DuckDuckGo Gets BLOCKED by Privacy Protection Routine

Saturday 31 July 2021
Bob Leggitt
"Unlike when you load other “private search engine” homepages, you're not alone with DuckDuckGo. You're actually connecting to the Microsoft cloud hosting service... And that means Microsoft knows both who you are, and what you searched for. Oh dear..."
Cloud Firewall blocks DuckDuckGo

If you read my posts regularly, you'll know the issue that prompted the title of this post would have come as no surprise to me. But it's finally happened. DuckDuckGo - the search engine that presents itself as a paragon of privacy - has been blocked by a Firefox browser extension designed to protect users from the grip of the big six megatrackers. Namely: Amazon, Apple, Cloudflare, Facebook, Google and Microsoft. And as regular readers will have guessed, the megatracker responsible for DuckDuckGo's blocking is Microsoft.

The Firefox extension is called Cloud Firewall, and it takes a zero-tolerance approach to megatrackers, blocking their cloud connections outright. You can select which cloud connections you want to block, and which you want to allow. For example, if you want to use Google, you'll need to make sure Google's cloud connections are enabled. That's logical.

But what if you're not using Google? What if you've specifically chosen a search engine that claims to be free from tracking? Well, normally that's absolutely fine. Block all trackers with Cloud Firewall, and Startpage loads and runs searches. Same with Qwant. Same with Mojeek… Looking good.

But not so, DuckDuckGo. Block all trackers with Cloud Firewall, and DuckDuckGo will not load. At all. Instead, the privacy protection system prevents the page load, and serves this message…

“Blocked duckduckgo.com as it is in Microsoft cloud and you chose to block this cloud.”

Oh dear. It appears that unlike when you load other “private search engine” homepages, you're not alone with DuckDuckGo. You're actually connecting to the Microsoft cloud hosting service.

[UPDATE: Big Tech Detective - a similar tracker-blocker for Chromium browsers - is also blocking DuckDuckGo…

Big Tech Detective

End of update.]

I've previously mentioned that if you run a program called Traceroute on DuckDuckGo, you get a highly suspicious progression. Let me explain…

When you visit a website, in technical terms you don't just go straight there. You're routed via a path, which bounces off a range of nodes. This is completely normal, and the path can vary - even when you're visiting the same website. If you want to see the path, you can use a routine called Traceroute. The routine is built into Windows, and can also be used in other operating systems, including Linux.

Traceroute is easy to use. You simply call up the Windows Command Prompt, and at the C:\> prompt, you type:

tracert [your chosen website]

So in the case of DuckDuckGo you'd type…

tracert duckduckgo.com

If you run an aggressive PC firewall, you'll probably need to create an exception for the Traceroute program, but for the average user it should run without the need for prior action.

Once you've typed in the command, hit Enter, and the computer will automatically trace the route for you. So what does a Traceroute actually look like? Well here's one for the search engine Mojeek. I've obscured early steps in the route for privacy reasons. The steps I've obscured were the same for all traces I ran…

Mojeek Traceroute

The final step in the above sequence - step 8 - shows the IP address for Mojeek itself. I was able to verify this by typing the IP address directly into my browser's URL bar, upon which Mojeek search loaded. So, nothing fishy about Mojeek. Here's Google…

Traceroute Google

Once again, the final step was the IP address for Google itself. As one would expect.

Now let's try DuckDuckGo…

Traceroute DuckDuckGo

Okay, so that's not what one would expect. And this is an invariable pattern. The path comes out of the constant nodes, and immediately reaches Microsoft's msn.net. It then stays with Microsoft until step 10, at which point the Traceroute fails. I have never got a DuckDuckGo Traceroute to progress beyond step 10, or seen it go anywhere other than Microsoft. One has to ask the question: why the beeline for Microsoft, and why the apparent block of visibility for the conclusion of the trace?

If we run a Traceroute on Bing, immediately after the path leaves the constant nodes, we see it hitting the exact same msn.net address that DuckDuckGo hits…

Bing Traceroute

I'm not a network expert, but in conjunction with the Cloud Firewall message that deems DuckDuckGo to be using the Microsoft cloud, we obviously have a severe red flag for DuckDuckGo. If Microsoft is hosting the service in its cloud, then Microsoft would have access to all users' IP addresses, regardless of what DuckDuckGo did or did not submit as part of each search query. You don't need to be an expert to understand that. The biggest red flag of all is that DDG's Traceroute appears to have been deliberately blocked to obscure the truth.
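As an added example (not part of the original post, and not Cloud Firewall's own code), the Python below parses Windows tracert output and matches the resolved destination address and each answering hop against provider address ranges. The ranges, hostnames and trace text are constructed placeholders; the address in the "Tracing route to" line comes from DNS, so its owner can be looked up even when the last hops time out.

```python
import ipaddress
import re

# Constructed ranges (RFC 5737 documentation blocks), not real cloud ranges.
PROVIDER_RANGES = {"provider-a": ["198.51.100.0/24"],
                   "provider-b": ["203.0.113.0/24"]}

# Constructed Windows tracert output; names and addresses are placeholders.
SAMPLE_TRACE = """\
Tracing route to search.example [198.51.100.77]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     9 ms     8 ms     9 ms  isp-gw.example [192.0.2.1]
  3    11 ms    10 ms    12 ms  edge1.provider-a.example [198.51.100.10]
  4    12 ms    11 ms    11 ms  198.51.100.33
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                 # hop number, rest of line
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")   # trailing IPv4, bare or [..]
DEST_RE = re.compile(r"Tracing route to \S+ \[([\d.]+)\]")

def owner(ip):
    """Return the provider whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in PROVIDER_RANGES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None

def parse_tracert(text):
    """Return [(hop_number, ip_or_None)]; None marks a hop that timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ip = IP_RE.search(m.group(2))
            hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def summarize(text):
    hops = parse_tracert(text)
    dest = DEST_RE.search(text).group(1)   # address DNS returned for the name
    last_n, last_ip = [h for h in hops if h[1]][-1]
    return {"destination_owner": owner(dest),
            "last_answering_hop": last_n, "last_hop_owner": owner(last_ip),
            "reached_destination": last_ip == dest,
            "silent_hops_after": len(hops) - last_n}
```

To use it on real data, replace PROVIDER_RANGES with the address ranges a provider publishes and pass saved tracert output to summarize().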

Just before I completely drop the subject of Traceroute, I should point out that Brave Search's trace ended at cloudfront.net - which is that good old surveillance giant Amazon…

Traceroute Brave

Why wasn't I surprised to see that?

There have long been rumours that DuckDuckGo is just a thinly-masked facade for Microsoft. Such rumours were originally no more than a jumble of unevidenced claims from privacy “tin hats”, based on the DDG CEO's past history in hardcore data-mining. Before DuckDuckGo, CEO Gabriel Weinberg had made $10 million building and then selling a data-desperate, proto-Facebook "connection" site.

But even in the early period of DDG itself, he had a pretty grim privacy policy which granted the company permission to keep its logs indefinitely. Whilst that line was taken out of the policy when Weinberg jumped onto the privacy bandwagon, it hasn't to my knowledge ever been officially retracted. The current policy admits the company collects search queries, but gives no timeframe for retention.

So it was easy to see how rumours of dodgy practices started. But they gained more credibility when a webmaster was told by DuckDuckGo in a private communication that the DDG crawler was not adding anything at all to the search index. This had to mean that ALL of DuckDuckGo's search results came from third parties. Prior to this, the implication had been that DDG served results, at least in part, from its own index.

The credibility of the Microsoft partnership rumour inflated further when The Register reported on a Microsoft service outage. The article stated…

“The Bing outage prevented DuckDuckGo, the privacy-centric engine that aggregates results from the Microsoft search engine, from returning useful links to queries.”

This empirically highlighted the extent of DDG's dependency on Microsoft. Before that, Microsoft was widely believed (based on DDG's marketing) to be a small component contributor to the DuckDuckGo results pool. But while Bing was down, many DDG searches displayed no results at all. Zero. Microsoft was clearly the core provider for DuckDuckGo search. This was in late 2017.

Since then, there have been collations of damning facts against DuckDuckGo - some shared rampantly in the Fediverse. Very especially this one, by Dr Roy Schestowitz, which asserts that because Microsoft hosts DuckDuckGo (which now looks pretty clear even to non-network experts like me)…

“Microsoft sees both sides of the transaction and can link your IP address (i.e. identity) to your search query that Bing processes.”

Schestowitz continues…

“While it may be true that DDG doesn’t transmit users’ IP addresses to Microsoft, Microsoft has already seen users’ IP addresses via Azure.”

Azure is Microsoft's cloud service.

So let me suggest two things. One, that you read the Schestowitz article in full. It's a comprehensive indictment of a company that is pretty clearly not what it claims to be. Remember also, in connection with this, that DuckDuckGo is involved in running Tor nodes. So even if you're using Tor, you're not necessarily anonymous to DDG/Microsoft.

And two, think hard about ALL of the so-called “privacy respecting” services. I, along with other privacy advocates, have questioned their integrity for years, but we are small voices in a world where even big voices often struggle to get a message across in the face of the tech industry's knack of burying bad news.

I know I repeat variations on this message, but there is no such thing as a centralised alternative to Big Tech. All significant tech brands are run by highly trained and highly entitled marketers who will only ever tell you what you want to hear, and will only ever hide what you don't want to hear. I know the picture is depressing at the moment. When you think there's a better way, and it turns out there isn't, it's hard to accept as the truth.

But this is the truth. DuckDuckGo is sitting nonchalantly in the prying lair of a megatracker and spyware manufacturer, while claiming it has a passionate commitment to privacy. And that's such an appalling dereliction of the brand's ethical stance that a third party privacy tool actually blocks the entire site. And if DuckDuckGo has gone to the trouble of calculatedly obscuring the Traceroute display in order to hide its Microsoft cloud hosting, I think we should be viewing it as a potential threat to our safety. Such a level of sneakiness runs beyond dishonesty, and into the level of danger.

Do not use DDG's “email protection service”, because it is blatantly a completely unnecessary data harvesting scheme, and we have no idea whatsoever where that vast bank of extremely private data is going to end up.

We won't get better privacy by blindly accepting everything these sly, scheming brands tell us. We will get better privacy by spreading the truth about their grim reality. So pass it on.