DuckDuckGo Denies Using Fingerprinting To Track Its Users (betanews.com) 165

Mark Wilson writes: Responding to a forum post that accused it of 'fingerprinting users', privacy-centric search engine DuckDuckGo says that fears are unfounded and that it is not tracking its users. The allegation was made after the Firefox extension CanvasBlocker showed a warning to users. The suggestion of fingerprinting -- gathering as much information as possible about a user through their browser to create a unique identifier that can be used for tracking -- is clearly something that would seem to sit in opposition to what DuckDuckGo claims to stand for. The company CEO says the accusation is simply wrong.

  • ... so far everything from it being a Google subsidiary to a CIA honeypot. Anyone have any proof at all, or are we just going to do everything by conjecture now?

  • by GregMmm ( 5115215 ) on Monday January 07, 2019 @02:44PM (#57919274)

    So, one guy posts on a forum that a certain API is being blocked by his Firefox extension CanvasBlocker. Not that the one individual has anything showing some tracking and data gathering, he just sees an API being used. Without any real evidence whatsoever. Sounds like someone wants to sow seeds of mistrust at DuckDuckGo.

  • is something that should be disabled (by default).

    My browser knows what to do with different file types, and if it doesn't, it prompts me to select an application.

    • is something that should be disabled (by default).

      It's not a feature that can be switched off. Fingerprinting works by collecting as many attributes about the host browser as possible. This might be things like your language, browser version, installed plugins, settings, IP address, and many other things. Most of these have potential legit uses, but when combined they build a "fingerprint" of you.

      I suppose you could disable collection of some of the fingerprint components. This is however contradictory to a world where we want web apps to have the same po

      • As you point out, there's no need for my browser to report back version, plugins, settings, or pretty much anything else. "Desired language" and "IP address" seem to be the only vital ones.

        It may be contradictory to a world where we want web apps to have the same power as native apps, except a) I have no desire to run a random native app by some asshole on the internet by default - the same power would be opt-in only and b) I want the browser to show me pages by default. A single-page webapp is a special

        • As you point out, there's no need for my browser to report back version, plugins, settings, or pretty much anything else. "Desired language" and "IP address" seem to be the only vital ones.

          I was giving examples, not an exhaustive list.

          Versions are used for compatibility, and settings are things like "allows local storage" (again, this is just ONE example) are things web apps can figure out by attempting to use the feature.

          Plugins can be derived. E.g., is there an adblocker installed? Let's test if ads are blocked.

          • I was giving examples, not an exhaustive list.

            I was giving an exhaustive list. Web sites should get "desired language" and "ip address". None of the others are needed. Local storage, fuck off. Try to set a cookie, you'll know if I let you because it'll get reported back when I return.

            I think SPAs are pretty stupid in general. And you said we had to choose between security/privacy or webapps. I vote for security/privacy thanks.

            • I was giving an exhaustive list.

              So a browser say wouldn't need to know the screen size? That was the #1 most unique attribute for my browser (seems to be the canvas size, so perhaps my choice of UI element sizes made this unique). A web app wouldn't need to know my timezone? My browser's time (clock skew is an identifying attribute)? My host OS (you know, for suggesting the right download package for things)? Again, NOT an exhaustive list. I can keep going.

              I think you are being naive about what could reasonably be done without breaking a

              • by Actually, I do RTFA ( 1058596 ) on Monday January 07, 2019 @05:42PM (#57920714)

                So a browser say wouldn't need to know the screen size?

                A browser needs to know it to render properly. A website serving it certainly doesn't. And I have no idea why it would.

                . A web app wouldn't need to know my timezone?

                Why would it? And why would a website? Why would Slashdot? Or (choose a news site)? Or Reddit?

                My browser's time (clock skew is an identifying attribute)?

                Certainly not. Unlike timezone where a webapp might need to know it, knowing time isn't something that should be communicated client-to-server ever.

                My host OS (you know, for suggesting the right download package for things)?

                This is the only time you actually suggested a use case for the data you're collecting. That said, why does it need to get reported back to the server. The whole point you're making is that the site can display it on its own. So, again, it wouldn't be usable for fingerprinting if it stayed clientside

                Again, NOT an exhaustive list. I can keep going.

                Instead of just listing features, you should explain what benefit I get out of letting that data leak out of my browser. Cause I don't see it.

                So you want to go back to the web of 1992.

                Whoa. First, I would think 2002 would be far enough back. Second, the cool stuff that happened since then are things like embedded video/audio. Or CSS advances. I'm not sure what cool stuff's been enabled by new tech since then, rather than faster pipes and the smartphone form-factor.

                • So a browser say wouldn't need to know the screen size?
                  A browser needs to know it to render properly. A website serving it certainly doesn't. And I have no idea why it would.

                  So if you are drawing graphics on a canvas you don't need to know the canvas size? You do.

                  . A web app wouldn't need to know my timezone?
                  Why would it? And why would a website? Why would Slashdot? Or (choose a news site)? Or Reddit?

                  To render a site like this?
                  https://www.worldtimebuddy.com... [worldtimebuddy.com]

                  There are websites other than slashdot or reddit.

                  That said, why does it need to get reported back to the server.

                  It's really hard to allow code to use a value but somehow prevent that value from being passed as data somewhere else.

                  Instead of just listing features, you should explain what benefit I get out of letting that data leak out of my browser. Cause I don't see it.

                  If all you do is read /. and reddit, then you don't. You see however I thought you were discussing things in general, not your narrow, unusual use case compared to the rest of the web users out t

                  • If all you do is read /. and reddit, then you don't. You see however I thought you were discussing things in general

                    It also works for YouTube, Twitch, YouPorn, etc. I mean, the dynamic links to the next video changing wouldn't, but the rest of it would. That's kinda my point, 95% of the web would work well. GMail does. The only thing that really messes up are sites like Trello and GoogleDocs. And those are small and should be native apps anyway

                    To render a site like this? https://www.worldtimebuddy.com.. [www.worldtimebuddy.com]

                • by AmiMoJo ( 196126 )

                  So a browser say wouldn't need to know the screen size?

                  A browser needs to know it to render properly. A website serving it certainly doesn't. And I have no idea why it would.

                  It's used for adaptive layouts, so that the same page can render well on desktop, tablet and phone.

                  Unfortunately it's hard to avoid that information then getting back to the server. For example different images might be selected depending on the screen resolution (no point loading 4k photos on a 720p screen), different CSS might be loaded to alter the layout to move side menus on a narrow phone screen etc.

                  Well, there is one way, which is to go back to really basic HTML pages, but in these days of webapps th

      • by gweihir ( 88907 )

        Indeed. The approach here is to render something (including some text) and then to "screen-grab" that (canvas-grab). Small differences in configuration can be detected in that. If that is not what is done by DuckDuckGo, then it is probably not actually tracking and the blocking add-on is overly sensitive. False positives are a huge problem in the security sphere.

        • False positives are a huge problem in the security sphere.

          Not as much as false negatives.

          • by gweihir ( 88907 )

            False positives are a huge problem in the security sphere.

            Not as much as false negatives.

            I disagree. False positives often swamp analysis capabilities to a degree that true positives cannot be dealt with anymore.

    • "fingerprinting" is just a catch all for various bits of information that can be combined to uniquely identify a browser. There's nothing specific to enable or disable, unless you want your browser to decline such information as window size, content-types accepted, etc. You know, now that I say that maybe it would work just fine.
  • by OneHundredAndTen ( 1523865 ) on Monday January 07, 2019 @02:44PM (#57919290)
    The problem with DuckDuckGo is that, when it comes to searching, it simply sucks. I used it as my default search engine for a week, and I had to return to Google - the results from DuckDuckGo were very mediocre. Which is a shame, for I am really sick and tired of the Google bastards (Don't Be Evil? Assholes!) but DuckDuckGo will have to improve a heck of a lot before that quality of its search results is comparable to Google's.
    • by gringer ( 252588 ) on Monday January 07, 2019 @02:50PM (#57919326)

      Use "!g " in the DDG search box to initiate a google search with those terms.

      • by Anonymous Coward on Monday January 07, 2019 @03:09PM (#57919486)

        If you use !sp instead, you can use Startpage, which anonymizes Google search results.

    • The problem with DuckDuckGo is that, when it comes to searching

      Who would have thought that indexing the internet and the algorithms behind it would be a hard problem?

      • The problem with DuckDuckGo is that, when it comes to searching

        Who would have thought that indexing the internet and the algorithms behind it would be a hard problem?

        Oh, it's not the search and indexing of the internet that's hard.. I participated in building a web crawler that could index the internet if you let it run long enough, problem was the indexes quickly got huge and unmanageable. What's hard? It's the return of results in a reasonable amount of time that's hard..

        • Oh, it's not the search and indexing of the internet that's hard.. I participated in building a web crawler that could index the internet if you let it run long enough

          def index(url):
              # parse_page is assumed to return the links found on the page
              links = parse_page(url)
              for u in links:
                  index(u)

          I just wrote Google for you.

    • by BenFenner ( 981342 ) on Monday January 07, 2019 @03:00PM (#57919412)
      My experience is the exact opposite. I've been using DuckDuckGo since I moved away from AltaVista, and it has always provided me with the results I desire.

      This is just one example, but search Google for "how many stars in the solar system" and the first handful of results are not related, and the quick-answer is absolutely wrong.
      http://lmgtfy.com/?q=how+many+... [lmgtfy.com]

      Search DuckDuckGo for the same and you'll get the right answer in the first result.
      https://lmddgtfy.net/?q=how%20... [lmddgtfy.net]

      As a bonus, my custom captcha uses these horrible results from Google to weed out bots (and ignorant users I'd rather not have to deal with).
    • I think DDG search is actually very good. To analogize, the problem is this: Google is fast-food, and everyone loves how fast-food is yummy and convenient. Hence, when it comes to alternatives, we compare everything to the fast food rather than realizing that maybe the fast food isn't as good as we think it is.
    • Re: (Score:3, Insightful)

      by lgw ( 121541 )

      The problem with DuckDuckGo is that, when it comes to searching, it simply sucks.

      You post this every time DDG comes up, presumably b/c you're astroturfing for Google. You've never given an example, or shown anything but FUD. DDG's search results are fine.

      • by AmiMoJo ( 196126 )

        Here's an example for you. Search for "BC137" on both.

        On Google you get live flight details on flight BC 137 (note how it isn't fazed by the extra space), and then working links to datasheets for that transistor. No matter which one you wanted, the right info is in the first couple of hits.

        On DDG you don't get any flight info, and it's actually a bit awkward to search for it because of the space. There is a link to Flightradar some way down the page, but that's probably not what you want. The links relatin

        • You are missing the fact that google results are personalised. Meaning your results are more relevant because they've probably been personalised to your profile / locality. When I perform the same search, DDG results seem to be more relevant if anything (Google includes lots of spammy looking stuff). And adding 'flight' to the term immediately brings the right results unambiguously.

          Effectively you're saying you prefer the so-called 'filter bubble' (which is fine, but I don't).

          For what it's worth, I typicall

          • by AmiMoJo ( 196126 )

            It's easy to disable personalization, just open a private browsing window in the EU. The EU bit is important because then Google needs all your opt-in permissions again to do any personalization.

      • I use DDG as my default search engine everywhere, as for the last year I have been taking steps to de-Google my digital life as much as I can. That said, I can vouch that I end up falling back to the `g!` modifier to get Google results far more often than I would like. DDG is great, and I encourage everyone to use the best alternatives to Google's products available, but DDG search results definitely have room for improvement.

    • by fbobraga ( 1612783 ) on Monday January 07, 2019 @05:41PM (#57920710) Homepage

      results from DuckDuckGo were very mediocre

      not lately to me: I migrated from google to exclusively DDG about a year ago

    • >"The problem with DuckDuckGo is that, when it comes to searching, it simply sucks. I used it as my default search engine for a week, and I had to return to Google"

      No you didn't, simply use:

      https://startpage.com/ [startpage.com]

      instead. Same Google search results, but through a proxy so Google cannot track you.

  • by Anonymous Coward

    I can't think of anyone I know who uses DDG and doesn't employ obfuscation techniques. Out of any search engine out there, it would benefit DDG the least to even try tracking its users -- and they know it.

    Accusation doesn't pass the sniff test.

  • by Lucas123 ( 935744 ) on Monday January 07, 2019 @02:51PM (#57919328) Homepage

    Support Duckduckgo.com. I've been using it for years and have seen the amount of spam in my inbox and even social media go WAY down. We need more services like Duckduckgo.com, not fewer.

    But, perhaps the inevitable attack on them is showing some success. I'm hopeful.

  • by Anonymous Coward

    How does Duck Duck Go get paid.

    You are not paying for their service. Therefore, you are not the customer. You are the product.

    They are no different than facebook or any other 'free' thing.

    • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Monday January 07, 2019 @03:02PM (#57919442) Homepage Journal

      The difference is that while some other services show ads based on interests inferred from your previous viewing history, DuckDuckGo shows ads based only on the context of your search query. DuckDuckGo also adds its referral tag to Amazon product URLs in search results.

      (Source: "How Does DuckDuckGo Make Money? DuckDuckGo Business Model Explained" [fourweekmba.com])

      • DuckDuckGo also adds its referral tag to Amazon product URLs in search results.

        That's cool! I will now do more of my amazon searching through DDG to help support them.

    • You are not paying for their service. Therefore, you are not the customer. You are the product.

      Ok, but only in the sense of being exposed to ads. If that makes me the product, then I know about the extents and times when I am said product and can make an informed choice.

      They are no different than facebook or any other 'free' thing.

      Facebook, by design, is a privacy-invading/selling ethics-free piece of shit. They sell all kinds of things about you to people behind your back, make inferences about you that you have no idea of (and in many cases are not supportable, yet are packaged as "truths" to the buyers), and would deprive you of oxygen if they could think o

    • by mspohr ( 589790 )

      DDG sells ads. The difference is that Google sells ads based on their deep knowledge of your innermost thoughts since they've been watching you for years. DDG just tailors the ad to what you entered in the search box.
      I doubt that advertisers appreciate the difference.

  • by gweihir ( 88907 ) on Monday January 07, 2019 @03:03PM (#57919450)

    It may be, but does not need to be, a tracking attempt. It should be conclusively explained and removed.

    • by AmiMoJo ( 196126 )

      It's unnecessary, especially on a minimal search site like DDG. If you block DDG from using the canvas it doesn't break anything. They really need to explain what they are doing with it.

    • The first rational series of words so far. Let's find out why it is grabbing the "canvas". If moral outrage is appropriate, then we can move on to the moral outrage department. In the meantime, let's just find out exactly WTF is happening and why it is happening.

  • by Anonymous Coward

    I've had canvasblocker give its fingerprint warning on simple 1-page webapps I've written that don't employ any user tracking of any kind, using only vue.js in its simplified mode and no other 3rd party components.

    Canvasblocker is a "this page uses canvas objects" detector, not a fingerprinting detector.

    • by gweihir ( 88907 )

      The only problem is when canvas actually gets grabbed, i.e. the color of pixels is detected. Anything else should be non-problematic. Maybe with high resolutions the browser window size can be used for tracking, but I do not think that works well yet and may not actually work at all.
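
Added example, not part of the thread or of any commenter's post: a JavaScript monitor for the distinction drawn in the two comments above, flagging only canvas readback (`toDataURL`, `toBlob`, `getImageData`) rather than any use of a canvas. `FakeCanvas`, `FakeContext`, `monitorReadback` and `audit` are hypothetical names, and the two fake classes are constructed stand-ins for the browser's `HTMLCanvasElement` and `CanvasRenderingContext2D` so the code runs in Node.

```javascript
// Constructed stand-ins for HTMLCanvasElement / CanvasRenderingContext2D,
// so the monitor can be exercised outside a browser.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillRect(x, y, w, h) { this.canvas.ops.push(`rect ${w}x${h}`); }
  fillText(text) { this.canvas.ops.push(`text ${text}`); }
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
  }
}
class FakeCanvas {
  constructor() { this.ops = []; }
  getContext() { return new FakeContext(this); }
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
  toBlob(callback) { callback(null); }
}

// Wrap only the methods that hand pixel data back to script. Each call is
// logged and passed through. Returns a function that restores the originals.
function monitorReadback(targets, log) {
  const undo = [];
  for (const [kind, proto, names] of targets) {
    for (const name of names) {
      const original = proto[name];
      if (typeof original !== 'function') continue;
      proto[name] = function (...args) {
        log.push(`${kind}.${name}`);
        return original.apply(this, args);
      };
      undo.push(() => { proto[name] = original; });
    }
  }
  return () => undo.forEach((restore) => restore());
}

// Run one page script against a fresh canvas and classify what it did.
function audit(pageScript) {
  const log = [];
  const uninstall = monitorReadback([
    ['canvas', FakeCanvas.prototype, ['toDataURL', 'toBlob']],
    ['context', FakeContext.prototype, ['getImageData']],
  ], log);
  const canvas = new FakeCanvas();
  try { pageScript(canvas); } finally { uninstall(); }
  const verdict = log.length ? 'readback' : canvas.ops.length ? 'draw-only' : 'unused';
  return { verdict, readbackCalls: log };
}

// Constructed page scripts: one only draws, one draws and then reads pixels back.
const drawOnlyPage = (c) => { const ctx = c.getContext('2d'); ctx.fillRect(0, 0, 10, 10); ctx.fillText('chart'); };
const readbackPage = (c) => { c.getContext('2d').fillText('probe'); return c.toDataURL(); };

console.log(audit(drawOnlyPage));
console.log(audit(readbackPage));
```

A readback verdict shows only that pixels were returned to script; whether they are then used for tracking has to be established separately.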

  • ... and the results are, today, good as google searches - no tracking bullshit on all links (it's why I avoid using Gmail without an IMAP client too)
  • If they are doing this, it means that DDG has a business model, which you are free to take or leave. In the absence of one, I have always suspected that DDG is a gummint-operated honeypot to attract people searching for bomb details, child porn and drugs.
