DuckDuckGo browser seemingly sends domains a user visits to DDG servers

824 points| commotionfever | 5 years ago |github.com | reply

488 comments

[+] yegg|5 years ago|reply
Hi all, Founder and CEO of DuckDuckGo here. I’m literally just waking up and reading the comments here.

I’m new to this issue and happy to commit us to move to doing this locally in the browser and will have us move on that ASAP.

That said, I want to be clear that we did not and have not collected any personal information here. As other staff have referenced, our services are encrypted and throw away PII like IP addresses by design. However, I take the point that it is nevertheless safer to do it locally and so we will do that.

[+] tagawa|5 years ago|reply
DuckDuckGo staff here. As mentioned in the linked page, the purpose of the request is to retrieve a website's favicon so that it can be displayed in certain places within the app or on the results page. We use an internal favicon service because it can be complicated to locate a favicon for a website. They can be stored in a variety of locations and in a variety of formats. The service understands these edge cases and simplifies retrieval within our apps and our search engine.

Like our search results, the favicon service adheres to our strict privacy policy[1] in that the requests are anonymous and we do not collect or share any personal information.

[1] https://duckduckgo.com/privacy

[+] NotSammyHagar|5 years ago|reply
I appreciate you answering, probably knowing you'd face some negative feedback. Saying "we should trust you, it's for a good reason" is what Google and everyone else says. You'll be better off if you just end this. The loss of the fav icon is less important than keeping your credibility.
[+] dvdkhlng|5 years ago|reply
In Germany we have the words "Datensparsamkeit" (data parsimony) and "Datenvermeidung" (data prevention) [1]. Which Wikipedia merely translates as "Privacy by design" [2].

DDG is unnecessarily producing (aggregating), transmitting (and collecting?) very sensitive user data here, which is just the opposite of data protection. I can't even understand why they try to justify their actions. It's like omitting the seat-belt in a car, then telling customers that this was required to make the in-car entertainment system more usable.

[1] https://de.wikipedia.org/wiki/Datenvermeidung_und_Datenspars...

[2] https://en.wikipedia.org/wiki/Privacy_by_design

[+] ajnin|5 years ago|reply
You really can't use "we promise we won't misuse the information" as an argument, that's what everyone says whether it's true or not, and the whole point of using a privacy-centric browser is that as a user you can't trust those kinds of promises.
[+] fiddlerwoaroof|5 years ago|reply
This doesn’t make sense for a browser: just embed the service’s logic in the browser, the browser has all the same information the service could get.
[+] ViViDboarder|5 years ago|reply
Complicated code can run just fine on device.

I’ve been an avid DDG user for years and it worries me that DDG staff don’t see why this is an issue. We shouldn’t have to trust your privacy policy if you minimize exposure.

[+] jacquesm|5 years ago|reply
Does Gabriel know about this? If not could you please clue him in and get some guidance because you are absolutely getting roasted here and are wrecking DDG's carefully built up reputation. I can easily see how this might seem to be a good idea to you and other DDG engineers but it goes 180 degrees against DDG's stated mission. In other words: you may be well outside your paygrade on this.
[+] byteshock|5 years ago|reply
I’m very disappointed in how you guys responded to this. As a privacy focused company I would not have expected an answer that sounds like it came from a data collecting company like Google.

I just switched to DDG browser a week ago and will now be looking for a new browser. I hope you know this is not an appropriate response to the situation. Especially because all you guys do is preach about how much you protect your users’ privacy. Now you’re here asking us to trust you not to abuse our data and just linking us your privacy policy. I’m sad to say that my faith in the DuckDuckGo company and team is now lost.

[+] mysterydip|5 years ago|reply
Are all these edge cases part of the html/w3c/whichever standard? If not, let the edge cases fail. I'm not going to lose sleep over an icon not showing for a site I'm visiting once.
[+] ddevault|5 years ago|reply
I'll state this in no uncertain terms: this is not acceptable, and you need to stop doing it. It makes sense on your search engine, but adding it to your web browser is very much over the line.

I have read your explanations in good faith and they don't cut it. This behavior cannot continue. Good privacy promises are not based on trust - they're based on not ever handling private data in the first place. If you don't quickly admit your mistake and roll this back, it will jeopardize your entire brand - and rightfully so. If you believe this behavior is okay, then it demonstrates incompetence; if you don't believe this behavior is okay but do it anyway, it demonstrates malice.

This is the one thing you Should Not Have Done.

[+] beshrkayali|5 years ago|reply
I'm surprised at how you're handling this. DDG is supposed to be friendly to privacy-aware users. You're dismissing people's valid points and asking them to trust you, just like any other privacy-non-friendly service would do.

Edit: I'm speculating here. But specifically because of the way you've replied here and on GitHub, my actual level of trust in DDG team went down.

[+] Mandatum|5 years ago|reply
What a bizarre potential privacy flaw to introduce for a tiny little icon nobody cares about. I understand it, usability and UX is important - but you guys are DDG! Come on! Your customers all have tinfoil hats!
[+] Igelau|5 years ago|reply
At this point we're all well aware why the app phones home. Continuing to spout that like it's some ward against the fact that this is a very real vulnerability is an insult. Trust me, your target audience doesn't give a crap if favicons work; they care that DDG acknowledges the risk of a glaringly obvious vulnerability. Who do you even think you're arguing with on HN and GitHub? My children can't multiply yet but they'd be able to understand why this is bad practice.

The repeated handwaving that no one in your company is ever going to do something bad or stupid when the browser phones home for what amounts to a cute sticker is extremely suspicious.

[+] ximeng|5 years ago|reply
You're repeating what's on that page, which is exactly what everyone is worried about in the first place.
[+] MrGilbert|5 years ago|reply
Maybe I'm too old for this, but wasn't a favicon supposed to be located at "fancy.url/favicon.ico", or alternatively as a "<link rel="shortcut icon" \>"?

Curious to know why this is an issue.
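As an added illustration (not part of the thread and not DuckDuckGo's code), the on-device lookup several commenters ask for can be done from HTML the browser has already fetched, so no third party learns the domain. The function and class names and the sample page are constructed for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

ICON_RELS = {"icon", "apple-touch-icon", "apple-touch-icon-precomposed"}

def _largest(sizes):
    """Largest width declared in a sizes="16x16 32x32" attribute, 0 if none."""
    best = 0
    for token in sizes.lower().split():
        w, _, h = token.partition("x")
        if w.isdigit() and h.isdigit():
            best = max(best, int(w))
    return best

class _IconLinks(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base = None
        self.icons = []  # (href, largest declared size), in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]
        elif tag == "link" and a.get("href"):
            # rel is a space-separated token list: "shortcut icon" contains "icon"
            if set(a.get("rel", "").lower().split()) & ICON_RELS:
                self.icons.append((a["href"], _largest(a.get("sizes", ""))))

def favicon_candidates(page_url, html):
    """Ordered icon URLs to try locally: declared icons, then /favicon.ico."""
    p = _IconLinks()
    p.feed(html)
    base = urljoin(page_url, p.base) if p.base else page_url
    ranked = sorted(p.icons, key=lambda i: -i[1])  # stable: ties keep page order
    urls = [urljoin(base, href) for href, _ in ranked]
    urls.append(urljoin(page_url, "/favicon.ico"))
    out = []
    for u in urls:  # drop data:/javascript: hrefs and duplicates
        if u.startswith(("http://", "https://")) and u not in out:
            out.append(u)
    return out

if __name__ == "__main__":
    # Constructed sample page
    sample = '<link rel="shortcut icon" href="/static/fav.ico">'
    print(favicon_candidates("https://intranet.example.test/wiki/page", sample))
```

Because the lookup runs on the client, it also works for intranet and login-only pages that a remote service could not reach.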

[+] iandanforth|5 years ago|reply
This is obviously an insufficient answer. Why risk your one selling point on such a trivial bit of code?
[+] rezonant|5 years ago|reply
Doubling down is fairly ridiculous when one has to imagine the original reason for doing this was to save on time and engineering for the app by leveraging what DDG had already built, but a mindful response would be that you are aware of the downsides of this approach and you'll be working to change it.

Besides, how do you handle Intranet, VPN sites, and auth-only sites where DDG's god-tier favicon parser in the cloud couldn't fetch the URL anyway?

[+] SimeVidas|5 years ago|reply
How can users turn this off?
[+] bn7t|5 years ago|reply
Please choose another hill to die on. This is just not worth it. Clearly it's possible to do this on device like Mozilla did it.
[+] alistproducer2|5 years ago|reply
The reviews are in for this response and they are bad. It's concerning that given the reaction it got, there's no edit addressing the concerns. The HN audience has to be the power user, bread and butter of a product like this and when you see a company ignore the concerns of a key constituency like this, their future almost never looks bright.
[+] ComodoHacker|5 years ago|reply
Technical aspects aside, don't you agree it's a legitimate privacy concern from the user's point of view?
[+] gap|5 years ago|reply
It’s amazing how tone deaf technologists can be when it comes to privacy, even when they have nothing to gain by exploiting the user’s data. DDG’s response reminds me of Mark Shuttleworth’s argument that they “have root”, so we can trust them with our life.

Dear DDG, you are getting complaints on GitHub and Hacker News. This is not the general public, it’s people who understand the issue. You should definitely reconsider whether you’re doing something wrong.

[+] dna_polymerase|5 years ago|reply
> We use an internal favicon service because it can be complicated to locate a favicon for a website

That must be the worst justification for this possible. Favicons. Complicated to locate? Who are you trying to fool, 5 year olds?

[+] aronpye|5 years ago|reply
The road to hell is paved with good intentions. At the end of the day, your privacy policy is just a bunch of words with nothing to actually prevent you from abusing the data collected. Instead of us relying on DuckDuckGo to act ethically, just don’t collect the data in the first place.
[+] bluetwo|5 years ago|reply
Can you tell, for instance, how many of your users visited site A?

Can you tell how many visited site A and also site B?

[+] izietto|5 years ago|reply
You are just repeating what's already written in the link, it isn't very useful. Try to address users' concerns instead.
[+] bluesign|5 years ago|reply
Sorry but this is not enough reason. There is a simple question you should ask yourself.

- Would you be ok to use a third party for this with same privacy policy?

[+] Sir_Substance|5 years ago|reply
I don't know how you can misunderstand your core demographic this badly mate.

If you think the next time I hit the shitter I'm not going to be looking for a new browser, you're dead wrong.

Just do the basic checks and then fall back to a DDG logo, no one cares that much about the favicon.

[+] throwaway_pdp09|5 years ago|reply
There's an interesting disease showing up here in the responses.

I accept DDG's statement that this is about a favicon and that they "do not collect or share any personal information", and despite that, I also agree with others that DDG should be on the safe side and just stop doing this small thing. It's just the safer and more moral thing to do (So DDG, as many are suggesting, plz stop doing it. Today is good).

But... the reaction here is "they made a mistake, let's pile on like kids in a playground" ignoring the genuinely huger issue of the amount of info and mining that Google et al. do. There's no measure of proportion in the responses, someone is making a mistake then there's a wolfish, pack-like desire to get stuck in and hurt someone.

Which is why politicians rarely admit mistakes, because it's taken as a sign of weakness, not strength, to admit you were wrong. DDG isn't the big evil on the web but from reading some of these you'd think it was the 2nd Google.

This isn't about DDG, just the proportionality of responses in public errors and what society you'd like to have.

(no affiliation to DDG)

[+] davidhyde|5 years ago|reply
Ubiquiti did the same thing with their routers. They couldn’t understand why users had such a problem with their phone home feature that was on by default when the purpose of it was to ultimately “improve” the user experience. I didn’t buy their router as a result. I also removed Kaspersky from my computer because I didn’t like their phone home feature. Turns out they were selling my data despite holding my trust as a security company. DDG, don’t turn this into a PR nightmare. We don’t trust anyone anymore. Privacy policies are worthless. Nobody cares about favicons anyway.

Source: https://www.theregister.com/2019/11/07/ubiquiti_networks_pho... https://palant.info/2019/08/19/kaspersky-in-the-middle-what-...

[+] CivBase|5 years ago|reply
This is a bad look for a company that is trying to build its brand on privacy and trust. Even though I don't use the DDG browser I hope they own up to this, rectify it quickly, and learn from it.
[+] jpangs88|5 years ago|reply
The favicons on the DuckDuckGo browser are often worse than other browsers in my opinion. For example the BBC website where DDG interestingly enough just uses /favicon.ico and the other browsers use the apple touch icon. (Information I found from just looking at the page's headers)

Don't really understand why they do extra work to get worse results... This feels to me slightly worse than just a privacy concern, it's a misunderstanding of their domain which leads me to the question of what else do they not fully understand.

The good news is that you can have the DDG search engine as a default in other browsers.

(I understand that the DDG browser is probably not their main focus and any lack of knowledge can potentially be just on their mobile browser.)

[+] tananaev|5 years ago|reply
Very weak argument for why they do it. Using a service to retrieve a favicon? Surely there's a way to implement the same logic locally.
[+] mhaberl|5 years ago|reply
Product description (play store):

"Tired of being tracked online? We can help."

And then they track you.

Yes, that might not be intentional and is used "just" for the favicon, yes they might not use the info on the domains you visit for tracking you today, but the data is there.

Why not use that data tomorrow "just" to see what kinds of pages their customers (browser users) are visiting so they can better place their ads.. and then maybe some other idea.. this is a path that many such companies went ("don't be evil").

You either respect the user privacy or you don't - there is no middle "just for this little feature" ground

[+] zeckalpha|5 years ago|reply
Seems a bit much, but k-anonymity could work here. Hash the domain, take the prefix, get a batch of favicons back. They won’t know which you visited, but still get the benefits of consistent favicon support.
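The hash-prefix lookup suggested in the comment above, sketched as an added example (not part of the thread and not DuckDuckGo's service). `FaviconIndex`, `lookup`, the prefix width and the `siteN.example` domains are all assumptions made for the sketch; the server is simulated in-process so the code shows exactly what it would see.

```python
import hashlib

def domain_hash(domain):
    """SHA-256 of the normalised host name, as lowercase hex."""
    name = domain.strip().lower().rstrip(".")
    return hashlib.sha256(name.encode("utf-8")).hexdigest()

class FaviconIndex:
    """Stand-in for the server: icons keyed by the full domain hash."""
    def __init__(self, icons):
        self._by_hash = {domain_hash(d): icon for d, icon in icons.items()}
        self.seen = []  # everything a request reveals to the server

    def bucket(self, prefix):
        self.seen.append(prefix)
        return {h: i for h, i in self._by_hash.items() if h.startswith(prefix)}

def lookup(index, domain, prefix_hex=4):
    """Send only the first prefix_hex hex digits; match the full hash locally.

    Returns (icon or None, bucket size). The bucket size is the k in
    k-anonymity: how many known domains the request could have been for.
    """
    full = domain_hash(domain)
    batch = index.bucket(full[:prefix_hex])
    return batch.get(full), len(batch)

if __name__ == "__main__":
    # Constructed index of 200 placeholder domains
    index = FaviconIndex({f"site{i}.example": f"icon-{i}" for i in range(200)})
    icon, k = lookup(index, "site42.example", prefix_hex=1)
    print(icon, "hidden among", k, "domains; server saw", index.seen)
```

The visit is hidden only among the known domains sharing the prefix, so a short prefix over a large index gives a large anonymity set at the cost of a bigger response. A host the index has never seen gets an empty bucket and needs a local fallback.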
[+] niftylettuce|5 years ago|reply
Formerly worked with DuckDuckGo

My advice:

Install ungoogled-chromium: https://github.com/Eloston/ungoogled-chromium

Install these extensions: https://github.com/gorhill/uBlock https://github.com/ilGur1132/Smart-HTTPS

There is also a Chromium extension that lets you install from Chrome Web Store: https://github.com/NeverDecaf/chromium-web-store

Set duckduckgo.com as your default search engine with a blank home page. But you could also use @pkrumins home pages of https://techurls.com or https://finurls.com as nice home pages.

Use Mullvad VPN: https://mullvad.net/ (They are EVEN available on F-Droid now, which is AMAZING)

Security harden your Android device: https://niftylettuce.com/posts/google-free-android-setup/

Security harden your Mac: https://gist.github.com/niftylettuce/39597a7b3bc0660ffe1e09d...

P.S. If you need email forwarding for your domain name, you can use something I made. https://forwardemail.net - it is 100% open source.

Follow me @niftylettuce on GitHub and Twitter for more

[+] marcinzm|5 years ago|reply
This is concerning because it indicates a lack of care in terms of privacy and understanding that the best privacy is achieved by knowing the least. Does this approach permeate their backend as well?
[+] bad_user|5 years ago|reply
Speaking of leaks, I never understood why people use DDG's bangs.

By using bangs you're sending your search history to DDG even when using search engines that aren't DDG.

[+] hota_mazi|5 years ago|reply
> At DuckDuckGo, we do not collect or share personal information. That's our privacy policy in a nutshell

Except that you do, exactly in the way that the reporter of the issue explained to you.

But you choose to patronize them and ignore the issue.

[+] renewiltord|5 years ago|reply
Haha, amazing to witness. This is the problem with catering to this crowd: your audience is suddenly full of people who just want to see you fail. Good luck, DDG.
[+] olafure|5 years ago|reply
I think we're due a full disclosure on this favicon service, what information is collected and what is stored.

DDG has repeatedly said that they have "not collected any personal information".

For example,

1. Does the service store the fact that it got a request for a domain?

2. Does it store any ID along with that information and if so, how unique is that ID? How is it generated and what is it linked to?

3. What other information is stored along with the request?

4. How does DDG process this information?

5. Who has or can get access to this information?

[+] sonicggg|5 years ago|reply
Something is not adding up. Why would you go through so much trouble and over-engineer a favicon retrieval service? Really, favicon? Since when did they become so essential?

I'm pretty sure 90% of websites provide one in a standard way. If not, just draw a letter there, or anything.

But I don't know. I think that either there is more to this story, or DDG team completely lost common sense.

[+] mikaeluman|5 years ago|reply
I don't want to have to trust everything follows a policy.

It's much easier if I don't even have to trust you. Please change this.

[+] lopmotr|5 years ago|reply
Never mind privacy. How are favicons so complicated that they need a special service that understands edge cases? Just do it one standard way and if a minority of websites don't work, then exclude them. We've been through this mess before with all kinds of web standards devolving into mess.