> > Question: does anyone actually know what DDG does with user data? Like they market themselves as a "privacy respecting" search engine, but how much of this is truth?
> It doesn't matter.
> Why? Because when going through the exercise of identifying risks in the system one can't assume the actors are benevolent and won't ever use the access+data they have for evil.
Storing any data in database is just asking someone to either steal it or abuse it. So only solution is to not store it, if it's not critical for operation. And if it's critical, store privacy data in encrypted form(and keep decryption keys away from database, so database breach won't jeopardize keys, like in different business unit in corporation). One such example is logs, store some of the data encrypted, and if you need it(with a really good reason) ask it to be decrypted. Also you can encrypt various forms of data with different keys, and make accessing one type easier while more privacy critical data will be harder to get access to.
> It doesn't matter.
> Why? Because when going through the exercise of identifying risks in the system one can't assume the actors are benevolent and won't ever use the access+data they have for evil.
Storing any data in database is just asking someone to either steal it or abuse it. So only solution is to not store it, if it's not critical for operation. And if it's critical, store privacy data in encrypted form(and keep decryption keys away from database, so database breach won't jeopardize keys, like in different business unit in corporation). One such example is logs, store some of the data encrypted, and if you need it(with a really good reason) ask it to be decrypted. Also you can encrypt various forms of data with different keys, and make accessing one type easier while more privacy critical data will be harder to get access to.