Do we need to move to the darknet to protect our privacy? Here’s how it can be done.

Kim Crawley
Aug 12, 2024

The Dark Web
By Slywnow, CC BY-ND 3.0

I’ve explained the many ways that our privacy is constantly violated on the clearnet. Edward Snowden’s revelations about the NSA in 2013, and the vast amount of data mining done by mega corporations like Meta and Google define much of it. But you should practice the precautionary principle, and assume everything you do online is being monitored by some entity or another.

For years, Google may have had people believe that the “Incognito Mode” in their Chrome web browser was protecting their privacy effectively. They thought they were “incognito” to all of the web servers they were visiting.

The truth is that web servers know the IP addresses of the Chrome endpoints that visit them, even in Incognito Mode. And they could run JavaScript or other code to determine the browser’s user agent string, which includes the engine of the browser (e.g. Blink is now the engine in Chrome, it’s Gecko in Mozilla Firefox, and WebKit in Apple Safari), the type of device (e.g. mobile or desktop; in this context my laptop is “desktop”), operating system, screen resolution in pixels, and the latitude and longitude associated with my gateway IP address.
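As an added example (not from the original article), this Python sketch shows what a server can derive from the connection and the User-Agent header alone, neither of which Incognito Mode changes. The sample requests are constructed, the IPs are documentation addresses, and `server_view` is a hypothetical helper name; screen resolution is not in this header and needs script running in the page, so it is left out.

```python
import re

# Constructed sample requests as a web server receives them: (client IP, User-Agent).
# The IPs are RFC 5737 documentation addresses, not real clients.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"),
    ("198.51.100.23", "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) "
                      "Gecko/20100101 Firefox/128.0"),
    ("192.0.2.55", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 "
                   "Mobile/15E148 Safari/604.1"),
]

# Order matters: Android UAs also say "Linux", iPhone UAs say "like Mac OS X".
OS_PATTERNS = [
    ("Android", r"Android"),
    ("iOS", r"iPhone OS|iPad; CPU OS"),
    ("Windows", r"Windows NT"),
    ("macOS", r"Mac OS X"),
    ("Linux", r"Linux"),
]

def engine(ua):
    # Chrome's UA still carries "AppleWebKit" and "like Gecko" for compatibility,
    # so match the product tokens that only one engine family sends.
    if re.search(r"Gecko/\d+ Firefox/", ua):
        return "Gecko"
    if re.search(r"(Chrome|Chromium)/\d", ua):
        return "Blink"
    if "AppleWebKit/" in ua:
        return "WebKit"
    return "unknown"

def server_view(client_ip, ua):
    """Return what the server learns from the socket address and one header."""
    os_name = next((n for n, pat in OS_PATTERNS if re.search(pat, ua)), "unknown")
    return {
        "ip": client_ip,
        "engine": engine(ua),
        "os": os_name,
        "device": "mobile" if re.search(r"\bMobile\b|Android", ua) else "desktop",
    }

if __name__ == "__main__":
    for ip, ua in SAMPLE_REQUESTS:
        print(server_view(ip, ua))
```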

People may have been under the impression that they were completely private in Chrome “Incognito Mode,” but even Google marketing only said that it stops the browser from locally storing any history information, cookies, site data, or form inputs. But it turns out that, at least for an extended period of time, Incognito Mode wasn’t even doing that.

A class action lawsuit was filed against Google in 2020 with plaintiffs alleging that Google’s claim to not be collecting tracking information on users in Incognito Mode was false and fraudulent. The plaintiffs wanted a collective $5 billion USD settlement. They didn’t get a settlement. And Google’s lawyers said that the claims were “meritless.” But what they did get was Google’s agreement to purge billions of user records. That’s better than nothing.

Class action lawsuits like these should serve as a lesson on how big tech would prefer to violate your privacy, and that you can’t trust everything they say.

Here’s one last example before I serve you some alternatives in this chapter.

WhatsApp is one of the most popular instant messaging apps in the 2020s. It’s used all around the world, but it’s especially popular in developing countries in areas like Africa and the Middle East. WhatsApp was first launched in 2009. In 2014, Meta bought it for billions of dollars, back when they were known as Facebook, Inc.

Also in 2014, WhatsApp announced that they would implement the TextSecure end-to-end encryption protocol that’s used by the Signal app. Signal is great, I use it myself.

By October 2021, the TextSecure end-to-end encryption protocol was rolled out to iOS and Android WhatsApp users for message backups as well. But it’s a feature that has to be enabled by the user.

As a cybersecurity researcher, I think Signal’s TextSecure end-to-end encryption is excellent. But as far as WhatsApp’s implementation is concerned, I could have the best mechanical lock on my door, and it would all be for naught if I gave the cops a copy of my key.

In November 2023, Al Jazeera reported that Palestinians in Gaza have been arrested by the Israelis, triggered by their WhatsApp statuses. And in April 2024, Middle East Monitor reported that an AI-driven technology called Lavender was being used by the Israeli military to identify Palestinian individuals and target them with weapons. Middle East Monitor:

“Rather than just acting as a simple targeting mechanism, the system has a deliberate high civilian casualty rate, with Israeli military and intelligence sources admitting that they strike targets even when they are present in their homes with their entire families. As one source said at the time, the occupation forces ‘bombed them in homes without hesitation, as a first option. It’s much easier to bomb a family’s home. The system is built to look for them in these situations’.”

Paul Biggar, a software engineer for Tech for Palestine, revealed that Lavender uses WhatsApp data to find individuals in shared WhatsApp groups, and target them accordingly. All because an individual is in a WhatsApp group with another targeted individual.

I’m confident based on Signal’s reputation, what people in the intelligence community tell me privately, and their leadership by big tech critic Meredith Whittaker that Signal isn’t giving my key to the cops. In 2018, Whittaker wrote an open letter to Google, urging them to not build warfare technology for the US Department of Defense. She also restated her determination to protect user privacy in her “Signal and the Future of Encrypted Messaging” talk at TechCrunch Disrupt 2023.

But I don’t trust WhatsApp’s implementation of TextSecure at all.

Alas, Signal isn’t based on the Tor or I2P proxy networks. There are many more privacy-guarding communication applications if you dive into the world of the darknet.

In this chapter, I’m going to recommend web search engines, email services, a VPN (virtual private network) platform, filesharing and chat, and even whole entire operating systems!

Private and “deshittified” web search with DuckDuckGo via Tor, VormWeb, and Ahmia

DuckDuckGo has been the most popular alternative to Google Search for many years now. People are rightfully wary of Google using vast quantities of information about users’ web searching habits for data mining. DuckDuckGo does, though, profit from advertisers through the Microsoft Bing network, which is one of the sources behind DuckDuckGo. (There are reportedly over 400 sources in total, including Yahoo! Search BOSS, Wolfram Alpha, and the DuckDuckBot web crawler. Google is deliberately not one of the sources.) But the ads served are purely based on users’ search queries and not on data collected about the user. For instance, I’m a huge Japanese RPG fan, which is reflected in a lot of my web activity. Google might serve me ads for Metaphor: ReFantazio while I search for information about commercial VPNs. But DuckDuckGo would only target me ads about NordVPN or SurfShark. Because Google knows “this user looks at Japanese RPG news on the web very frequently,” whereas DuckDuckGo only knows “this user’s search query is ‘commercial VPNs’.”

DuckDuckGo promises to not retain information about search queries and IP addresses. Even if your web browser enables the usage of third party geolocation data, DuckDuckGo doesn’t collect user location data through its servers. Furthermore, they promise to not allow other tech companies to track users through the DuckDuckGo web browser. Just like you can use Google Search with or without the Chrome or Chromium web browser, you can use DuckDuckGo search with or without the DuckDuckGo browser. DuckDuckGo promises even greater privacy by using their own web browser, including blocking third party tracking by data mining tech giants.

Although that claim has been called into question. BleepingComputer reported in 2022 that security researcher Zach Edwards found in his audit of the DuckDuckGo web browser that although it does indeed block trackers from entities like Google and Meta, it facilitates trackers for Bing and LinkedIn, which are both owned by Microsoft. Bing has been one of DuckDuckGo’s primary sources since its inception as a privacy minded search engine in 2010 (DuckDuckGo was founded in 2008). Bing’s advertiser network is a major monetization source for DuckDuckGo.

DuckDuckGo CEO and Founder Gabriel Weinberg responded to Edwards’ research in a tweet:

“For non-search tracker blocking (eg in our browser), we block most third-party trackers. Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”

— Gabriel Weinberg (@yegg) May 23, 2022

In my professional opinion, using the DuckDuckGo web browser through the clearnet isn’t the way to go if you’re really privacy minded.

So this is where Tor comes in. You can definitely load any clearnet website in the Tor Browser through the Tor Network, including duckduckgo.com. DuckDuckGo is the default search engine in the Tor Browser. That uses DuckDuckGo’s clearnet site. As the Tor Project announced on their website:

“With the release of Tor Browser 6.0.6, we switched to DuckDuckGo as the primary search engine. For a while now, Disconnect, which was formerly used in Tor Browser, has had no access to Google search results. Since Disconnect is more of a meta search engine, which allows users to choose between different search providers, it fell back to delivering Bing search results, which were basically unacceptable quality-wise. DuckDuckGo does not log, collect or share the user’s personal information or their search history, and therefore is best positioned to protect your privacy. Most other search engines store your searches along with other information such as the timestamp, your IP address, and your account information if you are logged in.”

But you should go further and use DuckDuckGo’s search engine directly on the Tor Network instead, at http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/. If you don’t want to paste the .onion address, an “onionize” switch can be toggled in DuckDuckGo.com to direct your search query there. But only if you’re using the Tor Browser.
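If you do paste the address, a v3 .onion name carries its own checksum, so a mistyped or truncated copy can be caught before you connect. The following Python check is an added example, not part of the original article; it follows the published Tor v3 address layout (32-byte public key, 2-byte SHA3-256 checksum, version byte 3), and the function names are hypothetical. A pass only means the string is intact, not that it belongs to DuckDuckGo, so still compare it against a source you trust.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ONION_V3_VERSION = b"\x03"

def _checksum(pubkey: bytes) -> bytes:
    # Tor v3 address format:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    data = b".onion checksum" + pubkey + ONION_V3_VERSION
    return hashlib.sha3_256(data).digest()[:2]

def encode_onion_v3(pubkey: bytes) -> str:
    """Build the hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def is_valid_onion_v3(address: str) -> bool:
    """True if address (hostname or URL) is a v3 onion name with a matching checksum."""
    address = address.strip()
    host = (urlsplit(address).hostname or "") if "://" in address else address
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")].split(".")[-1]  # ignore subdomain labels
    if len(label) != 56:  # 35 bytes encode to exactly 56 base32 characters
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and checksum == _checksum(pubkey)

# The address given in the article.
DDG_ONION = "duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion"

if __name__ == "__main__":
    print(is_valid_onion_v3("http://" + DDG_ONION + "/"))
    # One changed character breaks the checksum.
    print(is_valid_onion_v3(DDG_ONION.replace("gogg42", "gogg43")))
```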

DuckDuckGo’s facilitation of Microsoft’s trackers is a problem with their own web browser and probably not with DuckDuckGo search outside of the DuckDuckGo browser. And if you use the clearnet DuckDuckGo search in the Tor Browser, external entities won’t have your actual gateway IP address. They’ll just have the IP address of your nearest entry and exit nodes (depending on upload or download direction) on the Tor Network. If you use darknet DuckDuckGo (duckduckgogg…onion), it’s even more likely that the entry and exit nodes closest to the web server will be made anonymous even more effectively.

When you use duckduckgogg…onion, all routing for your web searches goes through Tor. Your ISP (internet service provider) won’t know you’re using DuckDuckGo, nor will any operators of open WiFi hotspots, or any other possible man-in-the-middle. It’ll just look like all Tor traffic to them. They know it’s Tor traffic, but nothing else.

It’s like the “defense in depth” we talk about in cybersecurity. Antivirus software may be able to stop particular malware strains from infecting your computer, but using your firewall to block IP addresses associated with malware threat actors is another layer of protection.

DuckDuckGo has had a Tor (.onion) website since 2010. That’s my recommendation for searching clearnet sites.

Wow, this may have gotten confusing. Please use DuckDuckGo’s .onion site in the Tor Browser through the Tor Network to search clearnet sites while you’re on Tor. Hopefully I’ve made that clear! Clearnet, through Tor!

Now a word about DuckDuckGo and resisting “enshittification.” As far as “deshittification” is concerned, DuckDuckGo takes one step forward and one step back.

First, the good news. Google has a nasty habit of wanting to deliver webpages to Android devices through AMP, Accelerated Mobile Pages. Especially when you click on a link to a news webpage through the built-in Google News interface in Android (which I can get to on my Android 14 phone by swiping right). Webpages processed through AMP will often look cleaner on a mobile device by hiding some of the stuff that’s extraneous to the webpage text that you intend to read. But this convenient way to make some webpages look simpler harbours a dark secret. It’s another layer of privacy-destroying tracking for Google. And Google is rumoured to prioritize websites that support AMP in Google Search results.

If you use the DuckDuckGo browser on Android, iOS, or Mac, or if you use the DuckDuckGo extension in Firefox or Chrome on desktop, AMP will be blocked automatically. You’ll get the original version of the webpage with less Google tracking instead.

Now here’s the bad news. Since March 2023, DuckDuckGo has implemented a feature called DuckAssist. It’s supposed to “deliver natural language answers to search queries through Wikipedia.” It’s a Gen AI application. Yuck.

There’s also DuckDuckGo AI chat, which is a Gen AI chatbot that’s similar to ChatGPT and based on GPT-3.5. But unlike ChatGPT, DuckDuckGo promises to not conduct AI training on your conversations. Isn’t that swell?

Either way, Gen AI mania is parallel to the enshittification that Cory Doctorow defined. You’ll inevitably get nonsense information, such as the existence of a fruit called “applum.” They’re trying to replace real human creative writers, computer programmers, and visual artists. And the amount of electricity demand Gen AI adds to the power grid is absolutely reckless in a world where catastrophic climate disaster is accelerating. It’s totally dystopian.

Continued.
