DuckDuckGo is best known as a private search engine, but the company also has a private web browser for mobile devices (with a desktop version on the way). However, the browser is currently in hot water, after a security researcher discovered an exception for Microsoft trackers.
The main feature of DuckDuckGo Browser is that it blocks tracking scripts and most online advertising, in an effort to keep as few servers from collecting data about your behavior as possible. Tracking protection is never 100% effective, since it relies on people to keep adding sites and domains to blocklists (like NoTracking). However, DuckDuckGo Browser has a defined exception for Microsoft-owned ad networks and tracking scripts, allowing them to load even when they are known to compromise privacy.
As our sister site ReviewGeek reported yesterday, Zach Edwards first pointed out the exception in a series of tweets, after noticing DuckDuckGo on iPhone and Android wasn’t blocking LinkedIn and Bing advertisements on Facebook’s Workplace site.
You can capture data within the DuckDuckGo so-called private browser on a website like Facebook's https://t.co/u8W44qvsqF and you'll see that DDG does NOT stop data flows to Microsoft's Linkedin domains or their Bing advertising domains.
iOS + Android proof:
— ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 (@thezedwards) May 23, 2022
DuckDuckGo’s CEO and founder, Gabriel Weinberg, replied with his own series of tweets. “Most all of our other protections also apply to MSFT-owned properties as well, he said, “This is just about non-DuckDuckGo and non-Microsoft sites, where our search syndication agreement prevents us from stopping Microsoft-owned scripts from loading, though we can still apply protections post-load (like 3rd party cookie blocking). We are also working to change that.”
DuckDuckGo says it uses over 400 sources for search engine results, including the company’s own web crawler, but typical link results are sourced “most commonly from Bing.” According to Weinberg, DuckDuckGo’s ability to use Bing search results depends on a carved-out exception for Microsoft’s ads in the mobile browser. A representative from DuckDuckGo told us that third-party cookies from Microsoft services are still blocked.
Private search and browsing is DuckDuckGo’s main claim to fame, so understandably, the news hasn’t gone over well with some long-time fans. The company also hasn’t informed its users about the limitation at all — although its CEO has been doing damage control on Twitter and other platforms, the official DuckDuckGo social media accounts and blog haven’t said anything about the discovery.
DuckDuckGo provided the below statement to us from Gabriel Weinberg (again, instead of communicating the issue to users), which largely re-states his recent comments on social media.
We have always been extremely careful to never promise anonymity when browsing, because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection, they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft.
What we’re talking about here is an above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites. Because we’re doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would using Safari, Firefox and other browsers. This blog post we published gets into the real benefits users enjoy from this approach, like faster load times (46% average decrease) and less data transferred (34% average decrease). Our goal has always been to provide the most privacy we can in one download, by default without any complicated settings.