DuckDuckGo, which calls itself an “internet privacy company,” has built its brand around not tracking web searches, and recently released a “private” browser with built-in tracker blocking, is in “deep shit” after Zach Edwards, a privacy and data supply chain expert, found hidden limits on that tracking protection: it makes an exception for certain advertising data requests by Microsoft, DDG’s search syndication partner.
Edwards’ audit found that the company’s mobile browsers don’t restrict advertising requests made by Microsoft scripts on non-Microsoft web domains. He tested the browser’s data flows on Workplace.com, a website owned by Facebook, and found that while DDG told users it had blocked Google and Facebook trackers, it did not prevent Microsoft from receiving data flows linked to the user’s browsing on a site that Microsoft does not own.
Gabe Weinberg, DDG’s CEO, debated Edwards on Twitter, where he appeared to be downplaying the significance of the finding by focusing on what DDG’s browser does restrict (such as third-party tracking cookies, including Microsoft’s). Weinberg was also keen to clarify that the data flow issue had nothing to do with DuckDuckGo search itself.
Nonetheless, the limit on the DDG browser’s tracker blocking amounts to an exemption from protection against some advertising data transfers to Microsoft companies (Bing, LinkedIn), which could be used for cross-site tracking of web users for ad targeting purposes. In other words, it compromises the privacy of DDG browser users.
Weinberg acknowledged on Twitter that Edwards’ audit was right, owning up to a contractual arrangement that, according to him, limited DDG’s ability to disable trackers in this scenario: DDG’s “search syndication agreement” with Microsoft, he wrote, “prevents us from stopping Microsoft-owned scripts from loading.” According to him, DDG is “working to change that.”
It was quite shocking for Weinberg to respond publicly to Edwards’ audit on Twitter while having what he summed up as “no public solutions for the problems created through the secret partnership between DuckDuckGo and Microsoft.”
Discussion has also spiked on Hacker News, where Weinberg (posting as yegg) has done further firefighting in the comments, reiterating that DDG’s contract with Microsoft restricts its ability to remove “this limited restriction.”
Per Weinberg, “This is just about non-DuckDuckGo and non-Microsoft sites in our browsers, where our search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, though we can still apply our browser’s protections post-load (like 3rd party cookie blocking and others mentioned above, and do). We’ve also been tirelessly working behind the scenes to change this limited restriction.”
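To make the distinction in that statement concrete, here is an added illustration (not DuckDuckGo’s code, and not a description of how its browser is implemented): a simplified Python model that contrasts blocking a third-party tracker script before it loads with letting it load and only withholding third-party cookies. The tracker domain lists, the exempt-owner set and the request URLs are constructed for the example; only Workplace.com comes from the article.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed example data: tracker owners and the domains their scripts load from.
TRACKER_DOMAINS = {
    "Google": {"google-analytics.com", "doubleclick.net"},
    "Facebook": {"facebook.net", "facebook.com"},
    "Microsoft": {"bing.com", "linkedin.com"},
}
# Hypothetical contract term: scripts from these owners may not be blocked pre-load.
LOAD_EXEMPT_OWNERS = {"Microsoft"}


def site(host: str) -> str:
    """Naive eTLD+1 (last two labels); sufficient for the constructed hosts used here."""
    return ".".join(host.lower().split(".")[-2:])


def owner_of(host: str) -> Optional[str]:
    """Return the tracker owner serving this host, or None if it is not on the list."""
    s = site(host)
    return next((o for o, doms in TRACKER_DOMAINS.items() if s in doms), None)


def decide(page_url: str, request_url: str, cookies: dict) -> dict:
    """Model what a script request made while viewing page_url results in.

    `cookies` are the cookies the browser holds for the request host. The returned
    `sent` dict records exactly what the request's destination still receives;
    the page origin travels in the Referer (the default cross-site referrer policy
    sends origin only) and the client IP is implicit in any request that goes out.
    """
    page, req = urlparse(page_url), urlparse(request_url)
    origin = f"{page.scheme}://{page.hostname}"
    if site(page.hostname) == site(req.hostname):
        # First-party request: nothing to block, cookies travel as usual.
        return {"action": "allow", "owner": None,
                "sent": {"url": request_url, "referer": origin, "cookies": cookies}}
    owner = owner_of(req.hostname)
    if owner is None:  # third party not on the tracker list: treated as an ordinary request
        return {"action": "allow", "owner": None,
                "sent": {"url": request_url, "referer": origin, "cookies": cookies}}
    if owner not in LOAD_EXEMPT_OWNERS:
        # Pre-load block: the request is never made, so nothing reaches the tracker.
        return {"action": "block", "owner": owner, "sent": None}
    # Exempt owner: the script loads; post-load protection strips third-party cookies,
    # but the request URL, the page origin and the client IP are still disclosed.
    return {"action": "allow-strip-cookies", "owner": owner,
            "sent": {"url": request_url, "referer": origin, "cookies": {}}}
```

Running `decide("https://www.workplace.com/feed", "https://bat.bing.com/bat.js", {"MUID": "x"})` shows the exempt case: the cookie is withheld, yet the request and the `https://www.workplace.com` origin still reach the third party, which is the data flow Edwards observed.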
Conclusion
No tracker blocker can be 100% effective, given how constantly tracking techniques evolve, but this exemption for Microsoft scripts stands out because it stems from a contractual arrangement tied to a business relationship: the one that lets DDG use Microsoft’s search index in its core product. None of this was (apparently) public knowledge before Edwards’ revelations.
Weinberg hinted that DDG is trying to balance giving browser users an easy tracker-blocking experience (to promote accessibility) against beefing up protections that might further enhance privacy but at a cost to that experience (e.g., broken webpages).