Change the default search engine in TBB

Some users are concerned that the default search engine in TBB is Google. While we do rewrite the parameters sent to Google, the fact that google can see a large percent of the tor user search queries (as a whole community) may be reducing their anonymity set. The power of defaults means many users, perhaps the majority, will not change their behavior.

Alternatives to google by default are ixquick and duckduckgo. My vote is for ddg. They run a hidden service, exit enclave, and in general seem to support Tor. ixquick has refused to work with us in the past.

changed milestone to %TorBrowserBundle 2.3.x-stable

added MikePerry201204 actualpoints::1 component::firefox patch issues milestone::TorBrowserBundle 2.3.x-stable owner::mikeperry points::1 priority::medium resolution::worksforme severity::blocker status::closed type::enhancement labels

I like DuckDuckGo or scroogle. They are both equally anonymous. Never used ixquick. The good thing about DuckDuckGo is that they support the cause. They run an exit enclave. They also support the free software community (they sponsor Linux Mint) The good thing about scroogle is its fast, only one request/reply. The bad is it searches exactly what you typed,(even if it has a typo) without providing the "Did you mean" thing. So is not noob friendly.

+1 to DuckDuckGo

Trac:
Username: Neo139

I like DuckDuckGo or scroogle. They are both equally anonymous.

While I like scroogle and use it for my own searching, it would not be a good default for TBB. Scroogle relies on scraping google's content which has a couple disadvantages...

1. Scroogle breaks whenever google changes their page. Scraping becomes more difficult as google integrates more ajax into their pages and, iirc, scroogle is now relying on the mobile version of the google site.

There have been a few times that it looked like scroogle would be broken indefinitely. It would be a bad idea to potentially leave TBB users with a broken default search.

2. Google would still be getting TBB search queries, just through a one hop proxy. I'm not sure if this really addresses the concerns people have been raising...

My preference would be for us to go with DDG too. Besides being a nice search, they've been supportive of tor and also changed their homepage in response to complaints that it required javascript to operate. Both great signs that they're highly supportive of user privacy.

Cheers! -Damian

First, the main problem with Google, as I see it, is that it tracks clicks on result pages, and has demonstrated its disregard for users privacy. Combined with users inevitably logging in to other Google-owned services, such as GMail, having Google search as a default provides for complete deanonymization when accessing URLs via search results.

If you want DuckDuckGo to work like Scroogle, you can use the non-Javascript interface (see below). I will attempt to outline the technical pros and cons of some search engines.

1. DuckDuckGo

• Click tracking and advertisements can be disabled in URL parameters: http://3g2upl4pq6kufc4m.onion/?q=test&kd=-1&k1=-1
• Non-Javascript page has no click tracking, but cannot be configured (not via URL parameters either): http://3g2upl4pq6kufc4m.onion/html/?q=test, and has an annoying “Spread DDG” sidebar, which takes time to load.
• The regular page does not automatically use non-Javascript interface if Javascript is turned off, it just breaks.

2. Ixquick via Google

• Has high results quality and no click tracking (which Google does)
• Supports Google's date filter
• Uses POST requests (a problem with search extensions?), and GET support is apparently undocumented, but works: https://startpage.com/do/search?query=test

3. Ixquick

• Don't see why use it instead of its Google-results page

3. Scroogle

• Has high results quality and no click tracking (which Google does)
• No date filter or any other configuration: https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi?Gw=test
• Dated and fragile

I think that overall, DuckDuckGo is the best choice as a default search engine, given its support for Tor (including a hidden service to access the site), and that Ixquick via Google (startpage.com) is a good alternative for users who are dissatisfied with DuckDuckGo's results quality. This is probably the configuration that I will stay with use in Liberté Linux.

Trac:
Username: mk
Cc: N/A to mk@dee.su

Trac:
Cc: mk@dee.su to mk@dee.su, tails@boum.org

Duck Duck Go & Scroogle are both good in their own right, but EACH records / logs some info about visitors or searches (read their privacy policies). Scroogle's privacy policy isn't really a policy (that I find) - it's a graphic.

Duck Duck Go's policy says: "Similarly, we may add an affiliate code to some eCommerce sites (e.g. Amazon & eBay) that results in small commissions being paid back to DuckDuckGo when you make purchases at those sites." Sounds odd. Unless one uses a completely anonymous payment method, the site that DDG referred you to, knows who you are, once purchases are made. There's too little info in DDG's privacy policy about how the process of adding affiliate code & receiving payment works to fully understand it. It also raises the question, of the popular practice of search engines presenting what they want the user to see, first. In this case, possibly results from sites with whom they have financial agreements.

Ixquick & Start Page don't record any info (log searches, record IP addresses, etc) per their policies, last I read. If one wants Google search results, use Start Page. If you want results from other search engines, use Ixquick. Both have https. My experience is, different search results are often seen in Ixquick vs Google (or Google scrapers).

I don't know about "default" search engine. Would it be possible to actually prompt users to choose one, if Ixquick, Start Page, Duck Duck Go, Scroogle are all included in Aurora?

If Google search is COMPLETELY left out of Aurora, help is available through Mozilla (Aurora) Help, how to find / add search engines. Simple FAQ on Tor Project site could explain it. Most Tor users already know how to add search engines.

Trac:
Username: joebt

startpage and ixquick are the same thing. ixquick just queries google these days. ixquick seems to do a lot to fingerprint individual users without recording the IP.

As one of the support people, most tor users don't look for a faq nor know how to manipulate the torbrowser at all.

What Duck Duck Go does is adding &tag=duckduckgo to all the URLs of Amazon. That's it. If you search "Amazon kindle" you will get https://www.amazon.com/kindle-store-ebooks-newspapers-blogs/b?ie=UTF8&node=133141011&tag=duckduckgo-d-20 This is doesn't affect privacy more than cross-referering in common browsers. Amazon knows you came there via DDG. Nothing more.

I use Amazon Associates so I know the info duckduckgo is able to see is not much (number of clicks, number of buys, and products bought, You can't tell if 100 products were bought by 100 different people or all by 1 dude.

I think is way of business is much 'privacy-friendly' than recording everything you do, mining all, and displaying ads based on that.

There should be both scroogle, start page and DDG in the search engine (ctrl K) list. But as default, DDG. Scroogle is currently laggy

@mk We can ask DDG admins to have an option to access the non-javascript page via URL parameters. &js=0 and maybe some 'lite' version without the "Spread DGG" sidebar, with a &lite=1

Trac:
Username: Neo139

@phobos: mk is right. It looks like ixquick is no longer the same backend as startpage.com. Startpage.com seems to use Google on the back end where as ixquick does not. That gives us another option..

I am in favor of getting Google out of the default omnibox position, at least for now, due mainly to the Captcha problem. I am also made nervous by the gmail linkage. I'm not sure if people are aware of this risk, and the TBB threat model doesn't deal with it.

I am annoyed by startpage/ixquick giving us the cold shoulder, but I do feel like real Google search results are considerably better than what I get from DuckDuckGo (which I guess is Bing?)..

So I am torn between startpage and DDG for the omnibox default... We should include them both, though, and probably eliminate ebay, amazon, yahoo and bing.

Erinn, do you happen to know how the url box is built during the build process? Can we just add in our own .src plugins and remove the current ones?

Trac:
Cc: mk@dee.su, tails@boum.org to mk@dee.su, tails@boum.org, mikeperry, erinn
Owner: mikeperry to erinn
Status: new to assigned

Replying to phobos:

"startpage and ixquick are the same thing. ixquick just queries google these days. "

No, they're different. Ixquick is a metacrawler and Start Page is a google scraper, just like Duck Duck Go. Start Page is run by Ixquick folks, but they don't use the same sources for search results.

I believe SOME Tor (TBB) users don't know "how to manipulate" the browser. Adding a search engine is as easy as adding bookmarks - not manipulating. The ones calling are those that don't know much. People that know their way around don't call support for ANY product much, by comparison.

If Google search is left out, ANYone can get it easily. If they're too clueless to add a search engine, they have worse problems & Tor's not going to protect them from themselves. You can only idiot proof something so much.

For anonymity's sake, I don't know how smart it would be to tell "the clueless" that Firefox Help from Mozilla works the same on Aurora, but they can get help there. Could force a readme file to open on Aurora's 1st start (no opt out) w/ some basic info. If they choose to close w/o reading, that's their problem.

Trac:
Username: joebt

Google is somewhat hostile to Tor users and more than somewhat hostile to privacy. DuckDuckGo has made overt efforts to support privacy, and to support Tor specifically. We should be embracing DDG. They may not be perfect (URI rewriting to add affiliate codes in search results) but they are orders of magnitude better than Google for our purposes. The transparency DDG has offered into their operation is unprecedented. Having a really high quality search engine that runs both a hidden service and an exit enclave is something TBB should be supporting and driving users to by default.

Please, make this change and make it soon.

Trac:
Username: strunk
Cc: mk@dee.su, tails@boum.org, mikeperry, erinn to mk@dee.su, tails@boum.org, mikeperry, erinn, strunk@tormail.net

Searches of users logged in to G+, Gmail or other Google services can very likely be traced by Google and we can be sure that Google will continue to work on tracing their users as much as they can. Gathering and connecting data is their business, hence they are by default a threat to the privacy of TOR users. We cannot keep users away from using Gmail or G+, so we should at least take precautions that their internet searches will not be traced by default. If they add Google themselves, so be it.

Alternatives have been mentioned here in various postings. DDG is the only one of the mentioned search engines that is actively supporting TOR. DDG is running a TOR relay and an exit enclave. DDG gave a part of their 2010 revenue FOSS donations to TOR and the DDG community nominated the TOR project again for 2011 revenue FOSS donations. On the other hand the IXQuick/ Startpage-people seem to be ignorant towards the TOR project. Scroogle gives anonymized Google searches but seems to be unreliable.

Therefore please add the DDG TOR service as the default engine for future versions of TBB. Maybe add Scroogle as an alternative and delete the default search engines (Google, eBay, Amazon etc.). The person behind DDG is usually very responsive and helpful and obviously aware and supporting of TOR which may be helpful in the future.

DDG is by the way not a Google scraper as mentioned earlier. AFAIK they gather data from several different sources and their own crawlers.

Trac:
Username: m
Cc: mk@dee.su, tails@boum.org, mikeperry, erinn, strunk@tormail.net to mk@dee.su, tails@boum.org, mikeperry, erinn, strunk@tormail.net, 5p4m@gmx.de

Replying to m:

Searches of users logged in to G+, Gmail or other Google services can very likely be traced by Google and we can be sure that Google will continue to work on tracing their users as much as they can. Gathering and connecting data is their business, hence they are by default a threat to the privacy of TOR users. We cannot keep users away from using Gmail or G+, so we should at least take precautions that their internet searches will not be traced by default. If they add Google themselves, so be it.

It turns out that Google offers encrypted search on https://www.google.ca. The different TLD will cause Tor Browser's url isolation to prevent Google from tracking google.com users when google.ca is used for search, but google.com is used for authenticated services.

Alternatives have been mentioned here in various postings. DDG is the only one of the mentioned search engines that is actively supporting TOR. DDG is running a TOR relay and an exit enclave. DDG gave a part of their 2010 revenue FOSS donations to TOR and the DDG community nominated the TOR project again for 2011 revenue FOSS donations. On the other hand the IXQuick/ Startpage-people seem to be ignorant towards the TOR project. Scroogle gives anonymized Google searches but seems to be unreliable.

Therefore please add the DDG TOR service as the default engine for future versions of TBB. Maybe add Scroogle as an alternative and delete the default search engines (Google, eBay, Amazon etc.). The person behind DDG is usually very responsive and helpful and obviously aware and supporting of TOR which may be helpful in the future.

I would accept a patch to change our default search engine to DDG and/or to add DDG and StartPage to the Omnibox, because captchas fucking suck. But changing it right now myself is not a super high priority. I imagine Erinn is thinking the same thing.

Note that we already have code to use DDG as the searchbox on check.torproject.org (#3962 (moved)), but since it's no one's job to admin check, and no one wants to give admin access to anyone else, that code will probably sit around forever unused :/.

Replying to mikeperry:

Note that we already have code to use DDG as the searchbox on check.torproject.org (#3962 (moved)), but since it's no one's job to admin check, and no one wants to give admin access to anyone else, that code will probably sit around forever unused :/.

Not true, sir. I admin check. We have an svn repo for check. And if we want something to go live on check, it should be committed first, and then I can push it live. It appears arma has a check fetish as well. Therefore you have not one, but two avenues for making things go live to check.

Replying to mikeperry:

Note that we already have code to use DDG as the searchbox on check.torproject.org (#3962 (moved)), but since it's no one's job to admin check, and no one wants to give admin access to anyone else, that code will probably sit around forever unused :/.

I don't see code on #3962 (moved), I see a ticket to patch torbel for ddg/new user interface. If there is code for check, point me at it. torbel isn't ready for production yet and won't be ready for a while.

Trac:
Username: cooperq

google.xml

Google.is search widget

Trac:
Username: cooperq

Trac:
Username: cooperq

ddg-tor.xml

duck duck go search widget

Trac:
Username: cooperq