Submitted via IRC for Bytram
Is this for real? DuckDuckGo has grown in popularity primarily on its claim: We don't track you. Is this no longer true?
DuckDuckGo now fingerprinting visitors
DuckDuckGo is using the Canvas DOMRect API on their search engine. Canvas is used to make unique geometry measurements on target browsers, and DOMRect API uses rectangles. This can be verified with the CanvasBlocker Firefox add-on by Korbinian Kapsner. DDG has recently been redirecting some website navigations to cute pictures with remarks about their privacy promises. The organization is now seeking to expand their Internet presence. DDG are without question data brokers, and commercial websites that make promises like DDG does will not survive for long if they actually keep them.
(Score: 2, Interesting) by Anonymous Coward on Thursday January 10 2019, @06:12PM (11 children)
Obviously these drawing features, like basically every feature implemented in web browsers, can be used for tracking purposes.
But that does not imply that DuckDuckGo actually is using this feature to track users. The linked forum post does not provide any evidence of such tracking and simply says "DuckDuckGo is doing X. Bad actors who track their users also do X. Therefore DuckDuckGo is a bad actor and is tracking users". This is not a sound argument.
(Score: 0) by Anonymous Coward on Thursday January 10 2019, @06:47PM (4 children)
We're never going to get "evidence" that they're tracking us, and if they tracking us are they won't tell. But, since duckduckgo claims to not be tracking users and claims it is their reason for existing, they should avoid using technologies that are commonly used for tracking and invading privacy.
If they want to show graphics, they should use <img src=...
(Score: 0) by Anonymous Coward on Thursday January 10 2019, @07:10PM
I'm never going to get "evidence" that you brutally murdered your first girlfriend, and if you did murder her you won't tell.
Come on. If you want to assume everyone and their dog is tracking their users regardless of what they say then by all means, take steps to avoid browser fingerprinting. At minimum this means using Tor and never executing scripts on websites. Just don't go pointing fingers at everyone without any evidence saying "that person runs a website and says they don't track users, therefore he's a bad person and tracks users" because that just makes you an asshole.
Unfortunately, this is simply impossible for any web site, because essentially every technology related to the world wide web is a technology that is commonly used for tracking and invading privacy.
(Score: 1, Insightful) by Anonymous Coward on Thursday January 10 2019, @07:29PM (2 children)
If they were tracking you using this method, then the required JavaScript would be executed on your computer. You could see everything they're doing on your computer if you so desired, and could validate for yourself whether or not their usage of canvas is for tracking purposes.
(Score: 3, Informative) by edIII on Thursday January 10 2019, @11:52PM (1 child)
Absolutely incorrect. The fingerprinting works by analyzing the rendering differences. That's data that is sent back anyways, AFAIK.
So there is no way to tell from a valid use of the canvas, versus a tracking one, on your computer. You would need to be server side to see what they're doing with that information. If it were solely for the purposes of some display time use of the canvas, then that information wouldn't be stored after the fact. If they're storing that metadata and associating with sessions and other tracking data, then yes, they're tracking us.
The problem is that so many valid uses of client-side tech exist beyond tracking. In this case, it's perfectly possible the DDG is using canvas for advanced rendering of images and videos.
Like another poster stated, DDG works with Javascript disabled.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Friday January 11 2019, @05:34PM
Absolutely incorrect. The code which would send the canvas content back to the server runs, you guessed it, on your computer, and a "valid use" of the canvas won't be sending any canvas content back to the server at all.
(Score: 0) by Anonymous Coward on Thursday January 10 2019, @06:49PM (5 children)
Then surely DDG is denying this and providing an explanation of why they have started using canvases, right?
(Score: 2, Interesting) by Anonymous Coward on Thursday January 10 2019, @06:56PM (4 children)
Yes, that is exactly what they are doing [betanews.com].
(Score: 1, Insightful) by Anonymous Coward on Thursday January 10 2019, @09:28PM (1 child)
I wish people would stop using scripting for things that % weights in CSS and HTML are perfectly sufficient for.
(Score: 2) by coolgopher on Thursday January 10 2019, @11:41PM
That and media queries.
(Score: 0) by Anonymous Coward on Friday January 11 2019, @01:21AM
We have a browser for laying out the page.
(Score: 0) by Anonymous Coward on Friday January 11 2019, @12:49PM
Ok, this makes no sense. There is no need to use a huge heavyweight system like DOM Canvas to "determine size of browser and how to layout the page" when CSS percentages and media queries have existed since the CSS 2.1 era.
So if this is correct, the DDG devs used a heavyweight library, one that can be used for fingerprinting and tracking purposes, to perform the function of a few CSS 2.1 declarations. That seems either incompetent, or else they do eventually plan to quietly begin fingerprinting, and this is just the first tentative step towards that goal (but with no fingerprinting yet, to get people to stop noticing they are using DOM canvas first by 'not fingerprinting'). Then, later, slowly, bits of JS code appear that start fingerprinting when no one is looking.