Changes, updates and notes. March 2, 2017:

Based on a conversation and email correspondence with Gabriel Weinberg in December ’16, as well as several emails and follow up emails with DDG and StartPage and additional research:

– Added a note regarding ixquick.eu in the intro.

– Changed “Look and Feel – Homepage” – DuckDuckGo adjusted their index page so information that was previously in a slider is now available just by scrolling down.

– Changed “Look and Feel – The search” – Removed the mention of Yahoo helping DDG get fast loading times as Yahoo had nothing to do with this.

– Changed section title “Interesting Partnerships” to “Partnerships and Hosting”.

– Changed “Look and Feel – Search results, Images – StartPage” – Added additional information.

– Added “Omissions”.

– Changes to “Interesting Partnerships – DuckDuckGo and Amazon” to correct my assumption that traffic contents to and from DDG are visible to Amazon.

– Changes to “Interesting Partnerships – DuckDuckGo and Yahoo” Added explanation for the DDG removal of Yahoo logo and Yahoo web pages from their site.

– Changes to “Logging” – Removed “In the case of DuckDuckGo it’s hard to say if Amazon and/or Yahoo log any sensitive data flowing to and from their servers.” as it was based on the same assumption about traffic contents to and from DDG.

– Changes to “Location – DuckDuckGo” – Removed reference to Yahoo as US based company as, from what I understand, only Yahoo technologies are used, not actual servers or infrastructure. Also added quote from DDG and some more text.

– Changes to “Additional features – DuckDuckGo – Bangs” – Explaining privacy implications of using bangs.

– Changes to “Additional features – StartPage – Maps” – Mentioning OpenStreetMap integration.

– Added “Certification”.

– Added “Referers”.

– Added “Behind the Engine”.

– Added “Law”.

The previous version (original) of this article can be found here.

As this has become a fairly lengthy article, I have created topic shortcuts that make content easier to find and/or to link to.

In 2013 I wrote a basic comparison between DuckDuckGo (DDG) and Startpage. That article has since been viewed several hundreds of thousands of times and I receive regular requests for updates. Has anything changed since then? Is DDG the new king? Let’s find out.

Last time I explained why Startpage was my search engine of choice. This time I’ll do a side by side comparison of both covering features and everything that matters when it comes to privacy and security.

I use startpage.com in most of my examples but you can use ixquick.com as well. Everything mentioned in this article applies to ixquick.com too, as the two sites merged earlier this year. There is also ixquick.eu, which returns results from search engines that are not Google (Yahoo, Yandex, Statesman). I found no visible difference in use of ixquick.com or .eu so I won’t mention .eu in the rest of the article. NOTE: Due to Google’s recent omission of content that affected StartPage, the ixquick.eu site is mentioned once as an alternative engine.



Look and Feel – Homepage

The vast majority of people I know don’t use a search engine’s homepage to perform a search. Instead they use the browser’s address bar or designated search field. This doesn’t mean there aren’t a lot of people out there using search engines the classic way: open searchengineofchoice.com > type search. So the homepage can be important, as a lot of people see and use it often.

StartPage

A clean and simple homepage. Rather than having additional links and information in a slide deck it’s readily available without making the page appear messy or crowded. To learn more about how StartPage works I can click the arrow at the bottom of the page which just extends the current page. When I’m done reading I just scroll up and enter my search. They make adding the search engine to your browser very easy too, it’s right there. “Add to Firefox” (or Safari, the URL and wording adjust depending on the browser you use to visit the page) shows a small information window with instructions and you’re done in just a few seconds.

DuckDuckGo



Also clean and simple and easy to see where to type to start a search. Previously an impractical slide deck presented additional information but took you away from the index page. DDG changed this so now all one has to do for additional information is simply scroll down. A much better experience and actually smoother than that of StartPage as the ‘down’ button does not even have to be clicked, just scroll and read. Once done reading you can dismiss that information forever and all you’re left with is a clean index page with a search bar (which can also be invoked by going straight to start.duckduckgo.com).

This one goes to DuckDuckGo.



Look and Feel – The search

Here there are really only two things that matter, for me anyway. Search suggestions as I’m typing and how fast it performs the search and loads my results.

Search suggestions

Both engines can do it. DDG does so by default but for StartPage you have to enable it in the settings.

Speed

DuckDuckGo loads results faster. Of course being served through Amazon AWS helps a lot in this regard. When it comes to web results, the engines are matched. However, on an image search StartPage is clearly slower. Slow enough to notice the difference but not slow enough to be annoying.

DuckDuckGo is superior here.



Look and Feel – Search results, Web

The page every user will see, regardless of which search method they use, is the results page. The search results must be accurate, relevant and easy to read. Loading more results or switching between “web”, “image” and “video” should also be easy to do. Finally, no-one likes to scroll to get to what they’re looking for (though this of course depends on how clear the search term is). For this example I used the following search query: “Apple privacy policy”.

StartPage



After a pretty big block of ads, the page I was after is listed first. I didn’t have to scroll. The layout is the standard one we’re used to from a search engine, but the colors and font size choices make it look a bit messy and not as easy to read at a glance. The placement of the URL directly underneath the title is also not something I’m a big fan of. The search tools to select a time frame to search in are available on the left and don’t require additional clicking to get to. Where StartPage shines when it comes to privacy is the proxy. They load the website for you and display it in a frame. As far as that website knows, you were never there. Any browsing you do on that site is routed through the proxy as well, so you can click away. It’s a great feature.

DuckDuckGo



My results are the first thing to show up and ads are pushed to the side (occasionally one ad would show at the top of the list, the rest would still be off to the side). This is the way it should be in my humble opinion. The page I was looking for is first in the list so no scrolling required. The layout is standard but the use of color (lack of), font, font size and favicon makes the way these results are displayed much easier to digest. Search tools are hidden behind the “Anytime” button rather than shown by default and a globe button allows you to narrow the search down to a specific region which can be very useful. In this case setting Brazil as the region showed me the URL to the Portuguese privacy policy just a few places down in the results list.

Easy to read VS extra privacy features? I have to go with StartPage. If it wasn’t for the proxy though, DDG would have won this hands down.



Look and Feel – Search results, Images

I search for images A LOT so having a clear presentation and of course relevant results is very important. The ability to quickly pull up similar images is also a big deal for me, but unfortunately neither engine offers this feature. For the images test I used the search query: “White cat with green eyes”.

DuckDuckGo



That’s a lot of white kitties with green eyes. As expected, I got the results I wanted. Click on an image to see the dimensions and a link to the actual file. Basic filter options let me select a size of small, medium or large. Offering an image search is new since I wrote the last article. At that time DDG was unable to do this.

StartPage



Here as well, all the cats I expected to see. The layout is the same on both engines and while there are currently no filter options to select an image size or type, there are a few other really nice options and additional filters are coming very soon. First, the option to visit the page the image is on, very useful if you want additional info on the image or the story that goes with it. Second, the option to visit the page anonymously; this is the same proxy feature mentioned earlier which loads the page in a frame. Last, that good ol’ proxy to view just the image. At the time of writing, yours truly was shown some new image filters that will be rolling out within the next month. Something that makes me very happy as these filters are what I miss the most from Google.

The ability to select size, color and type are a huge deal to me and I really look forward to testing these filters out. Thanks to StartPage for providing this sneak peek.

Note: While the first results were mostly spot on, DuckDuckGo started mixing in other content much faster than StartPage. Meaning after scrolling just once on the DDG results I started seeing black cats with blue eyes, random color cats with yellow eyes etc. On the StartPage results this happened too but there were much more white cats with green eyes preceding it.

For both the amount of accurate images it pulled up and the proxy options, StartPage takes this round. The upcoming image filters from StartPage did not influence this decision as those filters are not live yet and their performance is yet to be tested.



Look and Feel – Search results, Videos

For this one I went back to the “Apple privacy policy” search. There are just wayyyy too many cat videos out there.

DuckDuckGo



DDG pulls up relevant results and displays a privacy warning when clicking on a video. No filter options though.

StartPage



StartPage, same story. Relevant results and a privacy warning when clicking on a video. Unfortunately their proxy cannot help here. A nice addition is the menu “Relevant” which can be changed to “Popular”, “Recent” or sort the results by playback time of “Short”, “Medium” or “Long”.

The engines are matched when it comes to video search but StartPage takes this one home just by offering some useful filter options.



Browser integration

In the 2013 article I mentioned one had to install additional software, Glims, to be able to add StartPage as a browser search engine. Luckily StartPage can easily be added to Firefox and Safari now. For Safari the site downloads an extension that takes over the built-in preset search engines and for Firefox it’s as easy as just clicking a button and changing a setting. Once added, it works as one would expect. Type a search into the address bar and StartPage will take over and show you the results. In Firefox you can use the address bar or the designated search field next to it; the results are the same. StartPage was added to Vivaldi and Brave but not to any of the major browsers yet.

For DuckDuckGo, browser integration is a lot easier (which is likely why they don’t offer buttons for it on their homepage): Apple has chosen to offer DDG as a search engine option. No need to install an extension, just change the setting from Google to DuckDuckGo and Safari is all set. The same goes for Firefox, which has its default set to Yahoo. Go to settings, pull down the list of options and DDG is right there. If StartPage can get these vendors to build their engine in as an option it would go a long way to getting them more users. Almost everyone I know has heard of DuckDuckGo but has never heard of StartPage. Built-in presence would likely change that.

Again once StartPage has been manually added to your browser, it works like a charm. However just because of the easy change in settings and no additional clicking or downloading required, DuckDuckGo takes this round.



Omissions

Both DuckDuckGo and StartPage keep you out of the “Filter Bubble”. You get the raw search results and no content is prioritized based on personalization, how popular it is etc. However, there can be a problem with the search results. For example, because StartPage uses only Google search results, Google’s omissions are passed on to StartPage. One recent example is naturalnews.com, which was removed from Google in what was believed to be the war on “fake news” according to some or a technical issue according to others.

The point is, Google decides something is omitted from their results which automatically means it’s omitted on StartPage as well. This was not an intentional move from StartPage, it’s just a result of the way the service is set up. Now I do not keep track of which sites may or may not be omitted by Google (and are therefore missing from StartPage as well) but if you suspect search results are missing, try your search in https://ixquick.eu which uses results from non-Google sources.

StartPage was already aware of this issue when I reached out for comment and several options were being explored to prevent or correct this kind of thing in the future. Before the updated version of this article was published, Google added Naturalnews.com back to their index so it showed up on StartPage again too. I decided to leave this section in to show how important it is for a search engine to have access to multiple sources to generate its search results. Both companies get their search results from other companies and websites; they are not the ones that did the indexing of these result pages. Being dependent on others for anything can always carry a risk. I do feel DDG is better protected from a scenario like this as it draws its information from several sources, but even for them this could happen if their sources decide to omit content. (I believe this does not apply to Instant Answers on both sites).



Additional features

DuckDuckGo

• Bangs – Bangs are little codes you can add to your search to narrow your search to a specific website or service. For example a search for “!a shoes” searches for shoes on amazon.com. There are thousands of bangs you can use which can speed up your search a lot. Keep in mind that using these bangs will instantly connect you to the service you requested. For example typing “!g white cat with green eyes” and hitting return drops you off on the Google website to display your results (thus logging your IP, search term and browser info immediately). It does not get you Google results inside DuckDuckGo. It is reasonable for DDG users to assume and expect that a private search engine warns them if there is a risk of that privacy being lost, like it does with YouTube videos, but in the case of Bangs this does not happen.



• Adapting search tools – Depending on what you’re searching for, the default “web, Images, Videos” expands and offers more filters. Here are a few examples:



• Maps – Enter an address and a window-wide map is presented, powered by OpenStreetMap. You can zoom, pan around, make it fullscreen or open the displayed address in the Maps service of your choice including Apple Maps. It’s very slick and works great.









• Customization – You can select several themes that play with colors, font, font sizes, page width, alignment etc. but the default settings are the best I believe. Overall DDG has much more granular customization which allows you to tweak everything and set it exactly how you want it. I did not see any obviously missing features when it came to customization, there is something for everyone.



• Saving your settings – If you made changes to the settings, maybe a different theme and some font changes, you want to be able to save those tweaks so you don’t have to make them every time you use the site. DDG offers to save your settings to the cloud so you can easily load them on any device. You set a passphrase and it stores basic parameters. A quick test with several passphrases showed me how easy it is to load someone else’s data (and delete it). So if you put a lot of time and effort into customizing your DDG, make sure you set a passphrase no-one will easily guess, because some clown can pull up your settings and change or delete them. Cloud save and the ability to pull up your settings on any device is a nice idea but the implementation needs work.



StartPage

• Proxy – The gem of StartPage is the proxy feature. I have mentioned it earlier but it’s worth repeating. Perform a search, then visit the desired page and browse it, all anonymously. It’s a feature that’s easily overlooked but worth exploring.



• Maps – Pulling up a map in StartPage can be tricky. Sometimes it’s clever enough to figure out you’re looking for a location and will show a map. Most of the time though, even if you enter a complete address, you have to add the word “map” to the search before the map shows up. StartPage has begun the transition to OpenStreetMaps, and on a test site they granted me access to so I could see the implementation in action, it worked smoothly. It’s still a small square image that cannot be enlarged but I could zoom and pan around. A big improvement over the static Google Maps image that it replaces. Their OpenStreetMaps implementation will roll out in the next few weeks and additional functionality such as enlarging the map and/or opening a location in a 3rd party maps app may be added in the future.

Getting the new map to show in the first place is still hit or miss and how the map is displayed and can be interacted with is still not even close to what DDG offers. It is a step in the right direction though.



• Customization – The user has a choice between a few pre-set themes. They are equally as bad as the presets seen in DDG, and there are no further tweaks you can make to enhance the visual experience. What StartPage does offer is an option to select a continent when it comes to the server you connect to. But that’s it.



• Saving your settings – No cloud setting here but an option to save your settings as a cookie or as a URL (which acts as a cloud saved setting). If you frequently clear cookies from your browser or don’t accept them to begin with, the URL option is for you. Once you configure the settings to your liking, generate the URL and bookmark it, set it as your homepage or install it as a custom search engine in your browser.





Behind the Engine

I was debating if I should include this section but after talking to a few people, decided there is enough interest in these details to include them.

StartPage is owned by Surfboard Holding B.V., a privately held, independent Dutch company, run by Robert Beens, whose only activities are operating StartPage, Ixquick and StartMail. No 3rd party investors or venture capital behind it as far as I could find. StartPage (and Ixquick) generates income solely from advertising (Google Ads).

DuckDuckGo is owned by Gabriel Weinberg, who is the founder, current CEO and controlling shareholder. Investors (/shareholders?) include Union Square Ventures and several others. DuckDuckGo generates its income from advertising (Bing Ads) and collects affiliate revenue (Amazon, eBay).

We covered quite a bit of ground here and kudos for making it this far. Surely you’re wondering about security and privacy at this point so let’s get to it.



Partnerships and Hosting

DuckDuckGo and Amazon – DuckDuckGo uses Amazon AWS for hosting, which explains the speed at which it’s able to crank out search results. One of the problems with using Amazon is the location the company is based in, more on that below. Privacy may be another concern. According to Amazon’s Data Privacy FAQ:

“Disclosure of customer content: We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body.”

and by customer content they mean:

“software (including machine images), data, text, audio, video or images that a customer or any end user transfers to us for processing, storage or hosting by AWS services in connection with that customer’s account and any computational results that a customer or any end user derives from the foregoing through their use of AWS services.”

Your search query is typed text, sent to Amazon because that’s where DDG is hosted. After a chat with Gabriel Weinberg I realized this was of course a wrong notion. Thanks to the SSL/TLS encryption of the session the traffic contents between you and DDG are not visible to anyone else.

What is, or can be, a concern however is the way Amazon’s hosting servers are set up. Amazon AWS uses servers that run many virtual servers in them. Using a system called a hypervisor (which is the software that creates and runs the virtual machines), Amazon can run a lot of guest machines on a single piece of hardware. If you use Amazon AWS, you’re using one or more of those virtual machines, or guest machines. Amazon has access to the hypervisor and therefore access to all the virtual machines that run on it. Amazon has the ability to log into the hypervisor and they do so when required by court order, when requested by a customer (under certain circumstances), or when an Amazon director authorizes it. With access to the virtual machine that runs the DDG website… imagine the possibilities. SSL/TLS won’t mean a thing if there is root access to the hypervisor and everything running on it. I’m not saying this has happened or is currently happening. I’m simply pointing out that being a U.S. company, with resources hosted on hardware owned by another U.S. company, can pose an issue for privacy and security. DDG mentioned their virtual server infrastructure uses encryption.



StartPage and hosting – Physical hardware servers on multiple continents that are owned, controlled and administered by StartPage, hosted in colocation facilities. The host facilities can not log in to the servers and encryption is used in several ways. Servers are located in The Netherlands, California and the state of New York but who the colocation hosts are is unknown.



DuckDuckGo and Yahoo – On October 4, 2016, news was published showing Yahoo had secretly been scanning customer emails for the government. The “In partnership with Yahoo!” text that graced DuckDuckGo’s pages (still visible in the screenshots I took while writing this article) was quickly removed, as was their webpage that explained the Yahoo partnership and technical details. DuckDuckGo has been working with Yahoo since the very beginning; most people just weren’t aware until the partnership was officially announced. Reactions to the news can be seen here in a blog post. DDG pointed out to me that the pages and references to Yahoo were removed because the Yahoo implementation did in fact change on the back-end and they are no longer relevant. “In particular, the previous implementation used https://duckduckgo-owned-server.yahoo.net, and that server is no longer in use.” The way I understand it now is that DDG never used Yahoo server(s) but only their technologies that drive some of the features on the site and perhaps anonymized search results. This means there is still a partnership with Yahoo but the removal of the logo was just for PR reasons, which is understandable. After reading the DuckDuckGo / Yahoo Technical Details page, it does indeed show Yahoo’s physical servers were never used.

“To get access to the most relevant Yahoo technology, due to contractual obligations that call has to be associated with a Yahoo domain, in this case, duckduckgo-owned-server.yahoo.net. To make sure this call does not violate our privacy policy, Yahoo delegates this domain to us via DNS. In other words, duckduckgo-owned-server.yahoo.net is operated by DuckDuckGo and runs solely on our servers. Yahoo does not have access to these servers in any respect.”

This does make me believe the DuckDuckGo/Yahoo partnership is/was not a reason for concern when it comes to privacy. What I do find interesting and probably needs further investigating is that DDG states “we have never used any servers but our own”. According to an older article I found, most of the DDG components run on Amazon AWS. Being hosted in a virtual machine owned and operated by Amazon, to me, is not using your own server.



StartPage and Yahoo – No partnerships there. Their site ixquick.eu did serve up anonymized Yahoo search results but stopped doing so when the previously mentioned Yahoo news became public.

The issue was raised that “Google has been known to shut down anyone trying to access their service anonymously, and I know of several companies that have been refused contractual access if they didn’t share with them a unique user identifier”. This may mean that for DDG (using results from various engines) and StartPage (using Google) to use those search results and ads there must be some kind of deal that gives them some kind of valuable information. Does the contract between the search engines “create any persistent unique identifiers like by hashing the IP?” Interesting point and one I had not thought of until it was brought up, so I asked both DDG and StartPage “Did Google, or any of the other engines you use request user data in one way or another”, for example the mentioned unique user identifiers like hashed IPs. Both companies replied:



DuckDuckGo and other search engines – “With regards to your question about engines requesting user data, they do request it, and we don’t give it. This is especially important around ad networks because they are intrusive, but also from their perspective, they have to protect their advertisers against fraud, and there is a lot of fraud on the Internet. I believe most private search engines have good intentions, but without significant technical background, I can see them getting tripped up and may provide a persistent unique identifier when they didn’t intend to (like by hashing the IP).”



StartPage and Google – “StartPage purchases search results from Google because they are known to be the best in the world. We also run Google ads. We have negotiated a very strict contract with Google to ensure user privacy is protected. We NEVER create any persistent user identifiers to send to Google, and we never transmit even a portion of a user’s IP, to safeguard our users’ privacy.”



Both DDG and StartPage pay for the right to use the results from other engines and have agreements in place that allow them to do this without sacrificing user privacy.
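The pitfall named in the DuckDuckGo reply above (an identifier created “by hashing the IP”), worked through as an added example; this is not code from either search engine. The function names, the choice of SHA-256 and the sample traffic are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict

# Constructed sample traffic: documentation-range addresses, made-up queries.
REQUESTS = [
    ("203.0.113.57", "apple privacy policy"),
    ("198.51.100.9", "white cat with green eyes"),
    ("203.0.113.57", "clinic opening hours"),
    ("203.0.113.57", "flights to lisbon"),
    ("198.51.100.9", "openstreetmap"),
]


def hashed_ip(ip):
    """Unsalted SHA-256 of the address: the accidental persistent identifier."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_ip(ip, key):
    """HMAC of the address under a secret key the upstream engine never sees."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def random_token(_ip):
    """Fresh random value per request; it carries nothing about the client."""
    return secrets.token_hex(16)


def upstream_view(requests, tagger):
    """What the upstream engine receives: (identifier, query), never the IP."""
    return [(tagger(ip), query) for ip, query in requests]


def profiles(view):
    """Group queries by identifier, as anyone holding the upstream logs could."""
    grouped = defaultdict(list)
    for ident, query in view:
        grouped[ident].append(query)
    return dict(grouped)


def reverse_by_enumeration(identifier, network):
    """Hash every host in a candidate network and return the one that matches.

    The address space is small, so an unsalted hash hides nothing.
    """
    for host in ipaddress.ip_network(network).hosts():
        if hashed_ip(str(host)) == identifier:
            return str(host)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical key held only by the proxy
    schemes = {
        "unsalted hash": hashed_ip,
        "keyed hash": lambda ip: keyed_ip(ip, key),
        "random per request": random_token,
    }
    for name, tagger in schemes.items():
        view = upstream_view(REQUESTS, tagger)
        groups = profiles(view)
        longest = max(len(q) for q in groups.values())
        recovered = reverse_by_enumeration(view[0][0], "203.0.113.0/24")
        print(f"{name:20} profiles={len(groups)} "
              f"longest_history={longest} ip_recovered={recovered}")
```

The keyed variant stops outsiders from reversing the value, but the upstream engine can still link every query from the same address for as long as the key lives; only the per-request token leaves nothing to link.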

I asked both DDG and StartPage if they are willing to share the contracts they have with the engines they draw search results from. Of course these kinds of agreements are covered by NDAs so neither could share any of that information. Expected, but it was worth a shot.

Another issue that was raised was “if you outsource server maintenance, who’s to say who has access to the root account on these machines anyway from a software perspective”. Valid point. You can own and operate your own servers but if maintenance is outsourced, how do you control who has access to what? Also, who does the maintenance and where are they located? The relevance of location is detailed in the next section. So, the who, what and where details were asked of both companies:



DuckDuckGo and technical staff – Gabriel Weinberg commented: “It is all done in-house, we have two factor security on everything, we limit access to our ops team, etc. etc.”



StartPage and technical staff – “Like many companies, StartPage works with individuals (whether as employees or through contracting) with whom we have longstanding relationships. But we also have a dedicated technical team in the Netherlands and strict controls to ensure work meets our strict privacy specifications. For example, we use multi-factor authentication and limit server access to just a few individuals. Contracted work is an aspect that is closely scrutinized by our 3rd party EuroPriSe code auditor.”

Looking at the EuroPriSe certification, details show the following:

“Surfboard Holding BV, the owner of Ixquick, has a contractual relationship with Web Intensive LLC, having its registered office in New York that develops software for Ixquick, and is monitoring and doing maintenance work on the assets, equipment, servers, software, networks and other components relevant to the operation of Ixquick. Web Intensive LLC has a subsidiary in India that performs the abovementioned activities. The required data export and data import agreement (Commission Decision C(2010)593) has been duly signed by Surfboard Holding B.V., WebINTENSIVE Software LLC and its Indian subsidiary and checked on compliance.”

DDG states it has all its staff in-house; however, according to their careers page on one of their open positions: “We are a small, remote team in different time zones and communicate with a variety of tools throughout the day” and another page mentions “The majority of our staff work from home or shared office spaces in countries all around the world”. There is nothing wrong with this arrangement, but my definition of “in-house” is different. However, this is 2017 so... things change. It appears that both DuckDuckGo and StartPage have what I would call “remote workers.”

StartPage outsources part of the technical work to a US company that in turn outsources to India. Their 3rd party certification however is aware of this, saw the agreement involved and states it is up to snuff.

Personally, from a security perspective, I feel whether you outsource to another country or have your own employees or contractors in another country... it’s the same thing. Unless the staff that do server maintenance, for example, are in the same building where data traffic, access and assets can be closely managed, you don’t really know what goes on at all times, you just can’t. Both DDG and StartPage have remote workers, but say they keep a close eye on quality. StartPage backs up its quality with a 3rd party certification by EuroPriSe, and any outsourcing or remote work is closely scrutinized through the audit process. DuckDuckGo does not have this kind of audit to provide quality assurance.



Location

You might wonder, why is location relevant? The biggest concern is government surveillance, something on a lot of people’s minds ever since Snowden.

DuckDuckGo is a U.S. based company and their hosting is done on Amazon servers. Amazon is a U.S. based company which means it’s subject to U.S. legal pressure. Being subject to surveillance mandates like PRISM and laws like the U.S. Patriot Act make it a less than desirable location for anything you want to keep private and secure.

StartPage is based in The Netherlands, where privacy is protected by law, so it is not subject to the same mandates and laws which is one (BIG) less thing to worry about. They own and operate their own servers in colocated facilities both in the U.S. and internationally.

Every search engine I’m aware of hosts servers in multiple countries, DuckDuckGo and StartPage are no different. Of course the facility/company hosting the StartPage servers in the U.S. can be compromised by the government and because of gag orders StartPage will likely not know if there is any tampering with their servers or any data being intercepted. However in this case it’s Amazon VS unknown company somewhere. Who do you feel is a better host/location for your search queries? Of course you can set StartPage to just use a server in the EU or Asia instead and not use the U.S. server at all.

When it comes to the ability to choose your server, DDG had the following to say:

“DuckDuckGo has servers around the world, and if you are in Europe you will be connected to our European servers. It doesn’t make much sense in terms of privacy to be in the US and set a European server since your traffic has to go through the US to get to Europe in any case, and we are not storing any personal information in the US (or anywhere). All that would get you is a slower search experience.”

Which of course makes sense from a usability perspective. After some more research I’ve also found that even if DDG offers the option to manually select a non-U.S. server, it really doesn’t matter from a privacy standpoint. DuckDuckGo is a U.S. company and it is subject to U.S. laws, period. This means even their servers in other countries are fair game if the government wants the data that’s on them. This was made clear in the recent case where Google was ordered to comply with a warrant to turn over emails that were stored on overseas servers. While DDG does not store any data, so there is nothing to hand over, don’t forget the SSL keys are stored on the servers as well.

When it comes to privacy, location is a big deal. A U.S. company’s privacy intentions, no matter how sincere, can be derailed if it’s served a national security letter (NSL). As those always include a gag order, the public won’t know if their information is compromised until it is too late. However DDG pointed out to me this perception is not accurate:

“In fact, those letters have to operate under legal authority, and there is no clear authority to force a company to create new code and collect new information. Instead, the legal authority operates on asking for existing business records, of which we have none. This is why the recent Apple case was such a big deal. Independently, if you’re worried about government surveillance, you have to similarly analyze the legal situations in other countries. If you’re worried about organizations like the NSA in particular, you also should note that inside the US they have legal restrictions (they cannot spy on US citizens) that prevent them from taking certain actions, but outside the US they have no such legal restrictions, and are therefore free to operate clandestine operations without any similar threat of legal recourse.”

Organizations like the NSA, FBI and CIA, just to name a few, do have legal restrictions which means they can not spy on US citizens which should put all our minds at ease, if that’s the way it actually worked. The NSA has been caught doing, pardon my French, all kinds of shady crap in the past, including spying on US citizens. Just because they, and other branches of government, shouldn’t, does not mean it hasn’t happened and/or is happening right now. It takes people like Snowden for the truth to come out which can take years or never happen at all.

All that said, I do want to point out that both DDG and StartPage do not collect any personal information or information that should be of value to a government agency, wherever they may be located. With nothing stored to hand over if served an NSL, apart from maybe those SSL keys, is being based in the U.S. really that much of a concern? You be the judge. The topic of location has many many angles, too many to explore or mention in this article. If you are concerned about the impact location may have on your privacy, in regards to search engines, search the web, see how laws apply and have been applied/abused in the past. Do your homework and make up your own mind (and feel free to share the results of your homework in the comments for other readers!)



Logging

Nothing has changed here. Your IP address, search query, what site you came from and what site you click on in the results, none of this is logged. That is, by the search engine operators themselves.



Encryption

Both sites use strong encryption with TLS. Pretty much the standard but let’s have a virtual expert take a look at it. Using Qualys SSL Labs I pulled up both sites and got the following results:

StartPage





DuckDuckGo



Enough said, certificate security is not an issue on either site. If you want to analyze a full breakdown of the results just visit Qualys SSL Labs and plug in the domain you want to check.



Certification

StartPage has been audited by a 3rd party: EuroPriSe. They look at many of the same things that were covered in this article, such as use of cookies (all kinds), logging, web hosting and content delivery networks, use of social plugins and much more. This certification is renewed every two years. Having a trusted and respected 3rd party verify your claims is a big plus.

“Surfboard Holding B.V. proved that its meta search engine which is provided under the names “Ixquick” and “Startpage” complies with EU data protection law. Users of Ixquick and Startpage can be sure that processing of their personal data which is related to their use of the meta search engine is in line with the high requirements of EU data protection law.” (source)

DuckDuckGo has no 3rd party certifications.

With DuckDuckGo based in the U.S., theoretically it does have one thing going for it: the law. At least in the case of their privacy policy. If DDG violates its own privacy policy they can be sued by the FTC and lose all of their customers in the process. The FTC’s press releases indicate that in just a few extremely egregious cases of blatant misrepresentation they have taken action, often with no financial penalty. Based on their history it is extremely unlikely they would be aware of or care about, for example, technical implementations that are problematic or not as strong as they could be, which makes the FTC threat much less threatening. Does this make it just as good and trustworthy as a 3rd party certification? I’ll leave that up to you.



Referers

Defined by Wikipedia as “The HTTP referer (originally a misspelling of referrer) is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested. By checking the referrer, the new webpage can see where the request originated.” Basically it tells a website where you came from. One way to see if your search engine enhances your privacy by not sending referer data is to do a search for “What is my referer”. One of the results that pops up is “whatismyreferer.com” which simply does the following: “This service is mainly used by people who want to test whether their anonymization service or their browser settings work correctly.” Click on that and see if they were able to make out where you came from.

DuckDuckGo



StartPage



As you can see, DDG sends a referer, StartPage does not. This is because StartPage uses POST and DDG uses GET by default. By using POST StartPage avoids transmitting the referer which hides the search term and search engine when you click on a search result. It also keeps that referer information out of referer logs and your browser history where browser extensions, malware or snoopers can find it.

In the settings on the DDG site you can disable GET so that POST is used, however in my testing once GET was disabled and settings were saved my referer still popped up. This was tested in several browsers on several computers. DDG states GET is their default for better usability (for example, you can use the browser’s back button) and they use a variety of methods to strip search terms from the referer. The end result, even though both engines use different techniques, is that your search term is not known to the site you visit after clicking a search result. With your search query private, is it a big deal that the domain itself is visible? I don’t think so but the domain being passed on might be a turnoff for you.
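How the request method and a referrer policy together decide what a clicked result can learn, as an added example that is not code from either search engine. The URLs are constructed, and the standard Referrer-Policy rules are assumed here for illustration; the article does not say which methods either engine actually uses.

```javascript
// Added illustration: the Referer value a browser would attach when a user clicks
// from a results page to an outside site, following the W3C Referrer Policy rules.
// All URLs below are constructed examples, not either engine's real endpoints.

function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (originOnly) return u.origin + '/';
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

function refererSent(pageUrl, targetUrl, policy) {
  const full = stripForReferrer(pageUrl, false);
  const origin = stripForReferrer(pageUrl, true);
  if (full === null) return null;
  const sameOrigin = new URL(pageUrl).origin === new URL(targetUrl).origin;
  // Simplification: "downgrade" is treated as an HTTPS page linking to a non-HTTPS target.
  const downgrade = new URL(pageUrl).protocol === 'https:' &&
                    new URL(targetUrl).protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'origin': return origin;
    case 'unsafe-url': return full;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : origin);
    default: throw new Error('unknown policy: ' + policy);
  }
}

// True when the Referer the destination receives still contains the search term.
function leaksQuery(referer, term) {
  return referer !== null && decodeURIComponent(referer.replace(/\+/g, ' ')).includes(term);
}

// Constructed results pages: GET puts the query in the URL, POST keeps it in the body.
const GET_PAGE = 'https://search.example/?q=private+query';
const POST_PAGE = 'https://search.example/do/search';
const TARGET = 'https://site.example/article';

for (const policy of ['no-referrer-when-downgrade', 'origin', 'no-referrer']) {
  console.log(policy, '| GET:', refererSent(GET_PAGE, TARGET, policy),
              '| POST:', refererSent(POST_PAGE, TARGET, policy));
}
```

With the query in the URL, only a policy that trims or drops the header keeps the search term from the destination; with the query in the request body, the most a destination can see is the search engine's address.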



Law

At this point this deserves its own section as it was pointed out I “spend a good portion of the article talking about the US, but literally zero talking about the equivalent legal situation in the Netherlands and European Union.” Which is fair. And there is a reason my focus has been on US law and not Dutch law: there really isn’t much to mention about Dutch law that impacts this conversation. Does the Dutch government have investigatory powers like every other country in the world? Yes. I’m sure they do their own fair bit of snooping and intercepting as well, just like every other country. The biggest problem in the US however is the Patriot Act, and it is what underlines the problem with hosting a private and/or secure service in the US. There is no “Dutch Patriot Act” or equivalent to the National Security Letter (NSL) and the gag order that accompanies it. Being based in the US is part of the reason privacytools.io removed DuckDuckGo from their top recommended search engines, thanks to laws like the Patriot Act and surveillance programs. No country is perfect and The Netherlands is no exception but when it comes to laws that protect your privacy, it stands far above the US.

And unlike with the FTC in the US, there is a far more serious slap on the wrist you can get in Europe for violating user privacy. Under the current Dutch Data Protection Act, the Dutch Privacy Authority has the possibility to impose fines of up to €820.000 or 10% of the annual turnover, for infractions of applicable privacy laws and regulations. In May 2018 the General Data Protection Regulation will enter into force, which will provide for the possibility to impose fines up to €20.000.000 or 4% of the total annual worldwide turnover of the preceding year, whichever is higher. Such fines can be imposed in the event personal data is processed without consent or another legitimate ground for processing of personal data under the law. (If personal data is processed in violation of the applicable privacy policy, this would mean in principle that there is no consent, and probably no legitimate ground for processing.)

The definition of personal data under European law includes any information relating to an identified or identifiable natural person, and is generally construed much broader than the US definition of personally identifiable information (PII). For example, IP-addresses are generally presumed to constitute personal data under European law, while IP-addresses are generally not held to be PII under US law.

I can go on but US VS Dutch privacy laws and regulatory agencies can easily be researched online if you want to further look into this.

I did ask both companies the following question: “if you were served an NSL or were commanded to compromise your service/customer privacy in any way, would you and could you just pull the plug like Lavabit did or would you run into opposition from shareholders/investors that would prevent you from doing so?” Both companies replied:

DuckDuckGo – Gabriel Weinberg said: “No one is preventing me from doing that.”

StartPage – “If we receive a request from any foreign government, including the United States, we will refuse to comply. Under the strong current laws that protect the right to privacy in Europe, European governments cannot legally force service providers to implement a blanket spying program on their users. Were that ever to change, we would move or close shop.”



And the title of most private search engine goes to:



DuckDuckGo is superior when it comes to the user experience but a smooth interface is not their selling point, privacy is. And when it comes to privacy, StartPage is the obvious choice.

Both engines need work in certain areas and there is no telling where we’ll be another 3 years down the road. Going into this I expected DDG to come out on top but tally all of the above and it’s StartPage that takes home the prize. So what do I use now, what’s my go-to search engine? The answer; it depends on what I’m searching for. My browsers on the Mac are configured to use StartPage by default but if I have to spend a lot of time searching for stuff, have a bunch of tabs open and am on a time crunch, I use DuckDuckGo. Just for the speed and how easy the results page is on my eyes. Being able to scan a page full of results in just a few seconds is a big deal for me and just isn’t something I can do with StartPage. The ads displayed by StartPage are annoying too. They take up too much space, are not labeled as ads clearly enough and their positioning forces me to scroll down unless what I’m looking for is in the first 4 results. At least DDG lets you disable ads in the settings. Then again I am willing to deal with it if privacy is a concern.

I believe this article offers a comprehensive, unbiased comparison of the two search engines and it will offer all relevant information to those looking to reclaim some privacy online and those that are hard-core must-be-as-private-as-possible. Everything covered in this article is drawn from my own research and was not influenced by what either company said (those claims were researched as well and some did not make the cut) or what popular figures or sites recommended one engine over the other.

In short (too late for that now, I know), they are both solid search engines that take your privacy seriously and between both of them, you won’t need another search engine again.

While writing and updating this article I have reached out to both DDG and StartPage for comment several times. I’d make changes, send a draft to both, receive feedback, research claims, make changes, send a draft etc etc. Both StartPage and DuckDuckGo have been very helpful answering my questions and providing feedback and I thank them both for their time and patience. I invite both StartPage and DuckDuckGo to contact me if they wish to dispute/correct any information in this article or simply to provide additional information.
