
> DuckDuckGo is a mirage ... The privacy problems with this claim are many ... good luck verifying ...

Okay, can you list just a few?

If you're going to make counter-claims like this, you're going to have to provide evidence.

Statements like these are not conducive to gaining popular support for increased privacy.



How do you save a search in a non-personally identifiable way? Do you have a human verify the data belonging to each and every search? Not saving IPs and/or browser data doesn't solve the problem since the search terms themselves can be personally identifiable.

How do you verify that DuckDuckGo does -the minimal and ineffective- things they claim to do? They offer no proof.

How do you verify that DuckDuckGo does not secretly cooperate with more powerful coercive actors?

How do you verify that DuckDuckGo, offering a single point of compromise, has not been thoroughly compromised by more powerful actors?


"How do you save a search in a non-personally identifiable way?"

To a first approximation, you just... do it.

Granted, if you search "{jerf's realname here} {embarrassing disease} cure" or something, in the pathological case, you could at least guess that maybe it was me, though even then my real name is far from unique, and nothing stops anyone else from running such a search.

But otherwise, if all you have is a pile of a few billion searches, you don't have any information about any of the specific searchers. Even if you search for your own specific address, you don't really get anything out of it; there's no guarantee it was you, or a friend of yours, or an automated address scraper. There isn't much you can get out of a search string without more information connected to it.

The rest of your criticisms are too powerful for the topic at hand; they don't prove we shouldn't use DDG, they prove we shouldn't use the internet at all.


At the very least your example is PII which you cannot save and also claim to be Private.


The mere existence of someone is not really PII. You don't know that I did that search, nor can you connect it to anything else... and this constructed example in which I try to jam some sort of PII into a single search is itself a bizarre example that probably corresponds to fewer than 1 in 100,000 or 1 in 1,000,000 searches, if that. When's the last time you stuck your own PII into a search box and connected it to something of some sort of significance? It's a very small edge case.

A search history can reveal many things about a person. The mere fact that someone, somewhere searched for "star wars harry potter crossover slash", unconnected to any other search item, doesn't reveal anything about anybody.


> How do you save a search in a non-personally identifiable way?

Save a sha256 hash of every search for 24 hours. If you see the same hash from >10 distinct IP addresses in a 24 hour period, save the search terms.

That's just off the top of my head, I have no reason to think they're doing it exactly like that. The point is that you're claiming that we shouldn't trust DuckDuckGo because you can't think of a way that they could securely and privately do what they do -- but that's just your intuitions, for whatever they may be worth.

I also don't really buy the worries you have with the last two questions, e.g.:

> How do you verify that DuckDuckGo does not secretly cooperate with more powerful coercive actors?

How would you verify that for any centralized service, open source or not? I think your security concerns go a bit beyond what most people interested in critiquing / improving DDG can reasonably expect to achieve.
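The thresholding scheme sketched in the comment above, as an added example that is not part of the original thread and not DuckDuckGo's code. The class name, the query normalization and the HMAC tokenization of IP addresses are assumptions made here; the SHA-256 hash, the 24-hour window and the ">10 distinct IPs" rule come from the comment.

```python
import hashlib
import hmac
import os

WINDOW = 24 * 3600  # seconds: the comment keeps hashes for 24 hours
THRESHOLD = 10      # the comment saves terms once seen from >10 distinct IPs

class ThresholdSearchLog:
    def __init__(self):
        # Assumption (not in the comment): IPs are stored only as HMAC tokens
        # under a random in-memory key, so pending state holds no raw addresses.
        self._key = os.urandom(32)
        self._pending = {}  # sha256(query) -> {ip token: last-seen time}
        self.saved = set()  # plaintext queries that crossed the threshold

    def _expire(self, seen, now):
        for tok in [t for t, ts in seen.items() if now - ts >= WINDOW]:
            del seen[tok]

    def record(self, query, ip, now):
        """Count one search; return True if its plaintext is saved."""
        norm = " ".join(query.lower().split())
        if norm in self.saved:
            return True
        digest = hashlib.sha256(norm.encode()).hexdigest()
        seen = self._pending.setdefault(digest, {})
        self._expire(seen, now)
        seen[hmac.new(self._key, ip.encode(), hashlib.sha256).digest()] = now
        if len(seen) > THRESHOLD:
            # Plaintext comes from the request in hand, never from the hash.
            self.saved.add(norm)
            del self._pending[digest]
            return True
        return False

    def purge(self, now):
        """Drop hashes with no sighting left inside the window."""
        for digest in list(self._pending):
            self._expire(self._pending[digest], now)
            if not self._pending[digest]:
                del self._pending[digest]
```

An unsalted SHA-256 of a short query can be recovered by hashing a dictionary of likely searches, so the pending hashes remain sensitive until they expire and `purge` has to run on a schedule.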


> How would you verify that for any centralized service, open source or not?

Other centralized (search) services don't have their entire existence depending on this one factor. What is DDG if not alleged privacy? Just use Bing directly.


I don't understand that argument at all. What's the threat model?

I think it's entirely reasonable to be in the following posture: I want as much privacy for my web searches as I can reasonably achieve without having to run a search engine myself. I'm willing to trust that search providers are not saving personally identifiable information or passively turning over search data to law enforcement if they claim that they are not in their terms of service.

That's pretty much the use case for DDG. With Bing you know they are violating your privacy. With DDG you have a promise in writing that they are not. It's hard to see how that's not strictly better than what you get from Bing if privacy is among your core desiderata.


I think we're on the same page. I was saying that if it were to be discovered that DDG lacks privacy then there would be no reason to use it over Bing since that is its raison d'etre.

> I'm willing to trust that search providers are not saving personally identifiable information or passively turning over search data to law enforcement if they claim that they are not in their terms of service.

Do other search companies disclose that they share data with the FBI, NSA, etc in their ToS? Genuinely don't know.


> How would you verify that for any centralized service, open source or not?

I think, technically, some sort of honeypot verification could prove a compromise (i.e. if information that has very little chance of existing naturally in two systems, say a string of GUIDs).

But... I agree with your point. I don't think this is actually feasible or realistic, just technically possible.



