DuckDuckGo is using the Canvas DOMRect API on their search engine. Canvas is used to make unique geometry measurements on target browsers, and DOMRect API uses rectangles. This can be verified with the CanvasBlocker Firefox add-on by Korbinian Kapsner. DDG has recently been redirecting some website navigations to cute pictures with remarks about their privacy promises. The organization is now seeking to expand their Internet presence. DDG are without question data brokers, and commercial websites that make promises like DDG does will not survive for long if they actually keep them.
While I’m at it, Whonix forums also use Canvas identification. Hmm…
Those interested may find a bit more certainty (for now) with the searx and YaCy projects. Searx is a customizable meta-search engine whose source code is available at GitHub. Anyone can create a searx-instance for public or private use, and some are onion services. YaCy is a P2P search engine that can be accessed via a client proxy or websites offered by volunteers who allow access to their own installation.
We use a variety of browser APIs to deliver a search experience that is competitive with Google’s. Many “fingerprint” protection extensions take a scorched-earth approach, blocking any browser API that could be exploited by a bad actor.
Nice, but a more technical response would be even better.
So what is DuckDuckGo using the API for? Weinberg thinks it could be the search engine’s use of getBoundingClientRect() to “determine size of browser and how to layout the page” that’s causing the problem.
I would feel more comfortable with a definite answer. Why should users be satisfied with what the CEO “thinks”? If DDG wants to provide a serious rebuttal of the claim, I am sure they can do better than that.
If DDG saves browser size server-side, together with any kind of search activities, then this is fingerprinting. If it’s just needed to perform proper layout, there are many ways to do that without communicating it back to the server. Question is, does it get sent back to the servers or not?
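
The question raised in the last post can be checked from a browser network capture. The following is an added example, not part of the thread and not DuckDuckGo's code: it scans a HAR-style export for requests that carry the sub-pixel values a page could read from getBoundingClientRect(). The host, parameter names and capture contents are constructed for illustration.

```javascript
// Constructed HAR-style capture (not real traffic); host and parameter
// names are made up for this example.
const sampleHar = { log: { entries: [
  { request: { method: "GET",
      url: "https://search.example/?q=privacy+tools", postData: null } },
  { request: { method: "GET",
      url: "https://search.example/t/page?w=1279.5&h=664.25&q=1", postData: null } },
  { request: { method: "POST", url: "https://search.example/log",
      postData: { text: '{"event":"load","rect":[0,0,1279.5,664.25]}' } } },
  { request: { method: "GET",
      url: "https://search.example/img?id=12795664", postData: null } },
] } };

// Pull every numeric token (integer or decimal) out of a string.
function numericTokens(text) {
  return new Set((text.match(/\d+(?:\.\d+)?/g) || []).map(Number));
}

// Return the requests whose URL or body carries ALL of the measured values.
// `measured` holds what was read locally, e.g. the width and height of
// document.documentElement.getBoundingClientRect() noted in the console.
function findDimensionLeaks(har, measured) {
  const wanted = Object.values(measured);
  const hits = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    const body = request.postData ? request.postData.text : "";
    const inBody = wanted.every((v) => numericTokens(body).has(v));
    // Decode the query so percent-encoded values are compared as sent.
    const target = decodeURIComponent(url.pathname + url.search);
    const inUrl = wanted.every((v) => numericTokens(target).has(v));
    if (inBody || inUrl) {
      hits.push({ method: request.method, url: request.url,
                  where: inBody ? "body" : "url" });
    }
  }
  return hits;
}

const leaks = findDimensionLeaks(sampleHar, { width: 1279.5, height: 664.25 });
console.log(leaks);
```

A match shows the values left the browser, not that they were stored; values that are hashed or encoded before sending will not match. Fractional DOMRect values make good probes because integer sizes collide with unrelated numbers in URLs.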