Background
As some of you may know, Spread Privacy, the parent company of the DuckDuckGo search engine, announced on 20 July 2021 two new services. The first is similar to the disposable email addresses akin to MySudo, Temp Mail, and others. The other, and a larger threat to privacy, in my opinion, is an “Email Tracker Removal Service.”
Posts about this have been circulating through my various social media feeds this week and as I reviewed the press release and associated documentation with a skeptical lens, it created more questions than answers. This particular post is, in a way, me thinking “out loud,” but also asking difficult questions openly to DuckDuckGo regarding the services.
Disclaimer
I am not a lawyer, nor have I played one on Broadway, Saturday Night Live, or any Netflix shows. I am not writing this as legal advice, but rather from the lens of someone concerned with privacy with some background in the IT compliance field, albeit a few years ago.
While the above disclaimer is mostly a joke, I am definitely not a lawyer!
My Thoughts and Analysis
Disposable Email Addresses
Seeing as the press release included the domain of duck.com, this service may have a limited shelf life for its intended use. In an era where social media platforms actively prevent people from registering fake accounts (or sock puppets), I suspect that this will have a similar fate. I learned this a few years ago while creating a Facebook account with a MySudo email address.
There is an incentive for platforms to ensure that users are inputting real information. In some cases, this is from government oversight, such as with US-focused cryptocurrency exchanges and social media platforms. The latter has come under intense scrutiny for their part in disinformation spreading and its possible election influence. Furthermore, such platforms are seeking to sell user data while also realizing that they cannot market such data originating from false accounts.
DDG’s duck.com disposable email service seems decent from the technology perspective on the surface, but given my experiences with similar services and products, I doubt that I will use duck.com much, if at all.
Email Tracker Removal Service
About email trackers: Simply put, email trackers are elements of code quietly included in emails to see if an email is opened or forwarded. Some trackers can ascertain the IP address, hostname, or username of who opens the emails.
Most often, this is completed with a “tracking pixel,” which is a 1x1 pixel (blank image) that phones home to a server when the email is opened. Per engadget’s post about the service, these trackers can be used for targeted ads as well.
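To make the tracking-pixel mechanism concrete, and to illustrate the point made later in this post that stripping trackers necessarily means parsing the whole message body, here is an added example of a heuristic tracker remover. It is written for this post, is not DuckDuckGo's code, and says nothing about how their service actually works; the sample email, the domains (`example.test`) and the recipient token are constructed placeholders. It re-emits the HTML unchanged except for `<img>` tags that are 1x1/0x0, hidden via inline CSS, or (optionally) any remote image, which is the "block remote content" behaviour of many mail clients.

```python
"""Added example: heuristic tracking-pixel removal from an HTML email body.

Constructed for this post; not DuckDuckGo's code. Note that every byte of the
body passes through the parser: removal without "reading" is not possible.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (hypothetical domains, placeholder token).
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hello &amp; welcome to our newsletter!</p>
<img src="https://cdn.example.test/logo.png" width="200" height="50" alt="logo">
<img src="https://track.example.test/open?u=RECIPIENT-ID-PLACEHOLDER" width="1" height="1" alt="">
<img src="https://track.example.test/beacon.gif" style="display:none; width:1px">
<img src="cid:inline-photo" width="300" height="200">
<p>Regards</p>
</body></html>"""


def _is_tiny(value):
    """True for width/height values that render nothing visible: '0', '1', '1px'."""
    if value is None:
        return False
    return value.strip().lower().rstrip("px") in ("0", "1")


def classify_img(attrs, block_remote=False):
    """Return a reason string if an <img> looks like a tracker, else None.

    Heuristics, in order: 1x1/0x0 dimensions, hidden or 1px via inline CSS,
    and optionally any remote http(s) image (cid: and data: images stay).
    """
    a = {k.lower(): (v or "") for k, v in attrs}
    if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
        return "1x1 pixel"
    style = a.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return "hidden image"
    if "width:1px" in style or "height:1px" in style:
        return "1px via css"
    scheme = urlparse(a.get("src", "")).scheme.lower()
    if block_remote and scheme in ("http", "https"):
        return "remote image (all remote content blocked)"
    return None


class TrackerStripper(HTMLParser):
    """Re-emits the document verbatim except for <img> tags judged to be trackers.

    Start tags are copied from the raw source; end tags are re-emitted in
    lowercase, which is the only cosmetic change to non-tracker markup.
    """

    def __init__(self, block_remote=False):
        # convert_charrefs=False so entities like &amp; are re-emitted untouched
        super().__init__(convert_charrefs=False)
        self.block_remote = block_remote
        self.out = []
        self.removed = []  # (src, reason) for each stripped tag

    def _emit_tag(self, tag, attrs):
        if tag == "img":
            reason = classify_img(attrs, self.block_remote)
            if reason:
                src = {k.lower(): (v or "") for k, v in attrs}.get("src", "")
                self.removed.append((src, reason))
                return  # drop the tag entirely
        self.out.append(self.get_starttag_text())

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):  # self-closing form: <img ... />
        self._emit_tag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_trackers(html, block_remote=False):
    """Return (cleaned_html, removed) where removed is a list of (src, reason)."""
    parser = TrackerStripper(block_remote)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    cleaned, removed = strip_trackers(SAMPLE_EMAIL_HTML)
    for src, reason in removed:
        print("removed %-60s (%s)" % (src, reason))
    print(cleaned)
```

The default mode removes only images that match a visual heuristic, so a tracker disguised as a normal-sized remote image slips through; `block_remote=True` closes that gap at the cost of also dropping legitimate remote images such as the logo. Either way the decision is made on the parsed body and attributes of every tag, which is the "SOME level of parsing" the post asks about.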
The Email Tracker Removal service is the one that I am most concerned with. Maybe I am too pessimistic, but I feel like DuckDuckGo is over-emphasizing the word "save." "Not saving" is only saying that nothing is directly left behind, which is a rather strange semantic point. Their stance on "not saving" is not much different from running Natural Language Processing (NLP) algorithms across the bodies of the emails or something similar. Someone can do a lot with a file (such as an email) without saving it. Maybe my worldview is too dystopian.
I like DuckDuckGo’s search engine, but without any inside or direct knowledge of their service/product, I am inclined to suspect that there are other motives at play here that aren't quite apparent yet. As with any company, DuckDuckGo can only go so long doing things out of "the goodness of their hearts" without *something* from users in return.
Most importantly, how will DuckDuckGo apply this to end-to-end encrypted (E2E) emails?
Before thoroughly reading their press release, I was going to ask, "should we trust them with our private keys to be able to decrypt emails to remove any trackers in the body?"
But I now see that this is an email forwarding service. Does DuckDuckGo plan on monetizing the statistics from inbounds? They say that they're not reading emails, but how can they entirely remove all trackers without SOME level of parsing? Parsing would require a human or automated process to "read" the body and any attachments.
Reading the DuckDuckGo Privacy Guarantees, I may be going too deep into this, but their chosen phrasing is questionable, that’s for sure.
1. "We do not save your emails."
The Privacy Guarantee doesn't mention reading (whether by human or code), nor does it prohibit any analysis, whether of the text, the content, or the sender/recipient. Stating that something is not saved is different from saying that it is "Zero-Knowledge" or not read, analyzed, or otherwise manipulated. I get that the point of the service is not "Zero-Knowledge." Still, a lot of the user base of DuckDuckGo is more privacy-focused than the "average bear," and the company has massively embraced this as part of its overall marketing strategy.
2. "When using this service, the only personal information we save is your forwarding email address and the duck addresses you create."
I don't see a whole lot wrong with this. Given what this service is and how it works, this would be a requirement for it to work, but it also reduces a user's privacy posture in that it could be another data point to be "requested" via legal processes.
It is also important to note that DuckDuckGo is based in Paoli, PA, per the footer of their About page. This location presents privacy concerns in and of itself in contrast to mail services outside the US and the 5, 9, and 14 eyes countries and cooperators like Tutanota and ProtonMail.
3. "We do not use your personal information for advertising or any other purposes unrelated to this service."
Aside from identifiers like name, email address, and IP address, what are they defining as "personal information?" This statement is something that seems to be deliberately vague and likely up to varied legal interpretations.
4. "We will only disclose personal information if we are legally forced to do so, and we will go to court to fight against such disclosure."
This statement is kind of addressed in the Privacy Policy for DDG in general (since one is not available for the Email Tracker Removal service itself at this time). Per the privacy policy for the search engine, DuckDuckGo doesn’t use cookies by default, but searches are stored and in some cases, affiliate links are added to search results for a commission. While the aforementioned statement is geared to the search engine, would DuckDuckGo do the same to the content of emails? I think in the absence of a more comprehensive statement or policy, the jury is out on this one.
5. "We do not use third-party email services to forward your email."
Cool, but has anyone audited these claims? Does the software that runs the service use any external libraries? This is undoubtedly an instance where I would like to see audit results or a pen test report. Building your own software can be rewarding but is not without its own plethora of issues.
6. "We protect our infrastructure and your personal information with strict technical and organizational controls."
This passage in the policy primarily addresses encryption and agreements with data processors. I would venture to guess that this may be on par with other search engines, but I need more information and context before feeling comfortable routing email through this.
7 & 8. These deal with support and account deletion requests.
Nothing to say about these points. Seems fine.
9. "We will not allow an ownership change to weaken these privacy guarantees."
This statement looks excellent on paper but is not enforceable AFTER a sales transaction is complete.
Finally, the Email Tracker Removal Service seems to require a mobile application. While not all mobile applications are evil, as we have observed with other platforms (namely social media), they do tend to collect "anonymized" data from user devices. I have a certain level of skepticism for this claim, and (maybe it's my inner conspiracy theorist speaking, but) it does make my "spidey senses" tingle a bit.
Conclusion
In theory, these new services from DuckDuckGo seem to be decent enough services, but I do not fully trust the provided information given the context. I think that further clarification is required. Given that these are free services, the old adage probably applies:
If you aren't paying for the product, you ARE the product.