“Quite misleading”: DuckDuckGo CEO responds to Microsoft tracker controversy

Update: DuckDuckGo CEO Gabriel Weinberg took to Twitter on Saturday, calling our headline “quite misleading” since “this isn’t about our search engine and we actually restrict Microsoft scripts in our browsers, including blocking their 3rd party cookies.”

FYI — this is a quite misleading headline since this isn’t about our search engine and we actually restrict Microsoft scripts in our browsers, including blocking their 3rd party cookies. For full context, I left detailed explanation on reddit:https://t.co/AfDSKceldw

— Gabriel Weinberg (@yegg) May 29, 2022

(Article by Tyler Durden republished from ZeroHedge.com)

Weinberg links to a Reddit thread he created on Wednesday when the tracking controversy broke. In it, he explains: “this article is not about our search engine, but about our browsers,” adding that “When most other browsers on the market talk about tracking protection they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers impose these same restrictions on all third-party tracking scripts, including those from Microsoft.”

And while Redditors appeared sympathetic in the replies, users in the more technically oriented YCombinator Hacker News forum weren’t buying it.

The top response refutes Weinberg’s claim that “this is not about search,” explaining; “Your competitors in the privacy-centric browser space don’t have this restriction because they’re not search engines acquiring the majority of their data from an entity with a conflicting interest.”

Another user replied: “The thread by the security engineer shows that the scripts are communicating back to the servers. That means your multi-pronged protection has failed, unless you’ve suddenly discovered a way for browsers to block IP addresses from being sent by scripts (and since they can be extracted from the request itself that doesn’t seem likely).”

The criticism continued further into the thread.

““multi-pronged privacy”, “easy button”, “capabilities”, and repeated use of the word “protection” are all signals that what is being said is an attempt to sell me something and that the salesman should be doubted,” wrote user Colechristensen. “What’s actually happening is you’re forced to allow Microsoft scripts which do indeed do telemetry on users despite some restrictions you put on them, and they’re still effective because fingerprinting works. That fact is embarrassing for a product you’re trying to sell as promoting privacy so there’s this mildly deceptive attempt to hide what’s going on with lots of words and claims of protection instead of straightforward disclosure.”

Another user slammed DuckDuckGo’s relationship with Microsoft Advertising, in which DDG admits: “If you click on a Microsoft-provided ad, you will be redirected to the advertiser’s landing page through Microsoft Advertising’s platform. At that point, Microsoft Advertising will use your full IP address and user-agent string so that it can properly process the ad click and charge the advertiser.”

Weinberg (username: Yegg) responded, arguing that they “got Microsoft to contractually agree and publicly commit (on this page) that “Microsoft Advertising does not associate your ad-click behavior with a user profile. It also does not store or share that information other than for accounting purposes.“

To which user Tedivm replied:

So instead of an actual set of real protections, like offered by things such as UBlock, you want us to rely on Microsoft being ethical.

It also ignores that governments like the NSA have tapped these very networks for data (this is what prompted Google’s internal SSL drive). Even if we trust the legal entity, the fact is that the information itself is a target and so are those entities. It is always safer not to send the data, but in this case you’re explicitly sacrificing that safety to benefit your ad partners.

When asked what an appropriate headline should be for the controversy, “Yegg” replied: “Microsoft contractually prevents DuckDuckGo’s browser from stopping Microsoft scripts from loading on 3rd party sites (FYI: not search related)“

It seems like DuckDuckGo may have some more convincing to do.

Or as ZeroHedge reader koan put it: fuckfuckno

*  *  *

DuckDuckGo, the search engine which claims to offer ‘real privacy’ because it doesn’t track searches or store users’ history, has come under fire after a security researcher discovered that the mobile DuckDuckGo browser app contains a third-party tracker from Microsoft.

Researcher Zach Edwards found that while Google and Facebook’s trackers are blocked, trackers related to bing.com and linkedin.com were also being allowed through.

You can capture data within the DuckDuckGo so-called private browser on a website like Facebook’s https://t.co/u8W44qvsqF and you’ll see that DDG does NOT stop data flows to Microsoft’s Linkedin domains or their Bing advertising domains.

iOS + Android proof:
????????????? pic.twitter.com/u3Q30KIs7e

— ???? ??????? (@thezedwards) May 23, 2022

In response to the revelation, CEO Gabriel Weinberg essentially shrugged – telling BleepingComputer that the company offers “above-and-beyond protection” that other browsers don’t, but that he ‘never promised’ anonymity when browsing.

“We have always been extremely careful to never promise anonymity when browsing, because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer,” he said.

“When most other browsers on the market talk about tracking protection, they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft. What we’re talking about here is an above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites,” he continued.

“Because we’re doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would using other browsers.”

In short, DuckDuckGo doesn’t provide the type of privacy they’ve earned a reputation for – they simply betray users the least.

As TechRadar notes, this didn’t go over well.

The news quickly drew in crowds of dissatisfied users, with DuckDuckGo founder and CEO Gabriel Weinberg, soon chiming in to confirm the authenticity of the findings. 

Apparently, DuckDuckGo has a search syndication agreement with the software giant from Redmond, with Weinberg adding that the restrictions are only found in the browser, and are not related to the search engine. 

What remains unknown is why the company who is known for its transparency decided to keep this agreement a secret for as long as it could. -TechRadar

See Edwards’ entire May 23 Twitter thread below:

Sometimes you find something so disturbing during an audit, you’ve gotta check/recheck because you assume that *something* must be broken in the test.

But I’m confident now.

The new @DuckDuckGo browsers for iOS/Android don’t block Microsoft data flows, for LinkedIn or Bing.? pic.twitter.com/ol7Ydfo3BJ

— ???? ??????? (@thezedwards) May 23, 2022

I don’t have the full list of advertising domains that the DuckDuckGo browser is allowing to collect data within their new “private” browser ((anyone have that or parsed it somewhere??) but any list that doesn’t include “linkedin[.]com” + “bing[.]com” is *purposefully* broken. pic.twitter.com/xjkcWafZqD

— ???? ??????? (@thezedwards) May 23, 2022

It’s public knowledge that DuckDuckGo has been creating exemptions for Microsoft for awhile, which they’ve been required to explain on a page like @ https://t.co/6W3NfyQxJX / DDG openly says they are sending your user IP address & user agent to Microsoft for the DDG ads on-click. pic.twitter.com/mMNnupgVi2

— ???? ??????? (@thezedwards) May 23, 2022

You can capture data within the DuckDuckGo so-called private browser on a website like Facebook’s https://t.co/u8W44qvsqF and you’ll see that DDG does NOT stop data flows to Microsoft’s Linkedin domains or their Bing advertising domains.

iOS + Android proof:
????????????? pic.twitter.com/u3Q30KIs7e

— ???? ??????? (@thezedwards) May 23, 2022

And you can see proof that the DuckDuckGo team *knows* that Microsoft’s domains are crossite tracking vectors @ https://t.co/gAoEEUoeDR – that’s the DDG feedback loop to help them populate blocklists.

So if DDG’s researchers *know* MSFT/Bing/Linkedin=tracking, why exclude them? pic.twitter.com/LXcpW1halo

— ???? ??????? (@thezedwards) May 23, 2022

And if you are a privacy researcher working at DDG, do you think it’s appropriate to push rhetoric about why this is a good browser, knowing that there are global data brokers – your own partners – who you are purposefully not stopping data flows for, on domains they don’t own?? pic.twitter.com/yKJPx86BUw

— ???? ??????? (@thezedwards) May 23, 2022

There are a variety of lists from DuckDuckGo to help parse this, like “Domains which should have cookie protections disabled due to site breakage issues” https://t.co/WaJAP3LjKX – which includes the bat.]bing.]com domain but does NOT include the Linkedin domain, so 100% unclear:

— ???? ??????? (@thezedwards) May 23, 2022

I won’t hold my breath that DuckDuckGo will update their own so-called private browser to actually stop data flows to their own ad tech partners, but this is one of those things that makes a privacy auditor … annoyed? bitter? confrontational?

Does Google / Apple care? </?> pic.twitter.com/SB0jrizrVi

— ???? ??????? (@thezedwards) May 23, 2022

Read more at: ZeroHedge.com