DuckDuckGo collecting user browsing data without consent (Updated)

An ethical hacker on Twitter claimed DuckDuckGo intentionally or unintentionally tracked websites a user visited on Android browsers.

Update 14:00 Saturday, 4 July 2020 (BST): The issue has been fixed by DuckDuckGo with favicons being obtained directly from websites now.

Google is quite infamous in some circles for collecting user data and tracking it to perform various functions as a part of its services. This naturally makes privacy-conscious users paranoid, and therefore anonymity-centric search engines like DuckDuckGo (DDG) have captured those valuable users.

However, just recently, an ethical hacker on Twitter going by the online handle of @Cowreth has revealed that DuckDuckGo is also tracking/collecting the names of the websites that a user visits, violating its strong privacy policy.

The issue starts with the fact that the search engine stores the favicons (icon displayed on browser tabs) of websites on one of its servers at Therefore, let’s say, you happen to visit a website. As a result, DuckDuckGo’s Android browser would request the favicon from its server, transmitting the browsing data of the user to that server in the process without asking the user.

In regular circumstances, on the other hand, the favicon is requested from the visited website’s servers or the user’s browser cache, which would prevent this from happening. The implication in DuckDuckGo’s case is that the user can be personally identified as the one visiting a particular site, which compromises their anonymity.

Clarifying their reasons for doing so, DuckDuckGo’s privacy statement related to favicons explains,

These favicons are requested from our servers rather than from websites directly, because it can be surprisingly complicated to locate a favicon for a website — they can be stored in a variety of locations and in a variety of formats.

An important thing to note is that the exact same issue was raised about 1 year ago, on July 9, 2019, on GitHub, but it was closed for some reason. Now, DuckDuckGo has responded stating that they have “re-opened the issue”, citing a post by their CEO.

Weinberg has said the following:

…I want to be clear that we did not and have not collected any personal information here. As other staff have referenced, our services are encrypted and throw away PII like IP addresses by design. However, I take the point that it is nevertheless safer to do it locally and so we will do that.

Nonetheless, the damage has already been done, and users are accusing the company of acting irresponsibly with the trust they placed in it, even if some are still defending the company.

For the future, DuckDuckGo should not only patch up this issue but also any other potential ones that may be unknown currently to the public.

Furthermore, it should remember that even if PII is stripped, users will not be satisfied and so the only way to move forward should be to not collect any user information at all.

  1. “The issue starts with the fact that the search engine stores the favicons (icon displayed on browser tabs) of websites on one of its servers at” – No, the search engine doesn’t do this, the Android browser was doing this.

    Also, the issue was rectified before your post was released, yet you have no update indicating such.

    If people really want to know what happened, they should read this thread, where the entire issue was discussed/debated:

    Your lack of research/understanding severely reduces whatever credibility you had.

    1. Hi, thank you for your feedback. Although I did mention the search engine pointing towards DDG as a company since that is what it is known for, you’ll notice that a couple of lines below, I have specified that the Android browser was at play. As for the issue being rectified, we’ve checked GitHub and it’s true that the issue was fixed, but no official sources or even the company itself for that matter made any announcement indicating so, making it hard to learn of the news and report it in a timely manner.

      Secondly, we did read the thread on Hacker News and even cited it in the article which is why all factualities are correct nor have we pinned the entire blame on DDG but hinted towards the actual reaction users would have which is quite evident from various forums.
