DuckDuckGo now fingerprinting visitors

DuckDuckGo is using the Canvas DOMRect API on their search engine. Canvas is used to make unique geometry measurements on target browsers, and DOMRect API uses rectangles. This can be verified with the CanvasBlocker Firefox add-on by Korbinian Kapsner. DDG has recently been redirecting some website navigations to cute pictures with remarks about their privacy promises. The organization is now seeking to expand their Internet presence. DDG are without question data brokers, and commercial websites that make promises like DDG does will not survive for long if they actually keep them.

While I’m at it, Whonix forums also use Canvas identification. Hmm…

Those interested may find a bit more certainty (for now) with the searx and YaCy projects. Searx is a customizable meta-search engine whose source code is available at GitHub. Anyone can create a searx-instance for public or private use, and some are onion services. YaCy is a P2P search engine that can be accessed via a client proxy or websites offered by volunteers who allow access to their own installation.

https://searx.me/about

About DuckDuckGo Dec. 19, 2018

With our roots as the search engine that doesn’t track you, we’ve expanded what we do to protect you no matter where you go on the Internet.

Welcome to DuckDuckGo

We’re setting the new standard of trust online, empowering people to take control of their information.

You deserve privacy. Companies are making money off of your private information online without your consent.

At DuckDuckGo, we don’t think the Internet should feel so creepy and getting the privacy you deserve online should be as simple as closing the blinds.

Why is that done here?

Noted. Maybe someone else could answer, then?

Asked:


We don’t develop forum software. We use forum software.

new FAQ entry just now added:
Frequently Asked Questions - Whonix ™ FAQ

I assumed you could toggle it.

Discourse is a cool forum software, but it’s far from being highly flexible. You can’t even delete your account.

But good to know that DDG is fingerprinting visitors. Gotta keep an eye on them.

Since when was DDG good? Tor Project supported them because of money, not because of the morality and safety to users behind it. It's not fully free software in the end. (based in US …)

A better alternative is SearX, or MetaGer:

Hi, I work for DuckDuckGo and wanted to clarify that we are absolutely NOT doing any fingerprinting whatsoever. Our privacy policy is very clear on this: “We don’t collect or share personal information.” DuckDuckGo Privacy

We use a variety of browser APIs to deliver a search experience that is competitive with Google’s. Many “fingerprint” protection extensions take a scorched earth approach, blocking any browser API that could be exploited by a bad actor.

3 Likes

@brianstoner Thanks for your input

Also a note to readers: If a company does contrary to its claims, the FTC would step in and penalize them for fraudulent claims. It would be easy to discover if fingerprinting was going on.

Untargeted advertising is still viable. I don’t doubt that DDG can and does make a good living without resorting to unethical privacy breaches.

2 Likes

Nice, but a more technical response would be even better.

So what is DuckDuckGo using the API for? Weinberg thinks it could be the search engine’s use of getBoundingClientRect() to “determine size of browser and how to layout the page” that’s causing the problem.

  1. I would feel more comfortable with a definite answer. Why should users be satisfied with what the CEO “thinks”? If DDG wants to provide a serious rebuttal of the claim, I am sure they can do better than that.

  2. If DDG saves browser size server-side, together with any kind of search activities, then this is fingerprinting. If it’s just needed to perform proper layout, there are many ways to do that without communicating it back to the server. The question is, does it get sent back to the servers or not?
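
One way to check the question raised in the last post, whether values read through getBoundingClientRect() appear in traffic sent back to the server. This is an added example, not part of any post in this thread; the function names, sample measurements, hosts and request list are constructed assumptions.

```javascript
// Constructed sample: values a page read via getBoundingClientRect() (hypothetical capture).
const sampleMeasurements = [
  { label: "results.width", value: 1263.5 },
  { label: "results.height", value: 681.25 },
];

// Constructed sample of outgoing requests (e.g. from a HAR export); hosts are placeholders.
const sampleRequests = [
  { url: "https://search.example/?q=privacy+tools", body: "" },
  { url: "https://search.example/t/log?w=1263.5&h=681", body: "" },
  { url: "https://search.example/collect", body: '{"vp":"1264x681","q":"privacy"}' },
];

// Numeric forms under which a measurement could be serialised (exact, rounded, floored).
function candidateForms(value) {
  return new Set([String(value), String(Math.round(value)), String(Math.floor(value))]);
}

// Split decoded request text into numeric tokens so "681" does not match inside "16810".
function numericTokens(text) {
  let decoded = text;
  try { decoded = decodeURIComponent(text); } catch (e) { /* malformed escape: keep raw text */ }
  return new Set(decoded.match(/\d+(?:\.\d+)?/g) || []);
}

// Return one hit per (request, measurement) pair whose value appears in the URL or body.
function findLeakedMeasurements(measurements, requests) {
  const hits = [];
  requests.forEach((req, index) => {
    const tokens = numericTokens(req.url + " " + (req.body || ""));
    for (const m of measurements) {
      for (const form of candidateForms(m.value)) {
        if (tokens.has(form)) {
          hits.push({ request: index, label: m.label, matched: form });
          break; // one hit per measurement per request is enough
        }
      }
    }
  });
  return hits;
}
```

A match is only a lead: common numbers can coincide, so inspect the flagged request before concluding that a measurement was sent.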