How do you know what server-side profiling occurs or does not occur? There is no way to know that. DDG gives people a completely misplaced and false sense of security, when they are just as easily compromisable/corruptible/subpoenable/susceptible to NSLs, EDRs and secret court orders as any other company.
And I disagree with your premise that it's particularly difficult to link a person's IP to their real world identity. There are organized fraud gangs who have it down to a science. They know exactly what dept. of the ISP to call, what to say, etc. Basically if someone knows your IP and your ISP account is registered in your name it's game over.
It is a legit company based in Pennsylvania, not some random website. Their privacy policy explicitly states they do not collect user info. If they are caught doing it anyway they could be open to legal action. While they may be lying, at least it's better than other search engines where collecting data is explicit and built into their business model.
That doesn't mean anything. I can go ahead and register an LLC in Pennsylvania too for a few hundred bucks and then put up a website with a completely fictional privacy policy. I could collect everyone's IPs despite claims that we do not, and no one would be able to prove it.
> While they may be lying, at least it's better than other search engines where collecting data is explicit and built into their business model.
Just to be clear, are you saying that given the choice between collecting data and lying about it vs. collecting data and being explicit about it, you’d choose the first option?
Thanks for bringing this up. I don't understand why people seem to automatically trust things just because they advertise as being more "private" than the alternatives. I guess none of us are immune to advertising tactics, but it's so important to remember that they have no obligation to be truthful and will lie every chance they get.
I am not claiming that DDG is bad or anything, I just don't like putting trust into something just because it says "you can totally trust me!".
Unfortunately my search engine is far away, both in terms of functionality and hardware capacity from being able to deal with that. Maybe some day, who knows, but not yet. Even if I'm destined to make the Linux of search engines, we're metaphorically living in 1992 or so.
Would be funny though because it's both developed on a Debian workstation and hosted on a Debian server.
Hey, totally unrelated, but the way your status page is set up made me think your site was down for months (I had started to assume permanently) - when it last went down for maintenance I got redirected to https://status.marginalia.nu/?query=... which said, and still says, "Site down for maintenance" across the top.
After DDG decided they would censor material they considered misinformation from Russia I went out search engine shopping and I'm using brave search. I value transparency and fairness and can make my own mind about things (I remember when being against the Iraq or Libya wars made you a terrorist sympathizer).
Do you have any stance there? (I'm not saying you should have one or agree with mine, just curious. Every search engine might have its time and place).
risiOS hosts a searx instance for its users and configures it as the default search engine.
I worry about the sustainability of such a service though. Don’t they inevitably get blocked upstream?
It might work better for more local organizations to host such projects. I’ve always liked the idea of community centers and churches and whatnot hosting shared services for their community.
It would also crash marginalia I think. Which would be sad.
What would we have Debian change the default search to? I get that DuckDuckGo might not be ideal, but it is better than Google, Bing, Yahoo or Marginalia. The results need to be good enough, but also not obviously anti-privacy. It basically leaves you with DuckDuckGo, Qwant or Ecosia. Personally I might have picked Ecosia, had they not had a cookie banner.
We (at DuckDuckGo) actually have no current relationship (or commercial deal) with Debian. They did this on their own. That is, there is no revenue share here.
Also, we no longer use the Amazon affiliate program, or Yahoo for that matter, and we don't (and never have had) any idea what any individual bought.
They know the types of items you buy. You don’t get the exact items from Amazon. They can guess if you click a link to an iPhone and then later bought a $1,200 electronic but if you click on an iPhone and buy a PS5 they don’t know what you bought.
DDG is a more practical default than Google simply because I don't get a "We'd like to abuse your personal data" pop-up that gets in the way every time I open an Incognito window to search for something.
This switch by Debian to DDG is less of an issue for me than it would have been a few years ago. Google has recently been claiming it will only ever show 1000 results (10 pages of 100). But for many users, myself included, google will only ever show less than 400 results. This is apparently an intentional policy (at least according to the support forums).
For me this is terrible. I can scan through 100 search results pretty quick, going 4 pages deep is something I have always done often. Seeing the reported ~82 million results shrink suddenly to 4 pages and maybe 389 results with omitted included is extremely disheartening. But at least google scholar still works properly.
Sadly I have found the DDG lacking, most times I have to go back to Google to find information that just doesn't show up on DDG. As an example, I don't have Twitter but I follow certain sport journalist with a huge following, all thanks to his Twitter. When I search for his name + twitter, DDG shows me articles about the journalist and even a Facebook page link, but not his twitter even if it is in the query and his handle is literally his name!
Twitter are so hostile to casual anonymous browsing via the web that I'm not surprised DDG aren't indexing them, and actually prefer that. It's like Twitter are actively choosing to not be part of the web.
But yes, I do use !g when needed to jump to Google. It's just the default that works better on DDG for me due to the Incognito window issue - so much so that I've been running DDG by default for quite a long time now, just for that reason.
Did you use the "Send Feedback" in the bottom left corner? I've heard (via a comment on HN) that they do read them. I also readily admit the bottom left corner is a suboptimal place to put a feedback link, but here we are
The way they did it shows lack of experience as well, as this will enforce the change to all users rather than simply change the default profile settings upon creation.
I'm not a Debian user, but Ubuntu 22.04 tried to force snap down my throat with Firefox and it broke the hell out of everything. It turns out that a web-browser needs to run outside of a sandbox, who could have foreseen?!
Anyway, so now I just manage my own updates via the tar.gz because I can't be bothered to rebuild .deb for the releases and hope snap and its flatpak friend go the way of the dodo
I think that they will need to fork the web browsers and maintain the forks instead of the originals, in order to make improvements. This is one of them but is not only one. To actually make the web browsers good, will require further changes (sometimes involving adding stuff back in that was removed in older versions, or removing some of the newly added stuff while keeping some of it).
However, I would prefer the default to be "no search", and to only search if the user explicitly specifies which search engine to use. (This does not necessarily mean that Debian has to do this; it only means that it is what would be my own preference. Some other people will agree with me, although some people will disagree.)
Regardless of the default settings though (sometimes different default settings might be suitable due to the distribution; in this case it doesn't matter, but for some settings of some programs, it will matter), the end user should have the opportunity to change all of the settings.
I wish they would have gone with search.brave.com, but DDG is also acceptable to me. The main reason I would have preferred brave.com has to do with their using their own search engine for at least a portion of their results. I also like the discussions result they added.
> "At DuckDuckGo, we've been rolling out search updates that down-rank sites associated with Russian disinformation. In addition to down-ranking sites associated with disinformation, we also often place news modules and information boxes at the top of DuckDuckGo search results (where they are seen and clicked the most) to highlight quality information for rapidly unfolding topics."
In hope to quickly clear up some common misconceptions about them though: we don’t censor, we don’t move things so far down that they are effectively censored, we don’t have any definition of misinformation, and we don’t rank based on any political agenda or opinions (that includes mine!). This is just a summary though so would read the help page for details.
This leaves me with conflicting emotions. I don't know where the easiest place to find the actual explanation of the change is (not very familiar with Debian development practices) but I wonder if it clears things up.
The year of the Linux desktop gets further away as people try to use their browser and go “why can’t I search” and drop it all together. A lot of people really don’t have the patience to configure their computers, they want it to ‘just work’.
Yea I guess. Though I'm having a hard time with the idea that someone who went through the trouble of running on Debian in the first place would have this reaction to the browser not automatically opening a search engine.
For a solution to be required there first has to be a problem. Then it has to be shown the new solution is better than the current implementation.
You’re not happy with the default which you can trivially change but no one has to change, so you propose having no default so you still have to change it but now everyone has to change it.
As reported in an earlier comment, DDG did not make a deal with Debian for this.
Prior art is that Linux Mint at one point had Yahoo as the default search engine in their Firefox builds. I am not sure whether that is currently the case.
I don't mind the idea of changing the default search engine to DDG, but not in a stable release, do that in testing.
It is an opinionated choice, not a bug fix, and definitely not a security update (severity: wishlist). I don't have a problem with maintainers having opinions, but on a stable distribution like Debian, I would have preferred they expressed them before the freeze.
Changing the search engine of existing installs is quite questionable and it is worrying that this was released without a much bigger discussion involving not just the maintainers of the browser package going by their personal feelings. If I was a debian user I would be mad.
Debian being free of cost, I don't think you have a right to be mad about anything if you don't help with maintenance. Open source maintainers are not your employees.
Users can always switch back to Google if they so desire.
It is literally against anything Debian has done the past decades
Why would they choose a proprietary software and proprietary service?
Chromium at least has a BSD like license and is open source [1], the search provider alternative should be similar
Literally nobody can confirm DDG's privacy claims, they refused every independent audit and your search is leaking to their servers [2], it happened again [3]
And let's not forget the Microsoft Bing trackers ;)
I can't recall a single 502 response that I've ever gotten from DDG, but plenty of them for presearch, to say nothing of their closed-source node software. I enjoy advocating new tech as much as the next person, but not "route searches through who knows what, and only respond to queries some of the time" worth
The big reasons people seem to be looking for alternatives are privacy concerns and increasingly aggressive optimization for NLP. DDG and Bing both have ~1% market share and both return decent results - why support the one that will ostensibly become Google II if given the opportunity?
There was a posting on HN not long ago warning that DDG was run by spammers, and that the "privacy" focus is purely a marketing ploy.
This should be predictable on the basis that it is a free service, making you the product, and somebody else, therefore, the customer.
It is hard to know what else one can do to get useful search functionality. It has been a long time since Google dropped any emphasis on usefulness. Any useful results seem purely luck nowadays. You cannot even buy a subscription to "useful" from them or from, AFAIHF, anybody else.
DDG has ads based on your search query, that's how they make money. The difference is that they don't profile you, at least that's what they say. You can spam and respect people privacy, just by not looking who you are spamming.
And yes, "privacy" is a marketing ploy for anyone who is not Google. As for general purpose search engines, there are only two: Google and Bing, most others (including DDG) are just a front for Bing. There are other, more specialized crawlers including Marginalia whose author often posts on HN, and there is Yandex for Russia and Baidu for China, but the general idea is that if it is not Google, it is Bing.
Googler, opinions are my own. I don't work on chrome or anything related.
Many companies put out free software to drive people towards their products, and Chrome with Google Search seems to be one of those. As many know, improving and maintaining Chrome is not free, and having Google Search being a default is one part of what helps pay for this work.
Yes, this is Google, yes, this is likely a tiny drop in the bucket for them, but at the same time, it's taking away potential revenue from Google.
If this was some smaller company that produced a product that had some default that pointed to one of their SaaS offerings or the like, there would be potential issues raised over the Debian maintainers changing this default.
Chromium isn't just gratis software ("free" has a different meaning), it's open source software. There is no implicit expectation that downstream users can't change it any way they want[1] and redistribute the result, that's the whole point of the open source license that Chromium is released under.
Chromium is distributed under the 3-clause BSD license, so I totally agree with you that distros can do whatever they want with it (more details here: https://www.chromium.org/chromium-os/licensing/ ). I'd imagine many people that work on Chromium would agree with this and are happy for distros to do what they'd like. If Google wanted to be pushy with the software, it could do some other kind of licensing saying people couldn't modify it and still use the Chromium branding, but they obviously chose not to do this.
My take from a business perspective is that Google produces Chrome and Chromium for a number of reasons. Good will to the community (with how permissive they are with the license), and having a stable platform to be able to build things like GMail and Search on-top of. But there is also the Ads side that benefits from Google Search being the default.
So I guess there are really many benefits for Chrome's existence, and Google Searching being a default is only part of that. But I still stand by my original post and reasoning.
Wow. Yes, that's how competition works. Are people at the tech monopolists really that entitled that they consider the entire world's purse strings theirs to control?
What a bizarre way to justify surveillance. Who said the web browser can't be sold instead? The browser and the search engine should not be developed by the same company, there are clear conflicts of interest there, but we all know why Google provides all of these products and services "for free".
> If this was some smaller company that produced a product that had some default that pointed to one of their SaaS offerings or the like, there would be potential issues raised over the Debian maintainers changing this default.
Well, thankfully this is Google, and not a small company then.
Some unintended consequences:
> This change caused my chromium browser to report that it's being managed by my "organization". I thought that my machine was somehow compromised. This is terrifying! I wound up deleting my entire chromium profile before I discovered that the root cause was this DuckDuckGo config change.
https://bugs.debian.org/956012
Yeah, that was alarming. Figuring out that it was innocuous took me 15-30 minutes of urgent, drop-everything-else work.
I should've thought to post a Debian bug report after that (especially since the Debian bugs database was one of the first things I checked). I'd reported the cause informally to some colleagues, and then must've gotten distracted with what I was trying to do before I saw the suspicious message.
If it was implemented by managed policy file, then Chrome/Chromium will complain exactly this way.
You can see the details in the chrome://policy page.
Fedora did this for a while to inject the word "Fedora" into the User Agent. They eventually stopped because users were similarly spooked.
Putting even more identifying information into User Agent strings seems completely insane, whose interests is that meant to serve? The number of people in any town with Fedora in their UA must be minuscule, that blows a huge number of 'privacy bits', and for what?
They still do it
Sounds like a Chromium bug, not a Debian bug--it's an insidious way to keep Google search as the default.
Uh, no? This is managed policy, and this is a 100% good way of letting the user know that someone else has control of their settings
Just because Debian thinks that they are doing the right thing, they are in fact, controlling the user's settings through a policy. It's just telling you that, as it should.
The notion that it has anything to do with keeping search the default or not is like, such a silly assumption i don't know where to begin.
The feature overall came from a desire of enterprises to manage browser settings. Back then, Google was one of the first to tell you someone was doing that to you so that you knew your organization could see and control your settings.
IE had a deployment kit that let you deploy managed browser settings, but you didn't get told (this changed, eventually, i think, it's been a while)
Letting orgs change the default search engine was an explicit, designed goal, since some wanted to redirect people to their internal searches by default, etc.
There is in fact, another way to do this that is easy and doesn't give the user the same warning, and is meant for software distributors
You can just use master preferences here for this kind of thing and it is meant for this use case.
Google in fact, made this easy and officially supported, despite your claim.
It would likely be pretty silly to make this hard - end users aren't using these interfaces or tools, and distributors always know how to change this stuff.
As HN has grown in popularity, the sheer number of kneejerk reaction comments has unfortunately kept pace (i.e. the overall percent has not dropped). Even sadder, nobody ever goes back and edits it or replies and was like "you know what, i was probably wrong".
They feel comfortable moving on and doing it again.
No, it's a Debian bug.
If you read the thread linked in the comment you replied to [1], the Debian folks added a JSON file to `/etc/chromium/policies/managed` when they should have edited `/etc/chromium/master_preferences` (a different JSON file). If they had done that, there would be no message.
Everyone on the thread agrees that's a better solution.
[1] https://bugs.debian.org/956012
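Added example, not part of the thread and not Debian's or Chromium's code: a triage script for the situation described above, which lists every policy file under the directories in question, what each one sets, and which Debian package ships it, so a distribution default can be told apart from something nobody can account for. The `recommended` directory, the review list, the file name `duckduckgo.json` and the sample contents are assumptions constructed for the example; the other two paths are the ones named in the comment.

```python
#!/usr/bin/env python3
"""List the Chromium policy files on a host and what each one sets."""
import json
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# The managed directory and master_preferences are the paths named in the
# thread; "recommended" is Chromium's sibling directory for non-mandatory
# policies and is an addition made for this example.
POLICY_DIRS = {
    "managed": Path("/etc/chromium/policies/managed"),
    "recommended": Path("/etc/chromium/policies/recommended"),
}
MASTER_PREFS = Path("/etc/chromium/master_preferences")

# Short, non-exhaustive review list picked for this example: policies that
# change what code runs or where traffic goes.
REVIEW_FIRST = {"ExtensionInstallForcelist", "ProxySettings", "ProxyMode",
                "HomepageLocation", "RestoreOnStartupURLs"}


def classify(key):
    """Bucket a policy name so a plain search default stands apart."""
    if key.startswith("DefaultSearchProvider"):
        return "search-default"
    return "review-first" if key in REVIEW_FIRST else "other"


def owning_package(path):
    """Debian package that ships `path`, or None if dpkg cannot say."""
    if shutil.which("dpkg") is None:
        return None
    proc = subprocess.run(["dpkg", "-S", str(path)],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None  # no package claims the file: find out who wrote it
    return proc.stdout.split(": ", 1)[0].strip()


def audit_policy_dir(directory, level):
    """Return one finding per policy key in every *.json under `directory`."""
    findings = []
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    for path in sorted(directory.glob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("top level is not a JSON object")
        except (OSError, ValueError) as exc:
            # A file that does not parse is reported, never silently skipped.
            findings.append({"file": path.name, "level": level, "key": None,
                             "value": None, "kind": "unreadable",
                             "error": str(exc)})
            continue
        for key, value in data.items():
            findings.append({"file": path.name, "level": level, "key": key,
                             "value": value, "kind": classify(key)})
    return findings


def has_mandatory_policy(findings):
    """True if a file under the managed directory sets anything at all."""
    return any(f["level"] == "managed" and f["key"] for f in findings)


def demo():
    """Audit a constructed sample (not Debian's actual file contents)."""
    sample = {"DefaultSearchProviderEnabled": True,
              "DefaultSearchProviderName": "DuckDuckGo",
              "DefaultSearchProviderSearchURL":
                  "https://duckduckgo.com/?q={searchTerms}"}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "duckduckgo.json").write_text(json.dumps(sample))
        Path(tmp, "truncated.json").write_text('{"ProxyMode": ')
        return audit_policy_dir(tmp, "managed")


def main():
    findings = []
    for level, directory in POLICY_DIRS.items():
        for f in audit_policy_dir(directory, level):
            f["package"] = owning_package(directory / f["file"])
            findings.append(f)
    if not findings:
        print("no policy files on this host; showing constructed sample")
        findings = demo()
    for f in findings:
        print(f"{f['level']:<12}{f['file']:<20}{f['kind']:<15}"
              f"{f['key']}={f['value']!r} pkg={f.get('package')}")
    print("mandatory policy present:", has_mandatory_policy(findings))
    print("master_preferences present:", MASTER_PREFS.is_file())
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A managed file that only sets `DefaultSearchProvider*` keys and is owned by the browser package matches what the bug report describes; a file with no owning package, or one that sets anything on the review list, is the case worth the drop-everything investigation.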
Reporting that there is a policy is no bug, but maybe there should be a way to signify that it's customized by your software vendor (i.e. signed and keys are compiled in) and that it just sets the default search engine.
Chromium does change the message to "This device is managed by <google workspaces domain>" if attached to Chrome Enterprise.
Preconfigured profiles are the right way to solve this, it’s just that the message could be worded more kindly.
The only bug here is the changing of the search engine to a sketchy website without user input or consent.
This is actually not that uncommon... I've stumbled on a similar thing with the browsers as shipped by Fedora
It's superficial but I completely understand the alarm
For those noticing this, be aware that you'll likely see it elsewhere. Don't panic.
That sounds like a Firefox bug (and a common one I've seen in other software).
Tell me what organization. "Debian" would have been perfectly fine to show here.
How is that a Firefox bug if the software it is reported on is Chromium? Those are two very distinct projects.
Whoops, meant Chromium. My bad.
Best approach I think is the way "ungoogled-chromium" does it.
They don't enforce organization policies, but they set the default config to "no search" and then leave it up to the user to change it.
^This, let the user choose. If you can run Debian you can change your default search engine.
This is only useful for people who know what a search engine is. (Seriously, many people equate "googling" = "search engine", and don't know there is a general category of this thing). Unless there are two big bold buttons on start-up--one that says "Use Google for Search" and the other that says "Use Duck Duck Go for Search"--it would appear broken to them. Even then, almost everyone would pick "Google" just for name brand recognition.
i would argue most people that install chromium, not chrome, know what a search engine is. unfortunately, since chromium lost google account login capabilities, i do not install chromium anymore. now i just think "search engine" means "google".
Exactly. We're on the third age of the internet so to speak. At the first only the computer nerds were on it (up to ~2000); then only computer nerds + mostly young adults were on it (up to ~2010); and now all the literal toddlers and literal elderly and everyone else is on it.
Perhaps a ballot on first run, much like browsers should be in a well regulated market.
My favorite thing is when a government "solves" a market problem by incentivizing forcing a user to choose when most don't care
It worked great for cookies in the EU. Really improved my browsing experience.
Can someone please explain why we are supposed to trust DDG? Isn't it just a random website that popped up out of nowhere claiming to be private yet no audit has ever been conducted which substantiated those claims?
Recently the National Advertising Division looked into our privacy claims and found them supported, see https://bbbprograms.org/media-center/newsroom/duckduckgo-pri... & https://www.mondaq.com/unitedstates/privacy-protection/12106...
Also a lot of what we do is open source on GitHub. We recently put out a help page detailing our web tracking protections that link to a lot of the relevant repositories: https://help.duckduckgo.com/duckduckgo-help-pages/privacy/we...
And finally, I’m not sure that random or just popped up is an accurate characterization for us. We’re pretty well established at this point, having been around for nearly 15 years! I was an early user of this site and a frequent contributor during the early days of DuckDuckGo.
Those aren't proper audits. And again, bringing up the fact that it's open source is a meaningless piece of information since there is no way to verify it's the same software code on production. It only serves to trick the average user who doesn't understand how web servers work into trusting your service more.
The best thing you could do, if you actually care about privacy and not just $$$, is to open-source the entire search index db and accompanying webserver software, making it easy for users to set up their own local instance of DDG which is actually auditable. Additionally, posting a notice on-site which notifies your users that their searches may be recorded and tracked in spite of what the privacy policy says (due to the USA jurisdiction of the company making it susceptible to National Security Letters and secret gag orders) would be the right thing to do.
15 replies →
I stopped trusting ddg when they said they were going to sensor Russian news. I assume google and other major search engines sensor political issues but I didn’t think ddg would.
2 replies →
You're not supposed to totally trust DDG, but they are a better default search engine than Google if you care about privacy.
- they are less likely to throw a captcha in your face if you connect over VPN
- they have less surveillance infrastructure and run less code clientside than Google does
- they are at least not explicitly tracking you
- they have a lower number of secondary data-points from other services that can be connected to your searches
the list kind of goes on. I don't assume that DuckDuckGo is perfectly trustworthy just because they say so, but Debian has a choice of a couple of different default search engines that are mature enough and give good enough results to use as a default search tool: Google, Bing, DuckDuckGo, etc...
Of those choices, DuckDuckGo seems to be a pretty reasonable decision.
At the very least, DuckDuckGo lets me search when I'm behind a VPN and have anti-fingerprinting tools turned on, Google very often doesn't. It's not a super-hard decision for me which one is more private.
Maybe DDG is a good replacement for English users, but I wonder whether Debian developers considered whether it is fine for global users.
You aren't supposed to. Even if you assume they lie in every sentence about their data collection, with their current setup it would be much harder for them to build a valuable shadow profile about you.
They haven't been caught running fingerprinting scripts yet and they don't have an account system to tie to your searches. At best they could use your IP to build a shadow profile and that's wildly inaccurate in our mostly IPv4 world.
How do you know what server-side profiling occurs or does not occur? There is no way to know that. DDG gives people a completely misplaced and false sense of security, when they are just as easily compromisable/corruptable/subpoenable/susceptible to NSLs, EDRs and secret court orders as any other company.
And I disagree with your premise that it's particularly difficult to link a person's IP to their real world identity. There are organized fraud gangs who have it down to a science. They know exactly what dept. of the ISP to call, what to say, etc. Basically if someone knows your IP and your ISP account is registered in your name it's game over.
It is a legit company based in Pennsylvania, not some random website. Their privacy policy explicitly states they do not collect user info. If they are caught doing it anyway they could be open to legal action. While they may be lying, at least it's better than other search engines where collecting data is explicit and built into their business model.
edit: I should have just down-voted and moved on.
That doesn't mean anything. I can go ahead and register an LLC in Pennsylvania too for a few hundred bucks and then put up a website with a completely fictional privacy policy. I could collect everyone's IPs despite claims that we do not, and no one would be able to prove it.
> While they may be lying, at least it's better than other search engines where collecting data is explicit and built into their business model.
Just to be clear, are you saying that given the choice between collecting data and lying about it vs. collecting data and being explicit about it, you’d choose the first option?
If you're worried about it, you can buy searches directly from Bing ( https://www.microsoft.com/en-us/bing/apis/pricing ). DDG makes no secret that the Bing search API is where they get their link and image results -- https://help.duckduckgo.com/results/sources/ .
Actually that's the only problem I have with DuckDuckGo. I don't have much trust in Google, but I have less trust in Microsoft.
Thanks for bringing this up. I don't understand why people seem to automatically trust things just because they advertise as being more "private" than the alternatives. I guess none of us are immune to advertising tactics, but it's so important to remember that they have no obligation to be truthful and will lie every chance they get.
I am not claiming that DDG is bad or anything, I just don't like putting trust into something just because it says "you can totally trust me!".
If you don't trust them, use https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswz...
DDG is for-profit and serves for the most part Bing results. Why not pick something truly open, like search.marginalia.nu?
Flattering.
Unfortunately my search engine is far away, both in terms of functionality and hardware capacity from being able to deal with that. Maybe some day, who knows, but not yet. Even if I'm destined to make the Linux of search engines, we're metaphorically living in 1992 or so.
Would be funny though because it's both developed on a Debian workstation and hosted on a Debian server.
Hey, totally unrelated, but the way your status page is set up made me think your site was down for months (I had started to assume permanently) - when it last went down for maintenance I got redirected to https://status.marginalia.nu/?query=... which said, and still says, "Site down for maintenance" across the top.
After DDG decided they would censor material they considered misinformation from Russia I went out search engine shopping and I'm using brave search. I value transparency and fairness and can make my own mind about things (I remember when being against the Iraq or Libya wars made you a terrorist sympathizer).
Do you have any stance there? (I'm not saying you should have one or agree with mine, just curious. Every search engine might have its time and place).
Probably because one doesn’t exist? That particular example isn’t a general purpose search engine.
A Debian (or FSF, or ...) hosted SearX instance would indeed be interesting and perhaps most Free.
risiOS hosts a searx instance for its users and configures it as the default search engine.
I worry about the sustainability of such a service though. Don’t they inevitably get blocked upstream?
It might work better for more local organizations to host such projects. I’ve always liked the idea of community centers and churches and whatnot hosting shared services for their community.
I think you're confusing for-profit, opensource and, as I assume would be the motive behind this switch, at least relatively privacy protecting?
> DDG is for-profit and serves for the most part Bing results
What’s the problem? What matters is that my searches aren’t recorded and added to a profile.
Because the results from search.marginalia.nu are absolutely irrelevant?
It would also crash marginalia I think. Which would be sad.
What would we have Debian change the default search to? I get that DuckDuckGo might not be ideal, but it is better than Google, Bing, Yahoo or Marginalia. The results need to be good enough, but also not obviously anti-privacy. It basically leaves you with DuckDuckGo, Qwant or Ecosia. Personally I might have picked Ecosia, had they not had a cookie banner.
We (at DuckDuckGo) actually have no current relationship (or commercial deal) with Debian. They did this on their own. That is, there is no revenue share here.
Also, we no longer use the Amazon affiliate program, or Yahoo for that matter, and we don't (and never have had) any idea what any individual bought.
Why are you spouting off accusations without any evidence? This blind cynicism makes HN a worse place.
They know the types of items you buy. You don’t get the exact items from Amazon. They can guess if you click a link to an iPhone and then later bought a $1,200 electronic but if you click on an iPhone and buy a PS5 they don’t know what you bought.
Is that really the case here? I really doubt it considering how careful debian is when it comes to privacy. Even the popularity contest is opt in.
> I hope Debian negotiated better
Do you have any evidence that Debian negotiated a deal? Debian is not a company.
that lwn.net article is from 10 years ago...is it still accurate?
DDG is a more practical default than Google simply because I don't get a "We'd like to abuse your personal data" pop-up that gets in the way every time I open an Incognito window to search for something.
This switch by Debian to DDG is less of an issue for me than it would have been a few years ago. Google has recently been claiming it will only ever show 1000 results (10 pages of 100). But for many users, myself included, google will only ever show less than 400 results. This is apparently an intentional policy (at least according to the support forums).
For me this is terrible. I can scan through 100 search results pretty quick, going 4 pages deep is something I have always done often. Seeing the reported ~82 million results shrink suddenly to 4 pages and maybe 389 results with omitted included is extremely disheartening. But at least google scholar still works properly.
When I found out about this I was so pissed I made a crappy little website to more easily complain about it to people. http://googlesearchonlyreturns400results.lol/
Sadly I have found DDG lacking, most times I have to go back to Google to find information that just doesn't show up on DDG. As an example, I don't have Twitter but I follow a certain sports journalist with a huge following, all thanks to his Twitter. When I search for his name + twitter, DDG shows me articles about the journalist and even a Facebook page link, but not his twitter even if it is in the query and his handle is literally his name!
Twitter are so hostile to casual anonymous browsing via the web that I'm not surprised DDG aren't indexing them, and actually prefer that. It's like Twitter are actively choosing to not be part of the web.
But yes, I do use !g when needed to jump to Google. It's just the default that works better on DDG for me due to the Incognito window issue - so much so that I've been running DDG by default for quite a long time now, just for that reason.
Did you use the "Send Feedback" in the bottom left corner? I've heard (via a comment on HN) that they do read them. I also readily admit the bottom left corner is a suboptimal place to put a feedback link, but here we are
Not sure about Chromium but at least in Firefox you can set a separate default search engine for incognito sessions.
Context and rationale here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956012
TLDR
> Hey let’s change the default engine to DDG
> I’ve used DDG for a week, let’s do it!
The way they did it shows lack of experience as well, as this will enforce the change to all users rather than simply change the default profile settings upon creation.
...slightly related question, what is the benefit of using the Debian package, versus the Ubuntu snap?
As a CentOS user, the Ubuntu snap is updated much more often than the EPEL package.
I'm not a Debian user, but Ubuntu 22.04 tried to force snap down my throat with Firefox and it broke the hell out of everything. It turns out that a web-browser needs to run outside of a sandbox, who could have foreseen?!
Anyway, so now I just manage my own updates via the tar.gz because I can't be bothered to rebuild .deb for the releases and hope snap and its flatpak friend go the way of the dodo
I think that they will need to fork the web browsers and maintain the forks instead of the originals, in order to make improvements. This is one of them but is not only one. To actually make the web browsers good, will require further changes (sometimes involving adding stuff back in that was removed in older versions, or removing some of the newly added stuff while keeping some of it).
However, I would prefer the default to be "no search", and to only search if the user explicitly specifies which search engine to use. (This does not necessarily mean that Debian has to do this; it only means that it is what would be my own preference. Some other people will agree with me, although some people will disagree.)
Regardless of the default settings though (sometimes different default settings might be suitable due to the distribution; in this case it doesn't matter, but for some settings of some programs, it will matter), the end user should have the opportunity to change all of the settings.
I wish they would have gone with search.brave.com, but DDG is also acceptable to me. The main reason I would have preferred brave.com has to do with their using their own search engine for at least a portion of their results. I also like the discussions result they added.
Didn't DDG recently have some controversy about censoring things they didn't like related to Russia or Russian sites/news?
I don't have links stored in history but it was fairly recent, it was their CEO on twitter I believe and they got a LOT of backlash.
> "At DuckDuckGo, we've been rolling out search updates that down-rank sites associated with Russian disinformation. In addition to down-ranking sites associated with disinformation, we also often place news modules and information boxes at the top of DuckDuckGo search results (where they are seen and clicked the most) to highlight quality information for rapidly unfolding topics."
https://twitter.com/yegg/status/1501716484761997318
I realize that due to my own unfortunate phrasing, how our news results rankings work has been highly misinterpreted since then. I subsequently put out a clarification thread (https://twitter.com/yegg/status/1515635886855233537) and then we (DuckDuckGo) made a help page to explain how our news rankings actually work. I suggest anyone interested check it out (it’s short): https://help.duckduckgo.com/duckduckgo-help-pages/results/ne...
In hope to quickly clear up some common misconceptions about them though: we don’t censor, we don’t move things so far down that they are effectively censored, we don’t have any definition of misinformation, and we don’t rank based on any political agenda or opinions (that includes mine!). This is just a summary though so I would read the help page for details.
Drop the default search engine and show us a list of search engines with the option to add our own instead of setting it for us on first run.
How about removing every search engine and letting a user decide? I believe Debian users can handle this technical challenge.
This leaves me with conflicting emotions. I don't know where the easiest place to find the actual explanation of the change is (not very familiar with Debian development practices) but I wonder if it clears things up.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956012
Wouldn't changing the default search engine to "no default" be a solution too?
I'm sure many people have thought about it, so, I wonder, what is the issue with this approach?
The year of the Linux desktop gets further away as people try to use their browser and go “why can’t I search” and drop it all together. A lot of people really don’t have the patience to configure their computers, they want it to ‘just work’.
Yea I guess. Though I'm having a hard time with the idea that someone who went through the trouble of running on Debian in the first place would have this reaction to the browser not automatically opening a search engine.
For a solution to be required there first has to be a problem. Then it has to be shown the new solution is better than the current implementation.
You’re not happy with the default which you can trivially change but no one has to change, so you propose having no default so you still have to change it but now everyone has to change it.
Is it common for distros to have deals with search providers in exchange for keeping them as the default in their browsers?
As reported in an earlier comment, DDG did not make a deal with Debian for this.
Prior art is that Linux Mint at one point had Yahoo as the default search engine in their Firefox builds. I am not sure whether that is currently the case.
Common? Probably not.
It's not unheard of though. See: Ubuntu.
It was so cool to have amazon snoop on your presumably local searches...
I don't know, but that seems like a reasonable funding solution given that Google is expected to pay Apple ~$20B this year: https://dazeinfo.com/2022/01/05/google-pays-apple-for-not-la...
Apple has hundreds of millions of wealthy customers. Debian does not.
Pretty sure the negotiations would go approximately like: “Best I can do is fifty bucks.”
Do you believe Debian has made a deal with a search provider?
I don't mind the idea of changing the default search engine to DDG, but not in a stable release, do that in testing.
It is an opinionated choice, not a bug fix, and definitely not a security update (severity: wishlist). I don't have a problem with maintainers having opinions, but on a stable distribution like Debian, I would have preferred they expressed them before the freeze.
Better link: https://tracker.debian.org/news/1355283/accepted-chromium-10...
Changing the search engine of existing installs is quite questionable and it is worrying that this was released without a much bigger discussion involving not just the maintainers of the browser package going by their personal feelings. If I was a debian user I would be mad.
Debian being free of cost, I don't think you have a right to be mad about anything if you don't help with maintenance. Open source maintainers are not your employees.
Users can always switch back to Google if they so desire.
What a mistake
It is literally against anything Debian has done the past decades
Why would they choose a proprietary software and proprietary service?
Chromium at least has a BSD like license and is open source [1], the search provider alternative should be similar
Literally nobody can confirm DDG's privacy claims, they refused every independent audit and your search is leaking to their servers [2], it happened again [3]
And let's not forget the Microsoft Bing trackers ;)
[1] - https://chromium.googlesource.com/chromium/src/+/HEAD/LICENS...
[2] - https://github.com/duckduckgo/Android/issues/527
[3] - https://github.com/duckduckgo/Android/issues/2004
Did they fix the bug that did not allow you to log on to your Google account and sync from Chromium?
Or was that intentional?
That's something Google did to Chromium, not Debian.
Ah, thank you.
That's a shame.
surprised this isn't changing to presearch.com. Google and DDG are great but the presearch concept of paying ME to do searches, I just love.
I can't recall a single 502 response that I've ever gotten from DDG, but plenty of them for presearch, to say nothing of their closed-source node software. I enjoy advocating new tech as much as the next person, but not "route searches through who knows what, and only respond to queries some of the time" worth
Halleluiah?
Interesting how every post ever made on your account is to spam that link, which also happens to be the first time I had ever heard of it.
tbh if we want some competition to google we should support bing
The big reasons people seem to be looking for alternatives are privacy concerns and increasingly aggressive optimization for NLP. DDG and Bing both have ~1% market share and both return decent results - why support the one that will ostensibly become Google II if given the opportunity?
Depends what kind of competition you're looking for. If we want competition for PC software, we should support anything but Bing.
DDG already pays Bing for use of their API though?
DDG relies heavily on Bing, I think
If anyone uses the Debian chromium package that is. Because it's always out of date, just use Flatpak.
Oh, no! All the people buying Debian desktops at Best Buy will be locked into issues with DDG forever.
There was a posting on HN not long ago warning that DDG was run by spammers, and that the "privacy" focus is purely a marketing ploy.
This should be predictable on the basis that it is a free service, making you the product, and somebody else, therefore, the customer.
It is hard to know what else one can do to get useful search functionality. It has been a long time since Google dropped any emphasis on usefulness. Any useful results seem purely luck nowadays. You cannot even buy a subscription to "useful" from them or from, AFAIHF, anybody else.
Privacy and ads/spam are different things.
DDG has ads based on your search query, that's how they make money. The difference is that they don't profile you, at least that's what they say. You can spam and respect people privacy, just by not looking who you are spamming.
And yes, "privacy" is a marketing ploy for anyone who is not Google. As for general purpose search engines, there are only two: Google and Bing, most others (including DDG) are just a front for Bing. There are other, more specialized crawlers including Marginalia whose author often posts on HN, and there is Yandex for Russia and Baidu for China, but the general idea is that if it is not Google, it is Bing.
"At least that's what they say" is exactly what is at issue. You offer no reason to believe what they say.
I can find no actual evidence that DDG is run by spammers. This does not strike me as credible.
I can find no evidence that DDG is not run by spammers. Any claim that it is not is clearly what would demand solid evidence.
Regardless of whether you are right or wrong about DDG:
Doesn't this line of logic lead to every free site being evil, including the one we're talking on?
It would actually help if you would link to that HN posting so others can verify.
Googler, opinions are my own. I don't work on chrome or anything related.
Many companies put out free software to drive people towards their products, and Chrome with Google Search seems to be one of those. As many know, improving and maintaining Chrome is not free, and having Google Search being a default is one part of what helps pay for this work.
Yes, this is Google, yes, this is likely a tiny drop in the bucket for them, but at the same time, it's taking away potential revenue from Google.
If this was some smaller company that produced a product that had some default that pointed to one of their SaaS offerings or the like, there would be potential issues raised over the Debian maintainers changing this default.
Chromium isn't just gratis software ("free" has a different meaning), it's open source software. There is no implicit expectation that downstream users can't change it any way they want[1] and redistribute the result, that's the whole point of the open source license that Chromium is released under.
1. Within existing legal boundaries, of course
Chromium is distributed under the 3-clause BSD license, so I totally agree with you that distros can do whatever they want with it (more details here: https://www.chromium.org/chromium-os/licensing/ ). I'd imagine many people that work on Chromium would agree with this and are happy for distros to do what they'd like. If Google wanted to be pushy with the software, it could do some other kind of licensing saying people couldn't modify it and still use the Chromium branding, but they obviously chose not to do this.
My take from a business perspective is that Google produces Chrome and Chromium for a number of reasons. Good will to the community (with how permissive they are with the license), and having a stable platform to be able to build things like GMail and Search on top of. But there is also the Ads side that benefits from Google Search being the default.
So I guess there are really many benefits for Chrome's existence, and Google Searching being a default is only part of that. But I still stand by my original post and reasoning.
it's also a derived work of KHTML
so complaining that it is being modified to restore it back to its demonetised form reeks of entitlement
> it's taking away potential revenue from Google.
Wow. Yes, that's how competition works. Are people at the tech monopolists really that entitled that they consider the entire world's purse strings theirs to control?
What a bizarre way to justify surveillance. Who said the web browser can't be sold instead? The browser and the search engine should not be developed by the same company, there are clear conflicts of interest there, but we all know why Google provides all of these products and services "for free".
> If this was some smaller company that produced a product that had some default that pointed to one of their SaaS offerings or the like, there would be potential issues raised over the Debian maintainers changing this default.
Well, thankfully this is Google, and not a small company then.
> it's taking away potential revenue from Google.
Google still has 92.5% global market share, 10x more than all other search engines combined https://radar.cloudflare.com/notebooks/searchengines-2022-q1
> Yes, this is Google, yes, this is likely a tiny drop in the bucket for them, but at the same time, it's taking away potential revenue from Google.
Good. Hopefully we will see anti-trust enforcement force Chrome and Android to not default to Google search either.
> but at the same time, it's taking away potential revenue from Google.
many of us see this as a positive
Microsoft also has people contributing to Chrome and apparently DDG searches go to Bing. So no difference.
Nah, it's just a fork of KHTML.