"Privacy" Search Engine DuckDuckGo smoked over Hidden Tracking Agreement with Microsoft

by Tyler Durden
May 29, 2022
from ZeroHedge Website

"Quite Misleading":

DuckDuckGo CEO Responds to

Microsoft Tracker Controversy

Update

DuckDuckGo CEO Gabriel Weinberg took to Twitter on Saturday, calling our headline "quite misleading" ,

"this isn't about our search engine and we actually restrict Microsoft scripts in our browsers, including blocking their 3^rd party cookies."

I tested the DuckDuckGo so-called private browser for both iOS and Android, yet *neither version* blocked data transfers to Microsoft's Linkedin + Bing ads while viewing Facebook's workplace[.]com homepage.

Look at DDG bragging about stopping Facebook on Workplace, no MSFT..: pic.twitter.com/xfqhUOZMmf
— ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 (@thezedwards) May 23, 2022

Weinberg links to a Reddit thread he created on Wednesday when the tracking controversy broke. In it, he explains:

"this article is not about our search engine, but about our browsers."

"When most other browsers on the market talk about tracking protection they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers impose these same restrictions on all third-party tracking scripts, including those from Microsoft."

And while Redditors appeared sympathetic in the replies, users in the more technically oriented YCombinator Hacker News forum weren't buying it.

The top response refutes Weinberg's claim that,

"this is not about search," explaining "your competitors in the privacy-centric browser space don't have this restriction because they're not search engines acquiring the majority of their data from an entity with a conflicting interest."

Another user replied:

"The thread by the security engineer shows that the scripts are communicating back to the servers.

That means your multi-pronged protection has failed, unless you've suddenly discovered a way for browsers to block IP addresses from being sent by scripts (and since they can be extracted from the request itself that doesn't seem likely)."

The criticism continued further into the thread.

"'Multi-pronged privacy', 'easy button', 'capabilities', and repeated use of the word 'protection' are all signals that what is being said is an attempt to sell me something and that the salesman should be doubted," wrote user Colechristensen.

"What's actually happening is you're forced to allow Microsoft scripts which do indeed do telemetry on users despite some restrictions you put on them, and they're still effective because fingerprinting works.

That fact is embarrassing for a product you're trying to sell as promoting privacy so there's this mildly deceptive attempt to hide what's going on with lots of words and claims of protection instead of straightforward disclosure."

Another user slammed DuckDuckGo's relationship with Microsoft Advertising, in which DDG admits:

"If you click on a Microsoft-provided ad, you will be redirected to the advertiser's landing page through Microsoft Advertising's platform.

At that point, Microsoft Advertising will use your full IP address and user-agent string so that it can properly process the ad click and charge the advertiser."

Weinberg (username: Yegg) responded, arguing that they,

"got Microsoft to contractually agree and publicly commit (on this page) that, 'Microsoft Advertising does not associate your ad-click behavior with a user profile. It also does not store or share that information other than for accounting purposes'."

To which user Tedivm replied:

So instead of an actual set of real protections, like offered by things such as UBlock, you want us to rely on Microsoft being ethical.

It also ignores that governments like the NSA have tapped these very networks for data (this is what prompted Google's internal SSL drive).

Even if we trust the legal entity, the fact is that the information itself is a target and so are those entities. It is always safer not to send the data, but in this case you're explicitly sacrificing that safety to benefit your ad partners.

When asked what an appropriate headline should be for the controversy, "Yegg" replied:

"Microsoft contractually prevents DuckDuckGo's browser from stopping Microsoft scripts from loading on 3rd party sites (FYI: not search related)"

It seems like DuckDuckGo may have some more convincing to do.

Or as ZeroHedge reader koan put it:

fuckfuckno...

DuckDuckGo, the search engine which claims to offer "real privacy" because it doesn't track searches or store users' history, has come under fire after a security researcher discovered that the mobile DuckDuckGo browser app contains a third-party tracker from Microsoft.

Researcher Zach Edwards found that while Google and Facebook's trackers are blocked, trackers related to bing.com and linkedin.com were also being allowed through.

Sometimes you find something so disturbing during an audit, you've gotta check/recheck because you assume that *something* must be broken in the test.

But I'm confident now.

The new @DuckDuckGo browsers for iOS/Android don't block Microsoft data flows, for LinkedIn or Bing.🧵 pic.twitter.com/ol7Ydfo3BJ
— ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 (@thezedwards) May 23, 2022

In response to the revelation, CEO Gabriel Weinberg essentially shrugged - telling BleepingComputer that the company offers,

"above-and-beyond protection" that other browsers don't...

But he said "never promised" anonymity when browsing.

"We have always been extremely careful to never promise anonymity when browsing, because that frankly isn't possible given how quickly trackers change how they work to evade protections and the tools we currently offer," he said.

"When most other browsers on the market talk about tracking protection, they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft.

What we're talking about here is an above-and-beyond protection that most browsers don't even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites," he continued.

"Because we're doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would using other browsers."

In short, DuckDuckGo doesn't provide the type of privacy they've earned a reputation for - they simply betray users the least.

As TechRadar notes, this didn't go over well.

The news quickly drew in crowds of dissatisfied users, with DuckDuckGo founder and CEO Gabriel Weinberg, soon chiming in to confirm the authenticity of the findings.

Apparently, DuckDuckGo has a search syndication agreement with the software giant from Redmond, with Weinberg adding that the restrictions are only found in the browser, and are not related to the search engine.

What remains unknown is why the company who is known for its transparency decided to keep this agreement a secret for as long as it could. -TechRadar

See Edwards' entire May 23 Twitter thread below:

Return Home

Return to The End of The Internet... As We Know It?