Services like DuckDuckGo thrive because of their focus on users’ privacy. Nonetheless, a researcher observed that this service potentially behaved somewhat like Google: due to a glitch, the DuckDuckGo Android browser could potentially collect users’ browsing data. DuckDuckGo has now fixed the bug. They have also made it clear that the service did not collect any user data, respecting their users’ privacy.
DuckDuckGo Glitch Allowed Collecting Browsing Data
Reportedly, a researcher with the Twitter handle Cowreth noticed that DuckDuckGo could potentially collect users’ browsing data. In his tweet, he said that DuckDuckGo stealthily tracked which websites users visited.
The @DuckDuckGo android browser sneakily gathers *ALL DOMAINS* you're visiting, and their only answer is : "trust us, we have a privacy policy". Reminds me the good ol' "don't be evil".
The issue : https://t.co/99AgRxfJn5
The (re-)answer, this morning : https://t.co/TIThLXvK13
— ⠵ koreth ⠵ (@cowreth) July 2, 2020
Briefly, the issue lay in how the DuckDuckGo browser handled websites’ favicons. The browser did not fetch the favicons from the websites directly. Rather, whenever a user requested a website, the DuckDuckGo Android browser would send a request to DuckDuckGo’s own server, icons.duckduckgo.com, to fetch the favicon.
That is where the issue resides: this behavior seemingly allowed the service to track whatever websites users visited.
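To check an app's traffic for this kind of disclosure, the following added example (not code from DuckDuckGo or from the researcher) scans a capture of page visits and the requests that followed, and reports which visited hostnames were sent to a third-party host. It goes beyond the favicon case to cover any third-party request that carries the visited hostname in its path or query. The capture is constructed, and the `/ip3/<domain>.ico` path layout and the `thirdparty.example.test` host are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed capture: (page the user opened, request the browser then issued).
# The favicon path layout below is an assumption, not taken from the article.
CAPTURE = [
    ("https://example.org/news", "https://example.org/static/app.js"),
    ("https://example.org/news", "https://icons.duckduckgo.com/ip3/example.org.ico"),
    ("https://shop.example.net/cart", "https://icons.duckduckgo.com/ip3/shop.example.net.ico"),
    ("https://shop.example.net/cart", "https://shop.example.net/favicon.ico"),
    ("https://example.com/", "https://cdn.example.test/lib.js"),
    ("https://example.com/", "https://thirdparty.example.test/i?u=https%3A%2F%2Fexample.com%2F"),
]

def is_first_party(page_host, req_host):
    """Same host, or one is a subdomain of the other."""
    return (req_host == page_host
            or req_host.endswith("." + page_host)
            or page_host.endswith("." + req_host))

def disclosed_hosts(capture):
    """Map each third-party host to the visited hostnames it was told about."""
    leaks = defaultdict(set)
    for page_url, req_url in capture:
        page_host = (urlsplit(page_url).hostname or "").lower()
        req = urlsplit(req_url)
        req_host = (req.hostname or "").lower()
        if not page_host or not req_host or is_first_party(page_host, req_host):
            continue
        # Decode percent-encoding so hostnames hidden in query values are seen.
        haystack = unquote(req.path + "?" + req.query).lower()
        # Boundaries keep "example.org" from matching inside "notexample.org".
        pattern = r"(?<![a-z0-9.-])" + re.escape(page_host) + r"(?![a-z0-9-])"
        if re.search(pattern, haystack):
            leaks[req_host].add(page_host)
    return {host: sorted(sites) for host, sites in leaks.items()}

if __name__ == "__main__":
    for host, sites in disclosed_hosts(CAPTURE).items():
        print(f"{host} learned about: {', '.join(sites)}")
```

A browser that fetches favicons directly from each site, as the fixed version does, produces no entry for the favicon server in this report.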
Regarding why DuckDuckGo exhibited this behavior, their Privacy Policy reads,
These favicons are requested from our servers rather than from websites directly, because it can be surprisingly complicated to locate a favicon for a website — they can be stored in a variety of locations and in a variety of formats. We’ve developed our behind-the-scenes service to understand these edge cases and simplify retrieval within our app and search engine.
Search Engine Fixed The Bug
This matter had already surfaced on GitHub around a year ago, but DuckDuckGo paid no heed at that time. Hence, Cowreth recently highlighted the matter again.
This time, however, DuckDuckGo paid attention and reopened the matter on GitHub. Clarifying their stance on users’ privacy, the DuckDuckGo CEO commented,
I want to be clear that we did not and have not collected any personal information here. As other staff have referenced, our services are encrypted and throw away PII like IP addresses by design. However, I take the point that it is nevertheless safer to do it locally and so we will do that.
Consequently, they developed and released a fix that removes the code responsible for this browser behavior. The browser will now fetch favicons directly from the websites, as explained on GitHub.
With the glitch fixed, users may continue to use the service. Likewise, we expect DuckDuckGo to continue respecting users’ privacy at all costs, the very thing they advocate for.