1. 24

  2. 20

    While I like the aesthetic of @duck.com, you are still just trusting that DuckDuckGo will DoTheRightThing™ and not scrape, read, and sell your data maliciously now or sometime far in the future because it’s not just a ‘dumb’ email forwarder. I think more often than not, DuckDuckGo has been on the side of data privacy, but if these services aren’t being charged for, they have to sell something to fit the bill.

    One of the practical ways around this sort of tracking is to configure your client to prioritize text/plain emails, send a support email to text/html-using services, and subscribe to content via RSS instead of these automated mailing lists.

    1. 6

      Exactly my thoughts when I read this: this smells just like the Google early days when “Don’t be evil” was still a slogan and not a punchline, and tech nerds would push all their friends to use it. While this is a legitimately useful service for those who aren’t using dumb terminal-based email clients (although, there’s no reason why regular all-bells-and-whistles mail clients can’t do this natively too with extra effort), DuckDuckGo may have jumped the shark here with their mission scope creep. Or maybe I’m just becoming a cynical old man…

      1. 5

        DuckDuckGo is hoping to get more search users (and so more ad money) by doing this because to sign up you have to download their browser for your mobile.

        That’s a pretty straightforward monetisation strategy.

        1. 1

          I have the same trust issues with Apple and Google’s email services. They also “care a lot” about my privacy. 🤔

          1. 2

            I don’t use either so 🤷. But DDG in this case isn’t even the email provider: they are a proxy. So instead of needing to trust just your provider, you also need to add a link in your chain of trust for this proxy.

            1. 2

              I thought it was known Google definitely reads your Gmail messages. I wouldn’t send any trust in that direction. It’s an information/ad company, you should have 0 expectation of privacy with them, even using paid services, especially not free ones.

              1. 4

                The problem is that ‘reads your gmail messages’ has a lot of different possible meanings, for example:

                • A human reads them
                • An automated system builds an advertising profile of you based on the contents of every message.
                • An automated system scans them and produces some completely anonymised aggregate information, for example for spam filtering

                It’s not clear where on this kind of spectrum gmail actually sits. I doubt that they make it easy for an administrator to read your email, but how hard is it? I suspect that they try to anonymise the information that they aggregate from your email, but how well does it actually work in practice?

                The DDG service would be a really great use for confidential computing, where you get a guarantee that they can’t look inside the VM and you get a verifiable attestation that the VM is running what they say it is.

          2. 3

            They require you to install their app to do it…

            1. 1

              Yep. Hard pass.

              1. 3

                It’s already the default browser on my phone, so fast accept.

            2. 2

              It looks like they are an email forwarding service; if they change the content of the email, then DKIM will be rendered invalid.

              How does this really work? I wonder how they made SPF/DKIM work without rewriting the message essentially sign with duck.com?
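An added illustration of the DKIM point raised in the comment above (not part of the thread): a DKIM signature carries a body hash (`bh=`), so a forwarder that removes a tracker changes the hash and the original signature no longer verifies unless the forwarder re-signs. The pixel filter and the sample message are constructed for this example; the canonicalization follows RFC 6376 section 3.4.4 ("relaxed").

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of whitespace to one space, drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a signer would place in the bh= tag (rsa-sha256 / relaxed body)."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


# Hypothetical stand-in for a forwarder's tracker filter: drops 1x1 images.
PIXEL = re.compile(rb'<img\b[^>]*\bwidth="1"[^>]*\bheight="1"[^>]*>', re.I)


def strip_pixels(body: bytes) -> bytes:
    return PIXEL.sub(b"", body)


def survives_forwarding(signed_bh: str, forwarded_body: bytes) -> bool:
    """True if the sender's original bh= still matches the forwarded body."""
    return body_hash(forwarded_body) == signed_bh


# Constructed sample message body (not a real email).
ORIGINAL = (
    b"<html><body>\r\n<p>Summer sale</p>\r\n"
    b'<img src="https://tracker.example/o.gif?u=123" width="1" height="1">\r\n'
    b"</body></html>\r\n"
)

if __name__ == "__main__":
    signed = body_hash(ORIGINAL)
    reflowed = ORIGINAL.replace(b"\r\n", b"  \r\n") + b"\r\n\r\n"
    print("whitespace-only change:", survives_forwarding(signed, reflowed))
    print("pixel stripped:        ", survives_forwarding(signed, strip_pixels(ORIGINAL)))
```

Trailing-whitespace changes survive relaxed canonicalization; removing the image does not, which is why a content-rewriting forwarder has to sign the modified message under its own domain or leave receivers with a failed original signature.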

              1. 2

                Is there such a FOSS self-hosting [mf]ilter available?

                1. 2

                  I know this is intended for non-technical users, but for technical users I think such a feature should be client-side rather than another layer in the email process. Especially since that probably breaks encryption and/or sender verification. (…if you even care about such things when handing out your email to marketers.)

                  1. 2

                    Agreed. Also, non-technical users would have to trust DDG to not read/parse the emails any more than that they remove the tracking which can be achieved by disabling remote content when looking at the email.

                  2. 1

                    Anyone know if ublock blocks tracking pixels in email?

                    1. 4

                      As far as I know, uBlock is not installable on any email client.

                      Now if you’re talking about tracking pixels in webmails, it depends on your webmail. Most webmails nowadays (this was started by Gmail) download and cache the images in the emails. So they can’t track you (since the webmail is shielding your IPs and your cookies by proxying the image download), but they can track if and when you opened this email, which I find creepy.

                      uBlock can’t do much about this, since the image in your webmail is embedded as https://cdn.webmail.example.com/image-proxy/...., so there is no way to differentiate between a legitimate image and a tracking pixel.

                      1. 5

                        Most non-web email clients now refuse to download any images unless you press a button. I generally don’t press it, so I never see the contents of the GOG.com marketing emails because they don’t put any plain text in that motivates me to click. If I can’t read your marketing email without your tracking me, I don’t read your marketing email. Your loss.

                        1. 2

                          Yeah, I imagine the huge image-only emails are horrible for accessibility as well.

                          I’ve also noticed that the URLs in emails that come from recruiters are usually some URL shortener with tracking info, even the ones in the footer. Now I just search for whatever company they’re trying to sell instead. This way they don’t send 5 followup emails for their dumb blockchain startup.

                          1. 1

                            I use FairEmail [on Android] which does not display images by default, but also attempts to stop tracking images if you want to see images; it kinda works for GOG for example. I have a pi-hole on my home network and it also prevents some other tracking beacons.

                            Nothing is 100% proof at this point, except plain-text but depending on senders you also get click tracking (and often stupidly long links with that).

                            On a side topic, I’m curious as to why you are (still?) subscribed to marketing emails that you don’t want to read?

                            1. 1

                              On a side topic, I’m curious as to why you are (still?) subscribed to marketing emails that you don’t want to read?

                              I do want to read them, but not enough to load trackers. When they send emails with actual text in them, I sometimes click on them (and I do still buy games from them, though since work gives me a free XBox Game Pass account, I don’t buy games as much as I used to).

                      2. 0

                        Is bashing Google and selling itself in the name of privacy the only business model of DDG? They could just say it’s a good email service with many features that people actually care about.

                        1. 1

                          But it is not an email service. It is more of a filtering proxy.