DuckDuckGo is often considered to be a go-to browser for users who are concerned about tech giants collecting data while browsing. However, on May 24 (local time), it was revealed by security researcher Zack Edwards how the browser was blocking Google and Facebook trackers but provided an exception to Microsoft trackers. Reportedly, DuckDuckGo (DDG) has the obligation under a search agreement with Microsoft to allow its tracker to monitor certain details of the users.
According to a report in Bleeping Computers, DDG does not store any personal identifiers of the users associated with the search queries. However, it may track the IP address and other information for ‘accounting purposes’ upon clicking an ad link. It further read that the information collected “is not associated with a user advertising profile”, which is common with other browsers.
Edwards revealed Microsoft trackers were allowed
In a detailed Twitter thread, researcher Zack Edwards said that the DDG does not block Microsoft Data flow while it blocks other trackers.
He further added screenshots of the description of the app on Google Play Store that clearly mentioned that the trackers are blocked on DDG. Notably, after Edwards’ thread went viral, DDG changed the description by adding ‘most’ in the description. From the earlier version that read “Tracker Radar automatically blocks hidden third-party tracking scripts lurking on websites you visit in DuckDuckGo,” it now reads “, Tracker Radar automatically blocks most hidden third-party tracking scripts lurking on websites you visit in DuckDuckGo.”
Notably, DDG has mentioned clearly on one of its help pages titled ‘Ads by Microsoft on DuckDuckGo Private Search’ that it shares data with the tech giant. However, this page is deep inside the Help section, and from the top, the users always remained under the impression that it was not sharing any data by blocking the trackers.
On the page, it says, “Microsoft and DuckDuckGo have partnered to provide a search solution that delivers relevant advertisements to you while protecting your privacy. If you click on a Microsoft-provided ad, you will be redirected to the advertiser’s landing page through Microsoft Advertising’s platform. At that point, Microsoft Advertising will use your full IP address and user-agent string so that it can properly process the ad click and charge the advertiser.”
Edwards also presented proof that the data flow was happening. He said, “You can capture data within the DuckDuckGo so-called private browser on a website like Facebook’s workplace.com, and you’ll see that DDG does NOT stop data flow to Microsoft’s Linkedin domains or their Bing advertising domains.”
DDG’s CEO defended the browser’s privacy stand
Edwards’ thread caught the attention of the Founder and CEO of DDG, Gabriel Weinberg. Replying to his thread, Weinberg said, “When you load our search results, you are completely anonymous, including ads. For ads, we worked with Microsoft to make ad clicks protected. From our public ads page, ‘Microsoft Advertising does not associate your ad-click behaviour with a user profile’. For non-search tracker blocking (eg in our browser), we block most third-party trackers. Unfortunately, our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
For non-search tracker blocking (eg in our browser), we block most third-party trackers. Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.
— Gabriel Weinberg (@yegg) May 23, 2022
He further wrote a detailed post on Reddit explaining the situation. He said, “The issue at hand is, while most of our protections like 3rd-party cookie blocking apply to Microsoft scripts on 3rd-party sites (again, this is off of DuckDuckGo.com, i.e., not related to search), we are currently contractually restricted by Microsoft from completely stopping them from loading (the one above-and-beyond protection explained in the last paragraph) on 3rd party sites. We still restrict them, though (e.g., no 3rd party cookies allowed). The original example was Workplace.com loading a LinkedIn.com script. Nevertheless, we have been and are working with Microsoft as we speak to reduce or remove this limited restriction.”
Pointing towards the cost involved in showing search results, he said, “Really only two companies (Google and Microsoft) have a high-quality global weblink index (because I believe it costs upwards of a billion dollars a year to do), and so literally every other global search engine needs to bootstrap with one or both of them to provide a mainstream search product.”
Privacy is a myth
Online privacy is a myth. Even the best browsers that call themselves ‘champions of privacy’ will have one or the other loophole that would allow them to share the user information as a whole or in parts. Weinberg ended his statement by saying, “Taking a step back, I know our product is not perfect and will never be. Nothing can provide 100% protection. We have always been extremely careful to never promise anonymity when browsing outside our search engine, because that frankly isn’t possible.”