DuckDuckGo browser seemingly sends domains a user visits to DDG servers

824 points by commotionfever, nearly 5 years ago

40 comments

yegg, nearly 5 years ago
Hi all, Founder and CEO of DuckDuckGo here. I’m literally just waking up and reading the comments here.

I’m new to this issue and happy to commit us to move to doing this locally in the browser and will have us move on that ASAP.

That said, I want to be clear that we did not and have not collected any personal information here. As other staff have referenced, our services are encrypted and throw away PII like IP addresses by design. However, I take the point that it is nevertheless safer to do it locally and so we will do that.

tagawa, nearly 5 years ago
DuckDuckGo staff here. As mentioned in the linked page, the purpose of the request is to retrieve a website's favicon so that it can be displayed in certain places within the app or on the results page. We use an internal favicon service because it can be complicated to locate a favicon for a website. They can be stored in a variety of locations and in a variety of formats. The service understands these edge cases and simplifies retrieval within our apps and our search engine.

Like our search results, the favicon service adheres to our strict privacy policy[1] in that the requests are anonymous and we do not collect or share any personal information.

[1] https://duckduckgo.com/privacy

throwaway_pdp09, nearly 5 years ago
There's an interesting disease showing up here in the responses.

I accept DDG's statement that this is about a favicon and that they "do not collect or share any personal information", and despite that, I also agree with others that DDG should be on the safe side and just stop doing this small thing. It's just the safer and more moral thing to do (So DDG, as many are suggesting, plz stop doing it. Today is good).

But... the reaction here is "they made a mistake, let's pile on like kids in a playground" ignoring the genuinely huger issue of the amount of info and mining that Google et al. do. There's no measure of proportion in the responses, someone is making a mistake then there's a wolfish, pack-like desire to get stuck in and hurt someone.

Which is why politicians rarely admit mistakes, because it's taken as a sign of weakness, not strength, to admit you were wrong. DDG isn't the big evil on the web but from reading some of these you'd think it was the 2nd Google.

This isn't about DDG, just the proportionality of responses in public errors and what society you'd like to have.

(no affiliation to DDG)

davidhyde, nearly 5 years ago
Ubiquiti did the same thing with their routers. They couldn’t understand why users had such a problem with their phone home feature that was on by default when the purpose of it was to ultimately “improve” the user experience. I didn’t buy their router as a result. I also removed Kaspersky from my computer because I didn’t like their phone home feature. Turns out they were selling my data despite holding my trust as a security company. DDG, don’t turn this into a PR nightmare. We don’t trust anyone anymore. Privacy policies are worthless. Nobody cares about favicons anyway.

Source: https://www.theregister.com/2019/11/07/ubiquiti_networks_phone_home/ https://palant.info/2019/08/19/kaspersky-in-the-middle-what-could-possibly-go-wrong/

CivBase, nearly 5 years ago
This is a bad look for a company that is trying to build its brand on privacy and trust. Even though I don't use the DDG browser I hope they own up to this, rectify it quickly, and learn from it.

jpangs88, nearly 5 years ago
The favicons on the DuckDuckGo browser are often worse than other browsers in my opinion. For example the BBC website where DDG interestingly enough just uses /favicon.ico and the other browsers use the apple touch icon. (Information I found from just looking at the page's headers)

Don't really understand why they do extra work to get worse results... This feels to me slightly worse than just a privacy concern, it's a misunderstanding of their domain which leads me to the question of what else do they not fully understand.

The good news is that you can have the DDG search engine as a default in other browsers.

(I understand that the DDG browser is probably not their main focus and any lack of knowledge can potentially be just on their mobile browser.)

tananaev, nearly 5 years ago
Very weak argument for why they do it. Using a service to retrieve a favicon? Surely there's a way to implement the same logic locally.
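
Added example, not part of any comment in this thread and not DuckDuckGo's code: a Python sketch of the client-side resolution discussed above, ordering icon candidates from the `<link>` tags of a page the browser has already loaded and falling back to `/favicon.ico`. The rank table, function names and sample page are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Preference among <link rel> values: an assumption of this example, not a standard.
REL_RANK = {"apple-touch-icon": 0, "apple-touch-icon-precomposed": 0,
            "icon": 1, "shortcut icon": 1}


def _largest(sizes: str) -> int:
    """Largest width in a sizes attribute such as "16x16 32x32"; 0 if absent or "any"."""
    best = 0
    for token in sizes.lower().split():
        width, _, height = token.partition("x")
        if width.isdigit() and height.isdigit():
            best = max(best, int(width))
    return best


class _IconLinks(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base = None
        self.found = []  # (rank, -size, href)

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "base" and attr.get("href") and self.base is None:
            self.base = attr["href"]
        rel = " ".join(attr.get("rel", "").lower().split())
        if tag == "link" and attr.get("href") and rel in REL_RANK:
            self.found.append((REL_RANK[rel], -_largest(attr.get("sizes", "")), attr["href"]))


def favicon_candidates(page_url: str, html: str) -> list:
    """Ordered icon URLs worked out on the client from the page it already loaded."""
    parser = _IconLinks()
    parser.feed(html)
    base = urljoin(page_url, parser.base) if parser.base else page_url
    urls = [urljoin(base, href) for _, _, href in sorted(parser.found)]
    urls.append(urljoin(page_url, "/favicon.ico"))  # conventional fallback location
    ordered = []
    for url in urls:
        # Inline data: icons need no fetch and other schemes are not fetched; skip both.
        if url.startswith(("http://", "https://")) and url not in ordered:
            ordered.append(url)
    return ordered


# Constructed sample page, not taken from any real site.
SAMPLE_URL = "https://www.news.example/world/article"
SAMPLE_HTML = """<html><head>
<link rel="Shortcut Icon" href="/static/fav.ico">
<link rel="icon" type="image/png" sizes="32x32" href="img/icon-32.png">
<link rel="icon" href="data:image/png;base64,AAAA">
<link rel="apple-touch-icon" sizes="180x180" href="//cdn.news.example/touch-180.png">
<link rel="stylesheet" href="/site.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for candidate in favicon_candidates(SAMPLE_URL, SAMPLE_HTML):
        print(candidate)
```

Every candidate is on a host the page itself names, so fetching it tells no third party which domain was visited.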

rickyc091, nearly 5 years ago
Looks like this was an issue posted in 2019. From the looks of it, the code remains unchanged.

https://github.com/duckduckgo/Android/blob/b2131d7d2f47fb09d88e1a7768c67454a639518b/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83

mhaberl, nearly 5 years ago
Product description (Play Store):

"Tired of being tracked online? We can help."

And then they track you.

Yes, that might not be intentional and is used "just" for the favicon, yes they might not use the info on the domains you visit for tracking you today, but the data is there.

Why not use that data tomorrow "just" to see what kinds of pages their customers (browser users) are visiting so they can better place their ads.. and then maybe some other idea.. this is a path that many such companies went ("don't be evil").

You either respect the user privacy or you don't - there is no middle "just for this little feature" ground

zeckalpha, nearly 5 years ago
Seems a bit much, but k-anonymity could work here. Hash the domain, take the prefix, get a batch of favicons back. They won’t know which you visited, but still get the benefits of consistent favicon support.
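
Added example, not part of any comment in this thread: the k-anonymity lookup suggested above, sketched in Python with a hypothetical in-memory `BucketServer` standing in for the remote service and a constructed corpus of `siteN.example` domains. The client sends only a hash prefix and matches the full hash locally; the size of the returned bucket is the anonymity set.

```python
import hashlib
from collections import defaultdict


def domain_hash(domain: str) -> str:
    """Hex SHA-256 of the normalised host name."""
    return hashlib.sha256(domain.strip().lower().rstrip(".").encode("utf-8")).hexdigest()


class BucketServer:
    """Stand-in for the remote favicon service (hypothetical, not DDG's API).

    Icons are indexed by the first `prefix_len` hex digits of the domain hash,
    and `request_log` records everything the server ever receives.
    """

    def __init__(self, icons: dict, prefix_len: int):
        self.prefix_len = prefix_len
        self.buckets = defaultdict(dict)
        for domain, icon in icons.items():
            digest = domain_hash(domain)
            self.buckets[digest[:prefix_len]][digest] = icon
        self.request_log = []

    def lookup(self, prefix: str) -> dict:
        if len(prefix) != self.prefix_len:
            raise ValueError("unexpected prefix length")
        self.request_log.append(prefix)
        return dict(self.buckets.get(prefix, {}))


def fetch_favicon(server: BucketServer, domain: str):
    """Client side: reveal only the hash prefix, match the full hash locally.

    Returns (icon_or_None, bucket_size). bucket_size is the anonymity set:
    how many known domains the server cannot tell apart for this request.
    """
    digest = domain_hash(domain)
    bucket = server.lookup(digest[: server.prefix_len])
    return bucket.get(digest), len(bucket)


def build_demo_server(prefix_len: int = 1, n: int = 200) -> BucketServer:
    """Constructed corpus: site0.example ... site{n-1}.example with fake icon bytes."""
    icons = {f"site{i}.example": f"ICON-{i}".encode() for i in range(n)}
    return BucketServer(icons, prefix_len)


if __name__ == "__main__":
    server = build_demo_server()
    icon, k = fetch_favicon(server, "site42.example")
    print("icon:", icon, "| anonymity set size:", k)
    print("server saw only:", server.request_log)
    # A domain outside the corpus yields no icon; the client would draw a placeholder.
    print(fetch_favicon(server, "unknown.example"))
```

A longer prefix shrinks each batch and the download, but also shrinks the anonymity set, so `prefix_len` is the privacy/bandwidth knob.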

niftylettuce, nearly 5 years ago
Formerly worked with DuckDuckGo

My advice:

Install ungoogled-chromium: https://github.com/Eloston/ungoogled-chromium

Install these extensions: https://github.com/gorhill/uBlock https://github.com/ilGur1132/Smart-HTTPS

There is also a Chromium extension that lets you install from Chrome Web Store: https://github.com/NeverDecaf/chromium-web-store

Set duckduckgo.com as your default search engine with a blank home page. But you could also use @pkrumins home pages of https://techurls.com or https://finurls.com as nice home pages.

Use Mullvad VPN: https://mullvad.net/ (They are EVEN available on F-Droid now, which is AMAZING)

Security harden your Android device: https://niftylettuce.com/posts/google-free-android-setup/

Security harden your Mac: https://gist.github.com/niftylettuce/39597a7b3bc0660ffe1e09d77588bcf6

*P.S.* If you need email forwarding for your domain name, you can use something I made. https://forwardemail.net - it is 100% open source.

Follow me @niftylettuce on GitHub and Twitter for more

marcinzm, nearly 5 years ago
This is concerning because it indicates a lack of care in terms of privacy and understanding that the best privacy is achieved by knowing the least. Does this approach permeate their backend as well?

bad_user, nearly 5 years ago
Speaking of leaks, I never understood why people use DDG's bangs.

By using bangs you're sending your search history to DDG even when using search engines that aren't DDG.

hota_mazi, nearly 5 years ago
> At DuckDuckGo, we do not collect or share personal information. That's our privacy policy in a nutshell

Except that you do, exactly in the way that the reporter of the issue explained to you.

But you choose to patronize them and ignore the issue.

renewiltord, nearly 5 years ago
Haha, amazing to witness. This is the problem with catering to this crowd: your audience is suddenly full of people who just want to see you fail. Good luck, DDG.

olafure, nearly 5 years ago
I think we're due a full disclosure on this favicon service, what information is collected and what is stored.

DDG has repeatedly said that they have "not collected any personal information".

For example,

1. Does the service store the fact that it got a request for a domain?

2. Does it store any ID along with that information and if so, how unique is that ID? How is it generated and what is it linked to?

3. What other information is stored along with the request?

4. How does DDG process this information?

5. Who has or can get access to this information?

sonicggg, nearly 5 years ago
Something is not adding up. Why would you go through so much trouble and over-engineer a favicon retrieval service? Really, favicon? Since when did they become so essential?

I'm pretty sure 90% of websites provide one in a standard way. If not, just draw a letter there, or anything.

But I don't know. I think that either there is more to this story, or DDG team completely lost common sense.

mikaeluman, nearly 5 years ago
I don't want to have to trust everything follows a policy.

It's much easier if I don't even have to trust you. Please change this.

lopmotr, nearly 5 years ago
Never mind privacy. How are favicons so complicated that they need a special service that understands edge cases? Just do it one standard way and if a minority of websites don't work, then exclude them. We've been through this mess before with all kinds of web standards devolving into mess.

foxhop, nearly 5 years ago
DDG mobile apps ~= Web Browser or == Web Browser

I think that distinction needs to be made. I think DDG should treat this app as a web browser which means phoning home to this endpoint is unacceptable.

Angeo34, nearly 5 years ago
Whoever ever put their trust into American for-profit companies which use slogans like "private secure and fast" should not be surprised at leaking all their data.

I never got how people trust companies like DDG or Brave. If you don't trust Google and Apple why would you trust a smaller company in the same jurisdiction. They will be forced to hand out all data as well regardless of what they say.

trashburger, nearly 5 years ago
From st3fan's links, this[0] seems to be something that DDG developers can use. Took me about 30 seconds to dig it up from the repository.

[0]: https://github.com/mozilla-mobile/android-components/tree/master/components/browser/icons

pochamago, nearly 5 years ago
This doesn't seem like an issue to me.

WClayFerguson, nearly 5 years ago
It is a hilarious excuse for DDG to claim they are doing this for a favicon. Even if DDG is legitimately not *using* the data they are definitely collecting the data.

The problem with that is that it requires users to "trust" DDG, which is not how the world works today. If you are a company that collects info, and you expect users to trust that the info will remain safe, secure, and never get misused, that is downright foolish for anyone to believe a word of that.

We all know that DDG cannot claim it's impossible for them to get hacked and have all that data leak out. Hacks happen all the time and so the solution for DDG is to simply NOT collect the data, rather than collect and claim it's all secure.

And we all also know DDG has (or will) get a NSL (National Security Letter) from the NSA to secretly turn over the data anyway, and when that does happen the DDG employees are not even allowed to admit it ever happened.

awinter-py, nearly 5 years ago
seems like the ticket author found this by reading code (presumably was grepping for duckduckgo.com URLs)

this would *never* happen with a consumer-facing product from apple or google; someone would have to MITM their whole OS to discover phone-home

akent, nearly 5 years ago
Do they release the source of the webservice? Seemingly not. This is extremely shady.

classified, nearly 5 years ago
By now it has been sufficiently proven that it is physically impossible to even exist without sending surveillance data to someone on the internet. We should probably update the laws of thermodynamics to include that.

polycaster, nearly 5 years ago
If DDG cannot fetch the favicon in a different, reasonable way, then the question is whether or not the ability to display a favicon in search results is really worth it.

Personally, no.

markholmes, nearly 5 years ago
Does this only occur in DuckDuckGo’s Android browser?

eightlimbed, nearly 5 years ago
Can someone please explain like I'm five how this line of code sends the domain a user visited to DDG's servers?

gowthamgts12, nearly 5 years ago
created a new issue to track this again: https://github.com/duckduckgo/Android/issues/876

Geee, nearly 5 years ago
I guess they collect statistics of the sites that people visit. This is anonymous but valuable information.

bangonkeyboard, nearly 5 years ago
*EDIT: I didn't notice that this topic was about the DDG browser (which I didn't know existed) and responded assuming this was about the site/extension. For a browser, yes, a client-side solution is possible and probably preferable. Please check and upvote other comment trees.*

This makes sense to me and is not alarming. Getting favicons actually is difficult to do robustly; many applications and websites use Google's service to do so, which then leaks the request to Google: https://www.google.com/s2/favicons?domain=ycombinator.com

Putting this logic in the client is not feasible. You want to send requests directly to every shady site that shows up in your search results, load their pages in the background, work through network delays and HTTP errors, and parse out the location/format of the favicon files?

DuckDuckGo hosting this functionality themselves is also a positive. They have previously been burned when the Web of Trust service they were originally using was found to be farming data, and turned it off immediately once discovered. Processing, hosting, and serving the icon themselves prevents that from happening again.

This is not to say that DDG is perfect: links you click do seem to be redirected through a /l/ page on their domain, which can cause problems: https://lapcatsoftware.com/articles/duckduckgo.html

coronadisaster, nearly 5 years ago
I don't really trust DuckDuckGo, but I use their search service because I trust Google less... I still trust Firefox more for a browser although it won't take much at this point to make me switch.

twirlock, nearly 5 years ago
I didn't know they had a browser. I'll have to give it a try. Can't be any worse than Google's browser. Or their OS. Or their video monopoly. Or their search monopoly. Or their secret partnerships with governments. Or their ad monopoly. Or their email monopoly.

glouwbug, nearly 5 years ago
Looks like it's time to ditch DuckDuckGo

rygh, nearly 5 years ago
Don't think it's air tight. But still better than most browsers.

BuckRogers, nearly 5 years ago
Essentially a way to collect where people are visiting. I believe them that it’s anonymous, this valuable info wouldn’t need to be identifiable to be of value.

They should probably change the behavior to how it’s suggested in the thread, but I’m still going to use DDG over alternatives for the bang feature.

tomtomtom777, nearly 5 years ago
I have a hard time understanding the problem.

The favicon is acquired from DDG servers for the result you've just retrieved from DDG servers.

How is this leaking anything? What additional privacy would you gain from getting the favicons from the domains directly of search results delivered by DDG?

TabbyCatKirk, nearly 5 years ago
Everyone is missing the point here. Let me break this down as simple as I can:

1. End user does a DDG search for "food"
2. The "food" query returns a list of search results, these results each have a link, DDG wants to display the favicon for each link.
3. To be clear, DDG does not store or log the IP address of the user doing the query. They do, however, know what was queried, so they know "somebody" somewhere searched for "food". They have to know this, they are a search engine after all.
4. Since DDG wants to show the favicon "privately", and they don't want to put that logic/work on the client side (which could leak your IP), so instead DDG finds the favicon internally.
5. A DDG server, completely separate from anything search-related is then tasked with finding the favicon for your "food" query results, let's say the #1 result is www.allrecipes.com, so a DDG server goes to www.allrecipes.com and finds the exact favicon location.
6. The "found" favicons are then stored in a cache, and displayed from the cache like this: https://external-content.duckduckgo.com/ip3/www.allrecipes.com.ico (and if no favicon is found in the local cache, you get a grey arrow by default)
7. I'd like to note, even with all this action, DDG doesn't know if you actually "visited" www.allrecipes.com, they simply know that some anonymous user did a search for "food", www.allrecipes.com was a search result, and a favicon was displayed. They don't know who searched for it because the user's IP is not stored anywhere, they don't know if you visited www.allrecipes.com, they prevented you from leaking your IP to allrecipes.com since they didn't force the end user to load the favicon.

So what's the issue? What am I missing here?

PS: You know this works because after doing all these searches for food and seeing allrecipes.com (and even clicking allrecipes.com result in the DDG Mobile App or browser extension), guess what? allrecipes.com doesn't follow you around with re-targeting ads! Why? Because DDG prevented that from happening!