DuckDuckGo Denies Using Fingerprinting To Track Its Users (betanews.com) 165
Mark Wilson writes: Responding to a forum post that accused it of 'fingerprinting users', privacy-centric search engine DuckDuckGo says that fears are unfounded and that it is not tracking its users. The allegation was made after the Firefox extension CanvasBlocker showed a warning to users. The suggestion of fingerprinting -- gathering as much information as possible about a user through their browser to create a unique identifier that can be used for tracking -- is clearly something that would seem to sit in opposition to what DuckDuckGo claims to stand for. The company CEO says the accusation is simply wrong.
Re: (Score:3, Interesting)
Because of the aforementioned not-tracking stuff? And the results are as good as Google, which is apparently a non-goofy name now?
If you care about your privacy then you use DuckDuckGo.
Re:Silly name (Score:5, Insightful)
Because of the aforementioned not-tracking stuff? And the results are as good as Google.
In my experience they are not. Not even close. I wish I could ditch Google, but DuckDuckGo cannot (yet) fill Google's search shoes.
Re: (Score:2)
They are close but not there yet, I end up having to gulag things pretty much every day.
Re: (Score:1)
It's okay for a daily driver, but for highly technical or complicated search strings with say boolean qualifiers, yeah, I have to revert to the white devil. Fortunately, most of that traffic originates from my place of work, and fuck if I care what they track from that place.
Re:Silly name (Score:4, Insightful)
Re: (Score:2)
https://support.google.com/web... [google.com]
Re: (Score:3)
Just because Google documents it that way doesn't mean it actually works. I just searched for "ibanez and rb-800", and it wasn't until the third result that it actually matched.
Re:Silly name (Score:5, Informative)
That's not the right syntax for Google, hasn't been for years. The syntax is now that double quotes mean the search term must appear on the page for it to be included in the results. So double quotes are like a logical AND, everything else is logical OR but obviously heavily weighted.
Your correct search term should be:
"ibanez" "rb-800"
First result looks correct but I don't know much about guitars.
Re: (Score:2)
The first result doesn't have both search terms in the content, but it does in the URL so I'll consider it correct. Further down, there are matches for "RB 800" that don't have "RB-800" in either the content or the URL, though. Just the same, thanks for the tip. The problem appears to remain, however, that Google does "intelligent matching", which is exactly what is *not* needed sometimes.
Re:Silly name (Score:5, Informative)
They still index torrent sites while google keeps shuffling them further down the listings.
Re: (Score:3)
Re: (Score:1)
I use it. I find it much better than DDG.
On Android I find the combination of Qwant and Brave to be very fast and functional.
Re:Silly name (Score:5, Informative)
Google search has become useless for me (search tech related issues) - too many sponsored ads and content farms.
Duck Duck go doesn't have all the advertising, and I am getting useful results when searching for issues.
Re: (Score:1)
Have you tried Startpage.com? It's anonymized Google and based in the EU.
Re: (Score:2)
I've been using DDG exclusively for several years. I always find what I need. I've never felt that I needed to use a different search engine to get "better" results.
YMMV
Re:Silly name (Score:4, Informative)
>"In my experience they are not. Not even close. I wish I could ditch Google"
You can. Just use:
https://startpage.com/ [startpage.com]
and get the same Google results but without the tracking.
Re: (Score:2)
Re: (Score:2)
And the results are as good as Google,
Every year or two I give DuckDuckGo another try, because I really want to like them and prefer how they're trying to be less of a privacy nightmare than Google...
Every year or two I think "meh, still not there" and give them a pass. Unfortunately, they're not anywhere near as good as Google for searching yet. They're not even as good as Bing yet.
Re: (Score:2)
How so? DDG uses Google under the hood, it just anonymizes the data. It's the exact same search engine, DDG is not doing its own searches. Now if you're getting better results with Google then it's because Google has built up memory about you and knows that when you search for Ruby that you want the programming language and not the gem, things like that.
So it's up to you, you get more personalized results but less privacy, or vice-versa.
Re: (Score:3)
https://duck.co/help/results/sources
"In fact, DuckDuckGo gets its results from over four hundred sources. These include hundreds of vertical sources delivering niche Instant Answers, DuckDuckBot (our crawler) and crowd-sourced sites (like Wikipedia, stored in our answer indexes). We also of course have more traditional links in the search results, which we also source from a variety of partners, including Oath (formerly Yahoo) and Bing."
Re: (Score:2)
How so? DDG uses Google under the hood, it just anonymizes the data. It's the exact same search engine, DDG is not doing its own searches. Now if you're getting better results with Google then it's because Google has built up memory about you and knows that when you search for Ruby that you want the programming language and not the gem, things like that.
So it's up to you, you get more personalized results but less privacy, or vice-versa.
It's only the same as Google if you "!g" it - and if you're doing that and giving google your data anyway... might as well use google.
Re: (Score:2)
Google tracks users because it can identify that multiple queries came from the same computer. DDG is supposed to anonymize this so that it can't correlate to a particular user. Google might know that all the searches came from DDG but not that they came from me. It does seem to work because I am not seeing the sort of creepy search results with DDG that I used to get when using Google directly.
Re: (Score:2)
Well, DDG uses Bing on the back end for web results, but if in your experience Bing itself is better it may have something to do with tracking, I dunno..
Re: Silly name (Score:2)
Re: (Score:2)
If handwashers cared about germs, they would not eat produce grown by others, food prepared by others, animals raised by others.
Or maybe you're full of shit and privacy/germs exist in spectrums, not a single binary state. Unfortunately that's a complicated reality to keep up with, since you're a dumbfuck.
Handwashing helps, whether or not it "solves" salmonella.
As if washing was a targeted protection.
I'll continue employing general defenses. You can continue bitching about how IT SHOULD BE ILLEGAL TO DO THAT
Been hearing a lot of FUD about duckduckgo... (Score:1)
... so far everything from it being a Google subsidiary to a CIA honeypot. Anyone have any proof at all, or are we just going to do everything by conjecture now?
Re: (Score:1)
Are you alleging that they're not fingerprinting everyone but they are targeting employees of specific companies for illegal data harvesting? That's a very interesting idea...
Re: (Score:2)
nice conjecture... :)
Re: (Score:2)
You can but it uses an anonymized search. It's similar to opening a browser tab in privacy mode and searching in Google.
Re:Been hearing a lot of FUD about duckduckgo... (Score:4)
Duckduckgo doesn't do their own web indexing. They purchase web indexing from many sources. Most of Duckduckgo's results are actually purchased through Bing, some is from Google. Many smaller search engines purchase and offer search results from larger entities. The fact that Google, Bing, or anyone else is selling them raw data doesn't mean that Duckduckgo is collecting information for them. None of what you are searching for makes it to Google or Bing that way.
A bang, of which "!g" is just one (!w for wikipedia, !r is reddit, etc) is something different. It's just a quick way of getting results directly from somewhere else - a way that you can have Duckduckgo as your home page but get quick results from other places directly. Of course, when you use one and are redirected, you have no guarantees what the target site is doing with that search data. But if you are coming up dry with the results from Duckduckgo, then !g is one way to try the query to see what Google makes of it.
My personal assessment of Duckduckgo is this. I use it directly for about 95% of my search, and for normal to moderately difficult queries, it works great. For more advanced searches, searches where there might be less signal and more noise (searches with key words that are common jargon but in the context of the search it's not the jargon I'm looking for), then I do find that Google is slightly superior at parsing the search and returning what I want to see. At times like that, when getting the result is more important to me than watching my privacy, then I'll use a !g and try Google if I come up dry on Duckduckgo. Though I find that Duckduckgo is getting better, and there have even been cases where I've gone directly to Google with something I didn't expect would work well on DDG and where I came up dry there and where DDG found me what I wanted.
Re: (Score:2)
>"At times like that, when getting the result is more important to me than watching my privacy, then I'll use a !g and try Google if I come up dry on Duckduckgo."
Or just use:
https://startpage.com/ [startpage.com]
and get the same Google results with zero tracking from/by Google. You can have your cake and eat it too.
Re: (Score:3)
I don't trust Google with 100% of my search traffic. I prefer to keep them as a secondary resource - I don't trust that startpage.com can have zero tracking by Google and here's why. About 75% of web sites have some sort of traffic monitoring aid or ad source that relates in some way back to Google. However Startpage.com munges Google's results, when I click on one of their links and end up on a page that has any Google presence, Google knows two things. It knows that it served up search results through
Re: (Score:2)
>"I don't trust that startpage.com can have zero tracking by Google and here's why. About 75% of web sites have some sort of traffic monitoring aid or ad source that relates in some way back to Google"
That is a good point, but it is why it is best to combine it with Firefox, with tracking limiting controls enabled :)
Re: (Score:2)
Sure, but what does tracking limiting do? According to their blog [mozilla.org] it simply limits cookies identified by Mozilla as tracking cookies. Are Google ones included, considering that Google is still a major funder of Mozilla? Somehow I doubt it. Is the HTTP referrer scrubbed? Doesn't appear to be when I tested it.
So Google still gets all the same information, maybe with a limitation on some cookies, which I never factored into my original analy
this is based on a forum post? (Score:5, Insightful)
So, one guy posts on a forum that a certain API is being blocked by his Firefox extension CanvasBlocker. Not that the one individual has anything showing some tracking and data gathering, he just sees an API being used. Without any real evidence whatsoever. Sounds like someone wants to sow seeds of mistrust at DuckDuckGo.
Re: (Score:1)
Re: (Score:1)
It is still the case that every cookie set by a site on which you have not created an account has only malicious uses.
I think browsers allowing fingerprinting (Score:2)
is something that should be disabled (by default).
My browser knows what to do with different file types, and if it doesn't, it prompts me to select an application.
Re: (Score:3)
is something that should be disabled (by default).
It's not a feature that can be switched off. Fingerprinting works by collecting as many attributes about the host browser as possible. This might be things like your language, browser version, installed plugins, settings, IP address, and many other things. Most of these have potential legit uses, but when combined they build a "fingerprint" of you.
I suppose you could disable collection of some of the fingerprint components. This is however contradictory to a world where we want web apps to have the same po
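An added illustration, not part of the original thread, of the point that attributes with legitimate uses become identifying once combined. It measures how the set of indistinguishable visitors shrinks as each attribute is observed; the population and attribute names are constructed sample data.

```javascript
// POPULATION is constructed sample data (8 hypothetical visitors), not measurements.
const POPULATION = [
  { language: 'en-US', timezone: 'UTC-5', screen: '1920x1080', platform: 'Win' },
  { language: 'en-US', timezone: 'UTC-5', screen: '1920x1080', platform: 'Mac' },
  { language: 'en-US', timezone: 'UTC-8', screen: '1920x1080', platform: 'Win' },
  { language: 'en-US', timezone: 'UTC-8', screen: '1366x768', platform: 'Win' },
  { language: 'de-DE', timezone: 'UTC+1', screen: '1920x1080', platform: 'Win' },
  { language: 'de-DE', timezone: 'UTC+1', screen: '1366x768', platform: 'Linux' },
  { language: 'en-US', timezone: 'UTC-5', screen: '1366x768', platform: 'Win' },
  { language: 'en-US', timezone: 'UTC+1', screen: '1920x1080', platform: 'Win' },
];
const ATTRS = ['language', 'timezone', 'screen', 'platform'];

// Anonymity set: how many visitors look identical to `target`
// when only the attributes in `attrs` are observed.
function anonymitySet(population, target, attrs) {
  return population.filter(p => attrs.every(a => p[a] === target[a])).length;
}

// Identifying information (in bits) revealed by observing `attrs`.
// log2(N) bits means the target is unique within a population of N.
function surprisalBits(population, target, attrs) {
  return Math.log2(population.length / anonymitySet(population, target, attrs));
}

// Anonymity-set size after each additional attribute is observed, in order.
function shrinkage(population, target, attrs) {
  return attrs.map((_, i) =>
    anonymitySet(population, target, attrs.slice(0, i + 1)));
}

// Attributes ordered from most to least identifying for this target,
// which is what a privacy review would look at first.
function rankAttributes(population, target, attrs) {
  return attrs
    .map(a => ({ attr: a, bits: surprisalBits(population, target, [a]) }))
    .sort((x, y) => y.bits - x.bits);
}

const target = POPULATION[0];
console.log('set size per added attribute:', shrinkage(POPULATION, target, ATTRS));
console.log('bits from all attributes:', surprisalBits(POPULATION, target, ATTRS));
console.log('most identifying single attribute:',
  rankAttributes(POPULATION, target, ATTRS)[0].attr);
```

No single attribute here narrows the visitor to fewer than three candidates, yet the four together single them out.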
Re: (Score:2)
As you point out, there's no need for my browser to report back version, plugins, settings, or pretty much anything else. "Desired language" and "IP address" seem to be the only vital ones.
It may be contradictory to a world where we want web apps to have the same power as native apps, except a) I have no desire to run a random native app by some asshole on the internet by default - the same power would be opt-in only and b) I want the browser to show me pages by default. A single-page webapp is a special
Re: (Score:2)
As you point out, there's no need for my browser to report back version, plugins, settings, or pretty much anything else. "Desired language" and "IP address" seem to be the only vital ones.
I was giving examples, not an exhaustive list.
Versions are used for compatibility, and settings like "allows local storage" (again, this is just ONE example) are things web apps can figure out by attempting to use the feature.
Plugins can be derived. E.g., is there an adblocker installed? Let's test if ads are blocked.
Re: (Score:2)
I was giving an exhaustive list. Web sites should get "desired language" and "ip address". None of the others are needed. Local storage, fuck off. Try to set a cookie, you'll know if I let you because it'll get reported back when I return.
I think SPAs are pretty stupid in general. And you said we had to choose between security/privacy or webapps. I vote for security/privacy thanks.
Re: (Score:2)
I was giving an exhaustive list.
So a browser say wouldn't need to know the screen size? That was the #1 most unique attribute for my browser (seems to be the canvas size, so perhaps my choice of UI element sizes made this unique). A web app wouldn't need to know my timezone? My browser's time (clock skew is an identifying attribute)? My host OS (you know, for suggesting the right download package for things)? Again, NOT an exhaustive list. I can keep going.
I think you are being naive about what could reasonably be done without breaking a
Re:I think browsers allowing fingerprinting (Score:4, Insightful)
A browser needs to know it to render properly. A website serving it certainly doesn't. And I have no idea why it would.
Why would it? And why would a website? Why would Slashdot? Or (choose a news site)? Or Reddit?
Certainly not. Unlike timezone where a webapp might need to know it, knowing time isn't something that should be communicated client-to-server ever.
This is the only time you actually suggested a use case for the data you're collecting. That said, why does it need to get reported back to the server. The whole point you're making is that the site can display it on its own. So, again, it wouldn't be usable for fingerprinting if it stayed clientside
Again, NOT an exhaustive list. I can keep going.
Instead of just listing features, you should explain what benefit I get out of letting that data leak out of my browser. Cause I don't see it.
Whoa. First, I would think 2002 would be far enough back. Second, the cool stuff that happened since then are things like embedded video/audio. Or CSS advances. I'm not sure what cool stuff's been enabled by new tech since then, rather than faster pipes and the smartphone form-factor.
Re: (Score:2)
So a browser say wouldn't need to know the screen size?
A browser needs to know it to render properly. A website serving it certainly doesn't. And I have no idea why it would.
So if you are drawing graphics on a canvas you don't need to know the canvas size? You do.
. A web app wouldn't need to know my timezone?
Why would it? And why would a website? Why would Slashdot? Or (choose a news site)? Or Reddit?
To render a site like this?
https://www.worldtimebuddy.com... [worldtimebuddy.com]
There are websites other than slashdot or reddit.
That said, why does it need to get reported back to the server.
It's really hard to allow code to use a value but somehow prevent that value from being passed as data somewhere else.
Instead of just listing features, you should explain what benefit I get out of letting that data leak out of my browser. Cause I don't see it.
If all you do is read /. and reddit, then you don't. You see however I thought you were discussing things in general, not your narrow, unusual use case compared to the rest of the web users out t
Re: (Score:2)
It also works for YouTube, Twitch, YouPorn, etc. I mean, the dynamic links to the next video changing wouldn't, but the rest of it would. That's kinda my point, 95% of the web would work well. GMail does. The only thing that really messes up are sites like Trello and GoogleDocs. And those are small and should be native apps anyway
Re: (Score:2)
So a browser say wouldn't need to know the screen size?
A browser needs to know it to render properly. A website serving it certainly doesn't. And I have no idea why it would.
It's used for adaptive layouts, so that the same page can render well on desktop, tablet and phone.
Unfortunately it's hard to avoid that information then getting back to the server. For example different images might be selected depending on the screen resolution (no point loading 4k photos on a 720p screen), different CSS might be loaded to alter the layout to move side menus on a narrow phone screen etc.
Well, there is one way, which is to go back to really basic HTML pages, but in these days of webapps th
Re: (Score:2)
Indeed. The approach here is to render something (including some text) and then to "screen-grab" that (canvas-grab). Small differences in configuration can be detected in that. If that is not what is done by DuckDuckGo, then it is probably not actually tracking and the blocking add-on is overly sensitive. False positives are a huge problem in the security sphere.
Re: (Score:2)
False positives are a huge problem in the security sphere.
Not as much as false negatives.
Re: (Score:2)
False positives are a huge problem in the security sphere.
Not as much as false negatives.
I disagree. False positives often swamp analysis capabilities to a degree that true positives cannot be dealt with anymore.
Re: (Score:2)
The problem with DuckDuckGo (Score:3, Insightful)
Re:The problem with DuckDuckGo (Score:5, Informative)
Use "!g " in the DDG search box to initiate a google search with those terms.
Why use !g when you can use !sp (Score:4, Informative)
If you use !sp instead, you can use Startpage, which anonymizes Google search results.
Re: (Score:2)
Indeed.
DDG does a great job on about 90% of the queries I search. And the other 10% are difficult ones, where Google might be a bit better. But then I do not know when DDG is better than Google.
Overall, Google is probably a bit better, but DDG is fine.
Re: (Score:1)
Either SP is mangling the results or Google is returning different results to the SP servers than it returns directly to users.
The latter case. Google skews its search results based on the profile it builds of its users. Even the same search on Google might return different results for two different people.
Re: (Score:2)
The problem with DuckDuckGo is that, when it comes to searching
Who would have thought that indexing the internet and the algorithms behind it would be a hard problem?
Re: (Score:2)
The problem with DuckDuckGo is that, when it comes to searching
Who would have thought that indexing the internet and the algorithms behind it would be a hard problem?
Oh, it's not the search and indexing of the internet that's hard.. I participated in building a web crawler that could index the internet if you let it run long enough, problem was the indexes quickly got huge and unmanageable. What's hard? It's the return of results in a reasonable amount of time that's hard..
Re: (Score:3)
Oh, it's not the search and indexing of the internet that's hard.. I participated in building a web crawler that could index the internet if you let it run long enough
def index(url):
    links = parse_page(url)
    for u in links:
        index(u)
I just wrote Google for you.
Re:The problem with DuckDuckGo (Score:4, Interesting)
This is just one example, but search Google for "how many stars in the solar system" and the first handful of results are not related, and the quick-answer is absolutely wrong.
http://lmgtfy.com/?q=how+many+... [lmgtfy.com]
Search DuckDuckGo for the same and you'll get the right answer in the first result.
https://lmddgtfy.net/?q=how%20... [lmddgtfy.net]
As a bonus, my custom captcha uses these horrible results from Google to weed out bots (and ignorant users I'd rather not have to deal with).
Re: (Score:2)
I don't think a trick question is the best test of a search engine.
Re: (Score:2)
Re: (Score:2)
What's a tortoise ?
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:3, Insightful)
The problem with DuckDuckGo is that, when it comes to searching, it simply sucks.
You post this every time DDG comes up, presumably b/c you're astroturfing for Google. You've never given an example, or shown anything but FUD. DDG's search results are fine.
Re: (Score:2)
Here's an example for you. Search for "BC137" on both.
On Google you get live flight details on flight BC 137 (note how it isn't fazed by the extra space), and then working links to datasheets for that transistor. No matter which one you wanted, the right info is in the first couple of hits.
On DDG you don't get any flight info, and it's actually a bit awkward to search for it because of the space. There is a link to Flightradar some way down the page, but that's probably not what you want. The links relatin
Re: (Score:2)
You are missing the fact that google results are personalised. Meaning your results are more relevant because they've probably been personalised to your profile / locality. When I perform the same search, DDG results seem to be more relevant if anything (Google includes lots of spammy looking stuff). And adding 'flight' to the term immediately brings the right results unambiguously.
Effectively you're saying you prefer the so-called 'filter bubble' (which is fine, but I don't).
For what it's worth, I typicall
Re: (Score:2)
It's easy to disable personalization, just open a private browsing window in the EU. The EU bit is important because then Google needs all your opt-in permissions again to do any personalization.
Re: (Score:2)
I use DDG as my default search engine everywhere, as for the last year I have been taking steps to de-Google my digital life as much as I can. That said, I can vouch that I end up falling back to the `g!` modifier to get Google results far more often than I would like. DDG is great, and I encourage everyone to use the best alternatives to Google's products available, but DDG search results definitely have room for improvement.
Re:The problem with DuckDuckGo (Score:4, Insightful)
not lately to me: I migrated from google to exclusively DDG about a year ago
Re: (Score:2)
>"The problem with DuckDuckGo is that, when it comes to searching, it simply sucks. I used it as my default search engine for a week, and I had to return to Google"
No you didn't, simply use:
https://startpage.com/ [startpage.com]
instead. Same Google search results, but through a proxy so Google cannot track you.
Meh (Score:1)
I can't think of anyone I know who uses DDG and doesn't employ obfuscation techniques. Out of any search engine out there, it would benefit DDG the least to even try tracking its users -- and they know it.
Accusation doesn't pass the sniff test.
The inevitable attack could be a good sign (Score:5, Interesting)
Support Duckduckgo.com. I've been using it for years and have seen the amount of spam in my inbox and even social media go WAY down. We need more services like Duckduckgo.com, not fewer.
But, perhaps the inevitable attack on them is showing some success. I'm hopeful.
Re: (Score:2)
How is choice of search engine related to the amount of email spam you get?
Follow the Money (Score:1)
How does Duck Duck Go get paid?
You are not paying for their service. Therefore, you are not the customer. You are the product.
They are no different than facebook or any other 'free' thing.
Sources of DuckDuckGo's revenue (Score:5, Informative)
The difference is that while some other services show ads based on interests inferred from your previous viewing history, DuckDuckGo shows ads based only on the context of your search query. DuckDuckGo also adds its referral tag to Amazon product URLs in search results.
(Source: "How Does DuckDuckGo Make Money? DuckDuckGo Business Model Explained" [fourweekmba.com])
Re: (Score:2)
DuckDuckGo also adds its referral tag to Amazon product URLs in search results.
That's cool! I will now do more of my amazon searching through DDG to help support them.
Re: (Score:3)
You are not paying for their service. Therefore, you are not the customer. You are the product.
Ok, but only in the sense of being exposed to ads. If that makes me the product, then I know about the extents and times when I am said product and can make an informed choice.
They are no different than facebook or any other 'free' thing.
Facebook, by design, is a privacy-invading/selling ethics-free piece of shit. They sell all kinds of things about you to people behind your back, make inferences about you that you have no idea of (and in many cases are not supportable, yet are packaged as "truths" to the buyers), and would deprive you of oxygen if they could think o
Re: (Score:2)
DDG sells ads. The difference is that Google sells ads based on their deep knowledge of your innermost thoughts since they've been watching you for years. DDG just tailors the ad to what you entered in the search box.
I doubt that advertisers appreciate the difference.
A canvas grab is suspicious (Score:3)
It may be, but does not need to be, a tracking attempt. It should be conclusively explained and removed.
Re: (Score:2)
It's unnecessary, especially on a minimal search site like DDG. If you block DDG from using the canvas it doesn't break anything. They really need to explain what they are doing with it.
Re: (Score:2)
The first rational series of words so far. Let's find out why it is grabbing the "canvas". If moral outrage is appropriate, then we can move on to the moral outrage department. In the meantime, let's just find out exactly WTF is happening and why it is happening.
Re: (Score:2)
Just my thought. Misdirected outrage makes things worse.
CanvasBlocker is too sensitive (Score:1)
I've had canvasblocker give its fingerprint warning on simple 1-page webapps I've written that don't employ any user tracking of any kind, using only vue.js in its simplified mode and no other 3rd party components.
Canvasblocker is a "this page uses canvas objects" detector, not a fingerprinting detector.
Re: (Score:2)
The only problem is when canvas actually gets grabbed, i.e. the color of pixels is detected. Anything else should be non-problematic. Maybe with high resolutions the browser window size can be used for tracking, but I do not think that works well yet and may not actually work at all.
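An added example, not part of the original thread and not CanvasBlocker's code, of the distinction drawn in the comments above between a page that merely draws on a canvas and one that renders text and then reads the pixels back. `FakeCanvas` and `FakeContext2D` are constructed stand-ins so it runs in Node; in a browser the same wrapper would be applied to `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`.

```javascript
// Real Canvas API method names, grouped by whether they write or read pixels.
const DRAW_METHODS = ['fillRect', 'fillText', 'strokeText', 'drawImage'];
const CONTEXT_READ_METHODS = ['getImageData'];
const CANVAS_READ_METHODS = ['toDataURL', 'toBlob'];

// Wrap draw and readout methods on the given prototypes and return the
// (live) event log. Methods missing from a prototype are skipped.
function instrument(canvasProto, contextProto) {
  const events = [];
  const wrap = (proto, name, type) => {
    const original = proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function (...args) {
      events.push({ type, api: name });
      return original.apply(this, args); // behaviour is unchanged, only observed
    };
  };
  DRAW_METHODS.forEach(n => wrap(contextProto, n, 'draw'));
  CONTEXT_READ_METHODS.forEach(n => wrap(contextProto, n, 'read'));
  CANVAS_READ_METHODS.forEach(n => wrap(canvasProto, n, 'read'));
  return events;
}

// Drawing alone exposes nothing to the page. A readout exposes pixels, and a
// readout that follows text rendering is the pattern described in the thread.
function classify(events) {
  if (events.length === 0) return 'no-canvas-activity';
  const firstRead = events.findIndex(e => e.type === 'read');
  if (firstRead === -1) return 'draw-only';
  const textBeforeRead = events
    .slice(0, firstRead)
    .some(e => e.api === 'fillText' || e.api === 'strokeText');
  return textBeforeRead ? 'text-rendered-then-read' : 'read-without-text';
}

// Constructed stand-ins for the browser classes (fresh per run so that
// instrumenting one scenario does not leak into the next).
function makeFakes() {
  class FakeContext2D {
    fillRect() {}
    fillText() {}
    getImageData(x, y, w, h) {
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
    }
  }
  class FakeCanvas {
    getContext() { return new FakeContext2D(); }
    toDataURL() { return 'data:image/png;base64,'; }
  }
  return { FakeCanvas, FakeContext2D };
}

// Run a page script (a function taking a canvas) under observation.
function observe(pageScript) {
  const { FakeCanvas, FakeContext2D } = makeFakes();
  const events = instrument(FakeCanvas.prototype, FakeContext2D.prototype);
  pageScript(new FakeCanvas());
  return classify(events);
}

// Constructed page behaviours.
const drawsChart = c => { const x = c.getContext('2d'); x.fillRect(0, 0, 10, 10); x.fillText('Q1', 0, 0); };
const exportsThumbnail = c => { c.getContext('2d').fillRect(0, 0, 10, 10); c.toDataURL(); };
const rendersTextThenReads = c => { c.getContext('2d').fillText('sample', 0, 0); c.toDataURL(); };

console.log(observe(drawsChart), observe(exportsThumbnail), observe(rendersTextThenReads));
```

A warning keyed on the first class would fire on any charting page, while one keyed on readout stays quiet until pixels actually leave the canvas.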
I use DDG because there I can direct copy links... (Score:3)
I HOPE that DuckDuckGo is fingerprinting (Score:2)
If they are doing this, it means that DDG has a business model, which you are free to take or leave. In the absence of one, I have always suspected that DDG is a gummint-operated honeypot to attract people searching for bomb details, child porn and drugs.
U.S. law doesn't compel operating in the 1st place (Score:2)
why do you think Duck Duck Go would magically be able to avoid the law?
Should worse come to worst, DuckDuckGo could go the way of Lavabit in 2013: discontinuing service under that brand and offering refunds to paying customers (if any).
Re: (Score:2)
I use Safari on Macbook. When using private mode, each tab is a separate session. I also use vpn. I don't log into google services. I recycle my tabs about every 30 min. How does google track me?
They track you with browser fingerprinting. Even in "private mode," your browser sends an awful lot of information about your computer & its settings, which can make up a unique identity of it, with every request so it's relatively easy to track most people in most cases.
The internet was originally conceived of by the US military as a surveillance network & this aspect of it hasn't changed at all. If you think it's only about selling targeted advertising, you misunderstand the scale & scope of th