DuckDuckGo CEO Responds To Backlash Over Controversial Microsoft Tracking Agreement
The pursuit of internet privacy is something akin to an ever-evolving game of Whac-A-Mole, as new tracking techniques are revealed by researchers and addressed by privacy-preserving tools. Fortunately, there are a great many privacy tools available and under active development. DuckDuckGo offers a number of such tools, including a private search engine and browser. The company’s browser, which is a newer addition to its suite of privacy tools, is publicly available for iOS and Android, but a desktop version for macOS is currently in development as well. The browser includes a number of privacy-preserving features, such as the recently introduced ability to redirect users away from Google’s AMP webpages and towards publishers’ original webpages.
However, it seems that DuckDuckGo’s browser is unable to protect users from a particular subset of trackers. Zach Edwards, a privacy researcher, recently discovered in the course of an audit that the company’s browser doesn’t block third-party tracking scripts that connect to Microsoft’s LinkedIn and Bing advertising domains. We tested this claim ourselves with the DuckDuckGo Android browser, and, sure enough, PCAPDroid showed connections to px.ads.linkedin.com and bat.bing.com while visiting workplace.com. The browser blocks other third-party tracking scripts, such as those from Facebook and Google, but not these two. We performed this same exercise with the Brave browser and didn’t observe connections to these two domains.
When a user first install’s DuckDuckGo’s browser, it prompts the user to visit a website to see what trackers the browser blocks. Interestingly, if the third-party clarity.ms tracker, which is a Microsoft-owned user behavior analytics tool, is present on the first site visited by the user, the app informs the user that it blocked Microsoft’s attempt to track the user. This message may give the user the impression that the browser blocks all Microsoft-owned third-party trackers, but, as the PCAPDroid connection logs show, that impression would be mistaken.
DuckDuckGo’s Privacy Configuration repository includes bat.bing.com among a list of domains for which cookie protections are disabled “due to site breakage issues.” However, this list does not include px.ads.linkedin.com. The lack of an explanation for this tracking protection exemption raises questions regarding the purpose and motivation for this divergence from DuckDuckGo’s outspoken stance on protecting user privacy.
As it turns out, the DuckDuckGo search engine is powered by Microsoft’s own Bing search engine, and DuckDuckGo’s agreement with Microsoft includes stipulations that DuckDuckGo not block Microsoft’s LinkedIn and Bing advertising domains. Gabriel Weinberg, CEO of DuckDuckGo, confirmed this fact in a tweet, stating, “For non-search tracker blocking (eg in our browser), we block most third-party trackers. Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
The CEO further explained in a comment on Hacker News that the “search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, though we can still apply our browser's protections post-load (like 3rd party cookie blocking and others mentioned above, and do). We've also been tirelessly working behind the scenes to change this limited restriction.”
DuckDuckGo’s Privacy Configuration repository includes bat.bing.com among a list of domains for which cookie protections are disabled “due to site breakage issues.” However, this list does not include px.ads.linkedin.com. The lack of an explanation for this tracking protection exemption raises questions regarding the purpose and motivation for this divergence from DuckDuckGo’s outspoken stance on protecting user privacy.
As it turns out, the DuckDuckGo search engine is powered by Microsoft’s own Bing search engine, and DuckDuckGo’s agreement with Microsoft includes stipulations that DuckDuckGo not block Microsoft’s LinkedIn and Bing advertising domains. Gabriel Weinberg, CEO of DuckDuckGo, confirmed this fact in a tweet, stating, “For non-search tracker blocking (eg in our browser), we block most third-party trackers. Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
The CEO further explained in a comment on Hacker News that the “search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, though we can still apply our browser's protections post-load (like 3rd party cookie blocking and others mentioned above, and do). We've also been tirelessly working behind the scenes to change this limited restriction.”
Weinberg has also emphasized that this limitation is specific to DuckDuckGo’s browser and does not apply to the company’s search engine. That said, users should be aware that DuckDuckGo’s search documentation states that the contextual ads listed above search results are provided by Microsoft and that once users click on these ads, “Microsoft Advertising will use your full IP address and user-agent string so that it can properly process the ad click and charge the advertiser.” The documentation goes on to say that, unlike many other search engine advertisements, “when you click on a Microsoft-provided ad that appears on DuckDuckGo, Microsoft Advertising does not associate your ad-click behavior with a user profile. It also does not store or share that information other than for accounting purposes.”
Two days after Zach Edwards pointed out that the DuckDuckGo browser doesn’t block LinkedIn and Bing advertising domains, DuckDuckGo updated the description of its browser in the Apple App Store and Google Play Store to be less misleading. The original description simply stated that “Tracker Radar automatically blocks hidden third-party trackers.” The new description splits third-party cookie blocking and third-party tracking script blocking into two different sections. The cookie section states that the browser prevents third-party cookies from tracking users without any caveats. Meanwhile, the tracking scripts section states that the browser “automatically blocks most hidden third-party tracking scripts” (emphasis added). This section also directs readers to “See notes and links below for more information.”
Two days after Zach Edwards pointed out that the DuckDuckGo browser doesn’t block LinkedIn and Bing advertising domains, DuckDuckGo updated the description of its browser in the Apple App Store and Google Play Store to be less misleading. The original description simply stated that “Tracker Radar automatically blocks hidden third-party trackers.” The new description splits third-party cookie blocking and third-party tracking script blocking into two different sections. The cookie section states that the browser prevents third-party cookies from tracking users without any caveats. Meanwhile, the tracking scripts section states that the browser “automatically blocks most hidden third-party tracking scripts” (emphasis added). This section also directs readers to “See notes and links below for more information.”
