DuckDuckGo has been quietly permitting Microsoft trackers in its 'private' web browser
Many internet users with concerns about online privacy have turned to DuckDuckGo with the impression that the browser will enable them to enjoy the web without having their activity tracked. But a discovery by a security researcher reveals that things are not as private as users would have hoped and expected.
DuckDuckGo was spotted allowing data to be transmitted via Microsoft trackers to LinkedIn and Bing ad domains. What's more, DuckDuckGo admits that an agreement exists between itself and Microsoft that allows trackers from the Windows-maker on third-party sites.
The discovery was made by security researcher Zach Edwards who reported that: "The new DuckDuckGo browsers for iOS/Android don't block Microsoft data flows, for LinkedIn or Bing".
He goes on to explain his findings in a tweet thread of gargantuan length:
If you download the current version of the DuckDuckGo browser for iOS/Android, & if you hope this browser actually stops data transfers to super common advertising subsidiaries owned by a company like Microsoft... well too bad, the browser has a secret allow data flow list
The permission that Microsoft trackers have -- while those from the likes of Facebook and Google are blocked -- stems from a search syndication agreement that exists between DuckDuckGo and Microsoft.
In a statement given to BleepingComputer, DuckDuckGo CEO Gabriel Weinberg said:
We have always been extremely careful to never promise anonymity when browsing, because that frankly isn't possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection, they are usually referring to third-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft.
What we're talking about here is an above-and-beyond protection that most browsers don't even attempt to do -- that is, blocking third-party tracking scripts before they load on third-party websites. Because we're doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would using Safari, Firefox and other browsers. This blog post we published gets into the real benefits users enjoy from this approach, like faster load times (46 percent average decrease) and less data transferred (34 percent average decrease). Our goal has always been to provide the most privacy we can in one download, by default without any complicated settings.
In a tweet, Weinberg also said that "we are working with Microsoft to remove this limited restriction", adding "we're also working on updates to our app store descriptions to have more information".
The question is just how damaging the revelation and admission will be to DuckDuckGo, and the impact it will have on the number of users it manages to attract.
In the meantime, the App Store description of DuckDuckGo has been amended to say:
Note About our Tracker Blocking: While we block all cross-site (3rd party) cookies on other sites you visit, we cannot block all hidden tracking scripts on non-DuckDuckGo sites for a variety of reasons including: new scripts pop up all the time making them difficult to find, blocking some scripts creates breakage making parts or all of the page unusable, some we are prevented from blocking due to contractual restrictions with Microsoft.