
DuckDuckGo now fingerprinting visitors? - MikusR
https://forums.whonix.org/t/duckduckgo-now-fingerprinting-visitors/6497
======
bfrydl
The site is giving me a 429, but discussion Reddit seems to indicate this is
misleading. DuckDuckGo has code that includes calls to
`getBoundingClientRect()` which can be used, most likely with other metrics
since it just tells you the size of the window, to fingerprint visitors.
However, inspection of the source reveals it's just part of normal layout
code.

[https://www.reddit.com/r/privacy/comments/ad4h0u/duckduckgo_...](https://www.reddit.com/r/privacy/comments/ad4h0u/duckduckgo_now_fingerprinting_visitors/)

~~~
garrettj
Had a feeling that this entire post was just privacy “purists” taking
something a bit too far. I’m not confident that knowing the size of your
browser window is enough to definitively ruin your life.

~~~
adetrest
This is frequently some of the most identifying bits of information about you.
Have you try the eff's panopticlic? It'll tell you how much the combination of
things like your resolution, available fonts and available extension can
identify you 1 in a few hundred thousand or million of visitors. This is a
legitimate concern for a privacy oriented search engine that claims not to
track you.

[https://panopticlick.eff.org](https://panopticlick.eff.org)

~~~
yellowapple
1) Just because it's possible to use this in an aggregate fingerprint doesn't
mean the collection of this one datum in isolation is actually for
fingerprinting

2) Given the context of the actual API call, this is probably for benign
purposes and not for fingerprinting

------
zelon88
It's impossible to use a platform without revealing some details about
yourself. Either physical or organic, they will get some data out of you.

What's important to me, personally, is that platform doesn't share or sell
what it has learned about you, and doesn't use potentially sensitive
information in its advertising.

It would be unrealistic to expect a platform to not collect any data and still
function. Analytics is the foundation for the feedback loop that it takes to
effectively develop something like DDG.

If I go to an adult toy store I expect the person at the counter to know, but
I don't want him telling everyone else.

~~~
lisper
Not all data collections are created equal. Canvas fingerprinting really only
has one use, and that is to try to circumvent a user's decision to delete site
cookies (or not accept them in the first place). That, combined with the fact
that DDG's entire marketing campaign is that they respect your privacy, is a
bad sign. They may not be using this information for anything nefarious now,
but it does seem plausible that this is a canary in a coal mine.

~~~
godelski
Are they using canvas fingerprinting though (or are they fingerprinting screen
resolution)? I downloaded Canvas Defender to check and it doesn't go off,
though it does on tons of other sites. Which seems like it'd be a big story as
well, that they were working with a company to hide it. But that sounds
unlikely. I think they are fingerprinting screen resolution. Which isn't that
unique.

~~~
lisper
That's a good question, I don't know. But they are not setting off my anti-
canvas measures either (I use jsblocker) so I'm guessing you are right.

------
djsumdog
Hmm. Benefit of the doubt, they might have just included this library for
something else and might not be fingerprinting/logging individual browsers.
I'm sure we'll see a response from DDG on this.

uMatrix+disabling Javascript explicitly will help prevent tracking for those
who know how.

The privacy aspect of DDG was always their marketing point, and I think we all
knew it couldn't be totally true. Surely they must be harvesting data of some
type, or else how would they expect to earn revenue? Others' have shown that
at least some of their services run on AWS, so if Amazon really wanted your
data (like if they were served a National Security Letter), I'm sure they
could get it without DDG even knowing.

~~~
hedora
> The privacy aspect of DDG was always their marketing point, and I think we
> all knew it couldn't be totally true. Surely they must be harvesting data of
> some type, or else how would they expect to earn revenue?

Simple. They can run display ads instead of targeted ads.

Since they have the search term you just typed, they know exactly what you’re
looking for at this moment, and can target with that.

~~~
guan
It looks like they also insert affiliate codes into search result URLs for
sites like Amazon and eBay.

[https://duck.co/help/company/advertising-and-
affiliates](https://duck.co/help/company/advertising-and-affiliates)

------
coldcode
If you really want to avoid internet privacy concerns, stay off of the
internet. If you are so paranoid that you trust no one on the internet, stay
off of the internet. If you want to be part of the internet, you have to make
a reasonable guess as to what to trust, and ignore the paranoia where you find
bad things everywhere. Even being off the internet, someone somewhere is still
tracking you in ways you don't even realize. Living as a hermit in a cave on
an island with no people is not a lifestyle most people want. DDG is still way
better than any other option.

------
hirundo
> DDG are without question data brokers, and commercial websites that make
> promises like DDG does will not survive for long if they actually keep them.

I'm not convinced that this is a law of nature, but it does seem to have some
truth in it. I pay ~$5/month for services like Feedly and Evernote. I'd be
willing to do the same for a high quality search engine that does not make me
the product.

~~~
hedora
Search is probably the most likely counterexample of your rule. They can sell
ads based on search terms instead of user profiles. This might be leaving some
profit on the table, but might not.

They can generate artificial scarcity by preventing the search query stream
from being joined to user profiles by third parties.

If they end up with a well-educated, affluent userbase (likely, given their
selling point), they can charge a huge premium for that scarcity.

This trick is much older than the internet itself.

~~~
hirundo
If they are advertising to me based on my search string, I'm still the
product. Ads are part of what I'd pay to evade.

~~~
benj111
Do you object to companies advertising to you based on the magazines you buy,
or tv you watch, or roads you travel to work on?

If you are against advertising full stop then fine. This article, and peoples
claimed grievances are with tracking, rather than advertising per se.

Edit: Missed your first post. Ignore me.

------
octosphere
I only ever use DDG with Tor Browser Bundle, because even though they are a
'privacy first' search engine, it doesn't stop some intel agency sitting in
their data center and being able to attribute certain search queries to
specific users.

As a bonus: Last time I checked The Tor Browser Bundle displays a prompt
anytime the canvas API is used in some javascript, and you can opt out of
canvas fingerprinting this way.

I know DDG doesn't always have the results you are looking for, but for more
long-tail queries and advanced searches I can use Startpage[0] which basically
proxies the results from Google (using vanilla Google with Tor is a pain
because of captchas).

[0] [https://www.startpage.com](https://www.startpage.com)

------
lettergram
I’m not familiar with the mentioned API in the article, is it possible they
are using it for just statistics on what type of browsers visit their website?

I know as a software developer I’d design tests to ensure the wa testing is
done in the order of the most users impacted.

------
xte
DuckDuckGo is a company, so it's aim is not develop something to solve a
problem they have but making money. That's why it can't be trusted as any
other proprietary service.

Only FOSS so projects developed by someone, companies included, with the aim
of solving some _authors_ problem or desire can be trusted to a certain
extent.

The rest it doesn't count much you may have "ugly dictators" or "less
oppressive dictators" but they are still dictators. It's their nature, no
matter how good intentions they have at start or they try to keep.

~~~
tialaramex
Companies aren't required to make money, this is a popular misconception. The
company can have any purpose or set of purposes unless it's illegal, and most
often even if "make money" is on the list it isn't the sole purpose.

I appreciate that HN might be more likely than most places to be inhabited by
people who can't imagine any other motivation except money, but for most of us
there are other priorities.

~~~
xte
An ancient proverb say "power corrupt, money corrupt": if you start a company
with good intention when (if) money and power arrive you start to head
naturally toward "dangerous" directions...

Of course exception may exists and actually I'm sure exists, but they are
exceptions, not "the rule"...

------
yellowapple
Yeah, while it's possible DuckDuckGo is secretly evil, the API call in
question seems to be perfectly innocuous. While the size of the screen is
certainly one part of a fingerprint, there are far more benign uses for it,
and trying to frame DDG as evil over such a benign use is misleading at best
(and maliciously dishonest at worst).

I'm sticking this in my "guilty until proven innocent" file.

------
jammygit
My search results have been really good lately on ddg, even for topics I
thought were ambiguous. I hope it wasn't related

------
godelski
Are they just fingerprinting screen geometry or doing canvas fingerprinting?

Because I can't find where they are doing canvas fingerprinting, that or
canvas defender doesn't say anything on only DDG. If they are just getting
screen geometry, which I suspect, that's not enough to de-anonymize you. As
far as I know anyway.

~~~
jammygit
On panopticlick, screen resolution is consistently top 2 most uniquely
identifying things they fingerprint (edit: for me), hence the concern I
suppose.

~~~
godelski
That's odd. Because this is my result (in order of "x browsers have this
value):

Canvas Fingerprinting: 1 in 3e6

User Agent: 1 in 2e3 (not many using FF on Linux I guess)

System Fonts: 1 in 3e2

Timezone: 1 in 5e1

A few other things < 1 in 10

Screen Size and Color Depth: 1 in 6

Screen Size is nowhere near identifying to me. There are just huge drops in
the order of magnitude in this stuff. I can't imagine standard fingerprinting
is that reliable. Though I wouldn't be surprised to learn if there were
certain trends about things. Like if you identify I'm using FF on Linux it
tells you I'm nerdy. That'd be good for targeting ads, but not good for unique
identification. I thought that's why cookies are used.

------
ignoranceprior
Mirror: [https://archive.fo/5TxMb](https://archive.fo/5TxMb)

------
dearrifling
I use ddg for their uncensored search, I have no reason to trust them with my
privacy. But when I search for sci-hub or libgen then the first result is
always the relevant webpage.

