DuckDuckGo: No, we’re not using browser fingerprinting to track you

Non-tracking search engine DuckDuckGo has denied a claim made in a forum post suggesting it’s using browser fingerprinting as “absolutely false”. The post has been shared on social medium by some security professionals.

Browser fingerprinting is a common but controversial technique. Many websites — and their advertisers — try to track you by collecting as much information about your browser, including its plugins and extensions, and your device, such as its make, model, and screen resolution, to create a “fingerprint” that’s unique to you.

That fingerprint is used to track you across websites to figure out which sites you visit — and which targeted ads to serve up.

No wonder some users were surprised.. We checked the site using CanvasBlocker, a popular privacy extension used to block trackers from fingerprinting your browser, and obtained the following readout:

(Screenshot: TechCrunch)

DDG has carved out a small but growing space for itself in the search market as a pro-privacy Google alternative by saying it does not track or profile users — but instead displays ads based on basic keyword search.

If it was using browser fingerprinting to track users, that would very clearly go against long-stated non-tracking principles.

But founder and CEO Gabe Weinberg assures us it is not, saying this is a case of a false positive.

He told TechCrunch: “Fingerprinting-detection libraries unfortunately create false positives because they don’t anticipate good actors using some browser APIs for non-nefarious purposes for which they were designed. We know this not only because we’re falsely identified here (and have been elsewhere) but because we are building this type of detection into our mobile app and browser extension and don’t similarly want to make false claims.”

Asked which browser APIs might be triggering the flag Weinberg said DDG uses getBoundingClientRect() to “determine size of browser and how to layout the page”, adding: “I think that is the one that set this one off in particular.”

CanvasBlocker’s default setting is to not block fingerprinting but to return “fake readouts,” which returns a new random value each time a website tries to fingerprint. In this case, it seems that the site’s browser resizing code was triggering the plugin.

The company’s head of search, Brian Stoner, has also responded to the forum claim via Reddit, writing: “We are absolutely NOT doing any fingerprinting whatsoever. Please see our privacy policy, it’s pretty clear on this: ‘We don’t collect or share personal information’.”

“We use a variety of browser API’s to deliver a search experience that is competitive with Google’s. Many “fingerprint” protection extensions take a scorched earth approach, blocking any browser API that could be exploited by a bad actor.”

DuckDuckGo said late last year that it’s now processing 30 million daily searches, up by more than 50 percent year-over-year.