StartPage has apparently started to fingerprint users

According to this Reddit post, it appears that StartPage has started to fingerprint users.

Edit: I can also confirm the canvas fingerprinting because it was blocked by Mullvad Browser.

UPDATE: The URL parameters of the vf.startpage.com/ct network request (F12 > Network) from startpage.com contain a fingerprint. Taking the contents of the di URL parameter of this request and pasting it into your base64 decoder will give an output that contains among other things: browser plugin info, canvas data, User Agent, your Do Not Track setting, and some other data points.

I have suddenly been getting JShelter (browser extension) fingerprint detection warnings about Startpage. It appears that Startpage is accessing WebGL data (JShelter Fingerprint Detector Report), Canvas data (JShelter Fingerprint Detector Report), and Speech Synthesis (from a Firefox banner saying Speech Synth. is not supported).

The script that is collecting this data is on the subdomain vf.startpage.com. Disabling the script (along with the entire subdomain) via uBlock Origin does not appear to affect Startpage’s ability to provide search results. The subdomain did not exist before the suspected fingerprinting started.

In the Network tab in Firefox’s debugger, POST requests appear to be sent to vf.startpage.com, containing at minimum my window size (ws: “1290x296”, changes on window resize).

I have a screen recording of this phenomenon from a fresh virtual machine: Proton Drive

What’s the community’s opinion on this? Is this a valid concern, and could it possibly warrant the removal of StartPage from PrivacyGuides?

8 Likes
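One way to inspect a captured vf.startpage.com/ct request like the one described in the post, as an added example that is not code from the thread: it parses the URL, base64-decodes the di parameter and reports which of the named data points (plugins, canvas, User Agent, Do Not Track, window size) appear. The sample request is constructed, and the assumption that di wraps a JSON object with these key names is mine; the real payload layout may differ.

```python
"""Inspect a captured vf.startpage.com/ct URL for fingerprint data points.

Added example, not code from the thread. Assumes (unverified) that `di`
is standard or URL-safe base64 wrapping a JSON object; the sample request
built below is constructed, not captured.
"""
import base64
import json
from urllib.parse import parse_qs, urlparse

# Data points that together identify a browser rather than a single session.
FINGERPRINT_KEYS = {
    "plugins": "browser plugin list",
    "canvas": "canvas rendering data",
    "ua": "User-Agent string",
    "dnt": "Do Not Track setting",
    "ws": "window size",
    "webgl": "WebGL renderer data",
}


def decode_base64_param(value: str) -> bytes:
    """Decode standard or URL-safe base64, restoring stripped '=' padding."""
    value = value.strip().replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value)


def inspect_request(url: str) -> dict:
    """Return the decoded `di` payload and the fingerprint keys found in it."""
    params = parse_qs(urlparse(url).query)
    di = params.get("di", [None])[0]
    if di is None:
        return {"payload": None, "found": []}
    payload = json.loads(decode_base64_param(di))
    found = [key for key in FINGERPRINT_KEYS if key in payload]
    return {"payload": payload, "found": found}


def build_sample_url() -> str:
    """Constructed sample request; every value here is invented."""
    sample = {"ua": "Mozilla/5.0 (X11; Linux x86_64) ...", "dnt": "1",
              "plugins": ["PDF Viewer"], "canvas": "deadbeef", "ws": "1290x296"}
    di = base64.urlsafe_b64encode(json.dumps(sample).encode()).decode().rstrip("=")
    return f"https://vf.startpage.com/ct?di={di}&q=test"


if __name__ == "__main__":
    for key in inspect_request(build_sample_url())["found"]:
        print(f"{key}: {FINGERPRINT_KEYS[key]}")
```

Paste a real URL copied from the Network tab into inspect_request() to see which keys it actually carries; a JSON decode error means the encoding assumption above does not hold.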

That sure looks sketchy AF

Ok, that is some upsetting news. I’ve been using startpage for a while now and liked it a lot. Any news on this front?

@Encounter5729 could you tell me what you’re seeing that’s sketchy? I’m not familiar with this type of analysis, not as tech savvy. Thank you!

I have always been suspicious of Startpage… it is Google results

I have been enjoying Mojeek lately, though it’s best to use a few different engines

Tagging some people as this is very concerning, we should at least warn to only use it with JavaScript disabled (as pretty much all features including image and video search are available) and we might consider whether it should be in the list at all.
@jonah @dngray

Oh. That’s not nice. I’ve been suspecting it for a long time. Another product that’s not to be used…

Oof. And PG recommends it. I never used it because I didn’t trust it. Always make your own choices peeps, everyone makes mistakes. Dodged another bullet :grin:

1 Like

Well, it’s not PG’s fault, all the sites talking about privacy recommend Startpage, what with DDG, which at one time filtered everything except Microsoft domain names.
And the case of Brave, which at one time was tracking with their browser, and nothing says that their search engine is safer, it’s just that we haven’t found anything yet.

2 Likes

Thanks, time to change search engine.

This is absolutely irrelevant. It doesn’t matter if StartPage uses Bing or Google results.

1 Like

If you expect the Privacy Guides team and community to be able to guess the future, then you’re at the wrong place, pal.

5 Likes

No time to really look into this yet, but some relevant links:

And we were aware that they already log some info:

https://www.privacyguides.org/en/search-engines/#fn:3

We need to look into whether something changed. Anyhow, I don’t believe that we should drop Startpage over this, we have to figure out what exactly is happening. I will be emailing them about this tonight.

EDIT: sent them a contact request over this. Will post updates.

6 Likes

Changed to Searx, can’t trust companies.

If you want proxied Google results, there is still Mullvad Leta. However, this only works if you access it with Mullvad VPN on.
Or you use Whoogle.

Such a shame it’s white on blue. Too hard to read for me.

Also changed to Searx.

I thought the writing was kind of on the wall when u/LizMcIntyre quit doing consulting with Startpage in 2020.

RE Searx, I like to use the instances page and for fun, select instances that are listed as located outside the 14 eyes and are reasonably fast. Then, make them favorites for search in Firefox (Librewolf in my instance), then rotate the search engine fav every few weeks.

Are the trackers on vf.startpage.com solely used on Startpage? I find it odd they would create an entire new subdomain just for tracking a single website. Surely, if it was intended for Startpage only, they would have included it somehow in startpage.com? (This is speculation, however.)

I’m curious as to what the reasoning behind this is as a business. The only selling point of the StartPage search engine is that you get Google results in a more private way. I suppose they’re hoping most users won’t find out and will just continue to use their search engine for years to come?

Surely, eventually word will get around. Even if it takes a couple years. So I still don’t quite get how this makes any sense business-wise.

edit: see here

I’m okay with dropping Startpage. We already dropped Startmail, and they don’t seem to care about responding to community feedback more generally anymore.

I was more willing to work with them 4-5 years ago when they actually made an effort, but I don’t think I’ve even heard from a single person related to Startpage in the past few years. These days I also definitely judge companies based on whether they’re on this list lol

1 Like

As far as I can tell, the requests to startpage.com/sxpra and the requests to vf.startpage.com are two different things. Both were blocked by EasyList, but I think assuming they were connected was an error.

I’m not sure about that, so erring on the side of caution and blocking both was a fine move on EasyList’s part, but I’ll tell you what I think about both.

startpage.com/sxpra

Startpage is using https://www.searchexpander.com/ in order to generate knowledge panels in their search results.

Background: Knowledge panels are the boxes of info that show to the right of search results in most search engines if you look up someone notable like Bill Gates, for example. They won’t currently show up in Startpage if you have uBlock Origin now that EasyList blocked these requests.

How this seems to work is that your search queries are sent to Search Expander in order for them to generate these knowledge panel results, but those requests are proxied through Startpage’s domains so that Search Expander doesn’t get any other data from you, like your IP address. Which is good.

Overall, I actually think Search Expander’s product and privacy policy are fairly reasonable, but at the same time… it’s kind of basic functionality other search engines just do themselves.

vf.startpage.com

This one is the suspicious one.

Despite a seeming similarity to the first requests (because this one has “sxp” in one of the paths) I don’t think this is related to the first requests. I can’t find anything related to tracking that looks like this in Search Expander’s documentation or privacy policy, and there are no similar requests on Search Expander’s demo search engine.

Searching for tc_imp.gif shows that it might be a (self-hosted?) tracker used on a few other websites, but the other websites I’m finding it on look pretty shady, and I can’t figure out what analytics product it actually is.

I see it hosted on various domains like:

  • hxxps://obs.brilliantchap.com/tracker/tc_imp.gif
  • hxxps://obseu.testrobotflower.com/tracker/tc_imp.gif
  • hxxps://obs.cheqzone.com/tracker/tc_imp.gif
  • hxxps://angel.mcangelus.com/tracker/tc_imp.gif
  • hxxps://ob.fishrobotflower.com/tracker/tc_imp.gif
  • hxxps://heart.mysingleromance.com/tracker/tc_imp.gif

Searching for terms like “obseu analytics” yields no results though, so I have no idea what the subdomains are referring to, or what software is hosted on them. Maybe it’s just shorthand for observation and has nothing to do with the software name.

If anyone can figure out where hxxps://vf.startpage.com/sxp/i/fa4874d0f7f644dec8ad457f0db0a852.js or hxxps://vf.startpage.com/tracker/tc_imp.gif comes from, please share! It doesn’t appear to be Matomo, which is the usual suspect.

It’s worth noting that vf.startpage.com is just a CNAME (DNS alias) for startpage.com, so it is not a third-party service (or it is and they proxy it).

6 Likes