An ethical hacker who goes by the username @cowreth has revisited an issue that was reported a year ago on GitHub as a bug. It was brushed under the carpet then for various overlapping reasons.
The Issue at Hand – Again
DuckDuckGo stores the favicons (the small website icons shown in the address bar and on bookmark tabs) of websites on a separate internal server hosted at the subdomain icons.duckduckgo.com.
Normally, when you visit a website, the browser fetches the favicon from the visited site's own server, or serves it from its local cache if a copy is still fresh. The DuckDuckGo Android browser, however, does not request the favicon from the visited site's server or use a locally cached copy (kept for a predetermined time); it instead asks icons.duckduckgo.com for the favicon of that site. In plain terms, the hostname of every site the user visits is transmitted to one of DuckDuckGo's servers without the user's consent.
The issue : https://t.co/99AgRxfJn5 The (re-)answer, this morning : https://t.co/TIThLXvK13 — Seb (@cowreth) July 2, 2020
DuckDuckGo’s official reason on the issue
DuckDuckGo has treated this as normal behaviour, citing bug reports that show favicon display is a complex exercise for its Android browser app, and pointing out that its privacy policy addresses how favicons are handled. A separate service is used because favicons are published in different formats and sizes. DDG also reiterates its promise not to collect any user information.
What is the norm?
While DDG is right that a favicon can be referenced from HTML in several ways, that does not convincingly explain why this data (the favicons and the hostnames of sites visited) is handled by a separate service rather than kept on the user's own device.
The Concern from users and experts
The data the DuckDuckGo Android browser app sends to its favicon service could be used to build profiles of individual users, or to learn the IP address from which a particular website was visited. Other major browsers store favicons and related data locally, relying less on the website's server; that has been the norm since Internet Explorer, the browser that introduced favicons. The W3C, which sets the web's standards, also describes this approach for favicons.
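To make the difference between the two lookups concrete, here is an added example (not code from the article, from DuckDuckGo, or from any browser) covering both the description of the Android app's behaviour above and the "What is the norm?" discussion. It resolves a favicon the conventional way (from the page's own <link rel="icon"> tag, falling back to /favicon.ico on the same origin), builds the third-party lookup URL the app would use instead, reports which host learns the visited hostname in each case, and keeps a small client-side cache with a lifetime. The article names only the subdomain icons.duckduckgo.com; the /ip3/<host>.ico path format used below is an assumption, and the sample HTML is constructed for the example.

```javascript
// Added example (not code from the article or from DuckDuckGo): contrasts the
// conventional, same-origin favicon lookup with a third-party favicon service.

const FAVICON_SERVICE = "https://icons.duckduckgo.com"; // subdomain named in the article
const FAVICON_SERVICE_PATH = "/ip3/"; // ASSUMPTION: the article does not give the path format

// Pull href values out of <link> tags whose rel contains "icon"
// (e.g. rel="icon" or rel="shortcut icon"). A real browser uses the DOM;
// a small regex parser keeps this example dependency free.
function findIconLinks(html) {
  const links = [];
  const linkRe = /<link\b[^>]*>/gi;
  let m;
  while ((m = linkRe.exec(html)) !== null) {
    const tag = m[0];
    const rel = /\brel\s*=\s*["']([^"']*)["']/i.exec(tag);
    const href = /\bhref\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (!rel || !href) continue;
    const rels = rel[1].toLowerCase().split(/\s+/);
    if (rels.includes("icon")) links.push(href[1]);
  }
  return links;
}

// The norm: resolve the favicon against the visited site's own origin and fall
// back to /favicon.ico. The only server contacted is the one the user chose to visit.
function resolveFaviconLocally(pageUrl, html) {
  const page = new URL(pageUrl);
  const candidates = findIconLinks(html);
  const href = candidates.length ? candidates[0] : "/favicon.ico";
  return new URL(href, page).toString();
}

// The behaviour the article describes: the visited hostname is embedded in a
// request to a DuckDuckGo-operated service instead of the visited site.
function thirdPartyFaviconUrl(pageUrl) {
  const host = new URL(pageUrl).hostname;
  return `${FAVICON_SERVICE}${FAVICON_SERVICE_PATH}${host}.ico`;
}

// Whoever receives the favicon request learns the hostname being visited and the
// client's IP address. The question is whether that is the visited site or a third party.
function disclosure(pageUrl, html) {
  const visitedHost = new URL(pageUrl).hostname;
  const local = new URL(resolveFaviconLocally(pageUrl, html));
  const remote = new URL(thirdPartyFaviconUrl(pageUrl));
  return {
    localRequestGoesTo: local.hostname,
    remoteRequestGoesTo: remote.hostname,
    hostnameLeakedToThirdParty: remote.hostname !== visitedHost,
  };
}

// A client-side cache keyed by origin with a fixed lifetime: repeat visits within
// the TTL make no favicon request at all, to anyone.
class FaviconCache {
  constructor(ttlMs, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now; // injectable clock so expiry can be exercised deterministically
    this.entries = new Map();
  }
  get(origin) {
    const entry = this.entries.get(origin);
    if (!entry) return null;
    if (this.now() - entry.storedAt > this.ttlMs) {
      this.entries.delete(origin); // stale: drop it and let the caller refetch
      return null;
    }
    return entry.url;
  }
  set(origin, url) {
    this.entries.set(origin, { url, storedAt: this.now() });
  }
}

// Constructed sample page; not a real site's markup.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="/s.css">
<link rel="shortcut icon" href="assets/fav.png">
</head><body></body></html>`;

const SAMPLE_PAGE = "https://example.com/blog/post";
console.log(resolveFaviconLocally(SAMPLE_PAGE, SAMPLE_HTML));
console.log(thirdPartyFaviconUrl(SAMPLE_PAGE));
console.log(disclosure(SAMPLE_PAGE, SAMPLE_HTML));
```

Run it with node and compare the two URLs: the first request stays on example.com, while the second carries the same hostname to icons.duckduckgo.com, which is exactly the disclosure the article is concerned about. The cache shows the alternative the "norm" section describes, where a fresh local copy means no request is made at all.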
DuckDuckGo CEO Acknowledges the Issue
After criticism started pouring in, DDG CEO Gabriel Weinberg posted on Hacker News acknowledging the issue, while reassuring users that the favicons are not used for anything other than displaying them in the Android browser. He then replied to comments on the thread, reiterating the company's commitment to user privacy. DuckDuckGo has committed to an update that fixes the issue soon.