💾 Archived View for zelena.flounder.online › gemlog › 2023-04-02_DuckDuckGo_Leaking_Location.gmi captured on 2024-08-24 at 23:37:26. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-04-19)

-=-=-=-=-=-=-

DuckDuckGo Is Leaking Location Data And Could Be Violating FTC Guidelines

I've been using DuckDuckGo almost since it first launched. Occasionally I'd get these weird completely unrelated search results that seem to have an unreasonable understanding of my location data.

DuckDuckGo weird results

More recently, the frequency of these results has risen to an alarming rate. They now happen daily. They used to appear only at the end of several pages after the search was exhausted, but now they are appearing at the end of the first or second page before resuming real search results.

More strangely specific location results

The only way DuckDuckGo could be receiving such intensely personalized location-based results is if they were revealing that information somewhere. DuckDuckGo passed that information to Microsoft's Bing to complete the search. Bing then uses that information for advertising purposes and returns the results to DuckDuckGo.

According to DuckDuckGo, they use your IP address to perform a GEO::IP lookup to get a general idea of your location.[1] They then forward this information to Bing along with your search request.

[1] How DuckDuckGo gets location data

This is the *standard* for how websites get your location. It is not privacy respecting.

If you searched through Bing directly, they'd perform the exact same GEO::IP lookup. It's no different if DuckDuckGo is the one performing the lookup then hands it to Bing. The location data is one of the most important parts about an IP address that needs to be protected. They are willingly handing it over. This is negligence at best, and demonstrates a failure to understand what sort of metadata needs to be protected to ensure privacy.

While the specific IP address itself is more identifying, there's still a lot to be learned from the metadata. The difference is telling someone you just got a call from a specific phone number vs telling them you just got a call from your mom. Both ways they could figure out who the call was with.

I was once able to find the EXACT building someone was located in using just a GEO::IP lookup and the word "library". That was me doing a manual search with two points of data. Companies like Bing have vastly larger pools of data points to pull from and automated systems that further aid targeting you.

This is DuckDuckGo leaking location data. That's not okay for a service that claims to be protecting user privacy. At this point it feels like DuckDuckGo is a paper-thin front for Bing. After so many miss-steps by them, I'm left wondering what they actually do to protect privacy.

This is worse than services like StartPage who at least proxy your data, preventing their partnered search engine from getting your true location. In the following screenshot, I've intentionally attempted to coax out location related information. Startpage uses the proxy's location, while DuckDuckGo's top result, shall we say, hits too close to home.

StartPage and DuckDuckGo search comparison

A GEO::IP is far more accurate than their help pages imply. They should not be misinforming users like this.

I would guess this search result pollution is an intentional workaround to circumvent users who use ad-block. Ads injected as regular results are more difficult to detect. Not only is that intensely disrespectful towards users, it could land them in legal trouble.

These ads are not labeled as ads. In the FTC's response to the 2002 Search Engine Letter[2], it was mentioned that including unlabeled ads as search results "are violating Section 5 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 45(a)(1),(1) by failing to disclose that advertisements are inserted into search engine results lists."

[2] Commercial Alert Response Letter (2002 Search Engine Letter Response)

The FTC decided not to press charges at the time, since it was a new and evolving technology. They instead release a set of guidelines for search engines to follow to avoid "possible future Commission action", giving them a chance to fix it in advance. These guidelines were emailed to search engine companies of the time, which was before DuckDuckGo's creation. But the information is publicly available.

In 2013, an update to these search engine guidelines was published.[3] Interestingly, this time DuckDuckGo was mentioned. DuckDuckGo should be aware of these guidelines.

The updated guidance has been sent to the general-purpose search engines AOL, Ask.com, Bing, Blekko, **DuckDuckGo,** Google, and Yahoo!, as well as 17 of the most heavily trafficked search engines that specialize in the areas of shopping, travel, and local business, and that display advertisements to consumers.

[3] FTC Consumer Protection Staff Updates Agency's Guidance to Search Engine Industry on the Need to Distinguish Between Advertisements and Search Results

A summary of the updated letter[4] outlines generally the following advice:

Including or ranking a search result in whole or in part based on payment is a form of advertising. To avoid the potential for deception, consumers should be able to easily distinguish a natural search result from advertising that a search engine delivers.

[4] Updated Letter

In point 1, "Clarity and Prominence of Advertising Disclosures Are Key", the letter advises using visual queues and text labels. This is why Google ads have the yellow "AD" text in the corner of their ads. That much is significant enough to distinguish what is an ad.

DuckDuckGo, as of today, is not including any indicators to distinguish this advertising. Their ads are identical in form to the search results they provide.

At this point, DuckDuckGo has betrayed its users too many times. They have made too many anti-consumer decisions and business deals. They've lied about the effectiveness of its services. They have lost my trust completely now.

Enough is enough. I am dropping DuckDuckGo and will not be recommending it to anyone. Goodbye.