
You aren't supposed to. Even if you assume they lie in every sentence about their data collection, with their current setup it would be much harder for them to build a valuable shadow profile about you.

They haven't been caught running fingerprinting scripts yet and they don't have an account system to tie to your searches. At best they could use your IP to build a shadow profile and that's wildly inaccurate in our mostly IPv4 world.



How do you know what server-side profiling occurs or does not occur? There is no way to know that. DDG gives people a completely misplaced and false sense of security, when they are just as easily compromisable/corruptible/subpoenable/susceptible to NSLs, EDRs and secret court orders as any other company.

And I disagree with your premise that it's particularly difficult to link a person's IP to their real world identity. There are organized fraud gangs who have it down to a science. They know exactly what dept. of the ISP to call, what to say, etc. Basically if someone knows your IP and your ISP account is registered in your name it's game over.


I am aware that they are susceptible to nation state level data collection, just like every site on the internet. I conduct all my non e2e encrypted communications/interactions with this in mind.

I just want to avoid my data being monetized.


I'm more worried about teenage crooks equipped with Emergency Data Request PDF templates than any nation state. We know Google, Facebook, Snapchat etc were all giving up information on users without a court order to these crooks. All it took (probably still) was an EDR notice alleging an imminent threat to human life is about to occur, sent from a real or fake police dept email, and companies will hand over your data without a second thought.


Even if they do server-side profiling, they can only track you on duckduckgo.com. Last I checked, DDG did not also own an analytics service that has infested half the world's websites.


> Last I checked, DDG did not also own an analytics service that has infested half the world's websites.

uMatrix shows a 3rd party request to improving.duckduckgo.com every time I visit a page from DDG search results, ostensibly to measure click-through rate. This is claimed to be anonymous, but in principle it gives DDG the opportunity to log much about their users' browsing habits.


Even in the worst case scenario you propose, where DuckDuckGo is deliberately lying and collecting more information than they claim and where those clickthrough requests are sending as much information as is possible for them to send, this is still exposing you to way less risk than Google Analytics.

It is still, I would claim, objectively more private to use DuckDuckGo than Google even in a world where they are lying about their privacy policies, purely because DuckDuckGo does not have the same surveillance scope and level of infrastructure as Google.

And that's really what we're arguing about here, unless you have a more private alternative to DuckDuckGo that has been subject to more rigorous audits and can scale to support being the default search engine for a bunch of nontechnical users?


I'm gonna throw you.com (I'm a co-founder) into that mix. We've been growing a lot and have a private mode that stores nothing at all.

What audit would you suggest for us to prove that statement? It would be great to have some independent party verify this.


> to prove that statement?

Cynically speaking, I am not sure that there is an audit you're going to be able to do that won't cost a ton of money that the people in this thread would trust as definitive "proof" of anything[0].

I think a big part of what I'm personally getting at with the comment above is that I'm not looking for perfect proof of anything; independent audits are great and I love to see them and I absolutely encourage them, but remember that the point of comparison here is Google/Bing. Take it with a grain of salt, and purely my opinion, but I think it's fine for private search engines to offer the best proof of their claims that they can and to otherwise ignore people who demand perfection or nothing.

It's great to see more search engines in the space with a focus on privacy, and if you're able to pull off building your own indexes, that's also a pretty big win. I wish there was a more obvious path forward for your company to make money (I get nervous when companies say, "we'll figure out funding later", to me that comes across as a little bit of a time bomb). But in general, always good to see more private options for people available.

If I was in your position and I was looking for audits, I'd honestly be looking at the same sources that DuckDuckGo's founder talks about further up-thread, because that would at least allow me to say, "the same sources that claim DuckDuckGo is private have also said that we are private." But it's not my area of expertise, so maybe that's bad advice.

[0]: https://news.ycombinator.com/item?id=32586726


DDG offers a JavaScript-less page. Don't trust them? Use that. Don't trust them at all? Don't use them?


As a regular user of the JavaScript-less page, several months ago it started returning wildly different results than the “fully featured” version for the same queries. My uneducated guess is that it’s using a different index. There also appears to be some sort of rate-limiting wherein the results will frequently just be empty (using the JS version and same query resolves the issue).

I’m guessing they’re intentionally degrading the non-JavaScript page as an anti-bot measure, but it’s so bad that I find it disingenuous to suggest that the non-JavaScript page is even a valid alternative at this point.



