DuckDuckGo is Serious About improving Your Privacy

DuckDuckGo

I use DuckDuckGo exclusively as my search engine. I trust it.

DuckDuckGo’s Quest to Prove Online Privacy Is Possible

Wired – By: Gilad Edelman – “I was driving up through Pennsylvania last summer, somewhere along US Route 15 between Harrisburg and Williamsport, when I saw a familiar face: a goofy cartoon duck wearing a green bowtie. It was the logo for DuckDuckGo, the privacy-focused search engine, along with a message: ‘Tired of Being Tracked Online? We Can Help.’

The sight of a tech company on a billboard in rural Pennsylvania was surprising enough to lodge in my memory. Highways in and out of Silicon Valley may be lined with billboards advertising startups, where they can be easily spied by VCs and other industry influencers, but the post-industrial communities hugging the Susquehanna River will never be confused with Palo Alto. Far more typical are road signs advertising a fireworks store, a sex shop, or Donald Trump. I found it hard to imagine that the other drivers on the road were really the audience for an internet company that occupies a very specific niche.

It turns out DuckDuckGo—itself based in Valley Forge, PA, about 90 miles east of Route 15—knew something I didn’t. According to the company’s market research, just about every demographic wants more data privacy: young, old, male, female, urban, rural. Public polling backs that up, though the results vary based on how the question is asked. One recent survey found that ’93 percent of Americans would switch to a company that prioritizes data privacy if given the option.’ Another reported that 57 percent of Americans would give up personalization in exchange for privacy. Perhaps most telling are the early returns on Apple’s new App Tracking Transparency system, which prompts iOS users to opt in to being tracked by third-party apps rather than handing over their data by default, as has long been standard. According to some estimates, only a tiny minority of users are choosing to allow tracking.

The problem for a company like DuckDuckGo, then, isn’t making people care about privacy; it’s convincing them that privacy is possible. Many consumers, the company has found, have basically thrown up their hands in resignation, concluding that there’s no way out of the modern surveillance economy. It’s easy to see why. Each new story about data privacy, whether it’s about the pervasiveness of tracking, or a huge data breach, or Facebook or Google’s latest violation of user trust, not only underscores the extent of corporate surveillance but also makes it feel increasingly inescapable.

DuckDuckGo is on a mission to prove that giving up one’s privacy online is not, in fact, inevitable. Over the past several years, it has expanded far beyond its original search engine to provide a suite of free privacy-centric tools, including a popular browser extension, that plug up the various holes through which ad tech companies and data brokers spy on us as we browse the internet and use our phones. This year it will roll out some major new products and features, including a desktop browser and email privacy protection. And it will spend more money than it ever has on advertising to get the word out. The long-term goal is to turn DuckDuckGo into an all-in-one online privacy shield—what Gabriel Weinberg, the company’s founder and CEO, calls ‘the ‘easy button’ for privacy.’

‘People want privacy, but they feel like it’s impossible to get,’ Weinberg says. ‘So our main challenge is to make the idea that you can get simple privacy protection credible.’

Whether that mission succeeds could have consequences far beyond DuckDuckGo’s bottom line. DuckDuckGo is operating to some extent in the shadow of Apple, which has already made privacy a core part of its pitch to customers. But DuckDuckGo’s ambition is to provide a suite of protections that are even more extensive and intuitive than Apple’s. And it is offering them to the millions of people who don’t want or can’t afford to use Apple products: Google’s Android operating system accounts for about 50 percent of the mobile market in the US and more than 70 percent worldwide. Perhaps most important, if DuckDuckGo succeeds at bringing simple privacy to the masses, it will mean that the future of privacy might not depend on the relative benevolence of just two corporate overlords.

FOUNDED IN 2008, DuckDuckGo is best known for its search engine. Which means that it has always been defined as a challenger to Google. It has not shied away from the comparison. In 2011, Weinberg, then the company’s sole employee, took out an ad on a billboard in San Francisco that declared, ‘Google tracks you. We don’t.’ That branding—Google, but private—has served the company well in the years since.

‘The only way to compete with Google is not to try to compete on search results,’ says Brad Burnham, a partner at Union Square Ventures, which gave DuckDuckGo its first and only Series A funding in 2011. When the upstart launched, Google already controlled 90 percent of the market and was spending billions of dollars, and collecting data on billions of users, to make its product even better. DuckDuckGo, however, ‘offered something that Google couldn’t offer,’ Burnham says: ‘They offered not to track you. And Google’s entire business model is, obviously, built on the ability to do that, so Google couldn’t respond by saying, ‘OK, we won’t track you either.”

Neither DuckDuckGo nor anyone else came close to stopping Google from dominating search. Today, Google’s market share still hovers around the 90 percent range. But the pie is so enormous—advertisers spent $60 billion on search advertising in the US alone last year, according to eMarketer—that there’s quite a bit of money in even a tiny slice. DuckDuckGo has been profitable since 2014.

Like Google Search, DuckDuckGo makes money by selling ads on top of people’s search results. The difference is that while the ads you see when searching on Google are generally targeted to you in part based on your past searches, plus what Google knows about your behavior more broadly, DuckDuckGo’s are purely ‘contextual’—that is, they are based only on the search term. That’s because DuckDuckGo doesn’t know anything about you. It doesn’t assign you an identifier or keep track of your search history in order to personalize your results.

This non-creepy approach only protects you, however, while you’re on DuckDuckGo. ‘You’re anonymous on the search engine, but once you click off, now you’re going to other websites where you’re less anonymous,’ Weinberg says. ‘How can we protect you there?’

DuckDuckGo’s first answer to that question rolled out in 2018, with the launch of a desktop browser extension and mobile browser that block third-party trackers by default wherever a user goes on the internet. It was good timing: 2018 was a banner year for raising privacy awareness. Facebook’s Cambridge Analytica scandal broke that spring. The GDPR took effect in Europe, throwing into relief how little the US regulates data collection. That summer, the Associated Press revealed that many Google services were storing your location data even if you explicitly opted out. Data collection and privacy were firmly in the national conversation. Since then, congressional inquiries, antitrust lawsuits, Netflix documentaries, and a growing feud between Apple and Facebook have kept it there.

‘One of the funny things about DuckDuckGo is that the single best marketing we’ve ever had has been the gaffes that Google and Facebook have made over the years,’ says Burnham. ‘Cambridge Analytica, for instance, was a huge driver of adoption for DuckDuckGo. There is an increasing awareness of how this business model works and what it means—not just in terms of the loss of privacy and agency over our own data, but also what it means for the vibrance and success of an open marketplace.’

Awareness is one thing, action another. DuckDuckGo was in position to capitalize on the rising tide of scandal because it has a reputation for building products that work. In 2019, for instance, it added a feature to its extension and browser that directs users to encrypted versions of websites whenever possible, preventing would-be hackers or ISPs from, say, looking over your shoulder as you type a password into a web page. While other encryption tools work by manually creating lists of tens of thousands of websites in need of an upgrade, DuckDuckGo crawled the internet to automatically populate a list of more than 12 million sites. The Electronic Frontier Foundation recently announced that it would incorporate DuckDuckGo’s dataset for its own HTTPS Everywhere extension. Similarly, Apple uses DuckDuckGo’s Tracker Radar dataset—a continuously updated, publicly available list of trackers assembled using open-source code—for Safari’s tracking prevention.

Weinberg is particularly proud of DuckDuckGo’s tracker prevention. Surveillance is so built into the infrastructure of the web that many sites will stop functioning if you block all cookies. Take Google Analytics, which is found on the vast majority of websites. ‘If you just straight-up block Google Analytics, you’ll break sites,’ Weinberg says. As a result, mainstream browsers with tracking prevention, like Safari and Firefox, allow trackers to load, then try to restrict the data they can gather.

‘They’re more inclined to err on the side of not breaking websites,’ explains Bennett Cyphers, a technologist at the Electronic Frontier Foundation. ‘They will try and do this middle ground thing where they’ll load resources but restrict what Google can do once it’s in your browser.’

The problem is that even allowing a tracker to load in the first place can allow it to gather highly specific data about the user, including their IP address. So DuckDuckGo, like some other privacy extensions, works differently. It simply prevents the cookie from loading at all. To avoid the broken-site problem, it replaces some trackers with a dummy that essentially tricks the site into thinking the cookie has loaded, a technique called ‘surrogates’ pioneered by the ad blocker uBlock Origin.

Ultimately, DuckDuckGo probably owes its success less to the technical aspects of its tracker prevention, which very few people are in any position to understand, than to the fact that the company does a pretty good job honoring its slogan: ‘Privacy, simplified.’ Its products don’t require a user to toggle any elaborate settings. They simply include encryption, tracker blocking, and private search automatically.

Since their launch, the extension and mobile browser have experienced rapid user growth. According to DuckDuckGo, the extension and browser have together been downloaded more than 100 million times since 2018, and more than half of those downloads took place over the past twelve months. That growth has in turn helped juice the use of the original search engine, which is built into mobile app. The company estimates that its search user count doubled over the past year to between 70 and 100 million. (It’s an estimate because they don’t track users.) According to StatCounter, DuckDuckGo now has the second highest share of the US mobile search market, edging out Bing and Yahoo. (A distant second, that is: 2 percent to Google’s 94 percent.) DuckDuckGo says its annual revenue is over $100 million.

This year, the company plans to significantly expand its privacy offerings. It is introducing a desktop browser, incorporating the same features as the existing mobile app. Currently, even someone with the DuckDuckGo privacy extension can’t stop Google from gathering some data on them if they’re using Chrome, for example.

DuckDuckGo is also adding two new features to its existing extension and mobile app. The first is email privacy protection. Weinberg says that his company’s researchers found that some 70 percent of emails have some sort of tracker embedded in them. That includes not just corporate promotional emails, but just about any newsletter or fundraising email that’s sent using an automated service. In nearly a third of those cases, Weinberg says, the trackers are sending users’ plaintext email addresses over the internet, potentially exposing them to any number of marketers, data brokers, and shadier actors. The email tool is designed to thwart that by forwarding messages through a DuckDuckGo email address, which will remove the trackers before sending them along to inboxes. It also will allow people to generate random email addresses whenever they have to use email to sign up for something. (Apple recently announced a similar feature for the Mail app on iOS.) In theory, DuckDuckGo could have created its own email client, but Weinberg recognizes getting users to switch their email providers is prohibitively difficult.

‘Our goal is simplicity, right?’ he says. ‘We want to make privacy simple and seamless without sacrifice for users.’

The final new tech DuckDuckGo is unveiling this year operates on a similar principle. A new feature within its Android app will operate in the background, even when the app itself is not in use, to block third parties from tracking you through any other app on your phone. It does that by using the phone’s VPN permission to route all traffic through DuckDuckGo, so that, as with the email trackers, it can block requests from anyone on its tracker list before they have an opportunity to gather any user data. (Again, this is somewhat analogous to Apple’s App Tracking Transparency on iOS. It will not stop first-party data collection, meaning the app you’re using can still collect your data. But it won’t be able to pass that data through to other companies, including Facebook, which currently tracks users through a vast number of unrelated apps.)

Taken together, the new features, which the company says will be available in beta this summer, represent DuckDuckGo’s evolving mission to create what Weinberg calls ‘the privacy layer of the internet.’

‘The ideal case for that from a user perspective is, you download DuckDuckGo and you’re just protected wherever you go online,’ he says. ‘We’re obviously not there yet, but that’s the product vision.’

So, about those billboards.

The company’s reliance on old-school advertising mediums—in addition to billboards, DuckDuckGo is partial to radio ads—is partly of necessity: As a privacy-focused business, it refuses to do any microtargeted online advertising. (Even when it advertises on a social media site like Twitter, Weinberg says it doesn’t set any demographic targeting parameters.) But the strategy also stems from the company’s market research, which has found that precise targeting would be a waste of money anyway.

‘People who care about privacy, who act on privacy, who would adopt a DuckDuckGo product—they’re actually not a very niche audience,’ says Zac Pappis, head of the company’s user insight team. ‘People who act and care about privacy don’t fall into a particular age group or demographic or have a particular psychographic background, so that makes them easier to reach.’

To put it in advertising parlance, this means DuckDuckGo spends its marketing budget on brand awareness. Ordinary people around the country don’t need to be convinced to care about privacy, the theory goes—they just need to learn that a solution exists. ‘Our current top business priority is to be the household name for simple online privacy protection,’ Weinberg says. ‘So when you think about privacy online, we want you to turn to DuckDuckGo.’

To that end, the company is investing in its biggest marketing blitz to date this year, devoting tens of millions to an advertising push—so expect more billboards and more radio ads during those summer road trips. Weinberg believes the time is ripe. He points out the fact that tech giants like Apple, Facebook, and Google have all been raising the salience of privacy through very public battles over their policies and products. Plus, the ongoing antitrust lawsuits against the tech giants will draw more attention to those companies’ business practices, including around user privacy. One of the cases, brought by the Department of Justice, could even give DuckDuckGo a direct boost by preventing Google from being set as the default search engine on phones.

DuckDuckGo has competition. Companies like Ghostery offer tracking protection. Brave has a well-regarded privacy browser. The Netherlands-based Startpage offers search without tracking. But in the US, at least, DuckDuckGo has a strong position in the privacy market. In a sector where users have to trust that your product works the way you say it does, a decade-long track record without any privacy scandals establishes important credibility. ‘They’re probably the biggest name right now, probably because of the popularity of their search engine,’ says Jon Callas, director of technology products at the Electronic Frontier Foundation.

But being the biggest name among people with a special interest in online privacy still amounts to being a big fish in a small pond. Weinberg believes DuckDuckGo can change that. He is convinced that the pond is actually huge. It just doesn’t know it yet.”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.