Closed keithsibson closed 2 years ago
I looked into our blocklist and found we are just blocking a script called user.js on lightboxcdn.com. Looking at our tracker-radar crawl data for lightboxcdn.com (https://github.com/duckduckgo/tracker-radar/blob/66c099126034388ff1f9fc0168200e8397d33714/domains/US/lightboxcdn.com.json#L196-L220) I can see that this script regularly uses multiple JS APIs which are associated with browser fingerprinting. In order to protect our users from fingerprinting we block such scripts in our browsers and extension.

Further debugging on your https://powerstep.com/pages/insole-finder example, I can see that the script https://www.lightboxcdn.com/vendor/835371ef-cf06-45c9-995e-67c81f074cf5/user.js is loaded. This code creates a global DeviceAtlas which seems to be one of the sources of these fingerprinting calls and is extracting a property list of device features, akin to a browser fingerprint. It seems possible that this code snippet may be associated with DeviceAtlas (https://deviceatlas.com/products/web), which offers features around identifying individual devices, which seems to confirm the suspicion that this code is actually generating a browser fingerprint.

In summary, we're blocking this script because it is fingerprinting users' browsers. To get this script unblocked, I would advise you to remove the fingerprinting code from it. Once you have done that, as we run our crawls monthly, it should only take around a month until our next blocklist update removes this entry from the blocklist.
Thank you Sam for your research findings and detailed response. Digioh does use DeviceAtlas, but not for fingerprinting. Instead it allows targeting/personalization based on region and device type. For example, if the user is in the EU, we would show GDPR compliant forms with affirmative opt-in. And/or, if the user is on iOS or Android, we'd show different app store links, or different creative, for example. We could remove DeviceAtlas for specific websites (e.g. powerstep.com) but cannot disable it across the board, so if the blocking issue is on user.js "by association" with DeviceAtlas, then aside from porting to something other than DeviceAtlas I'm not sure how we can address this. Any alternative to DeviceAtlas may trigger the same suspicion of fingerprinting... Any suggestions?
On Thu, Feb 10, 2022 at 10:52 AM Sam Macbeth wrote:
I would look at trying to reduce the calls to such APIs to as few as possible; our fingerprinting detection calculates the likelihood that each API is used for fingerprinting and then generates a score based on the set used. Therefore, using fewer APIs reduces the likelihood your script will be blocked for fingerprinting.

For your use-case, it seems unlikely that you need to check the client's battery level (Navigator.prototype.getBattery), screen colorDepth, the mimeTypes recognised by the browser, the exact device orientation in degrees (DeviceOrientationEvent.prototype.alpha), nor do you need to check all of cookies, localStorage and indexedDB. If DeviceAtlas are doing all this automatically, you could perhaps ask them to not eagerly check all these APIs, or look for a less invasive alternative.
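The two comments above describe a set-based scoring model (a likelihood per API, combined over the APIs a script actually calls) and name the specific APIs that pushed user.js over the line. As an added example, not code from this thread, from tracker-radar, Digioh or DeviceAtlas, the Node script below shows how a tag author can audit which of those APIs a third-party script touches, and why a set-based score rewards touching fewer of them. The watched-API list, the weights, the noisy-OR combination and the 0.8 threshold are illustrative assumptions, not the numbers tracker-radar uses; the fake browser object and the two "tags" are constructed so the example runs offline. In a real browser you would pass `window` to `instrument()` and then load the vendor script.

```javascript
// Added example: hook fingerprinting-associated browser APIs, record which ones a
// script reads, and score the set. Not DuckDuckGo, tracker-radar, Digioh or
// DeviceAtlas code; list, weights, noisy-OR and threshold are assumptions.

// APIs named in the thread, plus userAgent as the low-risk "device type" read.
// `owner` is a dotted path below the root object ('' means the root itself).
const WATCHED_APIS = [
  { owner: 'navigator', prop: 'getBattery', weight: 0.9 },
  { owner: 'navigator', prop: 'mimeTypes', weight: 0.7 },
  { owner: 'screen', prop: 'colorDepth', weight: 0.6 },
  { owner: 'DeviceOrientationEvent.prototype', prop: 'alpha', weight: 0.8 },
  { owner: 'document', prop: 'cookie', weight: 0.3 },
  { owner: '', prop: 'localStorage', weight: 0.3 },
  { owner: '', prop: 'indexedDB', weight: 0.3 },
  { owner: 'navigator', prop: 'userAgent', weight: 0.1 },
];
const THRESHOLD = 0.8; // assumed cut-off above which a script is treated as a fingerprinter

const keyOf = (s) => (s.owner ? `${s.owner}.${s.prop}` : s.prop);

function resolve(root, path) {
  return path === '' ? root : path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), root);
}

// Property descriptor from the object or its prototype chain (getters live on prototypes).
function findDescriptor(obj, prop) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  return undefined;
}

// Replace each watched property with an accessor that records the read, then
// delegates to the original value or getter. restore() undoes the hooks.
function instrument(root, specs = WATCHED_APIS) {
  const used = new Set();
  const restores = [];
  for (const spec of specs) {
    const target = resolve(root, spec.owner);
    if (!target) continue;                       // API absent in this environment
    const desc = findDescriptor(target, spec.prop);
    if (!desc || !desc.configurable) continue;   // cannot hook a non-configurable property
    const key = keyOf(spec);
    const hadOwn = Object.prototype.hasOwnProperty.call(target, spec.prop);
    Object.defineProperty(target, spec.prop, {
      configurable: true,
      enumerable: desc.enumerable,
      get() { used.add(key); return desc.get ? desc.get.call(this) : desc.value; },
      set(v) { if (desc.set) desc.set.call(this, v); else desc.value = v; },
    });
    restores.push(() => (hadOwn ? Object.defineProperty(target, spec.prop, desc) : delete target[spec.prop]));
  }
  return { used, restore: () => restores.forEach((f) => f()) };
}

// Noisy-OR: each API read is independent evidence, so the score grows with the
// size of the set; this is what makes "use fewer APIs" lower the score.
function score(used, specs = WATCHED_APIS) {
  let pNotFingerprint = 1;
  for (const spec of specs) if (used.has(keyOf(spec))) pNotFingerprint *= 1 - spec.weight;
  return 1 - pNotFingerprint;
}

// Constructed stand-in for `window` so the example runs under Node.
function makeFakeBrowser() {
  class DeviceOrientationEvent {
    constructor(alpha) { this._alpha = alpha; }
    get alpha() { return this._alpha; }
  }
  return {
    navigator: {
      userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)',
      mimeTypes: [],
      getBattery() { return Promise.resolve({ level: 0.5 }); },
    },
    screen: { colorDepth: 24 },
    document: { cookie: '' },
    localStorage: { getItem: () => null },
    indexedDB: { databases: () => Promise.resolve([]) },
    DeviceOrientationEvent,
  };
}

// Two constructed "tags": one eagerly probes everything listed in the thread,
// the other reads only what device-type targeting needs.
function eagerDeviceProbe(win) {
  const n = win.navigator;
  return {
    ua: n.userAgent, battery: n.getBattery(), mimes: n.mimeTypes.length,
    depth: win.screen.colorDepth, orient: new win.DeviceOrientationEvent(12).alpha,
    cookie: win.document.cookie, ls: !!win.localStorage, idb: !!win.indexedDB,
  };
}
function minimalTargeting(win) {
  return { isIOS: /iPhone|iPad/.test(win.navigator.userAgent) };
}

// Run a tag against an instrumented fake browser and report what it touched.
function audit(tag, root = makeFakeBrowser()) {
  const probe = instrument(root);
  try { tag(root); } finally { probe.restore(); }
  const s = score(probe.used);
  return { used: [...probe.used].sort(), score: s, blocked: s >= THRESHOLD };
}

console.log(JSON.stringify(audit(eagerDeviceProbe))); // score ~0.999, blocked: true
console.log(JSON.stringify(audit(minimalTargeting)));  // score ~0.1, blocked: false
```

The hooks are accessor properties, so they catch reads through any alias (`win.navigator` cached in a local still goes through the getter), but they cannot see what a script infers from values it was going to read anyway; the audit tells you which APIs are touched, not why. Running it before and after removing a probe is a quick way to check that a change such as dropping the `getBattery` and `DeviceOrientationEvent` reads actually moves the score.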
Digioh is a JavaScript tag that provides tools for site owners to do newsletter signups, content walls, and product recommendation widgets on their site. DuckDuckGo is blocking the Digioh CDN domain www.lightboxcdn.com, which causes sites not to function correctly. Two examples:

https://www.adweek.com - premium content wall does not function
https://powerstep.com/pages/insole-finder - insole finder does not function
There are hundreds of sites that are (to a greater or lesser degree) functionally broken by this blocking. Can we please add an exception for www.lightboxcdn.com?