{{announcement.body}}
{{announcement.title}}

DuckDuckGo Has a Privacy Problem

DZone 's Guide to

DuckDuckGo Has a Privacy Problem

Potential privacy issues in DuckDuckGo.

· Security Zone ·
Free Resource

DuckDuckGo is a private search engine. It is adamant about spreading privacy around the internet. However, there is one issue we discovered that raises privacy concerns. Your search terms, while they may be sent over your network in an encrypted form, show up in plain text in browsing history.

Is DuckDuckGo Really Private?

DDG may work well for reducing advertiser tracking, avoiding filter bubbles, and limiting data profiling. However as this post explains, it may not offer the protection from surveillance organizations that some think. DuckDuckGo, along with many other private search engines, saw a massive influx of users after Edward Snowden sparked general interest in privacy, specifically from government surveillance agencies. Snowden endorsed the use of private search tools for their lack of tracking. However, he also endorsed the use of other data protection measures to create a complete privacy suite. Snowden explains that no privacy tool or system is perfect. But more privacy is a good thing, across the board, even if it doesn’t quite protect you from all angles.

No Forward Secrecy on a Local Level

While DuckDuckGo may not track my searches or link them to my personal information, this is a clear lack of privacy. As a private search engine, DuckDuckGo gives the expectation of privacy. However, anyone with access to your computer can view your searches in plain-text in your browsing history. If any user, or person with access to my computer, can view my search history, there is a clear conflict with the privacy claims that DDG delivers.Browsing history










By comparison, some other browsers don’t display search terms in your history. If you try to go to the links in your history, you will be returned to the search engine’s homepage. That is not the case for DuckDuckGo and Google, which take you right back to the results you were viewing before. This may seem like a minor issue because users could just clear their history.

However, privacy by design means that the most private settings are enabled by default. This extra step makes privacy inconvenient, and the product less user-friendly. Privacy by design is essential, especially for privacy based products. The expectation of private search engines is that they deliver on their privacy promises. In this case, DuckDuckGo has failed.

If your DuckDuckGo searches appear in your history, that means Google can access and track your searches even on this search engine. This is especially true if you use Chrome for your browser. Users who want to search the web privately, but who are less technically adept, may assume they are protected when there is really a clear vulnerability in DuckDuckGo.

DuckDuckGo Displays Search Terms in URL

When you search on DuckDuckGo, your search term is visible in the address bar of your browser. As a result, your search term shows up in your history. If the point of DuckDuckGo is to remain more private while searching the web, it doesn’t make sense to have your search terms visible to anyone with access to your computer (or your network).

Your search URL on DuckDuckGo: https://duckduckgo.com/?q=your+search+term&t=h_&ia=web

Search history in DuckDuckGo










You can see in the image above that using DuckDuckGo or Google leaves your search terms unencrypted and visible to anyone on your computer. 

Let’s say you’re searching for “cars” on DuckDuckGo. If you search and click on one of the search results, you’re taken to that web page; if you return to the search engine and perform the same or a similar search, any of the search results you’ve already visited are shown in a different color.

duckduckgo-search-history












Notice that since we’ve visited cars.com before, the link appears in purple rather than blue. This may seem to be a convenient feature, but we see a privacy issue here. If someone else is using your computer, they can see which websites you’ve visited, and can determine what sort of searches you’ve been doing.

Bangs Don’t Protect Your Privacy

One of DuckDuckGo’s features that many of its users find attractive is “bangs.” These are like shortcuts that you can use to search other websites directly from DuckDuckGo. Say, for example, you want to search for something on Amazon. You can do so directly from the search engine rather, than having to navigate to Amazon first by typing ‘!’ and then selecting Amazon. Unfortunately, the functionality of “bangs” is often misrepresented and misunderstood. There is an expectation of privacy when using DuckDuckGo. Bangs are represented as a way to search other websites on the internet with the “privacy protection” of DDG, but this is not the case. If you use DuckDuckGo and use bangs to search Google, there is no additional privacy protection. This is the same as going directly to Google and searching from there. Google can still track your search and the metadata associated with it.

DuckDuckGo, like many other search engines, offers a search bar that you can be embedded into your website. Google’s version of this is called Google Custom Search Engine, and when you use it, your results are typically embedded on the site you’re searching for. DuckDuckGo’s version of this can’t embed results on your page. Because of how DuckDuckGo sources their results, they cannot “syndicate” search results on your website. This version is certainly better than Google’s Custom Search because DuckDuckGo won’t track your search from the site you’re searching for. However, because DuckDuckGo doesn’t encrypt your search term in the URL, other users on your device would be able to see what you searched for.

Review

DuckDuckGo has a well-established hold on the “private search” market. Its users are extremely loyal to the private search engine. It is feature-rich and has a sleek and modern design, whic makes for a user-friendly experience. 

While DuckDuckGo is certainly another option for searching the web, it is not a totally private search engine. It has some privacy protection measures in place, but you should be able to trust that DuckDuckGo will protect your privacy, since their company is based around it. As a result, you can either trust Google’s extremely advanced security or put your privacy in the hands of DuckDuckGo. 

Topics:
privacy ,internet ,search engine ,private search engine ,encryption ,cybersecuity ,privacy by design

Published at DZone with permission of Christian Stewart . See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}