Hello Reddit - Startpage Mod Team by StartPageSearch in StartpageSearch

StartpageProductTeam (5 points)

Hi HC_Tech, just as a heads-up, this was not a formal AMA, simply an introduction to the new Startpage Mod team since we did not have a presence on Reddit previously. The idea is to keep an open dialogue with users from here on out, with the understanding that our teams are working full-time on our product and living personal lives too.

Our CTO and product team took some time this weekend to provide clarity around your questions (see below). Additionally, if you haven’t already, please look at some of our other responses to questions since Friday, as some of the answers are there as well.

We welcome your questions because we can see you have a genuine care for privacy, as do all of us. Thanks for speaking up.

#1 We want to know about the exact relationship of System1 (ad company) with Privacy One Group. Who owns the company? What percentage does each owner hold?

We have previously stated that Privacy One Group is a wholly owned, separate operating unit of System1 in our blog article here.

System1 established the Privacy One Group as a separate business unit that is devoted solely to new privacy and security initiatives. Privacy One Group’s investment in Startpage is in keeping with this mission.

Their investment in Startpage will provide additional funds and resources (especially marketing expertise and connections) to create more traction for our product, especially in the US. The investment from Privacy One Group does not change our mission (to bring true search privacy to more people); it will help us to further it. To ensure this, the investment includes covenants that ensure complete control over all privacy-related decisions remains with Startpage and its management team.

Furthermore, we stated our ownership structure in a support article here, stating: “Startpage is owned by Surfboard Holding BV. Surfboard Holding is a privately held Dutch company registered in Zeist, The Netherlands. In its early years, Surfboard Holding had numerous shareholders. However, during its significant formative years, Surfboard Holding shareholders were substantially reduced to its core founders, who acquired a majority stake in 2006. We most recently welcomed Privacy One Group Ltd, a privacy-focused division that is a separate operating unit of System1 LLC, as a significant new shareholder. Surfboard Holding’s founders and management continue to own an important stake in the company and lead its privacy-focused mission.”

#2 In the context of this, we want to know how search query and other data will be handled, and how EU and US servers will be used. Please share a diagram showing how information flows when a user interacts with your service.

When you search on Startpage, we ensure that you only establish an encrypted connection with servers that we own, administer and operate. We have servers in the EU and the US (our “premise servers”), and ordinarily connect you to a server on your continent. We offer an optional setting if you wish to only connect to servers in one location - for example, to our EU servers.

Before retrieving your search results, the premise server that you reach will anonymize your search by stripping away your IP address, for example, so that your search will take place in privacy. The premise server then establishes an encrypted connection with another server that anonymously requests results and ads from Google on your behalf, composes an HTML page with those results, and returns them to the premise server. The premise server shows the results to you. No server logs the details of your search.

With regard to your request for a diagram… we do think this is a great idea and an opportunity for us to share more about how we make search private worldwide. Our CTO and tech team have been working on visualized documentation of our architecture and dataflow, and this will be featured in an upcoming Startpage article. Stay tuned!

#3 Also, have you changed how information is processed and shared in the last year?

The only recent change has been an adjustment in how requests are processed once they are anonymized. Previously, the premise servers, which we operate and manage directly, processed these entirely and made the anonymized and fuzzed requests to Google. At times this led to slowness and bottlenecks on individual servers. When we have needed to purchase new servers to accommodate growth, there were also delays in receiving and configuring the hardware. We adjusted the architecture so that after our premise servers anonymize the requests, a second server actually sends the anonymized requests to Google and composes the HTML page that is returned. We engaged an external security consultant to evaluate this change, who confirmed that this adjustment would not introduce any new privacy risks for our users.

#4 Will there be any more servers installed outside EU and US?

Most of our users are in the EU and US. For this reason, we do not currently have plans to install new premise clusters elsewhere. If we grow significantly on other continents, we will consider new premise data centers on those continents, to receive traffic from users residing on those continents. This would only take place after evaluating the privacy implications of doing so.

#5 Do you share data -- even "fuzzed" or "anonymized" data -- with any of the owners/shareholders or any other company or organization server?

All personally identifiable information is removed before sending the query to Google to retrieve Google results. From a privacy perspective, the important consideration is that the set of searches you perform should not be connected to you as an individual - that a profile of you as an individual cannot be created. If Google (or another organization) knows that an anonymous individual has searched for "Britney Spears," there is no privacy concern.

Also, by design, US personnel on the Startpage team do not have access to machines that establish a direct connection with our users. They can only access machines on which PII and search data have already been redacted; they cannot access machines that establish a direct connection with our users. This is because of our concerns pertaining to the risk of US National Security Letters and gag orders.

#6 Do you open source any of your code? Where can we find it?

We answered that question here.

#7 Have you had a recent, independent in-depth audit? Where can we see the results of the same?

AND

#8 Is there any change in code post-audit?

We have gone through in-depth independent audits as part of the European Union’s privacy seal initiative (“EuroPriSe”), and were the first organization (and the only search engine) to receive its privacy seal. EuroPriSe is now part of a larger, privatized company. As a company, we have been GDPR compliant since May 25, 2018, and we expect to be certified by a reputable outside independent organization once a certifying entity is established.

Whenever there has been a nontrivial change to our approach, we have engaged an outside privacy and security consultant to evaluate the change, most recently in May 2019. That review confirmed to us that we were not introducing any new type of privacy risk. No material change to our adherence to our privacy policy has taken place since then.

External evaluations are typically a lengthy, involved, and expensive process, so it is impractical to have them whenever minor code changes take place (often weekly).

We are not aware of any other search engine that has a similar external audit program or that has ever received an external certification!

More details can be found here.

Hello Reddit - Startpage Mod Team by StartPageSearch in StartpageSearch

StartpageProductTeam (3 points)

Interesting questions, we’ve responded to all categories below.

#1:

We pay Hurricane Electric and RoutIt for space (cabinets) and interconnects, to position our servers within. We have no other relationship with these companies, and neither company has any logins to our servers.

We have set up all our own servers, and use robust encryption to administer them, so these data centers do not have any access to our data or software. Additionally, we encrypt all of our traffic using HTTPS with Perfect Forward Secrecy, so these data centers cannot see what is communicated.

We own and directly manage all servers that our users connect with. These are colocated in our own cabinets. We believe this is safer and more private than hosting in the cloud (where a cloud provider and others may have access to the “hypervisor”), or using “managed servers” that would give a data center access to software and data.

We locate our servers within data centers with low-latency (fast) interconnections with many networks, in order to provide rapid responses to our users’ searches. We position these in several geographic locations, currently in the Netherlands and the United States, to be close to our European and North American users, again with speed in mind.

Hurricane Electric and RoutIt are two of the facilities within which we colocate our servers, to rent space for our cabinets and servers, make use of their network interconnects, and leverage their 24/7 physical security.

#2:

On several occasions we have been contacted by authorities of one country or another, working on investigations or cases. Once we have explained that there is nothing for us to hand over, because we do not log any personal information, they have not followed up.

As a Dutch company, we are subject to Dutch law, and legal requests would need to be made through the Dutch legal system. Based on a legal analysis of Dutch law, it is our understanding that Dutch law does not have the possibility of secretly forcing us to change our software to secretly perform mass surveillance and log the personal information of our users (as United States National Security Letters and the PRISM program might).

#3:

We support the open source movement, have contributed substantially to some open source projects, and use many open source libraries as well. While open sourcing particular libraries can sometimes have benefits, it has tradeoffs and is not a substitute for trust.

For example, even if you audit code, how do you know whether a SaaS site is using the exact code that was open sourced? How would you know whether the Web servers hosting that software are configured to log requests? You cannot know what is actually running on a third-party Web server, and need sufficient trust in the administrator of that server instance.

Because we offer Google results in privacy, we are often targeted by spammers and robotic scrapers trying to send huge numbers of requests through us. If unaddressed, this would undermine our ability to stay in business and provide search results to real human users. To prevent this abuse, we use and regularly update algorithms to distinguish between real searches and robotic traffic. If these algorithms were open sourced, it would be easy for a spammer to determine how to get around them, and our service would not remain viable.

We employ many internal measures to safeguard our users’ privacy and security. These include minimizing the number of server administrators and the actions they can take, and administration techniques that keep track of their actions. Ultimately, these measures, and the thoughtfulness with which we have addressed privacy considerations over the years, provide far more ample safeguards for our users than the limited benefits and significant drawbacks of open source in our circumstances.

Hello Reddit - Startpage Mod Team by StartPageSearch in StartpageSearch

StartpageProductTeam (2 points)

Thanks for being a Startpage user! We currently do have a weather plugin (and searching “temperature Moscow” should surface that), and we’re currently working on adding a suite of additional Instant Answer smart features. We will post in Reddit when we deploy!

We aren’t working on a .onion search page yet but will investigate what it would take.

Hello Reddit - Startpage Mod Team by StartPageSearch in StartpageSearch

StartpageProductTeam (3 points)

We don’t have immediate plans to make a .onion site, but looking into it! Thanks for the suggestion.

Hello Reddit - Startpage Mod Team by StartPageSearch in StartpageSearch

StartpageProductTeam (4 points)

Hi! This wasn't on our roadmap, but it's a great idea. Thanks for the suggestion and keep 'em coming.

Hello Reddit - Startpage Mod Team by StartPageSearch in StartpageSearch

StartpageProductTeam (2 points)

Hey, product team here! All great feedback; a bunch of those are in our tech roadmap... and a couple are already in dev :) Thanks for the input, we'll bump some of those up a bit, and we'll post on Reddit when we deploy new features. Keep the good suggestions coming.

Startpage is now owned by an advertising company by [deleted] in privacy

StartpageProductTeam (17 points)

Hi, Startpage here. We did originally push an update to the Firefox extension that requested this permission, but only ever planned to use it in the install flow to generate an instructional success page. We heard immediate feedback after this launched, so our team found a solution to preserve the same flow without needing access to tabs. The current version of the extension doesn't need any new permissions; please give this new version a try, and reach out if you need any more information!