DuckDuckGo, a privacy-focused search engine, has seen astronomic growth in traffic over the last two years, a sign that privacy may be becoming a mainstream concern for people online after years as a fringe issue.
In fact, usage has grown 600% since 2013, DuckDuckGo CEO Gabe Weinberg told CNBC. Weinberg credits the uptick to the National Security Agency (NSA) leaks from the same year, which revealed widespread electronic surveillance by the U.S. government and created a demand for better privacy on the web.
Internet giants like Facebook and Google have built their companies around their ability to gather customer data to sell ads, and DuckDuckGo represents the start of a backlash against that kind of business model.
DuckDuckGo in the wake of the recent NSA snooping
revelations. If you are in this category this post is meant for you.
If you use DuckDuckGo solely for the myriad of other benefits, such as reducing advertiser tracking, filter boxing, etc., move along, nothing to see here. DuckDuckGo will provide you at least that level of “privacy”.
Update: Wow, I didn't expect this blog post to spread so widely. First of all, let me say to those accusing me of hating on DDG, I am a DDG user. I think they have a great service. This post is solely about the misconception that seems to have spread primarily from The Guardian article that DDG can somehow protect you from NSA monitoring.
DDG stated, "We literally do not store personally
identifiable user data, so if the NSA were to get a hold of all our data, it
would not be useful to them since it is all truly anonymous." I
would like to direct readers to this article which basically nullifies whatever
protection DDG thinks it can provide, or you the reader think you have.
Standard Wiretaps
DuckDuckGo can easily be compelled either under the
Communications Assistance for Law Enforcement Act (CALEA), standard court
orders, or by secret orders from the Foreign Intelligence Surveillance Court
(FISA) to provide tap-on-demand. I don’t think anyone can dispute
that. If you are specifically targeted in an investigation, you can
bank on the fact that all of your searches and their history “going forward”
after the court order will be collected on you and stored.
Google has at least a transparency report detailing the
number of non-FISA requests it receives and now a “ballpark” reporting of FISA
requests. Users should demand the same of DuckDuckGo.
Deep Integration
DuckDuckGo has made a lot of hay about their privacy, but
like many other technology companies they have remained silent about their
collaboration, if any, with law enforcement and security agencies.
Why shouldn't they? They are reaping the benefits
of an uninformed populace flocking to their service to avoid the NSA
dragnet. The privacy they offer is privacy from third-party
advertisers and cross-site tracking.
The MarCom departments of big players like Google, Yahoo!, Microsoft and others are getting good at
crafting extremely carefully worded denials through lies of omission.
DuckDuckGo says:
DuckDuckGo does not store any personal information, e.g. IP
addresses or user agents
But what if DuckDuckGo provided a splitter-feed to the
NSA? DuckDuckGo can claim without lying that they store no personal
information, but that speaks nothing of a collaborating partner storing it.
Can they refuse to collaborate with the NSA if approached? If one looks at the recent reports about Yahoo! and others the answer is “No, you cannot”. Yahoo! apparently made concerted efforts to resist, sending lawyers into battle, and ultimately (and silently) lost the fight in the FISA Court. “Silently” because their loss and the ruling that handed it down is also secret.
Assume, nay bank on, the fact that corporations located
within the United States can be and are being compelled to participate in
programs like PRISM and are legally powerless to refuse.
The NSA Can’t Lose
Let’s be realistic: if services start popping up on the internet that shield substantial amounts of communications the NSA considers valuable, how long do you think the NSA will allow that to persist before making efforts to abate it?
What can they do?
According to the Washington Post, an NSA initiative called “Upstream” siphons off of “communications fiber cables and infrastructure as data flows past” at all the major “choke points” of the internet. So, we can assume that the NSA has access to a substantial amount of ingress and egress packets to DuckDuckGo.
However, DuckDuckGo is using SSL encryption. Without DuckDuckGo's private SSL certificate, your search queries (but not your location) are invisible. What is a spy agency to do?
What is an SSL certificate key, after all? It’s simply a small block of data, often in the form of a file. And it’s a file that must be installed on every webserver or load-balancer in a data-center. If you possess DuckDuckGo’s cert, you can decrypt all traffic to DuckDuckGo. The NSA could get the DuckDuckGo master cert in one of three ways:
- Be given the cert
- Physical access to servers or load-balancers
- Remote access to servers or load-balancers
Let’s eliminate (1) for the sake of argument.
Option 2
Many smaller internet companies, including DuckDuckGo, do not operate their own data-center, but instead are “hosted” in another provider’s datacenter. In DuckDuckGo’s case, they are hosted by Verizon Internet Services. We’ve all learned about the cozy relationship between the NSA and Verizon; it is quite imaginable that Verizon would simply give them access to a DuckDuckGo server, or the load-balancer which is likely owned and operated by Verizon and upon which the SSL decryption key is installed. They don’t need continuous access; 30 seconds is all that would be necessary to copy the cert.
Option 3
If Google’s servers can be compromised by a bunch of Chinese hackers, and if the computers controlling Iran’s uranium enrichment equipment can be compromised without even being connected to the internet, how long would a service like DuckDuckGo (or Verizon Internet Services) stand up against a concerted effort by the NSA? Verizon Internet Services is almost the better target given that penetrating their infrastructure gives you access to potentially all companies hosted by them.
Again, this is a “get in, and get out quick” type operation. All they need is the key; they’ve already got the data.
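Whether a copied key opens traffic that was already recorded depends on the key exchange the server negotiates: with static RSA, the file this post calls the cert (the server's private key) decrypts past sessions, while ECDHE/DHE suites and all TLS 1.3 suites use it only to authenticate an ephemeral exchange. The following is an added example, not part of the original post, that audits a cipher list for suites that leave recorded traffic exposed; the function names are hypothetical and the suite lists are constructed samples, not DuckDuckGo's configuration.

```python
import re
import ssl

# Key-exchange tokens as they appear in OpenSSL ("ECDHE-RSA-AES128-GCM-SHA256")
# and IANA ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") cipher suite names.
EPHEMERAL = {"ECDHE", "DHE", "EDH"}                    # fresh (EC)DH secret per session
NO_CERT_KEY = {"PSK", "SRP", "ADH", "AECDH", "ANON"}   # secrecy not tied to the cert key
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")            # TLS 1.3 names: always ephemeral

def key_exchange(suite):
    """Classify a suite name as 'ephemeral', 'static' or 'other'."""
    name = suite.upper().replace("-", "_")
    if TLS13.match(name):
        return "ephemeral"
    # IANA names put the key exchange before _WITH_; OpenSSL names put it first
    # and omit it entirely for static RSA (for example "AES128-SHA").
    prefix = name[4:].split("_WITH_")[0] if name.startswith("TLS_") else name
    tokens = set(prefix.split("_"))
    if tokens & EPHEMERAL:
        return "ephemeral"
    if tokens & NO_CERT_KEY:
        return "other"
    return "static"   # RSA, DH or ECDH with the long-term key: no forward secrecy

def recorded_traffic_exposure(suites):
    """Suites under which a copied server private key decrypts recorded sessions."""
    return [s for s in suites if key_exchange(s) == "static"]

def enabled_suites(cipher_string):
    """Suite names the local OpenSSL build enables for a server cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

# Constructed samples: a legacy server list next to a hardened one.
LEGACY = ["AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
          "TLS_RSA_WITH_AES_256_CBC_SHA"]
HARDENED = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-RSA-CHACHA20-POLY1305"]

if __name__ == "__main__":
    print("legacy exposure:   ", recorded_traffic_exposure(LEGACY))
    print("hardened exposure: ", recorded_traffic_exposure(HARDENED))
    print("local ECDHE+AESGCM:", recorded_traffic_exposure(enabled_suites("ECDHE+AESGCM")))
```

An empty result means a key copied today does not decrypt sessions captured earlier; it says nothing about an active man-in-the-middle using that key on future connections.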
In Summary
This is not an indictment of DuckDuckGo per se, except insofar as they are taking advantage of the hysteria to their own ends. Every provider needs to be upfront with saying, “If it is indeed true that the NSA is monitoring our ingress/egress traffic, we can make no guarantee of privacy regardless of encryption or other efforts on our part.”
In the larger picture, this is the crux of the problem not
just for DuckDuckGo, but the internet as a whole. Until and unless
agencies like the NSA are forbidden from conducting dragnet collection and
analysis of data, there can be no privacy. Privacy is merely an illusion
at this point.
That means a search for men's shoes would be populated by ads from companies who bid on those search terms. However, companies can't target you differently based on whether you're a young man living in a city or a middle-aged dad in a suburb.
DuckDuckGo jumped to nearly 2 billion searches in 2014, up from a billion in 2013. But that's still a paltry sum compared to Google's stated "trillions" each year.