DuckDuckGo denies using fingerprinting to track its users
Responding to a forum post that accused it of "fingerprinting users", privacy-centric search engine DuckDuckGo says that fears are unfounded and that it is not tracking its users.
The allegation was made after the Firefox extension CanvasBlocker showed a warning to users. The suggestion of fingerprinting -- gathering as much information as possible about a user through their browser to create a unique identifier that can be used for tracking -- is clearly something that would seem to sit in opposition to what DuckDuckGo claims to stand for. The company CEO says the accusation is simply wrong.
The accusation was made recently on the Whonix forum by a user by the name of 9jnc7: "DuckDuckGo is using the Canvas DOMRect API on their search engine. Canvas is used to make unique geometry measurements on target browsers, and DOMRect API uses rectangles. This can be verified with the CanvasBlocker Firefox add-on by Korbinian Kapsner. DDG has recently been redirecting some website navigations to cute pictures with remarks about their privacy promises. The organization is now seeking to expand their Internet presence. DDG are without question data brokers, and commercial websites that make promises like DDG does will not survive for long if they actually keep them".
Over on Reddit, Brian Stoner -- DuckDuckGo's head of search -- denies the accusation:
We use a variety of browser API's to deliver a search experience that is competitive with Google's. Many "fingerprint" protection extensions take a scorched earth approach, blocking any browser API that could be exploited by a bad actor.
Speaking to TechCrunch, DuckDuckGo CEO Gabe Weinberg says that the warning is a false positive:
Fingerprinting-detection libraries unfortunately create false positives because they don't anticipate good actors using some browser APIs for non-nefarious purposes for which they were designed. We know this not only because we're falsely identified here (and have been elsewhere) but because we are building this type of detection into our mobile app and browser extension and don't similarly want to make false claims.
So what is DuckDuckGo using the API for? Weinberg thinks it could be the search engine's use of getBoundingClientRect() to "determine size of browser and how to layout the page" that's causing the problem.