DDG has a blocking tracker tied to a Microsoft contract

DDG has a blocking tracker tied to a Microsoft contract

DuckDuckGo, the self-styled “internet privacy company” — which, for years, has built a brand around its untracked web search claim, and recently launched its “private” browser with built-in anti-tracking — finds itself in trouble after a researcher finds a frontier Hidden on its tracking protection which creates a cut-off for certain ad data requests by our joint search partner, Microsoft.

Late yesterday, the researcher in question, Zack Edwards, chirp The results of his audit – saying he found that DDG mobile browsers do not block ad requests made by Microsoft scripts on non-Microsoft web properties. (Note: This is a separate matter of what happens if you actually click on an ad when using DDG – the privacy policy clearly discloses that all privacy bets are off at that point.)

Edwards tested browser data streams on a Facebook-owned site, Workplace.com, and found that while DDG reported to users that it blocked Google and Facebook trackers, it did not prevent Microsoft from receiving data streams associated with their browsing on a non-Microsoft website.

Edwards had some Twitter back and forth with DDG founder and CEO Gabe Weinberg, who debuted trying to reduce Score by emphasizing all the things DDG Browser said Do Blocking (for example, third-party tracking cookies, including cookies from Microsoft).

Weinberg was also particularly keen to make it clear that the data flow problem was not related to DuckDuckGo search.

However, the limitation of DDG’s browser tracker ban amounts to a waiver of protection against transmissions of certain ad data to Microsoft affiliates (Bing, LinkedIn) – which can be used for cross-site tracking of web users for ad targeting purposes. Or in other words, to undermine the privacy of DDG browser users.

In a back and forth Twitter, Weinberg confirmed that Edwards’ audit was correct – “acknowledging a connection agreement that he said limits DDG’s ability to block trackers in this scenario by writing DDG’s ‘Search Sharing Agreement’ with Microsoft, which owns and operates the Bing index and search engine.” It prevents us from stopping Microsoft-owned scripts from loading.”

He added that DDG is “working to change that”.

When asked via Twitter if DDG’s contract includes a clause preventing it from publicly complaining about restrictions that Microsoft, the tech giant with its growing ad technology company, has imposed on it, Weinberg Tell us: “Our subscription contract includes extensive confidentiality requirements, and the specific requirements documents themselves are expressly limited to confidentiality.”

While discussing his findings and DDG’s response with TechCrunch, Edwards described himself as “extremely shocked” by Weinberg’s public response to his review — and by what he summarized as “there are no public solutions to problems created through the confidential partnership between DuckDuckgo and Microsoft.”

Edwards added, “I have major concerns … about DDG’s general claims, particularly those they make on their iOS/Android app install sites, which promise tracking protection.” “If you compare the language inside the app details, to the information that the CEO of DuckDuckGo shared yesterday, you can’t help but wonder why they are lying in one place on the Internet, not lying in another area of ​​the Internet, seemingly trying to dump their biggest advertising partner Microsoft under Kind of on the bus — the CEO of DDG basically made a lot of comments about how he was trying and hoping to get out of their current contract with Microsoft — this was a shocking admission to see in public and something I hope regulators will take a serious look at.”

The issue was blown up on Hacker News during the day – Weinberg (aka yegg) was doing more firefighting in the comments, confirming DDG’s hands are tied in its contract with Microsoft and also claiming it has continued to push for changes to “this limited limitation”. .

“This only pertains to non-DuckDuckGo and non-Microsoft sites in our browsers, where the Search Sharing Agreement currently prevents us from stopping loading Microsoft-owned scripts, although we can still apply browser protection after loading (such as a third-party cookie). We have worked tirelessly behind the scenes to change this limited restriction,” Weinberg wrote on the site.

“I also understand that this is confusing because it is a search sharing contract that prevents us from doing something non-research related. This is because our product is a collection of multiple privacy protections, and this is a distribution requirement imposed on us as part of the search sharing agreement. Our sharing agreement also contains provisions Broad confidentiality, and the requirements documents themselves are explicitly limited to confidentiality.”

While DDG Browser obviously does not block all scripts – and no tracking blocker will be 100% effective as tracking technologies are constantly evolving – this exclusion for Microsoft scripts looks different because it is a specific exception associated with a contractual agreement associated with a business transaction that allows DDG Using Microsoft’s search index in its core product – none of which (apparently) was public knowledge prior to the Edwards audit.

In more general comments on the issue, Weinberg noted that DDG attempts to balance the goal of giving browser users a very easy tracker blocker experience (for example, to maximize accessibility), with enhanced protections that might significantly enhance user privacy Larger but with the potential for a costly experience (eg broken web pages).

However, DDG’s failure to disclose to browser users Microsoft’s restrictions on its protections is particularly troubling—particularly in stark contrast to privacy-focused marketing that tells users they will “escape from website tracking” ( Which obviously does not happen in the specific Microsoft cases identified by Edwards). So DDG risks misleading users and undermining its reputation as a pro-privacy company.

In a more recent reply posted in response to Hacker News comments, Weinberg appears to have agreed with DDG’s need for full disclosure, writing: “We’ll be working hard today to find a way to say something in our App Store descriptions in terms of better disclosure – there will likely be something by the end of the day. “

“I understand the concern here that we are working on it in a number of ways but to be clear, no app will provide 100% protection for a variety of reasons, and the scripts in question here currently have significant protections over them in our browser,” he added.

We have reached out to Weinberg with questions. Send us this statement:

We’ve always been very careful not to pledge our anonymity when browsing, which frankly isn’t possible given how quickly trackers change the way they work to evade the protections and tools we currently offer. When most other browsers on the market talk about tracking protection, they usually refer to third-party cookie protection and fingerprint protection, and our new iOS, Android, and Mac beta browsers enforce these restrictions on third-party tracking scripts, including That’s those from Microsoft. We’re talking about protection here that goes beyond one that most browsers don’t attempt to do – that is, block third-party tracking scripts before they’re even uploaded to third-party websites. Since this can cause websites to crash, we can’t do it as often as we want to in any case. However, our goal has always been to provide as much privacy as possible in a single download, by default without any complicated settings, so we took this upon ourselves.

We’re also asking Microsoft questions about the restrictions it places on shared search partners, but at the time of writing, the tech giant hasn’t responded.

The privacy trade-offs are never great, but there seems to be one conclusion inescapable here: Antitrust regulators need to examine the combined search market more closely — since it is primarily made up of two high-tech giants, Google and Microsoft, who have full power. To force (unfair) terms on anyone else who wishes to offer a competitive search product, or in some cases, an alternative web browser.

European regulators recently approved a new pre-competition regime targeting the most powerful broker platforms – which the Digital Markets Act refers to as “internet gatekeepers”. DMA is clearly applicable to search engines but it remains to be seen if the committee will discover the opportunity to use incoming regulations to open up the search market by enforcing fair use terms around search participation on the only two approved indexes.

2022-05-24 18:08:44

Leave a Comment

Your email address will not be published.