In late November, hotel conglomerate Marriott International disclosed that the personal information of some 500 million customers — including home addresses, phone numbers, and credit card numbers — had been exposed as part of a data breach affecting its Starwood Hotels and Resorts network. One day earlier, the venerable breakfast chain Dunkin’ (née Donuts) announced that its rewards program had been compromised. Only two weeks before that, it was revealed that a major two-factor authentication provider had exposed millions of temporary account passwords and reset links for Google, Amazon, HQ Trivia, Yahoo, and Microsoft users.
These were just the icing on the cake for a year of compromised data: Adidas, Orbitz, Macy’s, Under Armour, Sears, Forever 21, Whole Foods, Ticketfly, Delta, Panera Bread, and Best Buy, just to name a few, were all affected by security breaches.
Meanwhile, there’s a growing sense that the tech giants have finally turned on their users. Amazon dominates so many facets of the online shopping experience that legislators may have to rewrite antitrust law to rein them in. Google has been playing fast and loose with its “Don’t Be Evil” mantra by almost launching a censored search engine for the Chinese government while simultaneously developing killer A.I. for Pentagon drones. And we now know that Facebook collected people’s personal data without their consent, had third party deals that would have allegedly made it possible for Spotify and Netflix to look at users’ private messages, fueled fake news and the rise of Donald Trump, and was used to facilitate a genocide in Myanmar.
The backlash against these companies dominated our national discourse in 2018. The European Union is cracking down on anticompetitive practices at Amazon and Google. Both Facebook and Twitter have had their turns in the congressional hot seat, facing questions from slightly confused but definitely irate lawmakers about how the two companies choose what information to show us and what they do with our data when we’re not looking. Worries over privacy have led everyone from the New York Times to Brian Acton, the disgruntled co-founder of Facebook-owned WhatsApp, to call for a Facebook exodus. And judging by Facebook’s stagnating rate of user growth, people seem to be listening.
For Gabriel Weinberg, the founder and CEO of privacy-focused search engine DuckDuckGo, our growing tech skepticism recalls the early 1900s, when Upton Sinclair’s novel The Jungle revealed the previously unexamined horrors of the meatpacking industry. “Industries have historically gone through periods of almost ignorant bliss, and then people start to expose how the sausage is being made,” he says.
This, in a nutshell, is DuckDuckGo’s proposition: “The big tech companies are taking advantage of you by selling your data. We won’t.” In effect, it’s an anti-sales sales pitch. DuckDuckGo is perhaps the most prominent of a number of small but rapidly growing firms attempting to make it big — or at least sustainable — by putting their customers’ privacy and security first. And unlike the previous generation of privacy products, such as Tor or SecureDrop, these services are easy to use and intuitive, and their user bases aren’t exclusively composed of political activists, security researchers, and paranoiacs. The same day Weinberg and I spoke, DuckDuckGo’s search engine returned results for 33,626,258 queries — a new daily record for the company. Weinberg estimates that since 2014, DuckDuckGo’s traffic has been increasing at a rate of “about 50 percent a year,” a claim backed up by the company’s publicly available traffic data.
“You can run a profitable company — which we are — without [using] a surveillance business model,” Weinberg says. If he’s right, DuckDuckGo stands to capitalize handsomely off our collective backlash against the giants of the web economy and establish a prominent brand in the coming era of data privacy. If he’s wrong, his company looks more like a last dying gasp before surveillance capitalism finally takes over the world.
DuckDuckGo is based just east of nowhere. Not in the Bay Area, or New York, or Weinberg’s hometown of Atlanta, or in Boston, where he and his wife met while attending MIT. Instead, DuckDuckGo headquarters is set along a side street just off the main drag of Paoli, Pennsylvania, in a building that looks like a cross between a Pennsylvania Dutch house and a modest Catholic church, on the second floor above a laser eye surgery center. Stained-glass windows look out onto the street, and a small statue of an angel hangs precariously off the roof. On the second floor, a door leading out to a balcony is framed by a pair of friendly looking cartoon ducks, one of which wears an eye patch. Just before DuckDuckGo’s entrance sits a welcome mat that reads “COME BACK WITH A WARRANT.”
“People don’t generally show up at our doorstep, but I hope that at some point it’ll be useful,” Weinberg tells me, sitting on a couch a few feet from an Aqua Teen Hunger Force mural that takes up a quarter of a wall. At 39, he is energetic, affable, and generally much more at ease with himself than the stereotypical tech CEO. The office around us looks like it was furnished by the set designer of Ready Player One: a Hitchhiker’s Guide to the Galaxy print in the entryway, Japanese-style panels depicting the Teenage Mutant Ninja Turtles in the bathroom, and a vintage-looking RoboCop pinball machine in the break room. There’s even a Lego model of the DeLorean from Back to the Future on his desk. The furniture, Weinberg tells me, is mostly from Ikea. The lamp in the communal area is a hand-me-down from his mom.
Weinberg learned basic programming on an Atari while he was still in elementary school. Before hitting puberty, he’d built an early internet bulletin board. “It didn’t really have a purpose” in the beginning, Weinberg says. The one feature that made his bulletin board unique, he says, was that he hosted anonymous AMA-style question panels with his father, an infectious disease doctor with substantial experience treating AIDS patients. This was during the early 1990s, when the stigma surrounding HIV and AIDS remained so great that doctors were known to deny treatment to those suffering from it. Weinberg says that the free—and private—medical advice made the board a valuable resource for the small number of people who found it. It was an early instance of Weinberg’s interest in facilitating access to information, as well as a cogent example of the power of online privacy: “The ability to access informational resources anonymously actually opens up that access significantly,” he told me over email.
After graduating from MIT in 2001, Weinberg launched a slew of businesses, none of which are particularly memorable. First there was an educational software program called Learnection. (“Terrible name… the idea was good, but 15 years too early,” he says.) Then he co-founded an early social networking company called Opobox, taking on no employees and writing all the code himself. “Facebook just kind of obliterated it,” Weinberg says, though he was able to sell the network to the parent company of Classmates.com for roughly $10 million in cash in 2006.
It was around that time when Weinberg began working on what would become DuckDuckGo. Google had yet to achieve total hegemony over the internet search field, and Weinberg felt that he could create a browser plugin that might help eliminate the scourge of spammy search results in other search engines.
To build an algorithm that weeded out bad search results, he first had to do it by hand. “I took a large sample of different pages and hand-marked them as ‘spam’ or ‘not spam.’” The process of scraping the web, Weinberg says, inadvertently earned him a visit from the FBI. “Once they realized I was just crawling the web, they just went away,” he says. He also experimented with creating a proto-Quora service that allowed anyone to pose a question and have it answered by someone else, as well as a free alternative to Meetup.com. Eventually, he combined facets of all three efforts into a full-on search engine.
When Weinberg first launched DuckDuckGo in 2008 — the name is a wink to the children’s game of skipping over the wrong options to get to the right one — he differentiated his search engine by offering instant answers to basic questions (essentially an early open-source version of Google’s Answer Box), spam filtering, and highly customizable search results based on user preferences. “Those [were] things that early adopters kind of appreciated,” he says.
At the time, Weinberg says, consumer privacy was not a central concern. In 2009, when he made the decision to stop collecting personal search data, it was more a matter of practicality than a principled decision about civil liberties. Instead of storing troves of data on every user and targeting those users individually, DuckDuckGo would simply sell ads against search keywords. Most of DuckDuckGo’s revenue, he explains, is still generated this way. The system doesn’t capitalize on targeted ads, but, Weinberg says, “I think there’s a choice between squeezing out every ounce of profit and making ethical decisions that aren’t at the expense of society.”
Until 2011, Weinberg was DuckDuckGo’s sole full-time employee. That year, he pushed to expand the company. He bought a billboard in Google’s backyard of San Francisco that proudly proclaimed, “Google tracks you. We don’t.” (That defiant gesture and others like it were later parodied on HBO’s Silicon Valley.) The stunt paid off in spades, doubling DuckDuckGo’s daily search traffic. Weinberg began courting VC investors, eventually selling a minority stake in the company to Union Square Ventures, the firm that has also backed SoundCloud, Coinbase, Kickstarter, and Stripe. That fall, he hired his first full-time employee, and DuckDuckGo moved out of Weinberg’s house and into the strangest-looking office in all of Paoli, Pennsylvania.
Then, in 2013, digital privacy became front-page news. That year, NSA contractor Edward Snowden leaked a series of documents to the Guardian and the Washington Post revealing the existence of the NSA’s PRISM program, which granted the agency unfettered access to the personal data of millions of Americans through a secret back door into the servers of Google, Yahoo, Facebook, Apple, and other major internet firms. Though Google denied any knowledge of the program, the reputational damage had been done. DuckDuckGo rode a wave of press coverage, enjoying placement in stories that offered data privacy solutions to millions of newly freaked-out people worried that the government was spying on them.
“All of a sudden we were part of this international story,” Weinberg says. The next year, DuckDuckGo turned a profit. Shortly thereafter, Weinberg finally started paying himself a salary.
Today, DuckDuckGo employs 55 people, most of whom work remotely from around the world. (On the day I visited, there were maybe five employees in the Paoli office, plus one dog.) This year, the company went through its second round of VC funding, accepting a $10 million investment from Canadian firm OMERS. Weinberg insists that both OMERS and Union Square Ventures are “deeply interested in privacy and restoring power to the non-monopoly providers.” Later, via email, Weinberg declined to share DuckDuckGo’s exact revenue, beyond the fact that its 2018 gross revenue exceeded $25 million, a figure the company has chosen to disclose in order to stress that it is subject to the California Consumer Privacy Act. Weinberg feels that the company’s main challenge these days is improving brand recognition.
“I don’t think there’s many trustworthy entities on the internet, just straight-up,” he says. “Ads follow people around. Most people have gotten multiple data breaches. Most people know somebody who’s had some kind of identity theft issue. The percentage of people who’ve had those events happen to them has just grown and grown.”
The recent investment from OMERS has helped cover the cost of DuckDuckGo’s new app, launched in January 2018. The app, a lightweight mobile web browser for iOS and Android that’s also available as a Chrome plugin, is built around the DuckDuckGo search engine. It gives each site you visit a letter grade based on its privacy practices and has an option to let you know which web trackers — usually ones from Google, Facebook, or Comscore — it blocked from monitoring your browsing activity. After you’ve finished surfing, you can press a little flame icon and an oddly satisfying animated fire engulfs your screen, indicating that you’ve deleted your tabs and cleared your search history.
The rest of the recent investment, Weinberg says, has been spent on “trying to explain to people in the world that [DuckDuckGo] exists.” He continues, “That’s our main issue — the vast majority of people don’t realize there’s a simple solution to reduce their [online] footprint.” To that end, DuckDuckGo maintains an in-house consumer advocacy blog called Spread Privacy, offering helpful tips on how to protect yourself online as well as commentary and analysis on the state of online surveillance. Its most recent initiative was a study on how filter bubbles — the term for how a site like Google uses our data to show us what it thinks we want — can shape the political news we consume.
Brand recognition is a challenge for a lot of startups offering privacy-focused digital services. After all, the competition includes some of the biggest and most prominent companies in the world: Google, Apple, Facebook. And in some ways, this is an entire new sector of the market. “Privacy has traditionally not been a product; it’s been more like a set of best practices,” says David Temkin, chief product officer for the Brave web browser. “Imagine turning that set of best practices into a product. That’s kind of where we’re going.”
Like DuckDuckGo — whose search engine Brave incorporates into its private browsing mode — Brave doesn’t collect user data and blocks ads and web trackers by default. In 2018, Brave’s user base exploded from 1 million to 5.5 million, and the company reached a deal with HTC to be the default browser on the manufacturer’s upcoming Exodus smartphone.
Temkin, who first moved out to the Bay Area in the early ’90s to work at Apple, says that the past two decades of consolidation under Google/Facebook/Netflix/Apple/Amazon have radically upended the notion of the internet as a safe haven for the individual. “It’s swung back to a very centralized model,” he says. “The digital advertising landscape has turned into a surveillance ecosystem. The way to optimize the value of advertising is through better targeting and better data collection. And, well, water goes downhill.”
In companies such as Brave and DuckDuckGo, Temkin sees a return to the more conscientious attitude behind early personal computing. “I think to an ordinary user, [privacy] is starting to sound like something they do need to care about,” he says.
But to succeed, these companies will have to make privacy as accessible and simple as possible. “Privacy’s not gonna win if it’s a specialist tool that requires an expert to wield,” Temkin says. “What we’re doing is trying to package [those practices] in a way that’s empathetic and respectful to the user but doesn’t impose the requirement for knowledge or the regular ongoing annoyance that might go with maintaining privacy on your own.”
In November, I decided to switch my personal search querying to DuckDuckGo in order to see whether it was a feasible solution to my online surveillance woes. Physically making the switch is relatively seamless. The search engine is already an optional default in browsers such as Safari, Microsoft Edge, and Firefox, as well as more niche browsers such as Brave and Tor, the latter of which made DuckDuckGo its default search in 2016.
Actually using the service, though, can be slightly disorienting. I use Google on a daily basis for one simple reason: It’s easy. When I need to find something online, it knows what to look for. To boot, it gives me free email, which is connected to the free word processor that my editor and I are using to work on this article together in real time. It knows me. It’s only when I consider the implications of handing over a digital record of my life to a massive company that the sense of free-floating dread about digital surveillance kicks in. Otherwise, it’s great. And that’s the exact hurdle DuckDuckGo is trying to convince people to clear.
Using DuckDuckGo can feel like relearning to walk after you’ve spent a decade flying. On Google, a search for, say, “vape shop” yields a map of vape shops in my area. On DuckDuckGo, that same search returns a list of online vaporizer retailers. The difference, of course, is the data: Google knows that I’m in Durham, North Carolina. As far as DuckDuckGo is concerned, I may as well be on the moon.
That’s not to say using DuckDuckGo is all bad. For one, it can feel mildly revelatory knowing that you’re seeing the same search results that anyone else would. It restores a sense of objectivity to the internet at a time when being online can feel like stepping into The Truman Show — a world created to serve and revolve around you. And I was able to look up stuff I wanted to know about — how to open a vacuum-sealed mattress I’d bought off the internet, the origin of the martingale dog collar, the latest insane thing Donald Trump did — all without the possibility of my search history coming back to haunt me in the form of ads for bedding, dog leashes, or anti-Trump knickknacks. Without personalized results, DuckDuckGo just needs to know what most people are looking for when they type in search terms and serve against that. And most of the time, we fit the profile of most people.
When I asked Weinberg if he wanted to displace Google as the top search engine in all the land, he demurred. “I mean, I wouldn’t be opposed to it,” he says, “but it’s really not our intention, and I don’t expect that to happen.” Instead, he’d like to see DuckDuckGo as a “second option” to Google for people who are interested in maintaining their online anonymity. “Even if you don’t have anything to hide, it doesn’t mean you want people to profit off your information or be manipulated or biased against as a result [of that information],” he says.
Even though DuckDuckGo may serve a different market and never even challenge Google head-on, the search giant remains its largest hurdle in the long term. For more than a decade, Google has been synonymous with search. And that association is hard, if not impossible, to break.
In the meantime, the two companies are on frosty terms. In 2010, Google obtained the domain duck.com as part of a larger business deal in a company formerly known as Duck Co. For years, the domain would redirect to Google’s search page, despite seeming like something you’d type into your browser while trying to get to DuckDuckGo. After DuckDuckGo petitioned for ownership for nearly a decade, Google finally handed over the domain in December. The acquisition was a minor branding coup for DuckDuckGo — and a potential hedge against accusations of antitrust for Google.
That doesn’t mean relations between the two companies have improved. As the Goliath in the room, Google could attempt to undercut DuckDuckGo’s entire business proposition. Over the past few years, even mainstream players have attempted to assuage our privacy anxieties by offering VPNs (Verizon), hosting “privacy pop-ups” (Facebook), and using their billions to fight against state surveillance in court (Microsoft). With some tweaks, Google could essentially copy DuckDuckGo wholesale and create its own privacy-focused search engine with many of the same protections DuckDuckGo has built its business on. Whether people would actually believe that Google, a company that muscled its way into becoming an integral part of the online infrastructure by selling people’s data, could suddenly transform into a guardian of that data remains to be seen.
When it comes to the internet, trust is something easily lost and difficult to regain. In a sense, every time a giant of the internet surveillance economy is revealed to have sold out its customers in some innovatively horrifying way, the ensuing chaos almost serves as free advertising for DuckDuckGo. “The world keeps going in a bad direction, and it makes people think, ‘Hey, I would like to escape some of the bad stuff on the internet and go to a safer place,’” Weinberg says. “And that’s where we see ourselves.”