Grepular

DuckDuckGo Searches Are Not Anonymous

Written 14 years ago by Mike Cardwell

If I go to https://duckduckgo.com/ and search for “POTENTIALLY DAMAGING SEARCH TERM”, duckduckgo.com claim on their privacy page that they don’t keep a log connecting my IP address to that search term. Here is an exact quote:

“When you access Duck Duck Go (or any Web site), your Web browser automatically sends your type of browser and IP address. Because this information could be used to link you to your searches, we do not log (store) it at all.”

This is a good thing because it means the government can’t get access to the server and search for “POTENTIALLY DAMAGING SEARCH TERM” in the logs to get a list of IPs of people who searched for it.

When I do the search though, what other HTTP requests take place? Here’s an example of one which my browser sends to ddgw.s3.amazonaws.com:

GET /consumerreports.org.ico HTTP/1.1
Host: ddgw.s3.amazonaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://duckduckgo.com/?q=POTENTIALLY+DAMAGING+SEARCH+TERM&v=d

Take a look at the “Referer” HTTP header there… So Amazon probably has a log of DuckDuckGo searches, along with IP addresses and browser user agents simply by virtue of doing standard web access logging. They certainly could log that information if they wanted to. I did actually report this problem a couple of months ago, but it’s still an issue today.
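The following is an added example, not code from the original post or from DuckDuckGo: a check that flags captured requests whose Referer hands a search term to a different host, plus the Referer that three standard Referrer-Policy values would produce instead. The function names and the trimmed sample request are constructed for illustration, and the post does not say which fix DuckDuckGo actually applied.

```javascript
// Added example: audit captured HTTP requests for search terms leaking to
// third-party hosts through the Referer header. Function names are hypothetical.

// Constructed sample, trimmed from the request shown in the post.
const captured = [
  'GET /consumerreports.org.ico HTTP/1.1',
  'Host: ddgw.s3.amazonaws.com',
  'Referer: https://duckduckgo.com/?q=POTENTIALLY+DAMAGING+SEARCH+TERM&v=d',
  '', ''
].join('\r\n');

// Parse the header block of a raw request into a lower-cased name -> value map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Report a leak when the request goes to a different host than the referring
// page and the Referer still carries the given query parameter.
function findRefererLeak(raw, param = 'q') {
  const h = parseHeaders(raw);
  if (!h.referer || !h.host) return null;
  let ref;
  try { ref = new URL(h.referer); } catch { return null; }
  if (ref.host === h.host.toLowerCase()) return null; // first party sees the query anyway
  const term = ref.searchParams.get(param);
  return term === null ? null : { sentTo: h.host, from: ref.host, term };
}

// Referer a browser sends cross-origin (HTTPS to HTTPS) under a few standard
// Referrer-Policy values; other policy values are not modelled here.
function refererUnderPolicy(pageUrl, policy) {
  const u = new URL(pageUrl);
  switch (policy) {
    case 'no-referrer': return null;
    case 'origin':
    case 'strict-origin-when-cross-origin': return u.origin + '/';
    case 'unsafe-url': u.hash = ''; return u.href; // full URL, query included
    default: throw new Error('policy not modelled: ' + policy);
  }
}

console.log(findRefererLeak(captured));
console.log(refererUnderPolicy('https://duckduckgo.com/?q=x&v=d', 'origin'));
```
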

Update (2010-May-21):

Gabriel has now fixed this problem.
