If I go to https://duckduckgo.com/ and search for “POTENTIALLY DAMAGING SEARCH TERM“, duckduckgo.com claim on their privacy page that they don’t keep a log connecting my IP address to that search term. Here is an exact quote:
“When you access Duck Duck Go (or any Web site), your Web browser automatically sends your type of browser and IP address. Because this information could be used to link you to your searches, we do not log (store) it at all.”
This is a good thing because it means the government can’t get access to the server and search for “POTENTIALLY DAMAGING SEARCH TERM“ in the logs to get a list of IPs of people who searched for it.
When I do the search though, what other HTTP requests take place? Here’s an example of one which my browser sends to ddgw.s3.amazonaws.com:
GET /consumerreports.org.ico HTTP/1.1 Host: ddgw.s3.amazonaws.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:126.96.36.199) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: https://duckduckgo.com/?q=POTENTIALLY+DAMAGING+SEARCH+TERM&v=d
Take a look at the “Referer” HTTP header there… So Amazon probably has a log of DuckDuckGo searches, along with IP addresses and browser user agents simply by virtue of doing standard web access logging. They certainly could log that information if they wanted to. I did actually report this problem a couple of months ago, but it’s still an issue today.
Gabriel has now fixed this problem.