At launch, access to Mullvad Leta was restricted to users with a paid Mullvad VPN account, but it is now free and open to all.
Mullvad Leta has been audited by Assured.
Just a heads up, some of the details in the FAQ and Terms of Service seem a bit outdated and might not be accurate anymore.
Some relevant information from their FAQ section is as follows:
What can I do with Leta?
Leta is a search engine. You can use it to return search results from many locations. We provide text search results, currently we do not offer image, news or any other types of search result. Leta acts as a proxy to Google and Brave search results. You can select which backend search engine you wish to use from the homepage of Leta.
Can I use Leta as my default search engine?
Yes, so long as your browser supports changing default search engines.
Navigate to https://leta.mullvad.net/ in your browser and right-click on the URL bar.
From there you should see Add “Mullvad Leta“ with the Mullvad VPN logo to the left.
If you do not see this, you can attempt to add a custom search engine to your browser with:
- The name set to: Leta
- The URL set to: https://leta.mullvad.net/?q=%25s
You can select which backend engine to use as follows:
- Google: https://leta.mullvad.net/?q=%25s&engine=google
- Brave: https://leta.mullvad.net/?q=%25s&engine=brave
Did you make your own search engine from scratch?
We did not, we made a front end to the Google and Brave Search APIs.
Our search engine performs the searches on behalf of our users. This means that rather than using Google or Brave Search directly, our Leta server makes the requests.
Searching by proxy in other words.
What is the point of Leta?
Leta aims to present a reliable and trustworthy way of searching privately on the internet.
However, Leta is useless as a service if you use the perfect non-logging VPN, a privacy focussed DNS service, a web browser that resists fingerprinting, and correlation attacks from global actors. Leta is also useless if your browser blocks all cookies, tracking pixels and other tracking technologies.
For most people Leta can be useful, as the above conditions cannot ever truly be met by systems that are available today.
What is a cached search?
We store every search in a RAM based cache storage (Redis), which is removed after it reaches over 30 days in age.
Cached searches are fetched from this storage, which means we return a result that can be from 0 to 30 days old. It may be the case that no other user has searched for something during the time that you search, which means you would be shown a stale result.
What happens to everything I search for?
Your searches are performed by proxy, it is the Leta server that makes calls to the Google or Brave Search API.
Each search that has not already been cached is saved in RAM for 30 days. The idea is that the more searches performed, the larger and more substantial the cached results become, therefore aiding with privacy.
All searches will be stored hashed with a secret in a cache. When you perform a search the cache will be checked first, before determining whether a direct call to Google or Brave Search should be made. Each time the Leta application is restarted (due to an upgrade, or new version) server side, a new secret hash is generated, meaning that all previous search queries are no longer visible to Leta
What could potentially be a unique search would become something that many other users would also search for.
What is running on the server side?
We run the Leta servers on STBooted RAM only servers, the same as our VPN servers. These servers run the latest Ubuntu LTS, with our own stripped down custom Mullvad VPN kernel which we tune in-house to remove anything unnecessary for the running system.
The cached search results are stored in an in-memory Redis key / value store.
The Leta service is a NodeJS based application that proxies requests to Google or Brave Search, or returns them from cache.
We gather metrics relating to the number of cached searches, vs direct searches, solely to understand the value of our service.
Additionally we gather information about CPU usage, RAM usage and other such information to keep the service running smoothly.
I respect the effort of creating this search engine and the effort to create a good privacy focused browser. However I didn’t appreciate the fact that the latest update to the browser set this search engine as the default.
I cannot help but respect any organization that has “here are the conditions that make our product useless” in their FAQ.
It’s an effective way to describe what their proxy does, for sure. It’s just nice to read public-facing text that doesn’t feel sanitized by committee.
It’s also underselling what they are providing.
You get to skip all the AI garbage, all the sponsored links, and the “what other people are asking” sections and just go straight to the search results.
Privacy is the primary selling point, but the clean “old school” google interface is what I’m really excited about. I’ve set my default search in the browser to Leta for now.
Funny you say that, because my only complaint about this search engine is that it’s missing the AI “garbage”. I suppose I could just go directly to Gemini but it was convenient getting a quick answer without having to use two separate websites.
Gemini is wrong quite often. You shouldn’t rely on it to tell you facts.
If I need to double check it, then it’s worthless to me.
Thankfully I don’t rely on it for “facts”, just for a quick summary on something or to get a definition of a word. Something like that.
So SearXNG?
SearXNG
Always wondered how the fuck I’m supposed to say that.
Seeks’nn’jnn?
Sur X N G?
Search engine?I’ve never thought about it until now, so thanks for that…
I’ve said it in my head as “Seer” and then the letters X N G. I didn’t even CONSIDER part of it is supposed to sound like “search”…
Same here. XNG isn’t pronouncable in english, so it will always be Seer X N G for me
I’d rather let some EU company like Qwant use my anonymized data, to hopefully someday build their own index, than use Google by proxy (except when neccessary, of course).
Good news, they are doing just that (in cooperation with Ecosia)
Edit: And it is supposed to be released this year (as early as Q1 apparently) https://betterweb.qwant.com/en/2024/11/08/ecosia-and-qwant-join-forces-to-develop-european-search-index/
That is some unexpectedly good news. I’m looking forward to see the results of an EU based search index.
Good moves from Ecosia. They used to get some flack for using Bing and Google.
While this is nice, I would really like to see more fully independent options that are not just a proxy for Google/Bing. I realize that is a lot easier said than done, but this kind of solution is not providing a real alternative in anything but name only. Google/Microsoft fully control the APIs being used. so this only exists so long as those they are trying to provide an alternative for allow them to exist. Which will not scale if they are anything but a blip on the radar.
I’ve been paying for Mullvad for a while and didn’t realize this was even a thing until this announcement.
This is also what Startpage does.
And Searx
search engine
Not a search engine.
Ehhh. I mean, technically yes, but a proxy for search engine requests is probably functionally equivalent to the end user.
Also, if users don’t know that such a thing exists and goes looking for a “search engine”, they likely also want this.
One of my personal pet peeves is power stations — a big lithium-ion battery pack hooked up to a charge controller and inverter and USB power supply and with points to attach solar panels — being called a “solar generator”. It’s not a generator, doesn’t use mechanical energy. But…a lot of people who think “I need electricity in an outage” just go searching for “generator”. I don’t like the practice, but I think that the aim is less to deceive users and more to try to deal with the fact that they functionally act in much the same role and people might not otherwise think of them.
I am less sympathetic to vendors who do the same with calling evaporative coolers “air conditioners”. Those have some level of overlap in use, but are substantially different devices in price and capability.
It’s like saying a passenger rail car is a freight engine
I think they just call them trains
Is it really though? To the common person, it is most important thinking about the intent rather than what the word literally means. Like what people think of as AI may really just be a LLM, or VR may really be AR, or the like.
So is it like DDG but with EU GDPR ?
I think that would be Qwant. This is a search engine proxy.
Now I’m getting confused. Are DDG and Qwant not proxies for Bing?
Not exactly, they are search engines in their own right that have their own crawlers, but also use the Bing API. Leta is literally a proxy, it searches on the google (or brave) search website on your behalf and serves you the results. That way the only data Google gets is Mullvad’s.
I wonder if they’re using the (paid) Google and Brave APIs, and are running Leta as a loss leader, or if they have some way to get around it
Never gave this much thought. I’ve been considering subscribing for Kagi again, but basically they are paying for a Google API subscription, meaning that Google directly monetizes my Kagi searches?
To be completely honest, I’m less worried about privacy and more worried about what kind of world I’m contributing to with my internet usage. I Mullvad sends money to Google for every search, it’s probably not for me.
Switched to Qwant now - rather Microsoft than Google, and at least they are working on their own engine.
I don’t like how it tells you when the results were cached. You can tell if and when a query was searched for by someone else.
I do like it because when I’m trying to find out more information about break8ng events I want to know if I’m getting outdated information. Also, knowing that someone, somewhere in the world entered the same search terms as you within the last 30 days tells you absolutely nothing about that person.
Unless the terms include a name or location. Plus Leta is not widely used.
Suppose you tell someone in secret that you were arrested. You know they use Leta, so you look up “John Doe arrest” later and see that it was just recently cached. You only told one person so it must have been them. You now know what someone searched because they used Leta.
uh-oh
Leta is not widely used.
Please everyone, help click
It seems like a good alternative so some of the most popular engines. I think I’ll stick with Ecosia, since on top of being EU based, they also make the world a better place.
Your search query, IP address and iirc fingerprint gets shown to Bing everytime you make a search, so it’s not private at all
But doesn’t Leta use Bing as it’s backend also?
No, it uses Google and Brave search.
I don’t see them claiming it is
Your IP address and search terms are automatically shared with our search partners, Microsoft Bing or Google, when you search.
Sorry, I left this ambiguous. My intended context was that the person you were replying to didn’t mention Ecosia’s privacy.
my bad, I always assume not just because we’re on the topic of privacy but because of how Ecosia advertises itself as a privacy friendly alternative on their front page when it isn’t that at all that, much like the difference between apple.com/privacy and apple.com/legal/privacy
It is still a good reason not to use Ecosia, however.
Nice! I’ve been wanting to get off startpage for a while now. This is a perfect replacement.
Same question. Why are you moving away from Startpage? I
They were bought by a shady company a while back.
Are you referring to Privacy One Group? Seems like that was cleared up and PrivacyTools went back to recommending them
System1 specifically, which is also mentioned in the article you linked. Privacy Tools has also lost their reputation recently. Privacy Guides is more of the standard now. I know they cleared up their position, but ads and privacy together just doesn’t sit right with me. I’m just glad there’s an alternative.
Thanks for the response!
I’ll check it Privacy Guides
Wait… what’s wrong with startpage?
They were bought by a shady company a while back.
