DuckDuckGo has been on a tear the last couple of years. In mid-2018, the company's data showed it was getting about 18 million searches a day; now that number's pushing 100 million. Both numbers still look like rounding errors next to Google's gargantuan scale, but DuckDuckGo has cemented itself as one of the most important players in search.
But Gabriel Weinberg, DuckDuckGo's founder and CEO, doesn't see search as the endgame for the company. DDG is a privacy company, setting out to build what he calls "an easy button for privacy." Weinberg's is a slightly unusual vision for privacy on the internet: He wants to let people use the apps they want, the way they want, without being tracked or having their personal data collected and used against them. And it should all happen in the background. Privacy, he said, should be "really making one choice: the choice that you want privacy, you don't want to be coerced."
Weinberg joined the Source Code podcast to discuss what we talk about when we talk about privacy, how a company like DuckDuckGo can compete in a world dominated by the data gatherers and whether products can be both private and best of breed.
You can hear our full conversation on the latest episode of the Source Code podcast. Below are excerpts from our conversation, edited for length and clarity.
I want to know how you define privacy, both in your own head and at DuckDuckGo. I get the sense that when we talk about privacy, it sounds like we're talking about the same thing. But we're actually talking about 1,000 things that only slightly overlap, and so it's hard to have one coherent conversation about privacy, because we don't even know what we're talking about. But I'm assuming at some point, you've had to, like, write on the whiteboard, "Here is what we mean when we talk about privacy." So define it for me.
I've literally done the digital equivalent of writing on the whiteboard! Yes, you're right, people have lots of different definitions. And I think a common definition is, "Privacy is protecting your personal information." I do not think that's the right definition, to be clear.
I think the definition is a little more abstract, but wider than that, which is: It is protecting your personal autonomy. And the flip side of that is, it's protecting you from not being coerced to make decisions you wouldn't otherwise make. And when you think about it from that perspective, all sorts of things relate to privacy. The filter bubble and misinformation, where you're getting presented with information trying to coerce you based on your personal attributes, that is a privacy violation that people don't often connect with privacy. Same with commercial exploitation. So you can be coerced in a lot of different ways. And our solve for that, generally, is to give people solutions to not only protect their personal information, but to make it so they're not really trying to be manipulated online.
Does that then lead you down the road of thinking the solution to everything is choice and transparency?
No. And the reason is that choice and transparency — sometimes what they call notice and consent, where you get all these cookie dialogs, asking you to make all these controls — can be really complicated and confusing. And our basic product vision is "privacy simplified." And simplified is really making one choice: the choice that you want privacy, you don't want to be coerced. Not 1,000 choices. In fact, I think that's generally what people want.
We like to call it the "easy button" for privacy. That's what we're trying to build. And I think that's what people want: They don't want tons of different choices and controls, they just want not to be tracked and targeted online.
How much are you either hoping for or banking on regulation to help you on that front? We've had lots of debates about the default screen on Android where you have to choose your search engine when you load it, and that was a good idea that kind of broke in the execution. But that's the sort of thing that I think could be a push to end some of that inertia. But I also get the sense that, especially here in the U.S., if that stuff is ever coming, it's not coming anytime soon. So is regulation part of your planning?
Our focus has always been purely from a product perspective. We've been succeeding in spite of those headwinds, and we're not banking on regulation, but we would welcome it, and we do welcome what's going on in the House and in the U.S., and think that there really is a chance for unlock there.
You mentioned search preference menus. We are working with governments across the world to try to implement that well. And I do think that if those anti-competitive mechanisms were removed, by regulation or otherwise, we would be much bigger than we are now. Because right now, it's just difficult to switch on some devices. On Android, if you want to use our search engine across the device, it takes by our count over 15 different taps or clicks just to do that. And it really should be one. In a real competitive landscape, it would just be a one-click type of switch.
There's a huge, ongoing perception that you still have to sacrifice product quality for privacy, that privacy is a thing you get at the expense of something else. And so just purely by saying, "We are the privacy-preserving one," you plant this thing in people's brains that says OK, well, it's gonna be a little worse, but it's good for privacy, and am I willing to make that trade-off? You mentioned feeling like you had reached sort of a reasonable par with Google in order to then go focus on other stuff. What do you make of that perception gap at this point?
Yeah, I think that it is a vestige, at least for us, that isn't really real anymore. But you're right: It is embedded in people's minds that there has to be a trade-off. But we don't think it's true.
Now, granted, it is true for lots of products. And I think part of the reason there is, a lot of privacy products were not companies. They weren't built with high-quality UX in mind. They were often run by enthusiasts who had the best intentions in mind, but they weren't trying to build businesses to compete with the biggest tech companies in the world, like we are.
We need to change that narrative over time. There are a couple headwinds on that, though, just to be completely frank about it. One is, people just think it's not even possible to get privacy. And so we have to educate them that this easy button is real. We have to explain to them, yes, if you stop the trackers from loading, they won't track you.
The other headwind is that there's been several studies that have done this: You have the same set of search results and put different logos on it, and if you see the Google logo, you perceive it to be more relevant. So over time, we have to just overcome that with our own brand, and let our users tell other people that you're not really sacrificing anything here.
One thing that we've seen over and over is these privacy-first options, saying, "We won't let anybody track you. (Except for us.)" And then it's like, well, now all I'm doing is choosing to trust you instead of Google. And I've been trusting Google for two decades. So I might as well just keep doing that. I've even talked to people who are afraid to download VPNs now, because if you download a VPN, somebody else is just going to look at your web traffic now. I would think even if you're right, even if your intentions are good, even if you're handling everything correctly, to say "trust us" and have people believe you just seems so hard right now.
Yeah, I think what you're getting at is, you know, there's not a lot of trust in the world.
And deservedly so!
And so we're not saying, "Hey, we're going to store your information, and then trust us to keep it safe." We're just saying we throw everything away. And you can just use us more privately. The question that always comes up is, then how do you make it good enough? Like, how do I get local weather or restaurants if you don't know who I am? And the short version of that is, your computer can send that information on the fly for that request, and we can use it to show you local coffee shops, and then throw it away, never storing it or saving it. We don't have a copy and the government can't come get it, etc. And that's effectively how it works.
Right. But even in that transaction, I have to believe you that it's not being stored anywhere. And you have to prove this crazy counterfactual, which is like, how do you show me that you don't have my data?
Do you spend a lot of time having to make your life harder in the name of privacy?
Yeah. I mean, we have architected lots and lots of systems to maintain people's privacy that no one would ever architect but for this problem. And we would love other companies to do it, and so we're trying to start explaining how they work. And internally, we have tons of other reviews and internal audits just to make sure we've never done anything or will never do anything against our code policies, even accidentally.
And a good example of this is, how do we A/B test the site? How do we make improvements while keeping everyone anonymous? And we had to develop a completely anonymous A/B testing system, where we basically just show different versions of the page and count what happens. The drawback in that system, which is making it harder, is that we can't keep somebody in one of the variants, because we don't have any session data. We don't have any way to tie searches together.
So I could be both in the A and the B group.
Yeah, you can reload the page and then see something different. And then you're in both groups. It averages out, it just makes our life a little harder, statistically. But we had to build that system from scratch, we can't use name-your-big-data-analytics, we don't use any third-party software for that kind of stuff.
That gives you a pretty long to-do list, full of things that ordinarily you'd just call in an API and move on with your day.
Yeah, we don't have any third-party scripts on our site. Never have. But it means we have to develop more than other companies to make that all work.
Are there pieces of it that just straight up don't exist in a privacy-preserving way that you're comfortable with?
In search? Yeah. All of these content providers we use, we've architected to protect user privacy, so they remain anonymous. Any content that we call from anybody, we call on the user's behalf from our servers. We don't pass the IP address or part of the IP address or a hash or anything that is personally identifiable or can tie searches together. And then we bring back the content, and then format it for the user. But a lot of that didn't exist. We had to architect those systems, depending on the provider, and work with them to make it all work.
When you say you don't store anything, is that literally true? Do you save things for like two seconds in order to execute whatever you're needing to do, and then it gets deleted? What does it mean to not store anything?
So we believe that means don't write anything to disk, don't log anything that could tie anything back to an individual. So that means your IP address, or a unique cookie. We don't write any of that down, effectively. And the same with the email: It passes through us in memory, and we never store it or log it to disk. So any information that we would write would be completely anonymous information. So for example, we save a record of what queries occurred, but without any information associated with the individual with it. So nothing related to your computer or IP address or anything like that.
So the way to do that is not to collect it for as long as you need it and then get rid of it, it's just to never ask for it in the first place. Like, DuckDuckGo is just not asking for that information from me when I come to the site or open the app.
That's right. It's a little more complex than that, because the way the internet works, it just sends your IP address and your device ID and stuff. So you actively have to not store it. I mean, storing it is an act, but all the computers are set up by default to do it.
So why work on email? I'm curious kind of why that felt like sort of the next natural extension of this.
Thinking about where people spend the most time online, in other places besides search and browsing, email is on that next list, as [are] other apps. So those are the two protections that we started to focus on next.
For email, in the simplification that we're trying to do, we're not asking people to switch their email provider or email service. We're saying more like, "the same inbox, more privacy." The same way we've been doing with our browser extension. So you can keep your current email provider, but you get this new email address — or set of addresses you can generate — that get delivered to your regular inbox with trackers removed. And then app tracker blocking for Android, initially, will help protect you and all the other apps you use. We're gonna make all that third-party tracking kind of go away on Android.
As people have adopted more tracker blocking on the web, more email tracking has popped up. People are using an email address as the main identifier now in a lot of places. And so it's the natural place to get protection next. And then apps [are another] Wild West, like the web was 10 years ago, where there's just tons of tracking embedded in apps, and it's not transparent. And it's just ripe for someone to come in and help protect it.
Is your way of thinking about it that you want to build privacy layers around those apps, or that you want to build your versions of those apps? You're making me think of that scene in "Silicon Valley" where Jian Yang has the whiteboard and it's like, "New Twitter, New Instagram, New Google." Are you just going to build Private Twitter and Private Instagram and Private Google? Or do you want to become the tracker blocker around all of those existing things?
It's the tracker blocker. We believe "privacy simplified" means not having to change as many workflows as you can. And so ideally you'll use the same websites, the same apps, and they won't break, but you'll get all sorts of new privacy protection.
Now, some apps we think you should switch off. That's the Googles and the Facebooks. Some of them are so big, and they're the main tracking networks that you really probably should avoid. But other things like your general utilities, a DoorDash or something like that, they have trackers embedded in them. We would like to help you just keep visiting those sites and apps, but in a much more privacy-protected way. And if it works well, it'll be seamless. You just set it up once and you're protected.