In my recent blog post PRISM - Where do we go from here? I made the point that using services such as DuckDuckGo on the presumption that they are safe, is a dangerous thing to do and explained why. I have also been explaining to people on Twitter that using DuckDuckGo on the assumption that their searches will be private was a misunderstanding of who DuckDuckGo are and what they do and pointed them to the previously mentioned blog post. I even had a short conversation with DuckDuckGo's CEO via Direct Message (DM) on Twitter explaining my reasons and suggesting he move operations to Europe in order to escape the US Surveillance machine - at which point I would be happy to support them:
"You guys should consider moving all your business to the EU and setting up new exclusively EU corp (no ties to US), then I can support you."
Upon further investigation over the following days, I discovered that DuckDuckGo were not complying with their own Privacy Policy which states:
Another way that your searches are often tied together at other search engines are through browser cookies, which are pieces of information that sit on your computer and get sent to the search engine on each request. What search engines often do is store a unique identifier in your browser and then associate that identifier with your searches. At DuckDuckGo, no cookies are used by default.[Emphasis Added]
Yet they do store a cookie by default - this cookie is called "user_segment" and is valid for 1 month after it is first set.
Furthermore, they state in their privacy policy that they do comply with law enforcement requests and then attempt to offset concerns by saying they don't log anything - what they don't tell you is they can be compelled to log your searches as a result of those law enforcement requests, so admitting they comply with such requests is also an admission that they cannot guarantee they will not log your searches.
To make matters worse, they also attach unique identifiers to certain search results in order to obtain commission payments should you make a purchase on an affiliate site (where they get their revenues) - this identifier's sole purpose of existence is to track users between DuckDuckGo and affiliate web sites.
I have been making these points clear to people wrongfully assuming and telling other that DuckDuckGo is a good search engine if you seek privacy - not because I have anything against DuckDuckGo, simply because I want people to be fully informed about the risks posed by the services they use.
Today DuckDuckGo responded, with an illustration of exactly how much they value peoples' privacy. They sent me a tweet with the following:
DuckDuckGo @duckduckgo
@alexanderhanff thanks for sharing @duckduckgo! An easter egg in your honor duckduckgo.com/?q=alexanderha… -- bottom right corner :)
If you visit the link you will see they have setup a custom search for my name with my picture at the bottom right corner of the page. They did this purely out of spite because I was making people aware of my concerns regarding their service. They did this because they don't care a hoot for peoples' privacy. On the plus side, at least we have now seen their true colours - somehow I don't think the people behind Startpage.com and Ixquick.com would ever resort to such spiteful actions and of course, they have been audited and certified by Europrise something DuckDuckGo cannot claim about their own services.
UPDATE
DuckDuckGo have now removed the custom search and image linking back to my Twitter account, I guess they were afraid of people seeing them for who they truly are - too late DuckDuckGo the horse has already bolted.
Update 2
DuckDuckGo have now responded to this post the link is in the comments below but I wanted to clarify a few things by updating the original post.
First of all, DuckDuckGo have admitted that the cookie did exist and was being set by a 3rd party (desk.com) - they have since removed the cookie which is why people are no longer able to find it, this is as a result of my exposing the issue.
Second, DuckDuckGo insist that they cannot be compelled by the courts to provide access to user data which crosses their networks or touches their servers - they even claim they are exempt from Communications Assistance for Law Enforcement Act (CALEA) - this is misleading. They may be exempt from having to pre-install technologies providing the ability to "wiretap" (intercept) data on their networks but they can still be compelled to do so:
Notably, a U.S. court can compel any provider to provision a wiretap, even if the provider is exempt from CALEA. But exempt providers need not necessarily adopt tools in advance to meet CALEA's specifications for immediate and unobtrusive interception, with high-quality data streams and without infringing on others' privacy.
[Source]
Furthermore, they can be compelled to decrypt the encrypted data (HTTPS) since they are the origin of the encryption and have the capability to decrypt it:
"Covered providers are not required to decrypt communications unless they initially provide the encryption service, and, moreover, have the means to decrypt."
[Source]
When you understand this and include the fact that in their Privacy Policy, DuckDuckGo state they will comply with law enforcement requests, it becomes pretty clear that their "We don't log anything." statement offers absolutely zero protection and their claims that they are immune to being compelled to intercept and/or log are patently false.
