DuckDuckGo: Why our browsers do not block Microsoft trackers

DuckDuckGo promises privacy to users of their Android, iOS and macOS browsers – but it does allow certain data to flow from third-party websites to Microsoft-owned services.

Security researcher Zach Edwards recently reviewed DuckDuckGo’s mobile browsers and found that, unexpectedly, they do not stop Meta’s Workplace domain, for example, from sending information to Microsoft’s Bing and LinkedIn domains.

Specifically, DuckDuckGo’s software did not prevent Microsoft’s trackers on Workplace from passing user information to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google’s, are blocked.

“I tested the DuckDuckGo so-called private browser for both iOS and Android, yet none of the versions blocked data transfers to Microsoft’s Linkedin + Bing ads while viewing Facebook’s workplace[.]com website,” Edwards explained in a Twitter thread.

The situation is the same for DuckDuckGo’s macOS browser, a company spokesman confirmed.

In response to Edwards, DuckDuckGo CEO Gabriel Weinberg stressed that their browsers do not allow ad tracking data to flow to DuckDuckGo’s Microsoft Bing-powered search engine, which last year faced separate criticism for inheriting Redmond’s censorship of Tiananmen Square images.

According to Weinberg, DuckDuckGo Search users who see ads delivered through Microsoft Advertising do not provide data when these ads load on the page. If a user clicks on an ad, Microsoft Advertising gets the user’s IP address and user-agent string for ad attribution and billing, although, as DuckDuckGo explains on its website, that click is apparently not linked to a user profile.

Regarding the company’s browsers, he said that DuckDuckGo blocks Microsoft’s third-party cookies (used for ad tracking) on third-party websites, but acknowledged that there are some trackers (scripts used for tracking) that DuckDuckGo’s browsers do not block due to contractual obligations with Microsoft.

“For non-search tracker blocking (e.g. in our browser), we block most third-party trackers,” said Weinberg. “Unfortunately, our Microsoft Search Syndication Agreement prevents us from doing more on Microsoft-owned properties. However, we are constantly pushing and expecting to do more soon.”

“What we’re talking about here is an above-and-beyond protection that most browsers don’t even try to do – that is, block third-party tracking scripts before loading them on third-party sites,” Weinberg added in a statement to The Register.

“Because we do this where we can, users still get significantly more privacy with DuckDuckGo than they would with Safari, Firefox, and other browsers.”

In other words, DuckDuckGo offers better-than-average privacy protection in its browsers, but looks the other way for Microsoft-owned scripts – for Bing and LinkedIn – so they can continue to load on third-party sites like Workplace and collect data.

DuckDuckGo, Weinberg said, does not promise anonymity when browsing, “because it honestly is not possible given how fast trackers are changing how they work to avoid protection and the tools we currently offer.”

Anonymity is also contractually ruled out, as DuckDuckGo has noted in recent revisions of its browser descriptions in Google Play, the iOS App Store and the Mac App Store – presumably to avoid scrutiny from regulators for promising privacy without disclosing exceptions.

The added text says, “Note about our Tracker Blocking: Although we block all cross-site (third-party) cookies on other sites you visit, we may not block all hidden tracking scripts on non-DuckDuckGo sites for a number of reasons, including: new scripts are popping up all the time, making them difficult to find; blocking some scripts causes breakage, making parts or the entire page unusable; and some we are prevented from blocking due to contractual restrictions with Microsoft.”

In a post to Hacker News and an even longer essay on Reddit, Weinberg sought to explain the limitations involved to the extent possible without violating its contractual obligation to Microsoft to keep the terms of the agreement private.

“This is only about non-DuckDuckGo and non-Microsoft sites in our browsers, where our search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, even though we may still use our browser protection after loading (such as third-party cookie blocking and others mentioned above, and do so),” he wrote on HN.

Weinberg insists that DuckDuckGo is trying to change the terms of its search syndication agreement with Microsoft, but can only say so much.

“Our syndication agreement also has broad confidentiality provisions, and the claim documents themselves are explicitly marked as confidential,” he said.

Speaking of anonymity … Users of the Tor Browser in the privacy-focused Tails 5.0 operating system have been asked to stop using the software until the release of 5.1, as a vulnerability in the underlying Mozilla Firefox browser could be exploited by “a malicious site to bypass some of the security built into Tor Browser and access information from other sites.”

“Mozilla is already aware that websites are exploiting this vulnerability,” the Tails team wrote.

“This vulnerability will be addressed in Tails 5.1 (May 31), but our team does not have the capacity to release an emergency release sooner.”