The DuckDuckGo Browser Purposely Allows Some Microsoft Trackers

DuckDuckGo currently offers one of the most comprehensive privacy-focused web browsers (and search engines) on the market. The search engine and browser are widely used by security-focused individuals to protect their online privacy.

The DuckDuckGo browser is known for taking a multi-layered approach to privacy. Like the search engine (which can be used on other browsers), it doesn’t incorporate any trackers. The browser also provides other web protections, including HTTPS-always encryption, fingerprinting protection, cookie consent handling, first-party cookie expiration, data clearing, and more.

Yet, as security researcher Zach Edwards discovered quite recently, not even giants are infallible. He found that the DuckDuckGo browser for Android, iOS, and macOS allows Microsoft scripts to run while a page is loading. These trackers gather information, like a person’s IP address, and send it to Microsoft servers. According to DuckDuckGo’s CEO, Gabriel Weinberg, that information isn’t linked to any ad profiles.

Some Tracking is Allowed (Evidently)

Edwards recently performed a security audit of the DuckDuckGo Privacy Browser and found that it allowed trackers used by Microsoft-owned LinkedIn and Bing. He revealed in a Twitter post that he had tested the browser’s tracker-blocking capabilities using Facebook’s new Workplace website.

Twitter post detailing DuckDuckGo security audit with screenshots from the research.

Edwards found that DuckDuckGo doesn’t block Microsoft-owned scripts from running while a website is loading. To be fair, DuckDuckGo hasn’t hidden the fact that Microsoft is one of its ad partners and that it provides context-based ads from its partners on searches. The company is also adamant that it never creates ad profiles that can be used to compile information on and identify users.

According to DuckDuckGo, its private browser shows ads based on what you searched at that moment and doesn’t track your searches or activity across the web. This isn’t news, but what’s surprising is the company failed to adequately provide context on the scripts its ad partners use.

Once Again Money Trumps Personal Privacy

DuckDuckGo’s CEO says the company currently has a search syndication agreement that prevents it from stopping Microsoft-owned scripts from loading. That means, while the DDG browser is able to prevent other scripts from loading, it can only apply script blockers against Microsoft trackers after a website has loaded. According to Weinberg, this only applies to non-DuckDuckGo and non-Microsoft sites and doesn’t affect the search engine in any way.

The result is that, while the DuckDuckGo browser offers more privacy than many others currently do, it doesn’t protect users as much as it implies. Let’s be clear: the browser is capable of stopping those scripts before they load but willingly entered into an agreement with an ad partner that prevents it from doing so.

That isn’t in line with a browser which claims to put users’ privacy first – now with the caveat that it does so only as far as its marketing partners allow. In a way, it’s not a surprise. DuckDuckGo is a free service and, like other browsers, makes its money via advertising and affiliate marketing. Marketing and privacy don’t traditionally go hand-in-hand.

The other problem with this revelation is that DuckDuckGo has failed to relay the information sufficiently. Instead, DuckDuckGo users thought the service was protecting their information by preventing all scripts from loading and have now had to find out that’s not the case.

Despite DuckDuckGo’s long-running efforts in building user trust, this also opens up a new avenue of reasonable doubt. Are there similar agreements (or worse) with other ad partners?

DuckDuckGo Responds

For its part, the company has responded on social media and on the Hacker News aggregator by explaining that its efforts to increase privacy are ongoing. According to a post by Weinberg, the company is currently working with Microsoft to change the restrictions in the agreement.

Presumably, these changes would then allow the browser to block Microsoft-owned scripts before third-party pages load – but that isn’t specified.

Screenshot of an excerpt of DuckDuckGo CEO Gabriel Weinberg's statement

The company has also indicated that it will change its app store descriptions to provide a more detailed disclosure. Again, presumably that will include all there is to know about which scripts the browser allows while pages are loading. The company did not reveal whether Microsoft is its only ad partner that imposes these or other types of requirements.

This news might be a wake-up call for many users who thought their privacy was intact while using the browser. It’s undeniable that DuckDuckGo is still one of the most privacy-focused browsers available, but absolute trust is never a good idea. That’s why, like DuckDuckGo, many security experts promote a multi-layered approach when it comes to privacy and security.

Aside from a trustworthy private browser, users also have to be careful with what information they share with other privacy-oriented tools. DuckDuckGo is one part of the equation (prevents website trackers), but there are also antivirus programs (prevent malware) and VPNs (encrypt traffic).

Don’t trust free VPNs either. CyberGhost VPN doesn’t rely on ad partners (or anyone else) to make money. Our only source of income is our affordable monthly subscription, which we use to maintain our secure server network. Our strict No Logs policy and RAM-only servers also prevent us from collecting or storing any user browsing data.
