Wilders Security Forums  

  #1  
November 28th, 2011, 08:55 PM
inka
Regular Poster
Join Date: Oct 2009
Posts: 195
DuckDuckGo respects user privacy?

=== EDIT ===
Whoa! Sorry -- mea culpa!

The favicons are in fact served from host I2.duck.co, NOT from each remote site.

FunkyDude, thanks for setting me straight.

================

The DuckDuckGo domain wound up in my proxied blocklist quite a while ago, but after seeing it mentioned (touted as a "partner", and hyped) in a recent Mint Linux blog post, I decided to unblock it and have a fresh look.

DuckDuckGo purports:
"There is no search history, personal profile or any other information about you gathered, stored, sold, used or leaked."

reality check:
Perform any search at the DuckDuckGo site and note the HTTP request headers issued by your browser.
You will discover that their search results page, by design, LEAKS (telegraphs) your activity!

For each site it lists in the search results, DuckPoo embeds a link to each site's "favicon" image,
causing your browser to connect with each of the listed sites in order to retrieve the remotely-hosted favicon asset.

The mechanism is GREAT for DuckPoo; regardless of whether you click through,
webmasters see the hits, along with the DuckDuckGo brand reflected in referer logs.

Did you read the DuckDuckGo "example" (presented on the bubble.us page) about Susie... searching for Herpes?

Well, without even clicking through to visit any of the DuckDuckGo -listed sites, you get the "privilege" of telegraphing your herpes outbreak to the raft of sites listed in your search results. Egad!

"hi, please send your favicon. Oh, and by the way, i was referred to you by DuckPoo.
What? Yah, the person at this IP address is using that search engine to search for 'Herpes' and stuff."



sad footnote:
I posted a comment similar to the above, to the Mint Linux blog article... and it wound up moderated (deleted).
I've reposted, removing the arguably "offensive" DuckPoo moniker.
Hopefully the revised version won't be similarly squelched.

Last edited by inka : November 28th, 2011 at 10:52 PM.
  #2  
November 28th, 2011, 09:04 PM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Oh dear, that's food (crispy duck?) for thought. I have DDG as my default search engine in *SRWare Iron. Well, a bird in the hand ...

*Apparently, according to some; also a blatant lie/scam.

Does this mean my goose is cooked?
__________________
Quis custodiet ipsos custodes?
  #3  
November 28th, 2011, 09:12 PM
vasa1
Massive Poster
Join Date: May 2010
Posts: 3,988
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by Daveski17
Oh dear, that's food (crispy duck?) for thought. I have DDG as my default search engine in *SRWare Iron. Well, a bird in the hand ...

*Apparently, according to some; also a blatant lie/scam.

Does this mean my goose is cooked?

Since you asked for it. Chromium is made by Google, the most untrustworthy organization possible. SRWare Iron is based on Chromium.
__________________
One can't be too rich, too thin, or too secure
  #4  
November 28th, 2011, 09:15 PM
vasa1
Massive Poster
Join Date: May 2010
Posts: 3,988
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by inka
...
For each site it lists in the search results, DuckPoo embeds a link to each site's "favicon" image,
causing your browser to connect with each of the listed sites in order to retrieve the remotely-hosted favicon asset.
...
sad footnote:
...
I've reposted...

1. So favicons should be present in the browser cache? That should be a simple way for DDG users to verify the quote.
2. Link?
__________________
One can't be too rich, too thin, or too secure
  #5  
November 28th, 2011, 09:20 PM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by vasa1
Since you asked for it. Chromium is made by Google, the most untrustworthy organization possible. SRWare Iron is based on Chromium.

I knew that. That's why I'm using SeaMonkey at the moment.

Chromium is also based on WebKit, or at least uses it as its rendering engine.

"WebKit was originally derived by Apple Inc. from the Konqueror browser's KHTML software library for use as the engine of Safari web browser, and has now been further developed by individuals from KDE, Apple Inc., Nokia, Google, Bitstream, Torch Mobile, Samsung, Igalia, and others.[2] Mac OS X, Windows, GNU/Linux, and some other Unix-like operating systems are supported by the project." ~ Wikipedia

I admit Google are Dr Evil evil untrustworthy, but there must be a good side to them.

*Waits for flying porcines & for Hades to develop permafrost ... *
__________________
Quis custodiet ipsos custodes?
  #6  
November 28th, 2011, 09:27 PM
inka
Regular Poster
Join Date: Oct 2009
Posts: 195
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by vasa1
1. So favicons should be present in the browser cache? That should be a simple way for DDG users to verify the quote.
2. Link?

1) I suggested watching outbound requests because you cannot simply "View Source",
because the page is dynamically built (its code is INconveniently "obfuscated", eh)

2) the blog article is here:
Linux Mint signs a partnership with DuckDuckGo
http://blog.linuxmint.com/?p=1884
  #7  
November 28th, 2011, 09:44 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,998
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by inka
sad footnote:
I posted a comment similar to the above, to the Mint Linux blog article... and it wound up moderated (deleted).
I've reposted, removing the arguably "offensive" DuckPoo moniker.
Hopefully the revised version won't be similarly squelched.

I'm willing to bet it was moderated because you're talking complete and utter garbage and until you can bring forth some evidence of your sensationalist claim in this thread, this one should be moderated too.

Notice how every single favicon retrieved is hosted by DDG?

[Attached image: DDG.png]
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
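
The check discussed in this thread (watch the browser's outbound requests and see which hosts the results page actually contacts) can be run over an exported request capture. This is an added example, not code from any poster; the HAR-style sample entries, the placeholder paths, the `.example` hosts and the operator-host list are constructed assumptions.

```javascript
// Added example: audit a browser request capture (HAR-style entries) for
// fetches that leave the search engine's own hosts. All data is constructed.

// Assumption: hosts the reader accepts as operated by the search engine.
// i2.duck.co is the favicon host named in the thread.
const OPERATOR_HOSTS = new Set(["duckduckgo.com", "i2.duck.co"]);

// Case-insensitive lookup in a HAR header list: [{ name, value }, ...].
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  const hit = headers.find((h) => h.name.toLowerCase() === wanted);
  return hit ? hit.value : null;
}

// Return one finding per request sent to a host outside operatorHosts,
// recording whether a Referer went with it and whether that Referer
// carries a "q" search parameter.
function auditEntries(entries, operatorHosts = OPERATOR_HOSTS) {
  const findings = [];
  for (const e of entries) {
    const host = new URL(e.request.url).hostname.toLowerCase();
    if (operatorHosts.has(host)) continue;
    const referer = headerValue(e.request.headers, "Referer");
    let refererHasQuery = false;
    if (referer !== null) {
      try {
        refererHasQuery = new URL(referer).searchParams.has("q");
      } catch (err) {
        refererHasQuery = false; // malformed Referer: nothing to parse
      }
    }
    findings.push({ host, sentReferer: referer !== null, refererHasQuery });
  }
  return findings;
}

// Helper to build a constructed HAR-style entry.
function makeEntry(url, referer) {
  const headers = referer ? [{ name: "Referer", value: referer }] : [];
  return { request: { url, headers } };
}

const PAGE = "https://duckduckgo.com/?q=constructed+query";

// Constructed capture A: favicons fetched through the engine's own host.
const proxiedCapture = [
  makeEntry(PAGE, null),
  makeEntry("https://i2.duck.co/placeholder/site-a.ico", PAGE),
  makeEntry("https://i2.duck.co/placeholder/site-b.ico", PAGE),
];

// Constructed capture B: the pattern the first post feared, with favicons
// fetched from the listed sites themselves.
const directCapture = [
  makeEntry(PAGE, null),
  makeEntry("https://site-a.example/favicon.ico", PAGE),
  makeEntry("https://site-b.example/favicon.ico", null),
];

console.log("proxied:", auditEntries(proxiedCapture));
console.log("direct:", auditEntries(directCapture));
```

An empty result means every request stayed on the listed operator hosts; running the same audit with and without a rewriting proxy or ad blocker in the path shows whether the filter changed what the page fetched.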
  #8  
November 28th, 2011, 09:51 PM
inka
Regular Poster
Join Date: Oct 2009
Posts: 195
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
*SRWare Iron

*Apparently, according to some; also a blatant lie/scam.

I reported my personal observations regarding Chrome vs Iron here:

blocking google.com domain CRIPPLES Chrome browser?
http://www.wilderssecurity.com/showthread.php?t=306620

There's an overlapping issue at work here (Chrome vs Iron) and (Mint Linux vs Ubuntu)
SRWare was (is) criticized for "taking the free codebase and doing little other than post-pending their "brand" to the user-agent string... as means to an end ~~ monetizing user searches".
-=-
Mint Linux was similarly criticized for "basically usurping the Ubuntu brand" (considering their recent releases though, I think they are now beyond such harsh criticism) but now, via "partnering" they apparently intend to monetize user searches.

Sigh. All things considered, dems small puhtatoes.
On the horizon, we have NaCl (native client) coming soon, to a browser near you...
  #9  
November 28th, 2011, 10:03 PM
inka
Regular Poster
Join Date: Oct 2009
Posts: 195
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
I'm willing to bet it was moderated because you're talking complete and utter garbage and until you can bring forth some evidence of your sensationalist claim in this thread, this one should be moderated too.

Notice how every single favicon retrieved is hosted by DDG?

FunkyDude, thanks for checking.
I'll revisit, and recheck. None of your results show 302 redirection, so now I'm wondering whether "what I observed" was due to proxo or adblock rewriting the page.
  #10  
November 28th, 2011, 10:08 PM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by inka
There's an overlapping issue at work here (Chrome vs Iron) and (Mint Linux vs Ubuntu)
SRWare was (is) criticized for "taking the free codebase and doing little other than post-pending their "brand" to the user-agent string... as means to an end ~~ monetizing user searches".

Well, I didn't expect SRWare to work for free LOL! At least you can actually uninstall it completely from your computer. I just can't justify it being a scam, it's freeware. Either way, it's nice to have a virtually de-Googleised alternative to Chrome.


Quote:
Originally Posted by inka
Mint Linux was similarly criticized for "basically usurping the Ubuntu brand" (considering their recent releases though, I think they are now beyond such harsh criticism) but now, via "partnering" they apparently intend to monetize user searches.

Mint looks quite good to me. I have a feeling Ubuntu has changed too much recently for many of its devotees.

Quote:
Originally Posted by inka
Sigh. All things considered, dems small puhtatoes.
On the horizon, we have NaCl (native client) coming soon, to a browser near you...

"Some groups of browser developers support the Native Client technology, but others do not. This technology is controversial with x86 browser developers.

Supporters: Chad Austin (of IMVU) are praising the way Native Client can bring high-performance applications to the web (with about 5% penalty compared to native code) in a secure way, while also accelerating the evolution of client-side applications by giving a choice of the programming language used (beside JavaScript).[16]

Detractors: Other IT professionals are more critical of this sandboxing technology as it has substantial or substantive interoperability issues.

Mozilla's vice president of products, Jay Sullivan said it has no intention to run native code inside the browser, as

"These native apps are just little black boxes in a webpage. [...] We really believe in HTML, and this is where we want to focus."[17]

Håkon Wium Lie, Opera's CTO believes that

"NaCl seems to be 'yearning for the bad old days, before the web'", and that "Native Client is about building a new platform – or porting an old platform into the web [...] it will bring in complexity and security issues, and it will take away focus from the web platform."[3]

Christopher Blizzard, Mozilla's Open Source evangelist fears that without the source code, the pace of innovation will slow, and compares NaCl to Microsoft's ActiveX technology, plagued with DLL hell. In his views, even if it's secure, Native Client isn't a good thing.[3]" ~ Wikipedia

... Oh my ...
__________________
Quis custodiet ipsos custodes?
  #11  
November 28th, 2011, 10:12 PM
vasa1
Massive Poster
Join Date: May 2010
Posts: 3,988
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by Daveski17
I knew that. That's why I'm using SeaMonkey at the moment.

Chromium is also based on WebKit, or at least uses it as its rendering engine...

I will repeat: Chromium is a Google-funded project. SRwhatever is based on Chromium. Chromium is a Google-funded project. Why do people who renounce Google and all its works and empty promises (as some of us were taught to say), use browsers based on Chromium and ingenuously (not!) point out that Chromium uses WebKit?

And if one already "knows that", then using SRwhatever and ranting against Google at every opportunity is "interesting" for want of an appropriate stronger term.
__________________
One can't be too rich, too thin, or too secure
  #12  
November 28th, 2011, 10:26 PM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by vasa1
I will repeat: Chromium is a Google-funded project.

Dude, you really need to drink less caffeine.

Quote:
Originally Posted by vasa1
SRwhatever is based on Chromium. Chromium is a Google-funded project.

Now you really are repeating yourself. Is this a short term memory thing?

Quote:
Originally Posted by vasa1
Why do people who renounce Google and all its works and empty promises (as some of us were taught to say),

Who says anything about renouncing all of Google's works? Where have I ever stated this? (refer back to drinking less caffeine)

Where are the rules written stating that anybody can't criticise an organisation whilst using its products?

Criticism can be good.

Quote:
Originally Posted by vasa1
use browsers based on Chromium and ingenuously (not!) point out that Chromium uses WebKit.

Yes, but at the end of the day, it does use WebKit, which originally had nothing to do with Google.

Quote:
Originally Posted by vasa1
And if one already "knows that", then using SRwhatever and ranting against Google at every opportunity is "interesting" for want of an appropriate stronger term.

If it makes me a hypocrite, fair-do's. It doesn't matter to me as I am essentially a nihilist.

To use an analogy: I can criticise democracy, yet partake in a constitutional monarchy. I don't see that as hypocrisy.

If I contradict myself, very well; I am large & contain multitudes.
__________________
Quis custodiet ipsos custodes?
  #13  
November 28th, 2011, 10:30 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: DuckDuckGo's BLATANT lie regarding user privacy

I would suggest that the question of whether Iron is a scam be moved to another topic but it just seems so obvious I don't even think it needs one.
__________________
  #14  
November 28th, 2011, 10:43 PM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by Hungry Man
I would suggest that the question of whether Iron is a scam be moved to another topic but it just seems so obvious I don't even think it needs one.

It seems obvious that you have caught a dose of Googlefanboyitis LOL!

I don't know what to prescribe as a cure.
__________________
Quis custodiet ipsos custodes?
  #15  
November 28th, 2011, 10:52 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: DuckDuckGo's BLATANT lie regarding user privacy

Yep that must be it.

http://neugierig.org/software/chromi...9/12/iron.html

All the proof I need really.

Quote:
<Kmos> Iron: why not contribute to it, instead of forking ?
<Iron> because i removed all privacy-related code
<Iron> e.g. RLZ
<Iron> and URL tracking every 5 seconds after start
<Iron> the original chrome is heavily communicating to google...i hate that
<jamessan> all of those are supposed to have options to disable them, iirc
<Iron> yes but they haven't options yet
<Iron> and nobody knows when the next beta is released
<jamessan> so work on getting the options added so they'll be there for the next release

...


<Iron> because a fork will bring a lot of publicity to my person and my homepage
<Iron> that means: a lot of money too

...

<Iron> i dont take money for my fork
<Iron> but i have adsense on my page

...

<Iron> nobody here trusts google
<Iron> the german people say: google is very evil
<jamessan> yet you use google's adsense

Blatantly playing on users' fears that he helps to spread with his silly page about how Google is calling home and how ironware disables it when it's all able to be disabled in Chrome.

Quote:
Furthermore, the "URL tracking" mentioned both on IRC and on the Iron website refers to the GoogleURLTracker class. This unfortunately-named class figures out whether to use google.com or google.es for searches from the URL bar, and does not in any way do any sort of spyware URL monitoring. This is obvious to anyone who can read code, and should be obvious to anyone technical enough to produce a product like Iron. At this point I can't believe they're doing anything other than being intentionally misleading.

It's just so silly.
__________________
  #16  
November 28th, 2011, 11:04 PM
inka
Regular Poster
Join Date: Oct 2009
Posts: 195

{blush} Okay, I revised the initial post.
The favicon images are, in fact, being served from duck.co server, NOT from remote sites.
So, there's no boogeyman lurking in THAT corner...
  #17  
November 28th, 2011, 11:07 PM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by Hungry Man
Yep that must be it.

http://neugierig.org/software/chromi...9/12/iron.html

All the proof I need really.


Blatantly playing on users' fears that he helps to spread with his silly page about how Google is calling home and how ironware disables it when it's all able to be disabled in Chrome.



It's just so silly.

It's not the only thing that's silly on this site mate!
__________________
Quis custodiet ipsos custodes?
  #18  
November 29th, 2011, 12:55 AM
vasa1
Massive Poster
Join Date: May 2010
Posts: 3,988
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by Daveski17
Dude, you really need to drink less caffeine.
...
Criticism can be good.
...

But try to make it informative or at least entertaining

It's the repetitive and highly unoriginal and often motivated criticism that drives me to caffeine. If this goes on I'll move on to plonk and even you wouldn't wish that on me!
__________________
One can't be too rich, too thin, or too secure
  #19  
November 29th, 2011, 12:59 AM
vasa1
Massive Poster
Join Date: May 2010
Posts: 3,988
Re: DuckDuckGo's BLATANT lie regarding user privacy

Oh! And if we are sooooo keen on WebKit, there's Midori and Epiphany that aren't, to my limited knowledge, tainted by supping with Google even with a long spoon (to continue the metaphor).
__________________
One can't be too rich, too thin, or too secure
  #20  
November 29th, 2011, 05:44 AM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by vasa1
But try to make it informative or at least entertaining

I'm an alternative comedian; I'm not funny.

Quote:
Originally Posted by vasa1
It's the repetitive and highly unoriginal and often motivated criticism that drives me to caffeine.


The pot calling the kettle ... ?

Quote:
Originally Posted by vasa1
If this goes on I'll move on to plonk and even you wouldn't wish that on me!

I recommend Butty Bach.
__________________
Quis custodiet ipsos custodes?
  #21  
November 29th, 2011, 05:45 AM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by vasa1
Oh! And if we are sooooo keen on WebKit, there's Midori and Epiphany that aren't, to my limited knowledge, tainted by supping with Google even with a long spoon (to continue the metaphor).

Extended metaphors aside, I still prefer Gecko.
__________________
Quis custodiet ipsos custodes?
  #22  
November 29th, 2011, 06:03 AM
vasa1
Massive Poster
Join Date: May 2010
Posts: 3,988
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by Daveski17
...
I recommend Butty Bach.

Is it a knock-off of something else?
__________________
One can't be too rich, too thin, or too secure
  #23  
November 29th, 2011, 06:06 AM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: DuckDuckGo's BLATANT lie regarding user privacy

Quote:
Originally Posted by vasa1
Is it a knock-off of something else?

I dunno, but after six pints you won't care.
__________________
Quis custodiet ipsos custodes?
 

All times are GMT -4.