DuckDuckGo’s surprisingly simple plan to make the internet more private

Gabriel Weinberg doesn't want to blow up the internet. He just wants to blow up the trackers.

DuckDuckGo CEO Gabriel Weinberg at the company's office.

DuckDuckGo CEO Gabriel Weinberg.

Photo: DuckDuckGo

DuckDuckGo has been on a tear the last couple of years. In mid-2018, the company's data showed it was getting about 18 million searches a day; now that number's pushing 100 million. Both numbers still look like rounding errors next to Google's gargantuan scale, but DuckDuckGo has cemented itself as one of the most important players in search.

But Gabriel Weinberg, DuckDuckGo's founder and CEO, doesn't see search as the endgame for the company. DDG is a privacy company, set out on building what he calls "an easy button for privacy." Weinberg's is a slightly unusual vision for privacy on the internet: He wants to let people use the apps they want, the way they want, without being tracked or having their personal data collected and used against them. And it should all happen in the background. Privacy, he said, should be "really making one choice: the choice that you want privacy, you don't want to be coerced."

Weinberg joined the Source Code podcast to discuss what we talk about when we talk about privacy, how a company like DuckDuckGo can compete in a world dominated by the data gatherers and whether products can be both private and best of breed.

You can hear our full conversation on the latest episode of the Source Code podcast, or by clicking on the player above. Below are excerpts from our conversation, edited for length and clarity.

I want to know how you define privacy, both in your own head and at DuckDuckGo. I get the sense that when we talk about privacy, it sounds like we're talking about the same thing. But we're actually talking about 1,000 things that only slightly overlap, and so it's hard to have one coherent conversation about privacy, because we don't even know what we're talking about. But I'm assuming at some point, you've had to, like, write on the whiteboard, "Here is what we mean when we talk about privacy." So define it for me.

I've literally done the digital equivalent of writing on the whiteboard! Yes, you're right, people have lots of different definitions. And I think a common definition is, "Privacy is protecting your personal information." I do not think that's the right definition, to be clear.

I think the definition is a little more abstract, but wider than that, which is: It is protecting your personal autonomy. And the flip side of that is, it's protecting you from not being coerced to make decisions you wouldn't otherwise make. And when you think about it from that perspective, all sorts of things relate to privacy. The filter bubble and misinformation, where you're getting presented with information trying to coerce you based on your personal attributes, that is a privacy violation that people don't often connect with privacy. Same with commercial exploitation. So you can be coerced in a lot of different ways. And our solve for that, generally, is to give people solutions to not only protect their personal information, but to make it so they're not really trying to be manipulated online.

Does that then lead you down the road of thinking the solution to everything is choice and transparency?

No. And the reason is that choice and transparency — sometimes what they call notice and consent, where you get all these cookie dialogs, asking you to make all these controls — can be really complicated and confusing. And our basic product vision is "privacy simplified." And simplified is really making one choice: the choice that you want privacy, you don't want to be coerced. Not 1,000 choices. In fact, I think that's generally what people want.

We like to call it the "easy button" for privacy. That's what we're trying to build. And I think that's what people want: They don't want tons of different choices and controls, they just want not to be tracked and targeted online.

I think that's what people want: They don't want tons of different choices and controls, they just want not to be tracked and targeted online.

How much are you either hoping for or banking on regulation to help you on that front? We've had lots of debates about the default screen on Android where you have to choose your search engine when you load it, and that was a good idea that kind of broke in the execution. But that's the sort of thing that I think could be a push to end some of that inertia. But I also get the sense that, especially here in the U.S., if that stuff is ever coming, it's not coming anytime soon. So is regulation part of your planning?

Our focus has always been purely from a product perspective. We've been succeeding in spite of those headwinds, and we're not banking on regulation, but we would welcome it, and we do welcome what's going on in the House and in the U.S., and think that there really is a chance for unlock there.

You mentioned search preference menus. We are working with governments across the world to try to implement that well. And I do think that if those anti-competitive mechanisms were removed, by regulation or otherwise, we would be much bigger than we are now. Because right now, it's just difficult to switch on some devices. On Android, if you want to use our search engine across the device, it takes by our count over 15 different taps or clicks just to do that. And it really should be one. In a real competitive landscape, it would just be a one-click type of switch.

There's a huge, ongoing perception that you still have to sacrifice product quality for privacy, that privacy is a thing you get at the expense of something else. And so just purely by saying, "We are the privacy-preserving one," you plant this thing in people's brains that says OK, well, it's gonna be a little worse, but it's good for privacy, and am I willing to make that trade-off? You mentioned feeling like you had reached sort of a reasonable par with Google in order to then go focus on other stuff. What do you make of that perception gap at this point?

Yeah, I think that it is a vestige, at least for us, that isn't really real anymore. But you're right: It is embedded in people's minds that there has to be a trade-off. But we don't think it's true.

Now, granted, it is true for lots of products. And I think part of the reason there is, a lot of privacy products were not companies. They weren't built with high-quality UX in mind. They were often run by enthusiasts who had the best intentions in mind, but they weren't trying to build businesses to compete with the biggest tech companies in the world, like we are.

We need to change that narrative over time. There are a couple headwinds on that, though, just to be completely frank about it. One is, people just think it's not even possible to get privacy. And so we have to educate them that this easy button is real. We have to explain to them, yes, if you stop the trackers from loading, they won't track you.

The other headwind is that there's been several studies that have done this: You have the same set of search results and put different logos on it, and if you see the Google logo, you perceive it to be more relevant. So over time, we have to just overcome that with our own brand, and let our users tell other people that you're not really sacrificing anything here.

One thing that we've seen over and over is these privacy-first options, saying, "We won't let anybody track you. (Except for us.)" And then it's like, well, now all I'm doing is choosing to trust you instead of Google. And I've been trusting Google for two decades. So I might as well just keep doing that. I've even talked to people who are afraid to download VPNs now, because if you download a VPN, somebody else is just going to look at your web traffic now. I would think even if you're right, even if your intentions are good, even if you're handling everything correctly, to say "trust us" and have people believe you just seems so hard right now.

Yeah, I think what you're getting at is, you know, there's not a lot of trust in the world.

And deservedly so!

Yeah! Look what happened to the internet. It's been overrun by untrustworthy companies, and tracking and whatnot. And that's why we set up the company vision to begin with, "to raise the standard of trust online." And so we then focused right from that point to say, we don't track you ever, and established that trusted brand, and both just in our privacy policy and kind of a legal way, but also just in all of our product design, communications, etc.

We're just saying we throw everything away. And you can just use us more privately.

And so we're not saying, "Hey, we're going to store your information, and then trust us to keep it safe." We're just saying we throw everything away. And you can just use us more privately. The question that always comes up is, then how do you make it good enough? Like, how do I get local weather or restaurants if you don't know who I am? And the short version of that is, your computer can send that information on the fly for that request, and we can use it to show you local coffee shops, and then throw it away, never storing it or saving it. We don't have a copy and the government can't come get it, etc. And that's effectively how it works.

Right. But even in that transaction, I have to believe you that it's not being stored anywhere. And you have to prove this crazy counterfactual, which is like, how do you show me that you don't have my data?

There's no way to prove a negative. So at some point, it's turtles all the way down. But, you know, we have a very strict privacy policy. We would get in trouble, ultimately, if it was violated. And all of our code for our apps and extensions is open source. So you know, people look at it, and can kind of see what's going on. But then you ask, Well, are you running that code, or are you modifying it or something? And so there's some level of trust that is needed. But I mean, our whole company's purpose is for this purpose: to help you protect your privacy.

Do you spend a lot of time having to make your life harder in the name of privacy?

Yeah. I mean, we have architected lots and lots of systems to maintain people's privacy that no one would ever architect but for this problem. And we would love other companies to do it, and so we're trying to start explaining how they work. And internally, we have tons of other reviews and internal audits just to make sure we've never done anything or will never do anything against our code policies, even accidentally.

And a good example of this is, how do we A/B test the site? How do we make improvements while keeping everyone anonymous. And had to develop a completely anonymous A/B testing system, where we basically just show different versions of the page and count what happens. The drawback in that system, which is making it harder, is that we can't keep somebody in one of the variants, because we don't have any session data. We don't have any way to tie searches together.

So I could be both in the A and the B group.

Yeah, you can reload the page and then see something different. And then you're in both groups. It averages out, it just makes our life a little harder, statistically. But we had to build that system from scratch, we can't use name-your-big-data-analytics, we don't use any third-party software for that kind of stuff.

That gives you a pretty long to-do list, full of things that ordinarily you'd just call in an API and move on with your day.

Yeah, we don't have any third-party scripts on our site. Never have. But it means we have to develop more than other companies to make that all work.

Are there pieces of it that just straight up don't exist in a privacy-preserving way that you're comfortable with?

In search? Yeah. All of these content providers we use, we've architected to protect user privacy, so they remain anonymous. Any content that we call from anybody, we call on the user's behalf from our servers. We don't pass the IP address or part of the IP address or a hash or anything that is personally identifiable or can tie searches together. And then we bring back the content, and then format it for the user. But a lot of that didn't exist. We had to architect those systems, depending on the provider, and work with them to make it all work.

When you say you don't store anything, is that literally true? Do you save things for like two seconds in order to execute whatever you're needing to do, and then it gets deleted? What does it mean to not store anything?

So we believe that means don't write anything to disk, don't log anything that could tie anything back to an individual. So that means your IP address, or a unique cookie. We don't write any of that down, effectively. And the same with the email: It passes through us in memory, and we never store it or log it to disk. So any information that we would write would be completely anonymous information. So for example, we save a record of what queries occurred, but without any information associated with the individual with it. So nothing related to your computer or IP address or anything like that.

So the way to do that is not to collect it for as long as you need it and then get rid of it, it's just to never ask for it in the first place. Like, DuckDuckGo is just not asking for that information from me when I come to the site or open the app.

That's right. It's a little more complex than that, because the way the internet works, it just sends your IP address and your device ID and stuff. So you actively have to not store it. I mean, storing it is an act, but all the computers are set up by default to do it.

So why work on email? I'm curious kind of why that felt like sort of the next natural extension of this.

Thinking about where people spend the most time online, in other places besides search and browsing, email is on that next list, as [are] other apps. So those are the two protections that we started to focus on next.

We're not asking people to switch their email provider or email service. We're saying more like, 'the same inbox, more privacy.'

For email, in the simplification that we're trying to do, we're not asking people to switch their email provider or email service. We're saying more like, "the same inbox, more privacy." The same way we've been doing with our browser extension. So you can keep your current email provider, but you get this new email address — or set of addresses you can generate — that get delivered to your regular inbox with trackers removed. And then app tracker blocking for Android, initially, will help protect you and all the other apps you use. We're gonna make all that third-party tracking kind of go away on Android.

As people have adopted more tracker blocking on the web, more email tracking has popped up. People are using an email address as the main identifier now in a lot of places. And so it's the natural place to get protection next. And then apps [are another] Wild West, like the web was 10 years ago, where there's just tons of tracking embedded in apps, and it's not transparent. And it's just ripe for someone to come in and help protect it.

Is your way of thinking about it that you want to build privacy layers around those apps, or that you want to build your versions of those apps? You're making me think of that scene in "Silicon Valley" where Jian Yang has the whiteboard and it's like, "New Twitter, New Instagram, New Google." Are you just going to build Private Twitter and Private Instagram and Private Google? Or do you want to become the tracker blocker around all of those existing things?

It's the tracker blocker. We believe "privacy simplified" means not having to change as many workflows as you can. And so ideally you'll use the same websites, the same apps, and they won't break, but you'll get all sorts of new privacy protection.

Now, some apps we think you should switch off. That's the Googles and the Facebooks. Some of them are so big, and they're the main tracking networks that you really probably should avoid. But other things like your general utilities, a DoorDash or something like that, they have trackers embedded in them. We would like to help you just keep visiting those sites and apps, but in a much more privacy-protected way. And if it works well, it'll be seamless. You just set it up once and you're protected.

Power

How the creators of Spligate built gaming’s newest unicorn

1047 Games is now valued at $1.5 billion after three rounds of funding since May.

1047 Games' Splitgate amassed 13 million downloads when its beta launched in July.

Image: 1047 Games

The creators of Splitgate had a problem. Their new free-to-play video game, a take on the legendary arena shooter Halo with a teleportation twist borrowed from Valve's Portal, was gaining steam during its open beta period in July. But it was happening too quickly.

Splitgate was growing so fast and unexpectedly that the entire game was starting to break, as the servers supporting the game began to, figuratively speaking, melt down. The game went from fewer than 1,000 people playing it at any given moment in time to suddenly having tens of thousands of concurrent players. Then it grew to hundreds of thousands of players, all trying to log in and play at once across PlayStation, Xbox and PC.

Keep Reading Show less
Nick Statt
Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.

While it's easy to get lost in the operational and technical side of a transaction, it's important to remember the third component of a payment. That is, the human behind the screen.

Over the last two years, many retailers have seen the benefit of investing in new, flexible payments. Ones that reflect the changing lifestyles of younger spenders, who are increasingly holding onto their cash — despite reports to the contrary. This means it's more important than ever for merchants to take note of the latest payment innovations so they can tap into the savings of the COVID-19 generation.

Keep Reading Show less
Antoine Nougue,Checkout.com

Antoine Nougue is Head of Europe at Checkout.com. He works with ambitious enterprise businesses to help them scale and grow their operations through payment processing services. He is responsible for leading the European sales, customer success, engineering & implementation teams and is based out of London, U.K.

Protocol | Policy

Why Twitch’s 'hate raid' lawsuit isn’t just about Twitch

When is it OK for tech companies to unmask their anonymous users? And when should a violation of terms of service get someone sued?

The case Twitch is bringing against two hate raiders is hardly black and white.

Photo: Caspar Camille Rubin/Unsplash

It isn't hard to figure out who the bad guys are in Twitch's latest lawsuit against two of its users. On one side are two anonymous "hate raiders" who have been allegedly bombarding the gaming platform with abhorrent attacks on Black and LGBTQ+ users, using armies of bots to do it. On the other side is Twitch, a company that, for all the lumps it's taken for ignoring harassment on its platform, is finally standing up to protect its users against persistent violators whom it's been unable to stop any other way.

But the case Twitch is bringing against these hate raiders is hardly black and white. For starters, the plaintiff here isn't an aggrieved user suing another user for defamation on the platform. The plaintiff is the platform itself. Complicating matters more is the fact that, according to a spokesperson, at least part of Twitch's goal in the case is to "shed light on the identity of the individuals behind these attacks," raising complicated questions about when tech companies should be able to use the courts to unmask their own anonymous users and, just as critically, when they should be able to actually sue them for violating their speech policies.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Protocol | Workplace

Remote work is here to stay. Here are the cybersecurity risks.

Phishing and ransomware are on the rise. Is your remote workforce prepared?

Before your company institutes work-from-home-forever plans, you need to ensure that your workforce is prepared to face the cybersecurity implications of long-term remote work.

Photo: Stefan Wermuth/Bloomberg via Getty Images

The delta variant continues to dash or delay return-to-work plans, but before your company institutes work-from-home-forever plans, you need to ensure that your workforce is prepared to face the cybersecurity implications of long-term remote work.

So far in 2021, CrowdStrike has already observed over 1,400 "big game hunting" ransomware incidents and $180 million in ransom demands averaging over $5 million each. That's due in part to the "expanded attack surface that work-from-home creates," according to CTO Michael Sentonas.

Keep Reading Show less
Michelle Ma
Michelle Ma (@himichellema) is a reporter at Protocol, where she writes about management, leadership and workplace issues in tech. Previously, she was a news editor of live journalism and special coverage for The Wall Street Journal. Prior to that, she worked as a staff writer at Wirecutter. She can be reached at mma@protocol.com.
Protocol | Fintech

When COVID rocked the insurance market, this startup saw opportunity

Ethos has outraised and outmarketed the competition in selling life insurance directly online — but there's still an $887 billion industry to transform.

Life insurance has been slow to change.

Image: courtneyk/Getty Images

Peter Colis cited a striking statistic that he said led him to launch a life insurance startup: One in twenty children will lose a parent before they turn 15.

"No one ever thinks that will happen to them, but that's the statistics," the co-CEO and co-founder of Ethos told Protocol. "If it's a breadwinning parent, the majority of those families will go bankrupt immediately, within three months. Life insurance elegantly solves this problem."

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Signal at (510)731-8429.

Latest Stories