An ethical hacker on Twitter claimed DuckDuckGo intentionally or unintentionally tracked websites a user visited on Android browsers.
Update 14:00 Saturday, 4 July 2020 (BST): The issue has been fixed by DuckDuckGo with favicons being obtained directly from websites now.
Google is quite infamous in some circles for collecting user data and tracking it to perform various functions as a part of its services. This naturally makes privacy-conscious users paranoid and therefore, anonymity centric search engines like DuckDuckGo (DDG) have captured those valuable users.
The issue starts with the fact that the search engine stores the favicons (icon displayed on browser tabs) of websites on one of its servers at icons.duckduckgo.com. Therefore, let’s say, you happen to visit a website. As a result, DuckDuckGo’s Android browser would request the favicon from its server transmitting the browsing data of the user to that server in the process without asking the user.
In regular circumstances, on the other hand, the favicon is requested from the visited website’s servers or the user’s browser cache which would prohibit this from happening. The implications of this in DuckDuckGo’s case are that the user can be personally identified to be the one visiting a particular site and hence compromise their anonymity.
Clarifying their reasons for doing so, DuckDuckGo’s privacy statement related to favicons explains,
These favicons are requested from our servers rather than from websites directly, because it can be surprisingly complicated to locate a favicon for a website — they can be stored in a variety of locations and in a variety of formats.
An important thing to note is that the same exact issue was raised about 1 year ago on July 9, 2019, on Github but it was closed down due to some reason. Now, DuckDuckGo has responded stating that they have “re-opened the issue” along with citing a post by their CEO.
Hi Seb. We've re-opened the issue and are now working on making an update to the app as soon as possible.
Please see the response from our Founder & CEO, Gabriel Weinberg, here:https://t.co/jARcqrHThs
— DuckDuckGo (@DuckDuckGo) July 2, 2020
Weinberg has said the following:
…I want to be clear that we did not and have not collected any personal information here. As other staff have referenced, our services are encrypted and throw away PII like IP addresses by design. However, I take the point that it is nevertheless safer to do it locally and so we will do that.
Nonetheless, the damage has already been done and users are accusing the company of acting irresponsibly when their trust was placed in them even if some are still defending the company.
For the future, DuckDuckGo should not only patch up this issue but also any other potential ones that may be unknown currently to the public.
Furthermore, it should remember that even if PII is stripped, users will not be satisfied and so the only way to move forward should be to not collect any user information at all.