
SoylentNews is people

posted by chromas on Thursday January 10 2019, @04:12PM   Printer-friendly
from the time-to-switch-to-dodododogo dept.

Submitted via IRC for Bytram

Is this for real? DuckDuckGo has grown in popularity primarily on its claim: We don't track you. Is this no longer true?

DuckDuckGo now fingerprinting visitors

DuckDuckGo is using the Canvas DOMRect API on their search engine. Canvas is used to make unique geometry measurements on target browsers, and DOMRect API uses rectangles. This can be verified with the CanvasBlocker Firefox add-on by Korbinian Kapsner. DDG has recently been redirecting some website navigations to cute pictures with remarks about their privacy promises. The organization is now seeking to expand their Internet presence. DDG are without question data brokers, and commercial websites that make promises like DDG does will not survive for long if they actually keep them.


  • (Score: 5, Insightful) by Anonymous Coward on Thursday January 10 2019, @04:30PM (21 children)

    by Anonymous Coward on Thursday January 10 2019, @04:30PM (#784537)

    All I see is a forum post saying that duckduckgo is using some drawing library functions and therefore they are tracking you. Unless I am seriously misunderstanding what "the Canvas DOMRect API" is, the conclusion does not follow from the premise. Details would be nice.

    Anyway, DuckDuckGo search works perfectly fine without running any ECZEMAscript, which privacy-conscious users should be doing anyway.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday January 10 2019, @05:27PM (6 children)

    by Anonymous Coward on Thursday January 10 2019, @05:27PM (#784566)

    I'd like to see a response from them. Considering that their main selling points are not tracking users and not bubbling them either. It seems suicidal for them to start tracking people.

    That's not to say that they haven't had a change of heart, but I would like to hear from them before assuming that they're using this to track people rather than for a productive reason. These features were not added to browsers for spying on users, that came later as a consequence of being there.

    • (Score: 1, Interesting) by Anonymous Coward on Thursday January 10 2019, @06:20PM (4 children)

      by Anonymous Coward on Thursday January 10 2019, @06:20PM (#784603)

      Considering that their main selling points are not tracking users and not bubbling them either. It seems suicidal for them to start tracking people.

      Yeah, it would be an immensely stupid move on DuckDuckGo's part, which is why claims that DuckDuckGo are doing exactly opposite of their raison d'être need to be backed up with evidence. On that front there appears to be no evidence whatsoever, at least not in this anonymous forum post.

      TBH the entire post looks more like a shill for another search engine.

      • (Score: 0) by Anonymous Coward on Thursday January 10 2019, @09:21PM

        by Anonymous Coward on Thursday January 10 2019, @09:21PM (#784672)

        Any accusation needs to be backed by evidence on part of the accuser, no matter what their raison d'être happens to be.

      • (Score: 3, Interesting) by FatPhil on Friday January 11 2019, @02:29AM (2 children)

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Friday January 11 2019, @02:29AM (#784814) Homepage
        Does this not count:
        """
        brianstoner 2019-01-07 15:42:43 UTC #9

        Hi, I work for DuckDuckGo and wanted to clarify that We absolutely do NOT doing
        any fingerprinting whatsoever. Our privacy policy is very clear on this: "We
        don't collect or share personal information." https://duckduckgo.com/privacy

        We use a variety of browser API's to deliver a search experience that is
        competitive with Google's. Many "fingerprint" protection extensions take a
        scorched earth approach, blocking any browser API that could be exploited by a
        bad actor.
        """

        It's an admission they're using tech that can be associated with being evil.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 0) by Anonymous Coward on Friday January 11 2019, @04:22AM (1 child)

          by Anonymous Coward on Friday January 11 2019, @04:22AM (#784887)

          Which doesn't make their use evil. For almost every API in the browser, there is a non-evil reason it was provided. If you are going to call everything that has at least one bad use, then you should add all of HTML, let alone CSS and JavaScript, to your list too.

          • (Score: 2) by FatPhil on Friday January 11 2019, @11:16AM

            by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Friday January 11 2019, @11:16AM (#784977) Homepage
            Yes, but it's (a) unnecessary; and (b) suspicious.

            Do you think that a website that is trying to get you to trust them will achieve that goal using unnecessary suspicious techniques?
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2, Informative) by Anonymous Coward on Friday January 11 2019, @12:08AM

      by Anonymous Coward on Friday January 11 2019, @12:08AM (#784741)
  • (Score: 3, Informative) by mmh on Thursday January 10 2019, @05:56PM (12 children)

    by mmh (721) on Thursday January 10 2019, @05:56PM (#784586)

    See this site for an example and full explanation: https://browserleaks.com/canvas [browserleaks.com]

    Canvas is an HTML5 API which is used to draw graphics and animations on a web page via scripting in JavaScript.

    But apart from this, canvas can be used as additional entropy in web-browser's fingerprinting and used for online tracking purposes.

    The technique is based on the fact that the same canvas image may be rendered differently on different computers. This happens for several reasons. At the image format level – web browsers use different image processing engines, image export options, compression level; the final images may get a different checksum even if they are pixel-identical. At the system level – operating systems have different fonts, they use different algorithms and settings for anti-aliasing and sub-pixel rendering.

    • (Score: 2, Interesting) by Anonymous Coward on Thursday January 10 2019, @06:12PM (11 children)

      by Anonymous Coward on Thursday January 10 2019, @06:12PM (#784596)

      Obviously these drawing features, like basically every feature implemented in web browsers, can be used for tracking purposes.

      But that does not imply that DuckDuckGo actually is using this feature to track users. The linked forum post does not provide any evidence of such tracking and simply says "DuckDuckGo is doing X. Bad actors who track their users also do X. Therefore DuckDuckGo is a bad actor and is tracking users". This is not a sound argument.

      • (Score: 0) by Anonymous Coward on Thursday January 10 2019, @06:47PM (4 children)

        by Anonymous Coward on Thursday January 10 2019, @06:47PM (#784609)

        We're never going to get "evidence" that they're tracking us, and if they are tracking us they won't tell. But, since duckduckgo claims to not be tracking users and claims it is their reason for existing, they should avoid using technologies that are commonly used for tracking and invading privacy.

        If they want to show graphics, they should use <img src=...

        • (Score: 0) by Anonymous Coward on Thursday January 10 2019, @07:10PM

          by Anonymous Coward on Thursday January 10 2019, @07:10PM (#784618)

          We're never going to get "evidence" that they're tracking us, and if they are tracking us they won't tell.

          I'm never going to get "evidence" that you brutally murdered your first girlfriend, and if you did murder her you won't tell.

          Come on. If you want to assume everyone and their dog is tracking their users regardless of what they say then by all means, take steps to avoid browser fingerprinting. At minimum this means using Tor and never executing scripts on websites. Just don't go pointing fingers at everyone without any evidence saying "that person runs a website and says they don't track users, therefore he's a bad person and tracks users" because that just makes you an asshole.

          But, since duckduckgo claims to not be tracking users and claims it is their reason for existing, they should avoid using technologies that are commonly used for tracking and invading privacy.

          Unfortunately, this is simply impossible for any web site, because essentially every technology related to the world wide web is a technology that is commonly used for tracking and invading privacy.

        • (Score: 1, Insightful) by Anonymous Coward on Thursday January 10 2019, @07:29PM (2 children)

          by Anonymous Coward on Thursday January 10 2019, @07:29PM (#784625)

          We're never going to get "evidence" that they're tracking us

          If they were tracking you using this method, then the required JavaScript would be executed on your computer. You could see everything they're doing on your computer if you so desired, and could validate for yourself whether or not their usage of canvas is for tracking purposes.

          • (Score: 3, Informative) by edIII on Thursday January 10 2019, @11:52PM (1 child)

            by edIII (791) on Thursday January 10 2019, @11:52PM (#784734)

            Absolutely incorrect. The fingerprinting works by analyzing the rendering differences. That's data that is sent back anyways, AFAIK.

            So there is no way to tell from a valid use of the canvas, versus a tracking one, on your computer. You would need to be server side to see what they're doing with that information. If it were solely for the purposes of some display time use of the canvas, then that information wouldn't be stored after the fact. If they're storing that metadata and associating with sessions and other tracking data, then yes, they're tracking us.

            The problem is that so many valid uses of client-side tech exist beyond tracking. In this case, it's perfectly possible the DDG is using canvas for advanced rendering of images and videos.

            Like another poster stated, DDG works with Javascript disabled.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
            • (Score: 0) by Anonymous Coward on Friday January 11 2019, @05:34PM

              by Anonymous Coward on Friday January 11 2019, @05:34PM (#785139)

              Absolutely incorrect. The fingerprinting works by analyzing the rendering differences. That's data that is sent back anyways, AFAIK.
              So there is no way to tell from a valid use of the canvas, versus a tracking one, on your computer.

              Absolutely incorrect. The code which would send the canvas content back to the server runs, you guessed it, on your computer, and a "valid use" of the canvas won't be sending any canvas content back to the server at all.
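
The client-side check debated in the comments above, as an added example that is not part of any comment or of DuckDuckGo's code: it logs calls to canvas readback methods separately from DOMRect layout measurements, so the two uses can be told apart. The names `installAudit`, `hookMethods`, `summarize` and `demo` are hypothetical, and the stub classes in `demo` are constructed stand-ins for the browser's own.

```javascript
// Added example: log calls to the APIs argued over in the thread.
// Canvas readback exposes rendered pixels; DOMRect calls return layout geometry.
const READBACK = ['toDataURL', 'toBlob', 'getImageData'];
const DOMRECT = ['getBoundingClientRect', 'getClientRects'];

function hookMethods(proto, names, kind, log) {
  for (const name of names) {
    const original = proto[name];
    if (typeof original !== 'function') continue; // API not on this prototype
    proto[name] = function (...args) {
      // The stack names the script and line that made the call.
      const stack = (new Error().stack || '').split('\n').slice(1, 4).join(' | ');
      log.push({ kind, api: name, stack });
      return original.apply(this, args);
    };
  }
}

// env is `window` in a browser; it must be hooked before the page's scripts run.
function installAudit(env, log = []) {
  const targets = [
    ['HTMLCanvasElement', READBACK, 'canvas-readback'],
    ['CanvasRenderingContext2D', READBACK, 'canvas-readback'],
    ['Element', DOMRECT, 'domrect'],
  ];
  for (const [cls, names, kind] of targets) {
    if (env[cls]) hookMethods(env[cls].prototype, names, kind, log);
  }
  return log;
}

function summarize(log) {
  const counts = {};
  for (const e of log) counts[e.kind] = (counts[e.kind] || 0) + 1;
  const verdict = counts['canvas-readback']
    ? 'pixels read back: check whether the value leaves the browser'
    : counts['domrect'] ? 'layout measurement only' : 'no audited API used';
  return { counts, verdict };
}

// Constructed stand-ins for the browser classes so the block also runs under Node.
function demo() {
  class Element { getBoundingClientRect() { return { width: 1280, height: 720 }; } }
  class HTMLCanvasElement extends Element { toDataURL() { return 'data:,constructed'; } }
  const log = installAudit({ Element, HTMLCanvasElement });
  new HTMLCanvasElement().getBoundingClientRect(); // layout-style call
  const layoutOnly = summarize(log).verdict;
  new HTMLCanvasElement().toDataURL();             // readback call
  return { layoutOnly, after: summarize(log) };
}
```

A readback entry in the log is not itself evidence of tracking; the recorded stack points to the script to read, and the browser's network panel shows whether any derived value is sent to a server.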

      • (Score: 0) by Anonymous Coward on Thursday January 10 2019, @06:49PM (5 children)

        by Anonymous Coward on Thursday January 10 2019, @06:49PM (#784610)

        Then surely DDG is denying this and providing an explanation of why they have started using canvases, right?

        • (Score: 2, Interesting) by Anonymous Coward on Thursday January 10 2019, @06:56PM (4 children)

          by Anonymous Coward on Thursday January 10 2019, @06:56PM (#784612)

          Then surely DDG is denying this and providing an explanation of why they have started using canvases, right?

          Yes, that is exactly what they are doing [betanews.com].

          Speaking to TechCrunch, DuckDuckGo CEO Gabe Weinberg says that the warning is a false positive:

          Fingerprinting-detection libraries unfortunately create false positives because they don't anticipate good actors using some browser APIs for non-nefarious purposes for which they were designed. We know this not only because we're falsely identified here (and have been elsewhere) but because we are building this type of detection into our mobile app and browser extension and don't similarly want to make false claims.

          So what is DuckDuckGo using the API for? Weinberg thinks it could be the search engine's use of getBoundingClientRect() to "determine size of browser and how to layout the page" that's causing the problem.

          • (Score: 1, Insightful) by Anonymous Coward on Thursday January 10 2019, @09:28PM (1 child)

            by Anonymous Coward on Thursday January 10 2019, @09:28PM (#784676)

            I wish people would stop using scripting for things that % weights in CSS and HTML are perfectly sufficient for.

          • (Score: 0) by Anonymous Coward on Friday January 11 2019, @01:21AM

            by Anonymous Coward on Friday January 11 2019, @01:21AM (#784777)

            We have a browser for laying out the page.

          • (Score: 0) by Anonymous Coward on Friday January 11 2019, @12:49PM

            by Anonymous Coward on Friday January 11 2019, @12:49PM (#785003)

            So what is DuckDuckGo using the API for? Weinberg thinks it could be the search engine's use of getBoundingClientRect() to "determine size of browser and how to layout the page" that's causing the problem.

            Ok, this makes no sense. There is no need to use a huge heavyweight system like DOM Canvas to "determine size of browser and how to layout the page" when CSS percentages and media queries have existed since the CSS 2.1 era.

            So if this is correct, the DDG devs used a heavyweight library, one that can be used for fingerprinting and tracking purposes, to perform the function of a few CSS 2.1 declarations. That seems either incompetent, or else they do eventually plan to quietly begin fingerprinting, and this is just the first tentative step towards that goal (but with no fingerprinting yet, to get people to stop noticing they are using DOM canvas first by 'not fingerprinting'). Then, later, slowly, bits of JS code appear that start fingerprinting when no one is looking.

  • (Score: 4, Informative) by The Mighty Buzzard on Thursday January 10 2019, @07:59PM

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday January 10 2019, @07:59PM (#784640) Homepage Journal

    The bits in question appear to be part of the jQuery Throttle Debounce plugin [benalman.com] by Cowboy Ben Alman by a quick glance at line 43 of l110.js [duckduckgo.com]. Seems to be about as nefarious as a month old puppy with a spiked collar but I'm not going to do any serious digging today.

    --
    My rights don't end where your fear begins.