Privacy-focused search engine makes changes to favicon handling, per user request

DuckDuckGo is a privacy-focused organization offering a popular search engine that doesn’t store results or personal information, in direct opposition to Google.

However, when founder and CEO Gabriel Weinberg woke up on Thursday morning, he was met with a new narrative for the company – one that rode on a wave of concern and criticism relating to a ‘design flaw’ that could expose the information of users.

The issue at hand is how DuckDuckGo fetches favicons, bookmark images associated with a website domain.

First submitted as an issue in July 2019, GitHub user Tritonio flagged the offending script, saying: “This seems to be leaking all(?) the domains that users visit to your servers.”

The script in the Android version of the DuckDuckGo application showed that favicon fetching was routed through DuckDuckGo systems, rather than made via direct website requests.

Daniel “tagawa” Davis, communications manager at DuckDuckGo, said at the time that the “internal” favicon service was used to simplify the favicon location process, but as the service is rooted in DuckDuckGo’s existing systems, the script adhered to the company’s privacy policy which pledges not to collect or store any personal user information.

The case was then closed.

However, when the issue became public on the GitHub tracker this week, this assurance was not enough for everyone.

Some users requested that the case be re-examined, citing potential information leaks caused by the script choice, considered by some as an inherent ‘design’ flaw or human error.

No saved data

In response to the discussion concerning the favicon telemetry, Weinberg said he was “happy to commit us to move to doing this locally in the browser” and will address it as a matter of priority.

He added that as DuckDuckGo’s services are encrypted and “throw away PII [personally identifiable information] like IP addresses by design”, no information was collected, stored, or leaked.

The company’s slogan is “Privacy Simplified”. It is this concept, Weinberg told The Daily Swig, that led to the rapid decision in changing how favicons are managed.

Weinberg acknowledged that there is an ongoing security debate concerning which option for fetching favicons is more secure, and arguments can be made for each choice – but added they both offer “basically a similar amount” of privacy.

He explained that there are pros and cons to either method available. You can ask a browser to connect to a website and fetch the favicon – potentially making multiple requests in the process – or you can use the firm’s encrypted service.

Read more of the latest browser security news

While this requires a separate request to a distinct domain that traverses another path on the internet, it is a known trusted and anonymous service.

“If you use our anonymous service, it’s a known anonymous service,” Weinberg told us.

“You’re already connected to DuckDuckGo because you’re using the app. It’s not that it is leaking any more information, because you conduct a search with us which has the favicons anyway.”

DuckDuckGo’s service is also faster and uses less bandwidth as the service is running server-side and favicons are cached, Weinberg says.

However, the disadvantage is that the server-side option makes it “look like you can be tracked… and [it] looks worse” by having a ‘phone home’ request sent to servers.

The internal method was the chosen approach.

Direct line

In light of user concerns and the “perception that it is less private”, engineers were quick to change tactics and switch to the direct route.

According to DuckDuckGo’s CEO, the company does not want users to have to understand complex nuances in order to feel safe, which would fly in the face of the company’s simple privacy promise. Instead, the organization wants users to simply feel that their privacy is protected.

“We want to do what our users want… as long as it’s private,” the executive told us. ”If everyone really wants this way, we are okay doing that.”

The Android change has already been rolled out and the iOS version has been submitted for review, per Apple’s rules.

“We are glad people are giving us feedback,” Weinberg added. “There was never any personal information exposed and we want to keep to our product vision and Privacy Simplified [message], implementing things in the simplest way and the most private way.”

RECOMMENDED Behave! browser extension alerts users to website port scanning, DNS rebinding