DDG's tracker blocking has a carve-out linked to its Microsoft contract.

DuckDuckGo, a self-proclaimed “internet privacy company,” has spent years building its brand around claims of not tracking web searches, and recently launched its own ‘private’ browser with built-in tracker blocking. It has been in hot water since a researcher discovered a hidden limit on its tracking protection that makes an exception for certain ad data requests from its search syndication partner, Microsoft.

Late last night, the researcher in question, Zach Edwards, tweeted the results of an audit, saying he had discovered that DDG’s mobile browser does not block ad requests from Microsoft scripts on non-Microsoft web properties. (Note: this is separate from what happens when you actually click on an ad when using DDG. Its privacy policy makes it clear that all privacy bets are off at that point.)

Edwards tested browser data flows on the Facebook-owned site Workplace.com and found that, while DDG informed users that it had blocked Google and Facebook trackers, it did not prevent Microsoft from receiving navigation-related data flows from third-party websites.

In a Twitter exchange with Edwards, Gabe Weinberg, founder and CEO of DDG, tried to play down the finding by highlighting everything he said DDG’s browser does block (e.g., third-party tracking cookies, including cookies from Microsoft).

Weinberg specifically wanted to make it clear that the data flow issue was not related to DuckDuckGo searches.

However, the limit on the DDG browser’s tracker blocking amounts to an exemption from protection for the transmission of certain advertising data to Microsoft subsidiaries (Bing, LinkedIn), which may be used for cross-site tracking of web users for ad targeting purposes. In other words, it violates the privacy of DDG browser users.

On Twitter, Weinberg confirmed that Edwards’ audit was correct, saying that DDG’s agreement covering the Bing search index prevents it from stopping Microsoft-owned scripts from being loaded.

He added that DDG is “working to change that.”

Asked on Twitter whether DDG’s contract contains a clause that prevents it from publicly complaining about restrictions imposed by Microsoft, which has a growing ad-tech business, Weinberg told us: “Our syndication agreement has a wide range of confidentiality requirements, and the specific requirements document itself is additionally explicitly marked confidential.”

Discussing his findings and DDG’s response with TechCrunch, Edwards said he was “very shocked” by Weinberg’s public response to the audit.

“I have serious concerns about DDG’s public claims, especially those made by iOS/Android app installation websites that promise tracking protection,” Edwards added. “Comparing the information shared by the CEO of DuckDuckGo yesterday with the language in the app description, we can’t help but wonder why they are in one place on the internet and not lying in other areas of the internet, and seemingly trying to put Microsoft, its premier advertising partner, under some sort of bus. Essentially, DDG’s CEO has made numerous comments about how he intends to and hopes to break away from his current contract with Microsoft. He wants regulators to take it seriously,” he said.

The issue also blew up on Hacker News during the day, where Weinberg (aka yegg) did more firefighting in the comments, reiterating that DDG’s hands are tied by its contract with Microsoft and adding that it is pushing for changes to “this limited limit”.

“This is about non-DuckDuckGo and non-Microsoft sites in our browser. Current search syndication agreements do not allow stopping Microsoft-owned scripts from loading, but may apply browser protections after loading (such as third-party cookie blocking and the other actions mentioned above). We also worked tirelessly behind the scenes to change this limited limit,” Weinberg wrote on the site.

“I also understand that this is confusing because it’s a search syndication contract that prevents you from doing anything other than a search. That’s because our product is a bundle of several privacy features and is a deployment requirement imposed on us as part of our search syndication agreement. Our syndication agreement has extensive confidentiality clauses and the requirements document itself is explicitly marked confidential,” he added.
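The distinction Weinberg draws here, between stopping a script from loading and applying protections after it loads, can be modelled in a few lines. This is an added example, not DuckDuckGo's code: the tracker list, the `LOAD_CARVE_OUT` policy, the function names and the request URLs are all constructed assumptions.

```javascript
// Constructed tracker list mapping registrable domain -> owner.
// An assumption for illustration, not DuckDuckGo's actual blocklist.
const TRACKER_OWNERS = {
  "doubleclick.net": "Google",
  "facebook.net": "Facebook",
  "bing.com": "Microsoft",
  "linkedin.com": "Microsoft",
};
// Hypothetical policy: owners whose scripts may not be stopped from loading.
const LOAD_CARVE_OUT = new Set(["Microsoft"]);

// Naive registrable domain (last two labels); enough for the sample hosts.
const site = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Decide what happens to one request made while pageUrl is open.
function decide(pageUrl, requestUrl) {
  const reqSite = site(requestUrl);
  if (reqSite === site(pageUrl)) return { action: "allow", owner: null, cookies: true };
  const owner = TRACKER_OWNERS[reqSite] || null;
  // Every third-party request loses its cookies, tracker or not.
  if (!owner) return { action: "allow", owner, cookies: false };
  if (LOAD_CARVE_OUT.has(owner)) return { action: "load-with-protections", owner, cookies: false };
  return { action: "block", owner, cookies: false };
}

// Auditor's view: which tracker owners were blocked, and which still got a request.
function audit(pageUrl, requestUrls) {
  const blocked = new Set(), reached = new Set();
  for (const url of requestUrls) {
    const { action, owner } = decide(pageUrl, url);
    if (owner) (action === "block" ? blocked : reached).add(owner);
  }
  return { blocked: [...blocked].sort(), reached: [...reached].sort() };
}

// Constructed requests for a visit to a non-Microsoft site.
const PAGE = "https://www.workplace.com/";
const REQUESTS = [
  "https://static.workplace.com/app.js",
  "https://connect.facebook.net/sdk.js",
  "https://ads.doubleclick.net/pixel.js",
  "https://tags.bing.com/t.js",
  "https://px.linkedin.com/collect",
];
console.log(audit(PAGE, REQUESTS));
```

Even with cookies stripped, a request in the `reached` set still delivers the visitor's IP address and the requested URL to the owner, which is why an audit compares the owners a browser reports as blocked against the owners that actually received traffic.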

DDG’s browser obviously doesn’t block all scripts, and tracker blockers won’t be 100% effective as tracking technology continues to advance. DDG, though, is tied to a commercial deal that allows it to use Microsoft’s search index in its core products.

In further public remarks on this matter, Weinberg hinted that DDG is trying to strike a balance between giving browser users a very easy tracker blocking experience (i.e. maximized accessibility) and further enhancing user privacy with protections that can come at a cost to the experience (e.g. broken webpages).

However, DDG’s failure to disclose the Microsoft-related limit on its protections to browser users is of particular concern, especially given privacy-focused marketing that tells users they can “avoid website tracking” (which obviously does not happen in the specific Microsoft-related instances that Edwards has identified). DDG therefore risks misleading users and damaging its reputation as a privacy company.

In a more recent answer posted in response to a comment on Hacker News, Weinberg appears to have accepted the need for DDG to make fuller disclosure: “We’ll be working hard today to find a way to say something in the app store description in terms of better disclosure.”

“We are trying to solve this in various ways, but for various reasons no app offers 100% protection, and I understand that the script in question here has significant protection in current browsers,” he added.

We asked Weinberg about this. He sent us the following statement:

“We have always been extremely careful not to promise anonymity when browsing. Because that’s honestly impossible given how quickly trackers change the way they work to circumvent the protections and tools they currently provide. When most other browsers on the market talk about tracking protection, they usually refer to third-party cookie protection and fingerprint protection, and browsers for iOS, Android, and the new Mac beta impose these restrictions on third-party tracking scripts, including those from Microsoft. Here we are talking about excellent protection that most browsers don’t even try. In other words, it blocks third-party tracking scripts before they are loaded onto third-party websites. We can’t do this as much as we want under any circumstances, as this can cause your website to crash. However, our goal was basically to provide maximum privacy in a single download without complicated setup. So we chose this.”

We also asked Microsoft about the restrictions it imposes on search syndication partners, but at the time of this writing, the tech giant has not responded.

The privacy trade-off is by no means huge, but one unavoidable conclusion appears here: antitrust regulators should scrutinize the search syndication market. This is because that market is essentially made up of two gatekeeping ad-tech giants, Google and Microsoft, that have the power to impose (unfair) conditions on anyone who wants to offer a competitive search product or, in certain cases, an alternative web browser.

European regulators have recently agreed on a new pre-competition regime targeting the strongest brokerage platforms. The DMA is obviously applicable to search engines, but it remains to be seen whether the Commission will seize the opportunity to use the incoming regulation to open up the search market by applying fair-use terms related to search syndication to the two indexes that count.
