[QUESTION] Privacy of Qwant and Startpage

lilithium-hydride commented 2 years ago

Your Question

I had never really looked into Qwant or Startpage before and was curious to see if their claims of privacy actually held up (spoiler alert: it doesn't look like it).

For Qwant, I went to the homepage, searched for "test", and then saved uBlock Origin's blocked requests, which appear in the table below. Note that as you stay on the page and interact with random elements, further requests will be sent and blocked. I don't know what some of these requests are for, and I can assume some of them are extraneous without being necessarily malicious, but rum stands for Real User Monitoring, and is a tracker capable of collecting a whole host of information on the user. What exactly is Qwant collecting with RUM? What does it do with this data? There's no way to be sure, because Qwant isn't open source and the payloads sent to the apm/intake/v2/rum/events endpoint are garbled binary data.

Logger output

As for Startpage, it doesn't send near as many shady-looking requests, but I also wouldn't call it private. I won't bog you down with another uBlock Origin log, as this GitHub issue does a good job of summing it up.

Should these still be included? They're certainly better than $BIG_TECH_SEARCH, but I'm also not sure if they're the best places to direct people.

Please tick the boxes

[X] You have filled out this form accurately, and to the best of your knowledge
[X] A similar question has not already been asked for this software/ service
[X] You agree to the code of conduct

liss-bot commented 2 years ago

If you're enjoying Awesome-Privacy, consider dropping us a ⭐
_{🤖 I'm a bot, and this message was automated}

Lissy93 commented 2 years ago

Looking at the web request you mentioned. It is indeed analytics...

It is going to their self-hosted instance of Elastic (see docs).

For reference, here's the full request

#### Target: ``` POST https://www.qwant.com/apm/intake/v2/rum/events ``` #### Body: ```json {"metadata":{"service":{"name":"phoenix","version":"cb73d8fab484b85a110fd3129702240dcc3ede59","agent":{"name":"rum-js","version":"5.12.0"},"language":{"name":"javascript"}}}} {"transaction":{"id":"b2501a075c81f532","trace_id":"d2d526bfc5fe54d7ef1e2f8f3bf37caf","name":"Click - div","type":"user-interaction","duration":3108,"context":{"custom":{"classes":"Flex-module__flex___35zId"},"page":{"referer":"","url":"https://www.qwant.com/?q=test&t=web"}},"span_count":{"started":0},"sampled":false,"sample_rate":0}} ``` #### Request Headers: ``` Host: www.qwant.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://www.qwant.com/ Content-Type: application/x-ndjson Content-Length: 512 Origin: https://www.qwant.com Connection: keep-alive Cookie: hide_addon_dialog=1; theme=1; s=2; cookieAlertSettings=1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin DNT: 1 Sec-GPC: 1 ``` #### Server Headers: ``` content-security-policy | script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.qwant.com qwant.com; style-src 'unsafe-inline' data: *.qwant.com *.qwantjunior.com qwant.com; base-uri 'self'; block-all-mixed-content; frame-ancestors *.qwant.com *.qwantjunior.com lmqt.fyi; worker-src blob: 'self' www.youtube-nocookie.com www.youtube.com; object-src 'self'; img-src blob: 'self' s1.qwant.com s2.qwant.com s.qwant.com f.qwant.com data: s-lite.qwant.com www.qwant.com; form-action 'self'; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' data: *.qwant.com qwant.com; default-src 'self' data: blob:; connect-src *.qobuz.com *.apple.com *.qwant.com qwant.com extras.qwantjunior.com; font-src 'self'; media-src blob: *.qwant.com *.apple.com *.qobuz.com *.vid.web.acsta.net; frame-src viewer.dood3d.com *.vid.web.acsta.net player.twitch.tv player.vimeo.com www.dailymotion.com players-cdn.vidmizer.com players-cdn-v2.vidmizer.com *.qwant.com *.qwantjunior.com www.youtube-nocookie.com *.tvlocale.fr *.smartrezo.com *.femmesetcitoyennete.fr *.jeunesreporterssansfrontieres.fr *.medias-francophones.com *.trendy-community.fr *.tvcitoyenne.com *.veitech.com *.localetv.eu player.myvideoplace.tv; content-type | application/json date | Tue, 26 Jul 2022 14:22:30 GMT permissions-policy | speaker=(self), vibrate=(), oversized-images=(), gyroscope=(), magnetometer=(), document-domain=(), interest-cohort=(), microphone=(), display-capture=(), encrypted-media=(), midi=(), geolocation=(self), accelerometer=(), autoplay=(self), payment=(), vr=(), fullscreen=(), camera=(), ambient-light-sensor=(), sync-xhr=(self "https://api.qwant.com"), usb=() referrer-policy | origin server | Qwant strict-transport-security | max-age=31536000 ; includeSubdomains ; preload x-content-type-options | nosniff x-frame-options | SAMEORIGIN x-xss-protection | 1; mode=block ``` #### Response: ``` None ```

^^ There's other requests too, but they all seem to follow this format.

I started looking into Qwant a bit further....

Privacy Policy

Started with their Privacy Policy. It's really hard to read as info is scattered around, which IMO is not a good sign. Some things that jumped out at me:

They collect analytics
- including user agent, referer (where u came from), the meta info about the links you clicked (unclear if this includes the actual URL), and IP address
They could be sharing data with third-parties
- "We pseudonymize what we need to keep for statistics and for transfer to our technology and business partners."
They use third-party services, but are not transparent about what for and when
- But looking at the sources, Deepl for language translations, Bing for ads,

I couldn't find it written, but search queries have to be somehow sent to Bing in order to serve up ads. This is happening server-side, so there's no reason any other user info would be forwarded, but again, not clear.

Tracking

Qwant is using a self-hosted instance of, I think Elastic APM for both user analytics and "performance monitoring" (actually just more user analytics)

I tried using it as a user would, and analysing the client-side requests that were being sent. And I could not see anything other than what was shown above, which was particularly alarming.

They've previously used New Relic, TraderDoubler and Google Analytics (wtf?!), for analytics and user and performance tracking. That's based on historical BuiltWith scans, so I cannot properly verify that it's correct myself. I did check old snapshots on archive.org, and it seems to add up.

Cookies

There use of local storage, session storage, and cookies looks all fine. Each setting is stored locally, as opposed to giving you a user ID and storing settings remotely. There's no 3rd-party cookies. I played around with it for a while, and this was all that was stored - so just my user settings. They have a 6-month expiry.

JS

If you disable JavaScript, you're redirected to https://lite.qwant.com/ - which functions entirely on the server-side, and IMO is actually a much better experience. There's also no client-side analytics.

Ads

The ads are provided by Bing/ Microsoft. That does mean the search term is sent to Mircosoft, although it happens server-side, so there shouldn't be any user data attached. They're contextual so based only on the current search, and not user data.

One thing I will say, is that the search result ads are labelled as ads, whereas the suggested products, and shopping results have affiliate links attached, yet are not labelled as adverts. Clicking ads is pretty bad for privacy, so it should be important that they're properly labelled.

I think the 2 issues here are 1) Microsoft and 2) not being clear when your clicking an ad. But just having ads alone I don't think is an issue, as it would be more of a red flag is they didn't have a clear revenue model.

Security

I couldn't find any published security audit. Their privacy policy barley mentions security, or the practical things they've put in place to maintain integrity and protect user data.

But in terms of the very basic easy to check stuff, like headers, certificates, ports everything looks normal.

You're not trusting them with a lot personal info, so I guess the biggest motivation of an adversary would be to manipulate results.

Criticism

Overall, I couldn't find a lot of complaints, no historical big privacy mishaps, data leaks or security concerns. The Criticism Section of their Wikipedia doesn't list anything of great concern. There's not many compleints on ?q=Qwant on r/privacy

Search

Not sure if it's relevant, but unlike a lot of other "search engines" Qwant does do their own crawling and indexing, as explained in this article.

They also appear to own their own infrastructure, and are self-hosting most of the services they use.

Worth noting that they are popular in France and French-speaking countries, but less so in other regions.

TLDR; user analytics, association with Microsoft, the use of redirect URLs, Bing ads, somewhat unclear privacy policy.

I'm pretty neutral on this. There's definitely some issues, but weather the severity is enough to warrant removal, I'm not sure. But I will look into it further, and definitely update the listing to mention them. And if anyone else has anything to add, please do :)

If anyone else has any thoughts on this, or if I've missed anything, or got something wrong, do let me know. And if there is stuff I've missed then I'm happy to consider removing Qwant, but it's a slippery slope, as when you look into anything hard enough, there's always going to be issues. I think the main thing is just to present the facts, and let users decide what's right for them.

Lissy93 commented 2 years ago

I'll take a look at StartPage also, when I get a moment. StartPage has had a lot more controversy over the years, so there should be more info to go on.

DuckDuckGo also has some issues, so I should re-check that too.

Side note: I think a common issue that people have when trying to switch to a more privacy-respecting search engine, is just that the results either aren't as tailored as what most people have gotten used to. Which in turn means they end up going back to big 'G. So quality of search results is probably also a factor that should be taken into account.

lilithium-hydride commented 2 years ago

Wow, that's a lot of good research!

I'm happy to consider removing Qwant, but it's a slippery slope, as when you look into anything hard enough, there's always going to be issues. I think the main thing is just to present the facts, and let users decide what's right for them.

Yeah, I agree. You can dig and find unsavory behavior with a lot of things on this list, and staying fully informed to make educated decisions is the real goal with this sort of thing. I think it would do a lot of good to put all of your findings into another document somewhere and link to it so that it doesn't just get buried somewhere in an issue tracker.

I was tempted to mention DuckDuckGo as they've always weirded me out, but I figured that horse had been resurrected and beaten to death many times throughout its existence and I probably wouldn't present any new information. I'm curious to see what you find, though.

atomGit commented 1 year ago

yeah i know, and older topic, but i wanted to splice in a few comments...

@Lissy93 said...

If you disable JavaScript, you're redirected to https://lite.qwant.com/

testing this now in 2023 and the forwarding doesn't occur

also i thought JS was necessary to get Qwant to display anything, but either i was wrong or they changed something

I'll take a look at StartPage also, when I get a moment. StartPage has had a lot more controversy over the years, so there should be more info to go on.

DuckDuckGo also has some issues, so I should re-check that too.

i've been lookin' more closely at search engines since 2017 and the conclusions i've come to are simple: if they don't crawl the web themselves, ignore it - Qwant (Bing), DDG (Bing), Startpage (Google), etc. are all crap from a privacy POV and from a results POV all the rest of the proxies are garbage

the remainder that do indexing, and have decent privacy policies, and that don't require JS, is a very small number with Mojeek probably being the best of them at the moment (around 6.5 billion pages indexed as of this writing)

Lissy93 / awesome-privacy