Hacker News new | past | comments | ask | show | jobs | submit login

DuckDuckGo staff here. As mentioned in the linked page, the purpose of the request is to retrieve a website's favicon so that it can be displayed in certain places within the app or on the results page. We use an internal favicon service because it can be complicated to locate a favicon for a website. They can be stored in a variety of locations and in a variety of formats. The service understands these edge cases and simplifies retrieval within our apps and our search engine.

Like our search results, the favicon service adheres to our strict privacy policy[1] in that the requests are anonymous and we do not collect or share any personal information.

[1] https://duckduckgo.com/privacy




Take the code from Firefox iOS or Android-components. We spent a lot of time on these and it is all on device.

https://github.com/mozilla-mobile/android-components

https://github.com/mozilla-mobile/Firefox-iOS


I wonder how many lines of code from big open source applications are generic enough to be reused in other projects.

Firefox and Google Chrome probably have the equivalent of many small high quality libraries embedded in them, implementing 'business' logic or protocols, that could be reused in more places.

I guess a large scale study on github could be done, with a graph analysis to show potential "cut off" points in codebase.


This is one of the goals of our Android-components project. Take a peek. Many components are reusable across browsers/applications.


One issue is that if a bunch of code of a similar theme can be broken off, many times it will be (depending on the culture of the software team). Is looking at the source code of a big project with a hundred dependencies that were all libraries spun off to support the project different to looking at a project where people tried to keep everything monolithic (where you’d expect better re-use potential per line-of-code?)


Yeah... the gesture is nice, but good luck extracting any code from a massive project. Might as well say “Here’s some free oil; all you have to do is dig for it.” Unlike oil, this might not be worth the excavation.

It’s a bit telling that they linked to the GitHub repositories rather than specific lines of code they were talking about.


Here's their kotlin implemenation, looks fairly straightforward/self-contained: https://github.com/mozilla-mobile/android-components/tree/ma...


Android components is a foundational technology for our browser products on Android but also for many other applications. We’ve designed things in such a way that you can pull in just those things that you need. If that is not the case, file an issue and we will take a look at how to improve things.


Looking at the iOS project linked, https://github.com/mozilla-mobile/firefox-ios/blob/76faae8c6... , other than being written swift, it looks pretty self-contained/ok?


There is also a content script I think and storage for these icons and their meta data. It is probably less generic on iOS than on Android but should be fairly simply to take some big chunks for reuse.


Yeah, let's violate privacy instead.


What a world class reply. This is what makes open source valuable.


Yes, apart from Chrome's implementation there is probably no better tested and more mature implementation. Still it seems to be a non-trivial problem because Firefox sometimes shows me a favicon from another site I used.


Why don't they just take the code from their "internal favicon service"? The whole thing smells.


If you don't visit the site explicitly, just have the site somewhere in a list/bookmark/whatever, that site now has your IP address and basic header info when it needs to go retrieve it. By going through DDG, the site has a bot hit.

To me it looks to be trying to uphold your anonimity until you commit (click) through to the site/link. But certainly other ways they can approach this if it really bothers people.. I'd prefer DDG doing the lookup.. or having no fav icons.. over my computer going and downloading all my bookmark or other source icons


It's probably not written in Java.


It's not immediately obvious whether it is more privacy preserving if the client automatically makes a request to each site in the search results while scrolling through the results, especially since you're already trusting DDG when performing the search.

Maybe this should be an opt-in rather than an opt-out feature?

Edit: as pointed out by warpspin in another comment, this is about the DDG Browser, not search results.


Scrolling through results is not a good place to ping websites for their icon. Not from a technical perspective but also not from a privacy perspective.

This is mostly a UX issue IMO.


I appreciate you answering, probably knowing you'd face some negative feedback. Saying "we should trust you, it's for a good reason" is what google and everyone else says. You'll be better off if you just end this. The loss of the fav icon is less important than keeping your credibility.


Seconded. Day in and day out we're given empty promises we can never audit -- now it's being done DuckDuckGo staff too?


thirded. an inconsequential token is not a suitable reason to engage in this kind of data collection, especially for a search tool that prides itself on 'not tracking' users..


Fourthed, and honestly it's strange that they are willing their promise to privacy on saving 2-3 queries on something as trivial as favicons? Why does no other browser need to do this?


Favicon what a hill to die on


For the want of an icon, the kingdom was lost !


This is the correct answer. We all remember "Do No Evil" and have been around long enough to see that sentiment die. Don't go down this path.


They've already started down that path, judging by all the DDG billboards I see driving my 18 wheeler around the country, and all the DDG ads I hear on NPR-related podcasts.

Not that I'm against making money. But there's a tipping point associated with some height value in a pile of cash, and once you cross that point then the pile controls you. DDG probably hasn't crossed that point yet, but self-justification is one of the steps on that path.


Are there really DDG ads on billboards and NPR? That’s cool.


There are ads on billboards here in Sweden.


I amazingly saw one in Las Vegas recently


In Spain too


> is what google and everyone else says.

Do Chrome, Firefox, or Safari do this? I would assume they do it on-device.


Chrome, according to my understanding, hardcodes a few favicon URLs for builtin search engines, and caches everything else on site visit. There's SQLite3 database named Favicons in your profile directory (e.g. on macOS it's ~/Library/Application Support/Google/Chrome/<Profile>/Favicons). Here's the schema:

  CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR);
  CREATE TABLE icon_mapping(id INTEGER PRIMARY KEY,page_url LONGVARCHAR NOT NULL,icon_id INTEGER);
  CREATE TABLE favicons(id INTEGER PRIMARY KEY,url LONGVARCHAR NOT NULL,icon_type INTEGER DEFAULT 1);
  CREATE TABLE favicon_bitmaps(id INTEGER PRIMARY KEY,icon_id INTEGER NOT NULL,last_updated INTEGER DEFAULT 0,image_data BLOB,width INTEGER DEFAULT 0,height INTEGER DEFAULT 0,last_requested INTEGER DEFAULT 0);
  CREATE INDEX icon_mapping_page_url_idx ON icon_mapping(page_url);
  CREATE INDEX icon_mapping_icon_id_idx ON icon_mapping(icon_id);
  CREATE INDEX favicons_url ON favicons(url);
  CREATE INDEX favicon_bitmaps_icon_id ON favicon_bitmaps(icon_id);
Related source code: https://github.com/chromium/chromium/blob/master/components/...

I haven't looked at Firefox and Safari but I assume they do something similar.


I would hope that it can also be made to cache 404 and 410 responses to favicon requests too (or at least 410 even if not 404), so that it won't keep trying to access it.

Also, in SQLite, note that LONGVARCHAR is the same as TEXT, and that you don't need to specify both UNIQUE and PRIMARY KEY (it is redundant), and that if it is not a INTEGER PRIMARY KEY and not WITHOUT ROWID, then it isn't the real primary key but just an index (same as UNIQUE); add WITHOUT ROWID if you want to make it a real primary key, but note that the way the data is stored differs then, and WITHOUT ROWID is inefficient with tables storing large blobs.


In germany we have the words "Datensparsamkeit" (data parsimony) and "Datenvermeidung" (data prevention) [1]. Which wikipedia merely translates as "Privacy by design" [2].

DDG is unneccessaryly producing (aggregating), transmitting (and collecting?) very sensitive user data here, which is just the opposite of data protection. I can't even understand why they try to justify their actions. It's like omitting the seat-belt in a car, then telling customers that this was required to make the in-car entertainment system more usable.

[1] https://de.wikipedia.org/wiki/Datenvermeidung_und_Datenspars...

[2] https://en.wikipedia.org/wiki/Privacy_by_design


In fact I think what they do here is illegal by GDPR. It does not matter that they say they do not collect the information, it is enough it is unnecessarily sent to their servers to make the whole function illegal.

The transmission of ip address alone, which is necessary for the TCP request to happen, deanonymizes the request enough to not be considered anonymous within the GDPR framework.

GDPR Article 5 (1) c: "Personal data shall be ... adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" - this is the "Datensparsamkeit" you mentioned.

Exceptions from Article 7 do not apply: The user has to give wilfully give informed consent, which he cannot do as the privacy policy of the browser omits the information that all visited domains are transmitted to DDG servers.

GDPR Recital 30 "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags."

Oh, and the fact I'm downvoted for a purely informational comment additionally does not shine a good light on DDG.


Yes it does not look very GDPR conformant. They may try to argue that the transmission of visited domain names serves a purpose (browser performance) and that the user agreed to that transmission by accepting the TOS etc. However, I think they may be in trouble as consent for data processing under GDPR needs to be given "freely" [1]:

"When assessing whether consent is freely given, utmost account shall be taken of whether, [..] the performance of a contract[..] is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

As DDG's favicon-hack is not strictly neccessary for operating the DDG-browser, DDG would need to give users the option to opt-out of the favicon-retrieval, otherwise they may have "forced" the users to consent to the data processing, thereby voiding that consent as far as the GDPR is concerned.

[1] https://gdpr.eu/gdpr-consent-requirements/


You are completely right about the not "freely given" aspect. But well, it already breaks down at the "informed" aspect.

Their appstore pages link to the generic privacy policy of the company instead of for the browser specifically. This alone will usually already NOT be accepted by the supervisory authorities at least in Germany - the Landesdatenschutzaufsichten usually require a product specific privacy policy being linked for it being valid (personal experience), or at least making clear in the general policy what applies to the product, what not. And as mentioned, the fact visited domains are sent to the DDG servers (also outside the European Union) was not mentioned at all in that policy when I looked some minutes ago.


> DDG would need to give users the option to opt-out of the favicon-retrieval,

Wouldn't they need to give users the option to opt-in, under GDPR?


I think you are being downvoted because your interpretation of GDPR is extremely broad and people disagree with that. I also don't think it's in line with the way it is being applied in practice. Nothing to do with DDG.


I guess I might be one of the few people here who actually have been regulated under the GDPR by a supervising authority.

When that happens, you have to do insanely stupid seeming stuff like explaining in your privacy policy even, why your application, which is clearly for accessing a webservice, actually needs the Android permission to access the internet at all, true story. So I am pretty sure, an app sending visited domains to a central server outside the EU without even a mention of that fact in the privacy policy will cause problems with them, should they ever check the app. Of course, other countries might handle this differently, as Ireland shows.

So whoever thinks my interpretation is overly broad should first have the decency to step forward and actually explain why, instead of hammering a button and second, talk to me again after he had a meeting with the responsible authority and listen to THEIR interpretation of the GDPR ;-)

People should not mistake my interpretation with endorsement of the overly broad text of the GDPR itself.


Wait what? a TCP request already breaks the GDPR rules? Didn't know that...

Any human readable ways of dealing with that?


That's not what the parent said. The TCP request includes info that deanonimizes the request.

Or put another way, a TCP request sent by your app from my computer can not be considered anonymous.


If it is an unnecessary request to another service, yes.

IP-adddresses are considered personally identifying information. TCP requests transmit IP addresses.

Under the strict interpretation of the GDPR, a lot of things which are common outside the EU might be illegal, like e.g. embedding Google Fonts. To be on the safe side, people usually at least list these external dependencies in their privacy policies to construct some kind of "consent", but till we have more actual court rulings, this is a huge problem area.

For the problem at hand, it is pretty clearly illegal, as it's not only an ip address transmitted, it is a combination of ip address plus visited unrelated domain. This allows the creation of profiles. It does not matter for the GDPR, if the profile is ACTUALLY created, the pure possibility of creating it any time is enough to be a problem.


I don't think this is an accurate way to analyze GDPR compliance. As the staffer points out this favicon service follows their own privacy policy, if by this policy they keep (or analyze, sell, distribute, etc.) no data on your use of the service then there is nothing of interest for the GDPR.

They might have to prove that their privacy policy is indeed GDPR conformant and that their service works as advertised, but in practice this is likely more about public trust that legality.


It's not as simple as that.

Art. 4 GDPR (1) clearly makes the (ip-address, visited domain) tuple personal data Art. 4 GDPR (2) defines "processing" data, and the pure "collecting" of data, even if immediately thrown away, is usually already considered "processing", therefore the GDPR applies.

If you are doubting this, just for a moment imagine, instead of the visited domain they would have sent all form data, including for example credit card data, you entered somewhere on a third party webpage to their central server and did not mention the fact in their privacy policy.

Do you really think then there is "nothing of interest for the GDPR" just because they do not actually permanently record that information? It would clearly be a violation. But to the GDPR, the importance of that data is equal. In fact, the domainnames might actually be more important to the law, as article 9 establishes event stricter rules for "sensitive" data about e.g. health or sex life of a person, and the domainnames might just leak that information.


> Wait what? a TCP request already breaks the GDPR rules?

If the TCP request carries personal data like the name of a visited website plus the user's IP address, then it "breaks the GDPR rules" in so far as you now have to fullfil your GDPR transparency/consent etc. duties /before/ sending that request.

Maybe not all website names look like sensitive data to you, but some website visits you surely want to be treated as sensitive, personal data (like names of hospitals, doctors, political parties, religion etc.).


You really can't use "we promise we won't misuse the information" as an argument, that's what everyone says whether it's true or not, and the whole point of using a privacy-centric browser is that as a user you can't trust those kinds of promises.


They’re primarily a search engine, so yes, you definitely have to trust that they won’t misuse information about what search terms you are querying for.


That’s pretty shaky ground. Trusting a site for X has nothing to do with being comfortable to trusting them with X + Y when Y is unnecessary.


I suppose that's valid. This is the first time I had heard that DDG has a browser too, and I was just assuming that anyone who would use the browser probably also uses the search engine, which they obviously have to trust when they send search queries to it.


AND being so reluctant to remove this pinging mechanism adds more doubts about the real purpose.


> You really can't use "we promise we won't misuse the information" as an argument

Sure they can. Doesn’t mean you have to believe them.


When people say "you can't do" something that is already being done, it means they can't justifiably do it. Context matters for what words mean.


By the way how DDG spend money on the ads like at bus stop, I already starting to NOT trust them. Spend the money on development of development of products.

Seems like time to get SearX a try now: https://searx.me


FWIW I got higher quality results with Searx.


This doesn’t make sense for a browser: just embed the service’s logic in the browser, the browser has all the same information the service could get.


We had already had created this anonymous favicon service for our private search engine. In addition, doing it this way avoids another request (and potentially multiple) to the end site.

The service is private as we do not collect any personal information (e.g. IP addresses) on any requests for this or any service and the requests are all end-to-end encrypted.


> In addition, doing it this way avoids another request (and potentially multiple) to the end site.

Potentially saving a few requests here and there is certainly not worth phoning home with that kind of data regardless of what records you keep how much you do to anonymize it. This is especially true for a company that has built its brand on promises of privacy!

Besides, favicon requests are small potatoes compared to the kind of tracking, ads, metrics, and other often-unnecessary page resources that bog down most of the modern web. And a well-designed website can mitigate the issue pretty easily.


It seems like DDG just doesn't want to do more work to make the browser do the sensible thing and instead piggy back on their existing favicon service, and then going to make the argument that it is safe with us. The domain of browser is totally different from reaching out to the website and rendering favicons server side. Do you not see this as a problem? I think it is acceptable to say "We agree this is a problem, and we are gonna look into fixing this" instead of pushing back on an obvious problem.


Surely you could fetch the favicon asynchronously and update the address bar or tabs or wherever you display it only after the other assets are loaded? It’s not like the DOM has elements that depend on it. This is a really, really weird hill to die on.


And all you lose in the process is hard-earned trust from people like me, who switched to DDG years ago for privacy concerns.

This is troubling.


I understand we’re suppose to take your word but it’s making me skeptical now about the actual intentions. If DDG truly cared about user privacy then you shouldn’t transmit user information for something as trivial as favicons.


Is this service open-source and publicly auditable ? Because we've learned not to trust one's word of "don't be evil", only facts matter.

If you say the service is anonymous and does not leak data, prove it.


I'm sorry, but this is bullshit. If the received HTML contains a <link rel="shortcut icon" ...> element, you already only need one request, so this is not an improvement. If that is present, you should NEVER use your API.

If it's not present, then you have options, and yes, using your weird API is an option (which I still don't like, but ok). But sending private information to your servers even when sites follow the standard show either that you're probably not trustworthy, or that your product team is so painfully incompetent that I'd be afraid to use their browser at all.


I think people here are more interested to know if you’re going to fix it.


> The service is private as we do not collect any personal information

This sentence is 100% meaningless. I understand you have good intentions, but these things must rely on proof, never on trust. Either you get this information or you don't; whether you say you "collect" it is inconsequential.


You may not collect it, but your upstream could collect it, and encryption has a shelf life.

It's a really bad look and you should ditch it.


> We had already had created this anonymous favicon service for our private search engine.

Which presumably means you've already created the logic for determining favicons. I'm not sure why this couldn't be implemented in the browser.


> We had already had created this anonymous favicon service for our private search engine.

I don't think here's a need for adjectives here. Why stress that it's anonymous (when that's hard to verify) or that the search engine is private, when that too is starting to come into question? Repeating these things won't will them into the reader's perception.

> In addition, doing it this way avoids another request (and potentially multiple) to the end site.

This isn't true, unless I'm missing something here? When I access a website, the HTML response I get from that website includes all the information my browser needs to, on its own, get and display the favicon. Can you clarify why you think/say this avoids one or more requests? What mechanism is this service a substitute for?


Saving a request is not a good reason to phone home, especially given what the DDG brand is built on and the main reason I would use it over Google. Please reconsider.


It's alright, folks. We got E2EE and a pinky-swear.


Please ask your higher-ups to educate you about essentials of privacy in the modern age. It's not about what you may be doing wrong, it's about what you technically could do wrong.


Complicated code can run just fine on device.

I’ve been an avid DDG user for years and it worries me that DDG staff don’t see why this is an issue. We shouldn’t have to trust your privacy policy if you minimize exposure.


This. No matter how tricky the logic is, there's literally no reason to run that code on DDG server's and throw in a remote connection. What the hell?


That's not fair. There is a very clear reason: it simplifies development for them and avoids duplicating functionality in two different codebases. You can argue about whether or not that's a good trade-off given the privacy implications (and I would agree that it's not) but you can't claim that there is "literally no reason".


Does Gabriel know about this? If not could you please clue him in and get some guidance because you are absolutely getting roasted here and are wrecking DDG's carefully built up reputation. I can easily see how this might seem to be a good idea to you and other DDG engineers but it goes 180 degrees against DDG's stated mission. In other words: you may be well outside your paygrade on this.


> you may be well outside your paygrade on this.

Not as worse as publicly denouncing an honest engineer while referencing his paygrade. I hope there is no affiliation you have with DDG to be honest, because this is much, much worse.


What do you mean? This response is fine. It’s honest feedback, and it isn’t a personal swipe to say it’s above someone’s pay grade to be responding to a PR crisis as an honest engineer.

I was once an honest engineer too, publicly. Being honest in private is enough for me now. It’s a lesson worth learning.

That said, it’s not like a single HN comment will make or break a company, so if they’re really just a rank-and-file engineer, I hope the company won’t come down on them too hard. A simple “don’t do that” would suffice.


Yes, but chastising an employee is not in the interest of good PR, even if we sadly see that quite often in the days of social media. That is especially true if the employee just honestly laid out the facts, I wouldn't even call that a mistake.

I use DDG and the possibility of getting a statement directly from an engineer conveys much more trust than a carefully crafted PR statement ever could. I would think again about using it if the company does indeed come down on employees that live the values the company writes on its flags to have honest and transparent business practices.

That said, I am careful too when I state things about my company, even if I believe there is nothing to hide. Still, people that think it isn't the place for others with knowledge to comment are often not too impressive and would have difficulties in convincing me that privacy and transparency are real goals instead of just looking decent enough.

Furthermore the naming of management of DDG creates a stark contrast to the suggestion for more professional distance. I don't like PR very much as you might have guessed, but like a good design it needs some congruence.

If people find out that you just shut up for your company, it might give people the wrong impression about their business.


It’s your duty as an employee to shut up for your company. I didn’t learn this until later in my career. Fortunately it didn’t have lasting impact.

By commenting on an ongoing PR crisis without consulting management, you are both undermining their ability to respond in an effective way — imagine how strange it would look to see a “Hey, X from <company> here” after an existing one was already posted — and you’re acting on your own rather than in a team. You’re a part of a team; how could you think it’s a good idea to act alone?

Of course, I am talking to my former self with this comment, since that’s exactly what I did at S2 when working on HoN. It was a mistake, and I gave the community the wrong impression about the company’s priorities.

You have to understand, when you’re given money to do a job, you’re not given authority to become that job. Just because your job is getting beat up on social media doesn’t mean you should just jump in and go “Hey, that’s not true!” It doesn’t matter whether it’s true. Here, let me pretend to be DDG:

“Hi, Shawn from DDG here. You’re right; this was an oversight on our part. Obviously we dropped the ball on this. To clarify, we were unintentionally gathering the data as a side effect of our favicon service. <some technical details here>. We’ll be acting immediately to reverse this, and we’ll be enacting policy changes to ensure that user privacy — our core mission — is maintained going forward.”

But that’s not what they said. And if you’re gonna tell the community the opposite of what they want to hear, you’d better be in charge of the company’s Telling The Community Things division.


Thank you for explaining this all far more eloquently than I ever could. DDG is precious and worth preserving, it wouldn't take much for the press to have a field day with a couple of careless comments. And no, I don't have a stake in DDG other than as a user.


While that last bit was slightly crass, the rest of the comment was dispensing some very sage advice, I thought.


I don't think it's fair to say this comment is 'wrecking DDG's carefully built up reputation'. If what he describes is damaging their reputation to you, that's on the business, not on the commenter. If anything, the commenter seems to have been honest and straightforward with what's going on.

Sounds like you'd prefer him to have run a message past management/public relations first?


If you speak in a public form in response to something that seems damaging to the reputation of the company in a way that is probably even more damaging to the reputation of that company you are either an official spokesperson or way out of your depth. Pointing that out is a service, not a sleight. And yes, if this is not in an official capacity he should either keep quiet or run it by the PR dept. People have lost their jobs for far less. Anyway, I've pinged @yegg, hopefully he can shine some light on this.


This is an asshole response.


No, it is the response of someone who was once upon a time CEO of a startup that fortunately did not operate in the present day news cycle where reputations can be destroyed in a couple of hours. DDG is precious, saying things that are very much against what I know to be the founding principles of the company is something that should only be done by those that have been given the proper authority. The response here is candid but ultimately not the one that DDG would and should give. Gabriels' contribution upthread pretty much confirms that. My comment was simply to ensure things would not get worse than they already were until someone in a position of authority at DDG could step in.

All you have to do is to read this comment thread to see the kind of damage that a single statement by someone affiliated with the company can do.


For me it does the opposite. Hearing engineers speaking off-message inspires trust, while pr-evasion and weasel speak makes me think they have something to hide.


That's nice. But in this particular case the engineer says things that I know for a fact are not in line with DDG's mission statement so even if he speaks off-message he's actually destroying that trust. There is nothing about @yegg's response that strikes me as weasel speak, it is the content that is different and exactly where it matters: privacy first.


> There is nothing about @yegg's response that strikes me as weasel speak

Agree, didn't mean to imply that.


> this might seem to be a good idea to you and other DDG engineers

If that's true, then I am so glad they ghosted me when I applied there.


I’m very disappointed in how you guys responded to this. As a privacy focused company I would not have expected an answer that sounds like it came from a data collecting company like Google.

I just switched to DDG browser a week ago and will now be looking for a new browser now. I hope you know this is not an appropriate response to the situation. Especially because all you guys do is preach about how much you protect your users’ privacy. Now you’re here asking us to trust you not to abuse our data and just linking us your privacy policy. I’m sad to say that my faith in the DuckDuckGo company and team is now lost.


Lost lost lost.

I'ts not like we couldn't have predicted this disaster.

One more reason to never trust a companies "word". Show me the code.


Are all these edge cases part of the html/w3c/whichever standard? If not, let the edge cases fail. I'm not going to lose sleep over an icon not showing for a site I'm visiting once.


I agree. Sometimes it feels that companies throw any possible value out of the bus in order for the perfect UX.


I'll state this in no uncertain terms: this is not acceptable, and you need to stop doing it. It makes sense on your search engine, but adding it to your web browser is very much over the line.

I have read your explanations in good faith and they don't cut it. This behavior cannot continue. Good privacy promises are not based on trust - they're based on not ever handling private data in the first place. If you don't quickly admit your mistake and roll this back, it will jepoardize your entire brand - and rightfully so. If you believe this behavior is okay, then it demonstrates incompetence; if you don't believe this behavior is okay but do it anyway, it demonstrates malice.

This is the one thing you Should Not Have Done.


I'm surprised at how you're handling this. DDG is supposed to be friendly to privacy-aware users. You're dismissing people's valid points and asking them to trust you, just like any other privacy-non-friendly service would do.

Edit: I'm speculating here. But specifically because of the way you've replied here and on Github, my actual level of trust in DDG team went down.


What a bizarre potential privacy flaw to introduce for a tiny little icon nobody cares about. I understand it, usability and UX is important - but you guys are DDG! Come on! Your customers all have tinfoil hats!


> Your customers all have tinfoil hats!

Generally speaking. Mine is shielded with lead.


At this point we're all well aware why the app phones home. Continuing to spout that like it's some ward against the fact that this is a very real vulnerability is an insult. Trust me, your target audience doesn't give a crap if favicons work; they care that DDG acknowledges the risk of a glaringly obvious vulnerability. Who do you even think you're arguing with on HN and GitHub? My children can't multiply yet but they'd be able to understand why this is bad practice.

The repeated handwaving that no one in your company is ever going to do something bad or stupid when the browser phones home for what amounts to a cute sticker is extremely suspicious.


You're repeating what's on that page, which is exactly what everyone is worried about in the first place.


Maybe I'm too old for this, but wasn't a favicon supposed to be located at "fancy.url/favicon.ico", or alternatively as a "<link rel="shortcut icon" \>"?

Curious to know why this is an issue.


There are variations of it now due to mobile devices, social sharing etc that may prefer a larger icon.

An online favicon generator will create these variations

<link rel="apple-touch-icon" sizes="57x57" href="/ico/apple-icon-57x57.png">

<link rel="apple-touch-icon" sizes="60x60" href="/ico/apple-icon-60x60.png">

<link rel="apple-touch-icon" sizes="72x72" href="/ico/apple-icon-72x72.png">

<link rel="apple-touch-icon" sizes="76x76" href="/ico/apple-icon-76x76.png">

<link rel="apple-touch-icon" sizes="114x114" href="/ico/apple-icon-114x114.png">

<link rel="apple-touch-icon" sizes="120x120" href="/ico/apple-icon-120x120.png">

<link rel="apple-touch-icon" sizes="144x144" href="/ico/apple-icon-144x144.png">

<link rel="apple-touch-icon" sizes="152x152" href="/ico/apple-icon-152x152.png">

<link rel="apple-touch-icon" sizes="180x180" href="/ico/apple-icon-180x180.png">

<link rel="icon" type="image/png" sizes="192x192" href="/ico/android-icon-192x192.png">

<link rel="icon" type="image/png" sizes="32x32" href="/ico/favicon-32x32.png">

<link rel="icon" type="image/png" sizes="96x96" href="/ico/favicon-96x96.png">

<link rel="icon" type="image/png" sizes="16x16" href="/ico/favicon-16x16.png">

<link rel="manifest" href="/ico/manifest.json">

<meta name="msapplication-TileColor" content="#ffffff">

<meta name="msapplication-TileImage" content="/ico/ms-icon-144x144.png">

Nonetheless, the browser can see this when parsing the page and choose the appropriate path.


Geez, I've been out of the webdev loop for around 10 years. That's insane.


favicons should be SVGs and done with it. This is really insane!


It's really not an issue. The rest of the browsers handle this without a web service (even Chrome apparently)


This is obviously an insufficient answer. Why risk your one selling point on such a trivial bit of code?


Doubling down is fairly ridiculous when one has to imagine the original reason for doing this was to save on time and engineering for the app by leveraging what DDG had already built, but a mindful response would be that you are aware of the downsides of this approach and you'll be working to change it.

Besides, how do you handle Intranet, VPN sites, and auth-only sites where DDG's god-tier favicon parser in the cloud couldn't fetch the URL anyway?


How can users turn this off?


https://duckduckgo.com/settings#appearance

Uncheck the very last option "Site Icons"


This should be the top response. Just under it should be a DDG staffer telling us they will be turning this config option off by default starting with the the next release.


No, since it's incorrect. We're talking about the browser, not the search engine results.


I'm assuming that doesn't affect the browser, which is what this issue relates to.


Maybe you have to be logged in to DDG for this to work? Which if true feels that much worse.


What advantage does this give you? DDG just gave you a list of URLs, so how can it be "tracking" the results it just presented to you?

The issue, as I understand it, is that the Android app loads the favicon service for search results you actually open in the app.


Route icons.duckduckgo.com to null.

Sidenote: The more I use pi-hole the more I realise how essential it is!


Is there a difference between using pi-hole and edinting etc host on Windows? I've heard about pi-hole but I'm not sure what it does exactly.


This is essentially the same, but pi-hole gives you a nice UI, stats etc, and of course you can point all your machine at a pi-hole instead of editing the hosts file on each.


Are you able to block youtube ads using pi-hole?


Sadly, not anymore - used to be the case quite a while ago, but not today anymore as the ads come from the same domains the videos are streamed from.

Those simpler popover-ads which can be closed clicking an X in the upper right corner still are blocked tho...

Spilling my secret tho (and YouTube execs hate me for it!): i block YouTube in my mind and only rarely go to it if i really need to watch a video (which, for me, is rarer than i ever thought it'd be).


https://invidio.us

Or mpv (for single videos, or local playlists), or mps-youtube, or youtube-dl.


It's complicated and a quickly moving target. I use pi-hole plus local browser blocking like uBlock origin.


Please choose another hill to die on. This is just not worth it. Clearly it's possible to do this on device like mozilla did it.


The reviews are in for this response and they are bad. It's concerning that given the react it got, there's no edit addressing the concerns. The HN audience has to be the power user, bread and butter of a product like this and when you see a company ignore the concerns of a key constituency like this, their future almost never looks bright.


Technical aspects aside, don't you agree it's a legitimate privacy concern from the user's point of view?


It’s amazing how tone deaf technologists can be when it comes to privacy, even when they have nothing to gain by exploiting the user’s data. DDG’s response reminds me of Mark Shuttleworth’s argument that they “have root”, so we can trust them with our life.

Dear DDG, you are getting complaints on GitHub and Hacker News. This is not the general public, it’s people who understand the issue. You should definitely reconsider whether you’re doing something wrong.


> We use an internal favicon service because it can be complicated to locate a favicon for a website

That must be the worst justification for this possible. Favicons. Complicated to locate? Who are you trying to fool, 5 year olds?


The road to hell is paved with good intentions. At the end of the day, your privacy policy is just a bunch of words with nothing to actually prevent you from abusing the data collected. Instead of us relying on DuckDuckGo to act ethically, just don’t collect the data in the first place.


Can you tell, for instance, how many of your users visited site A?

Can you tell how many visited site A and also site B?


You are just repeating what's already written in the link, it isn't very useful. Try to address users' concerns instead.


Sorry but this is not enough reason. There is a simple question you should ask to yourself.

- Would you be ok to use a third party for this with same privacy policy?


This answer and other replies from yourself in this page seem copypasted from here: https://help.duckduckgo.com/duckduckgo-help-pages/privacy/fa...

why?


I don't know how you can misunderstand your core demographic this badly mate.

If you think the next time I hit the shitter I'm not going to be looking for a new browser, you're dead wrong.

Just do the basic checks and then fall back to a DDG logo, no one cares that much about the favicon.


> the purpose of the request...

... is completely irrelevant. Even if they were trying to save babies from a fire (which they really aren't) it wouldn't excuse the fact that they're doing something orthogonal to their stated policy and sole reason for existing.

Everyone makes mistakes, that's not the point. The point is to correct them when they're found, instead of digging one's heels in the ground and pretending it's nothing.


This is a bit concerning that for a company with a marketing so focus on privacy, you guys thought it was a good idea to have such a service.

Nobody in the company at any point thought that it could be a problem?

Your strict privacy policy mean nothing by the way, because you are a USA company and you must respect your local laws such as the patriot act, which are not very privacy friendly.


come on dude. I thought you got a better answer.


Does it have an option to disable the internal favicon service and/or an option to disable favicons entirely? (I disable the favicons on my own computer, since I don't use them.)


so, essentially you blew privacy because of favicons? favicons??


favicon has fairly enough known meta tags in case favicon.ico url is lacking


I don’t care if I get the favicon or not... can I just opt out of this functionality?


From elsewhere in this thread:

https://duckduckgo.com/settings#appearance

Uncheck the very last option "Site Icons"


appears to be the search engine results _not_ the browser.

How if you type a url into the browser how do you stop the browser from sending that url to ddg to get the favicon?


[flagged]


They need to run international ad campaigns, what's that tell you?


What is this possibly meant to imply? Nonprofits run international ad campaigns, governments run international ad campaigns, the military runs international ad campaigns, most organizations could probably find a reason if they have international domain. What is your insinuation specifically?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: