation between friendly  governments with regard to data-sharing? Or the extent to which commercial companies share, willingly or not, accountably or not, secretly or not, data with their own or overseas governments?


'AIVD also has access to information from PRISM'

Dutch secret services also get information from the Internet surveillance program of the U.S., PRISM. If the AIVD (Dutch intelligence agency) signals a U.S. address as suspicious, within five minutes all information is known, says an AIVD agent this morning in The Telegraph (dutch newspaper). The agent was working for a Dutch agency which monitors muslim extremists.

According to the agent many companies are actively involved in giving access to their data. "All the major commercial internet services are forced to provide an application to access their data". Together these applications form the program/programme of the U.S. National Security Agency to collect confidential internet data.


Skype denied access for years, but now that it is owned by Microsoft it shares all data, as is the case with Google and Facebook. The executives of the latter two companies claimed Saturday not to be aware of the Internet surveillance program.

Dutch companies would kindly cooperate. "When a request is made you just get instant access to the data, all on a silver platter." If a company does not cooperate, an agent is 'activated' who has access to the information of the company. Inside businesses and institutions, everywhere agents can be enabled/activated to execute a request for information.

Remember - the original argument from Mr Hanff was all about how DDG was not SAFE. And that DDG executives were not to be trusted. Because of its location and because of what the NSA "MIGHT" (secretly) ask it to do under FISA legislation (to start collecting data that it has never collected). Fantasy? Readers will have to judge for themselves. But it looks as if the problem is a bit more widespread than he seems prepared to admit.

I have referred to the actual GCHQ international fibre tap that intercepts traffic in and out of the UK (including Ixquick traffic). Fact.
I have referred to the co-operation between security services and governments, including between European governments and the USA which can and does deal with encryption issues and referred to actual Dutch legislation about decryption powers. I have cited real reports exampling such co-operation. Fact.
I have reminded readers of the revelations of genuine examples of international government co-operation aimed at side-stepping legal barriers to surveillance. Fact.
I have referred specifically to the available Dutch laws that would subject Dutch ISP customers using Ixquick to surveillance. Fact.

None of those points have been answered with respect to applying the same criteria to Ixquick as Mr Hanff applies to DuckDuckGo.

I have further given an indication of the actual WISHES of the Dutch government with regard to its plans for future legislation - that is a very good clue as to what they may already be doing by extra-legal means or by side-stepping legal barriers (exactly as we have seen in the UK, as an analysis of William Hague's recent Commons statement will show). That isn't "fantasy". It's common sense not to ignore a government's plans for future legislation - for example the Communications Data Bill in the UK which shows us very clearly what the government here would like to be able to do legally (whereas at present, it has to work out extra-legal ways of doing it).

I am accused of posting lies but regrettably no details are provided. I'm used to that - I don't think I've ever seen Mr Hanff follow through one of his accusations of libel or lying with a factual reference or quote.

Do I really think this is a reason to recommend internet users to avoid Ixquick? Of course I don't. But then neither do I think PRISM/FISA is a reason for proposing a blanket ban on the use of DuckDuckGo. There are far more important problems to be dealt with and far more important priorities to be addressed if we are seriously to protect our privacy.

The minute you go online, when your provider can't be trusted, when surveillance occurs in secret, when governments sidestep or openly break the law, then it doesn't matter WHAT service you use. You may be surveilled. Mr Hanff can't recommend a "safe" service, nor can he accurately identify UNsafe ones. When I go online I bear in mind that I may be being surveilled. I recently was the target of a series of targeted keylogger attacks from Singapore via infected email (they didn't succeed) from a commercial source - aimed and crafted at me specifically. Today when my bookmarked online bank login page couldn't be reached I rang my bank to ask if it had been changed - it had. I'm careful. My ISP already try and read the content of my emails contrary to RIPA 2000 and I have so far been unable to get them sanctioned legally. I'd like assistance from "privacy advocates" about that  issue but they don't seem bothered by it.

But if people feel that simply avoiding every US company and trusting the European ones will keep them safe. Well - bless you. I'm afraid I'm not that complacent.
posted by [Old Forum guest] • 5 years and 7 months ago Link
With regard to data security in Holland...

Hanff asserts:
 Cell phone networks and ISPs fall under the Dutch version of the Data Retention Directive, online services do not and are therefore not subject to data retention law in the Netherlands.

although that doesn't seem to stop the companies concerned from intercepting communications, including presumably, their customers' Ixquick searches?


 A study by the Dutch Data Protection Authority (CBP) has uncovered a series of data violations at KPN, Tele2 Netherlands, T-Mobile Netherlands and Vodafone Netherlands. The study was launched in 2011 following reports about deep packet inspection (DPI) on mobile networks. According to the study, companies often kept data too long or did not anonymise fast enough. Tele2 Netherlands used data for marketing purposes, contrary to the law. KPN is the only company which addressed and resolved all the issues raised.

The CBP found companies stored customer data such as visited websites or used apps, in violation to the Personal Data Protection Act (Wbp) and the Telecommunications Act (Tw). According to legislation, such data must be either deleted or irreversibly anonymised as quickly as possible. The study also said that customers were not or were incorrectly informed about the data operators were collecting, showing a lack of transparency. The data can say much about consumer behaviour and choices.


In today's surveillance climate, NO internet communications are "safe" and it is foolish to try and discriminate between providers based on crude delimiters such as geographical in the USA. Having your servers in Holland doesn't make your service "safe" from snooping by the AIVD OR by the CSP. It is up to the end user to secure their own services via quality encryption.
posted by [Old Forum guest] • 5 years and 7 months ago Link
Alexander Hanff's portrayal of the Netherlands as being some kind of privacy holy-land over the US seems pretty unfounded so far :/
posted by [Old Forum guest] • 5 years and 7 months ago Link

hello, i just joined the forum and have been looking at some of the recent post discussions. i hope everyone is exhausted from the above, but i couldn't stay silent! i have only used computers for the last 42 years, and still have no history that would constitute vested interest or political agenda. i am not worth attacking!

the assumption [i am in uk] is that all internet traffic in uk, europe, usa is captured by gchq, nsa and so on at source [via information exchange between them]. i haven't done the sums but even 256 bit ssl encryption is do-able by these organisations. of course they wouldn't waste their time with most internet traffic. the question is how far the information leaks into government and business on the peripheries.

in my time i have been at the receiving end of the great and the good using their reputations to assert that i was wrong even when i was right [i was a post doc then]. so reputations are a bit lame..

i am more likely to believe that the ddg team are truthful about not tracking the data when it is under their control, than a professional writer who moves from target to target grazing on their minor mistakes. it would be better to investigate google [for example], who probably have an office set aside for the fbi [only joking, but bt and bbc did/do have mi5=fbi offices set aside].

but who am i to say? i think that people who are really scared about their privacy should use tor [i have only played with it so far]. of course tor users stick out like a sore thumb and merit a further look by the authorities.

that's all a bit lame on my part, boiling down to trusting the ddg team who have bet their house on doing what they say they're doing. i'll leave the technical arguments to those who understand them.

best wishes, jack

posted by [Old Forum jackspider] • 5 years and 6 months ago Link
@blepharon again.
Alexander Hanff's portrayal of the Netherlands as being some kind of privacy holy-land over the US seems pretty unfounded so far :/
It is odd, I agree, especially when you read comments like this by Paladine (google that name)
quoted here from overclockers:
 (the original was deleted by Paladine 7/1/13 at 3:38am)
Originally Posted by Paladine
Careful whom you mock, the Dutch government along with the UK government have been exposed as having been using the NSA's PRISM programme to circumvent the legal processes required under their national laws - given you are Dutch you might want to consider that before mocking the very people trying to protect your civil liberties.

It all seems very contradictory. I repeat my point that we should not be focussing on company tracking in this debate but state surveillance. And right now, I think it is DANGEROUS to promote Europe as a safe place to use the internet from a privacy point of view.
posted by [Old Forum guest] • 5 years and 6 months ago Link
There is no doubt that DuckDuckGo tracks you, and anybody can check that at any moment:

1) Enter search term, and get search results
2) Click on any link - all clicks do not go directly to website from search results, but through their redirect service r.duckduckgo.com, and only then to website. There is absolutely no reason for that, except for tracking you. They want to know where you go.

posted by [Old Forum guest] • 5 years and 6 months ago Link

Click on any link - all clicks do not go directly to website from search results, but through their redirect service r.duckduckgo.com, and only then to website. There is absolutely no reason for that, except for tracking you. They want to know where you go.
Incorrect. Please read the information in this post for complete information. Thanks.

Forum Moderator
posted by x.15a2 Community Leader • 5 years and 6 months ago Link

but through their redirect service r.duckduckgo.com, and only then to website. There is absolutely no reason for that, except for tracking you.

URL redirection can be used for URL shortening, to prevent broken links when web pages are moved, to allow multiple domain names belonging to the same owner to refer to a single web site, to guide navigation into and out of a website, for privacy protection, and for less innocuous purposes such as phishing attacks.

Sounds like only one reason to me. You might as well edit this Wikipedia article and remove the 'privacy protection' one. Enjoy.
posted by [Old Forum benbowen] • 5 years and 6 months ago Link
"Well, I found a blog with an interesting article about DDG, cookies and tracking."

Oh! Also, no thanks for your lie. You can't really find something you made, so shut up.
posted by [Old Forum benbowen] • 5 years and 6 months ago Link
From Guest's post above:
It is odd, I agree, especially when you read comments like this by Paladine (google that name)
Sorry, I don't "google" anything. Let me duck that for you!

Forum Moderator
posted by x.15a2 Community Leader • 5 years and 6 months ago Link
Apologies for my bad language ;-)
I am indebted to the person who contacted me to say 'I think you may find this interesting'
with a link to the overclockers forum and then I scrolled down a bit further and saw the quote from the deleted material about Holland.

Best wishes.

posted by [Old Forum guest] • 5 years and 6 months ago Link

I have an old version of ZoneAlarm which I can put certain identifying features of my computer into the privacy section. This is great but can be irritating because the small adverts on many sites demand techie user information from ip address to browser to user name to computer name and so on, & I'm always having to 'allow' or 'deny' the information to be sent.  The worse sites are those you'd least expect it from, e.g. media sites, sites to do with computers  &c. Reuters used to be great, but no more!  No doubt web sites get an income from the advertisers totting up how many access the page & what browsers they use &c. It's all to do with the statistics.

So I just tested DDG.  After clearing my permissions and caches (with Mozilla Firefox v.23 already having DuckDuckGo as the default search engine), I place the cursor in the Mozilla DDG search engine box. Before even typing anything I'm first asked to send (unidentified) info to duckduckgo.com. Then asked to send (unidentified) info to 'safebrowsing.clients.google.com' - even though I've eliminated google as the Firefox search engine. In sequence the demand for (unidentified) info comes from 'safebrowsing-cache.google.com', then 'rapidssl-ocsp.geotrust.com'. All these requests are denied by me.

I search for 'duckduckgo' (via the mozilla search box for duckduckgo). The search page comes up! (Doesn't always do this with search engines if you refuse everything.).
Optimistically, when I press the first page on the list - obviously duckduckgo.com - hey presto I get the '403 Forbidden / nginx'.
But I'm allowed to reach the Mozilla site on the duckduckgo list further down (which asks again for geotrust.com info, which I refuse).
I clear out the privacy settings just imposed above & clear the cache.
Next I put in the google.co.uk address line into the Firefox browser (not into the duckduckgo search box). I refuse google having any techie information, put in duckduckgo into the google search line. A search list comes up. I press on the first offering of 'https://duckduckgo.com/' And...

"The requested URL /htt************uckduckgo.com/ was not found on this server. That’s all we know."

This appears to be the google search site preventing me from access to the sites on the list.
The site permission list/privacy list cleared, cache cleared.  I then open up Mozilla again, and, ah! the site www.duckduckgo.com wants me to send techie info, even before I've used its little search box.

In this respect, for techie information sent down the wire, duckduckgo is not really different to google.

Presumably this is all logged on the individual servers for statistical purposes. And may be collected/eavesdropped en route, if not by your own isp. And it's got worse over the last six years.

posted by [Old Forum onlinesubs] • 5 years and 5 months ago Link
That's... really weird. There is absolutely no way to prevent your IP address from being sent other than not connecting at all. There is no way to access a local username or "computer name" at all, from a website. That software sounds really non-trustworthy to me if it's suggesting that it fixes things like that.

DuckDuckGo never logs any identifiable information, though it is of course sent (as it has to be for the Internet to work). It's just discarded before it reaches the logs.

The connections you mentioned when using the search box are done by Firefox -- DDG has no control at that point.
safebrowsing.clients.google.com and safebrowsing-cache.google.com are Google's safe browsing service, which Firefox elects to use to help keep you away from dangerous sites. It is a known privacy risk, and we give one method to disable it on http://fixtracking.com
The connection to rapidssl-ocsp.geotrust.com is to check the validity of the SSL certificate via OCSP -- to ensure you are really connecting to DuckDuckGo, and not something impersonating it. There is no way to connect that lookup to your search terms.

I'm honestly not sure why it connects to duckduckgo.com before you make a search. It might be trying to use autocomplete, but I can't tell at the moment -- I'll look into it. In any case, it cannot be intercepted, and nothing identifiable is logged as usual.
posted by crazedpsyc 5 years and 5 months ago Link
Well, it's Zone Alarm, and when it upgraded to the next version, the forum was filled with people complaining about the omission of the 'privacy' bit.  The next version of Zone Alarm reintroduced it but not as thoroughly as before, so certain info could be sent even if you asked its privacy settings to be 'high security'.  It works on 'strings' sent out. So if I tell it not to send out 'HumptyDumpty' (let's say this is 'User 2''s name) it will tell me that a site is asking for 'User 2' - & to accept or decline.  The more outlandish the string privatised the easier to check the request isn't a conflict. What it does indicate is that web sites are requesting more information than the user is aware of, in addition to Cookies. I've worked out it needs the string to be more than 4 characters otherwise you don't know what exactly the information is that's being requested, this could be the browser type, but whatever it is, the other computer is still asking for data that it doesn't necessarily need.  I have actually locked myself out of the internet by being too thorough.  It may be of course that some of these requests are guarantors for safety. But then why should access be refused if I don't allow it ?  This was indicated both by Google not allowing me further, as did the DuckDuckGo site.  The list of what tries to access the computer is provided on the relevant Zone Alarm program tabs - and you can give permissions to favored sites -  and after a short session on the web the logs collect masses of names of ips, web sites, really weird things, all trying to get permissions to go further in.  What's important to note, as I wrote initially, is that while web sites never seemed to need this info, it now seems mandatory to 'agree' to the demands if you want to view the site(s).
posted by [Old Forum onlinesubs] • 5 years and 5 months ago Link
Getting weirder and weirder.

Since DDG uses HTTPS (SSL) for everything, there is no way your firewall can see the content of the page at all. That's true for any site using HTTPS, so the filter would be very inaccurate. If you are trying to filter out connections that include your IP address... just... don't. Every connection on the internet has to contain an IP address, or nothing would ever make it back to you-- that's the point of IP addresses.

As for DDG's 403, the service doesn't deny requests made without private information. It doesn't request private information at all, your web browser sends some intentionally (the name/version of the browser and operating system). It denies requests that are impossible to fulfill, and requests that look entirely malformed. As far as I can tell (from what you're saying), your filter is just breaking requests, not helping privacy at all.
posted by crazedpsyc 5 years and 5 months ago Link

This guy probably works for Google.

posted by [Old Forum guest] • 5 years and 5 months ago Link
follow up.. the "duckduckgone" html link at alexander's blog shows the attitude of alex about DDG. right there in html.

he is antagonistic.

secondly, he is only one of 3 people on interwebz. i found that has a beef with DDG enough to make me look at their claims. basically it all boils down to NSA IS GOING TO GET YOU. and you know what? they might. but that is about DDG specifically.

i found this thread...http://search.slashdot.org/story/13/07/1...

interesting to note that original blog is a one off... single post to a blog. from a guy named brett woolidge. Brett is real person. he works at a company in japan.

he says he not trying to spread FUD (fear uncertainty doubt) but it is really weird to do a one off blog with one post...but kudos for getting 84 comments on that one post! you totally kick the ass of blogability.

It is ironic that brett used google blogspot to create blog, though.

finally I found this which sums it up for me.


I liked ddg before I read alexander. now I have spent two hours of my life. I am more impressed with DDG than I was before I started. to make it official, I deleted the other search engines in chrome, made it my default, and my homepage.

DDG, I think it might be good to write something up about the following question

"you don't track us. but what if a judge compelled you to start and put a gag order on you."

btw, the only correct response is....you break gag order. because you should live or die on issue the government not secretly spying on us and forcing companies to help.

posted by <hidden> • 4 years and 10 months ago Link
first I want to say that I wish Alexander hanff a good life. no personal ill will. What I am not impressed with is his level of professionalism and ability to have a discourse.

So Alex Hanff kind of lets the cat out of the bag on his whole mindset when he says "External audit won't really make any difference as long as you are in the US because you are still vulnerable to US law - I won't ever be comfortable recommending you as long as you are in the US."

that is interesting for a couple of reasons.

the first would be that he made an issue of the external audit. he cited that as something that mattered. when the CEO (holy shit fuck me, am I siding with a CEO? I am in the twilight zone) said "As I've said before (and to you) we are happy to be externally audited. Who do you recommend we pursue that audit from?"

but then the paid professional privacy guy alex (again, how is it that I am annoyed at the privacy side guy, I am always on that side!) said "based on your comment on stackexchange you don't want to bother with an external audit:"

well I am not a privacy expert, but I did have a minor in English and speak it well, and I am noted for being able to read context and understand basic English. Alexander claims that the CEO DOES NOT WANT TO BOTHER with an audit. from this quote:

"I've thought and explored external verification, from someone like the EFF for instance, but I don't think that really would do much to assuage the core of the comment. " -- duckduckdude

"I don't think that really would" is not equivalent to "not gonna bother"

so what does this exchange show me?

well, it speaks nothing about Alexander's acumen as a privacy expert. he may be great.
but it speaks volumes about his ability to temper and measure his statements. if alexander really was being a privacy expert, he should be less inflammatory and more exacting.

you don't exude professional integrity and competence when you start feuding online with a CEO. That is the perfect time to be understated, precise, and tactical in what you say and how you say it.

here is what I believe to be the truth.

alexander cares a lot about privacy. but he also wants to make money. creating an internet presence is about buzz and controversy. I only found this stuff due to alex's controversy.

alex got all righteous about duck duck go....but by his own admission, he had no reason to spend so much time and energy. he keeps debating small points and making other points and saying "it matters that they made search of him"

But he explicitly states that he cannot recommend a search engine (meta or whatever) that operates in the united states. if Alexander were to simply write a blog post saying 'I can't recommend duckduckgo because I cannot recommend anything hosted in the US'......where is the drama? where is the feud? who is going to link or send that article? no one.

so instead, he states "I have also been explaining to people on Twitter that using DuckDuckGo on the assumption that their searches will be private was a misunderstanding of who DuckDuckGo are and what they do and pointed them to the previously mentioned blog post. "

but really, all his talk of duckduckgo is specious. it boils down to the fact that alexander is worried/ranting about all US-based companies. he claims the average person is "at risk" because the US court can compel duckduckdude to log searches.

he said, she said. ---alexander says he is a scholar of law on the issue. I am very well read but I am only a "scholar" in one area..where I have my masters, no other. when alexander gets his law degree, I will consider him a scholar. he may be knowledgeable...but "scholar"..it is claims like this that show a lack of professionalism. but if I was really worried about my internet privacy, I would not pay 100 bucks to a privacy expert if my issue was legal. I would pay a lawyer.

he should have said "I am well-versed in" not "I am a scholar". they are very different claims. I will say that alexander is well-versed in issues of privacy law. duckduckdude rebuts him with "my lawyers say we are good"

well, again, can't believe I am on the side of a CEO, but I think duckduckdude is right. however, he is not a "scholar" either. get me a phd in privacy law to explain this shit to me, and I might start to actually be more sure about the whole "nsa gets your stuff" from ddg.

the crux of the matter is DDG is not storing your stuff. if big bad government wants to compel them to, and if they tried to gag order that...DuckDude seems to be saying he will fight it publicly. let's face it, google and bing and yahoo and verizon are all cowards. they are huge corporations with a lot of employees. some of them are publicly traded. they did not want to go up against guv't.

duckduckdude is young, already made 10 million, funded duckduck all by himself, and now has only 20 employees. If I had to bet, I would bet Duckduckdude is the don quixote type who won't bow to NSA or big government.

is duckduckgo "safe" no! but only someone as dumb about the internet as my parents would ask that question about a search engine.

the point of duckduckgo is that they don't target or track.
they keep you anonymous.
it seems to me like they will fight the government...google/yahoo/bing never set out as a mission statement to keep internet privacy...it was something they thought mattered but that was not the purpose...

why was DDG created? for privacy....it is in the mission.

I am not blindly going to follow DDG. they could go "corporate" sell out, lie to us...but so far...I have a lot of trust in DDG.

posted by <hidden> • 4 years and 10 months ago Link
I think a lot of people are being really naive about US laws and privacy.

If DDG servers belong to a US company I wouldn't believe for ANY SECOND that they could refuse to provide data to a government agency.

There have been too many precedents; it's not even worth bothering to discuss it. And even if they can't legally, the NSA would probably have the ability to threaten/force DDG to do so.

So then people were responding to Hanff by saying "why bother? Every country and agency is spying on us".
What kind of lame answer is that? So what? NSA and GCHQ have been wiretapping everything everywhere so we shouldn't try our best to preserve some kind of privacy?

While you still can be intercepted or legally forced to give user data in Europe too, you are taking a much higher risk for that when keeping your servers in the US.

I'm not saying moving DDG's servers to Europe would solve the issue but it would almost CERTAINLY make it harder for government agencies to force DDG to give data or even worse wiretap its users.
I'm not a lawyer but I'm pretty sure there is somewhere in the world where laws are still protecting privacy better than in the US.

So when I see a badge saying "Switch to DuckDuckGo, No NSA surveillance" I'm laughing.
Really? Even in Europe we wouldn't dare say we can argue that we are not spied on by the NSA and DDG would say so? In one of the countries with the most liberticidal laws ever?

As long as I don't see a well known lawyer telling me that DDG is as safe (legally) in the US as in some other countries (in Europe or elsewhere) I really wouldn't believe for a second that DDG can keep my data from the NSA.

I do use DDG because it's a powerful engine and still more "privacy oriented" than google. But the assumption that they can prevent government agencies from gagging, threatening or handing them subpoenas is a joke. At the very least, the US will never be the BEST place to be if you want our server data to remain private. And for that I think DDG would probably admit it.

I'm not saying either that DDG is bad, I'm just saying that as long as they remain so linked to the US they shouldn't pretend to be able to prevent government agencies from taking data from them.
I don't even think DDG would be happy to hand data to anyone, they just WILL HAVE TO, like we have seen in the past for pretty much any US based business. It's just the way it is.

And please, I beg you, stop saying that since we are tapped on a network level (country-wide wiretap and so on) we shouldn't try our best to keep some privacy. As mentioned before, HTTPS for instance is yet to be proven to be broken. It means that end to end encryption is still working, right? In that case your vulnerability to US LAW is a valid question.

I'm just waiting to see a DDG official telling me that US soil is the safest place (in legal terms) to store user data in privacy. Meanwhile, it remains to be proven by a lawyer that DDG can really defend itself against government agencies.
posted by <hidden> • 4 years and 10 months ago Link