DuckDuckGo promises privacy to users of Android, iOS, and macOS browsers – but it does allow some data to flow from third-party sites to Microsoft-owned services.
Security researcher Zach Edwards recently reviewed DuckDuckGo mobile browsers and found that, contrary to expectations, they do not prevent Meta’s Workplace domain, for example, from sending information to Microsoft Bing and LinkedIn domains.
In particular, DuckDuckGo software did not prevent Microsoft trackers on the Workplace page from transmitting user information to Bing and LinkedIn for custom advertising purposes. Other trackers, such as Google's, are blocked.
“I tried the so-called private browser DuckDuckGo for both iOS and Android, and no version blocked data transfers in Microsoft LinkedIn + Bing ads while viewing the Facebook workspace[.]com home page,” Edwards explained in a thread on Twitter.
The situation is the same with DuckDuckGo’s macOS browser, a company spokesman confirmed.
Responding to Edwards, DuckDuckGo CEO Gabriel Weinberg pointed out that its browsers do not allow ad tracking data to flow into DuckDuckGo’s Microsoft Bing-based search engine, which last year faced particular criticism for inheriting Redmond’s censorship.
According to Weinberg, DuckDuckGo Search users who see ads displayed through Microsoft Advertising do not provide data when these ads are loaded on the page. If a user clicks on an ad, Microsoft Advertising receives the user’s IP address and user agent string for ad performance and billing, although there is obviously no link between that click and a user profile, as explained by DuckDuckGo on its website.
As for the company’s browsers, he said DuckDuckGo blocks Microsoft third-party cookies (used to track ads) on third-party websites, but acknowledged that there are some trackers (scripts used for tracking) that DuckDuckGo browsers do not block due to contractual commitments with Microsoft.
“To exclude non-tracking tracking (e.g. in our browser), we exclude most third-party tracking programs,” Weinberg said. “Unfortunately, the Microsoft Search Distribution Agreement prevents us from doing more on Microsoft-owned properties. However, we are constantly pushing and expecting to do more soon.”
“What we are talking about here is an overprotection that most browsers do not even attempt to do – that is, they block third-party tracking scripts before they are uploaded to third-party sites,” Weinberg said in an email to The Register.
“Because we do it where we can, users still get a lot more privacy protection with DuckDuckGo than they would with Safari, Firefox and other browsers.”
In other words, DuckDuckGo offers better-than-average privacy protections in its browsers, but it looks the other way for Microsoft-owned scripts – Bing and LinkedIn – so they can continue to load on third-party sites like Workplace and collect data.
DuckDuckGo, Weinberg said, does not promise anonymity when browsing “because this is honestly not possible given how quickly trackers change their mode of operation to avoid the protections and tools we currently offer.”
Anonymity is also contractually ruled out, as DuckDuckGo noted in recent revisions to its browser listings on Google Play, the iOS App Store and the Mac App Store – possibly to avoid regulatory scrutiny for promising privacy and non-disclosure.
The added text says: “Note about blocking tracking: While we block all cookies between sites (third parties) on other sites you visit, we may not block all hidden tracking scenarios on non-DuckDuckGo sites for various reasons, such as: new scripts are constantly appearing, making them difficult to find; blocking certain scripts is breaking, making parts or the whole page unusable; some we cannot exclude due to contractual restrictions with Microsoft.”
In a post on Hacker News and an even longer one on Reddit, Weinberg tried to explain the restrictions involved, as far as possible without violating his contractual commitment to Microsoft to keep the terms of the agreement private.
“These are just non-Microsoft DuckDuckGo sites in our browsers, where the search sharing agreement does not allow us to stop loading Microsoft-owned scripts, although we can still enforce our browser protections after loading (such as third-party cookie blocking and others mentioned above, and they do),” he wrote on HN.
Weinberg insists DuckDuckGo is trying to change the terms of its search network deal with Microsoft, but can only say so much.
“Our consortium agreement also includes extensive confidentiality provisions and the required documents themselves are expressly marked as confidential,” he said.
Speaking of anonymity … Users of the Tor Browser in the privacy-protecting Tails 5.0 operating system have been asked to stop using the software until the release of 5.1, as a vulnerability in the underlying Mozilla Firefox browser could allow “a malicious site to bypass some of the security built into Tor Browser and access information from other sites.”
“Mozilla already knows sites that exploit this vulnerability,” the Tails team wrote.
“This vulnerability will be fixed in Tails 5.1 (May 31), but our team does not have the ability to publish an emergency version earlier.”