Skip to content

[QUESTION] Privacy of Qwant and Startpage #45

@lilithium-hydride

Description

@lilithium-hydride

Your Question

I had never really looked into Qwant or Startpage before and was curious to see if their claims of privacy actually held up (spoiler alert: it doesn't look like it).

For Qwant, I went to the homepage, searched for "test", and then saved uBlock Origin's blocked requests, which appear in the table below. Note that as you stay on the page and interact with random elements, further requests will be sent and blocked. I don't know what some of these requests are for, and I can assume some of them are extraneous without being necessarily malicious, but rum stands for Real User Monitoring, and is a tracker capable of collecting a whole host of information on the user. What exactly is Qwant collecting with RUM? What does it do with this data? There's no way to be sure, because Qwant isn't open source and the payloads sent to the apm/intake/v2/rum/events endpoint are garbled binary data.

Logger output
/rum/events www.qwant.com xhr https://www.qwant.com/apm/intake/v2/rum/events
/rum/events www.qwant.com xhr https://www.qwant.com/apm/intake/v2/rum/events
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
##.result--ext www.qwant.com dom https://www.qwant.com/?q=test&t=web
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/ui
/rum/events www.qwant.com xhr https://www.qwant.com/apm/intake/v2/rum/events
/rum/events www.qwant.com xhr https://www.qwant.com/apm/intake/v2/rum/events
/rum/events www.qwant.com xhr https://www.qwant.com/apm/intake/v2/rum/events
/rum/events www.qwant.com xhr https://www.qwant.com/apm/intake/v2/rum/events
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/ui
/rum/events www.qwant.com xhr https://www.qwant.com/apm/intake/v2/rum/events
/rum/events www.qwant.com xhr https://www.qwant.com/apm/intake/v2/rum/events
||qwant.com/v2/api/ux/surveys? www.qwant.com xhr https://api.qwant.com/v2/api/ux/surveys?website=qwant&tab=home&tgp=90&locale=en_US&device=desktop
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/webapp_loaded
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display
||qwant.com/action/ www.qwant.com ping https://www.qwant.com/action/display_page

As for Startpage, it doesn't send near as many shady-looking requests, but I also wouldn't call it private. I won't bog you down with another uBlock Origin log, as this GitHub issue does a good job of summing it up.

Should these still be included? They're certainly better than $BIG_TECH_SEARCH, but I'm also not sure if they're the best places to direct people.

Please tick the boxes

  • You have filled out this form accurately, and to the best of your knowledge
  • A similar question has not already been asked for this software/ service
  • You agree to the code of conduct

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions