DuckDuckGo Privacy Browser app does not block Microsoft trackers
DuckDuckGo Privacy Browser isn't totally private, a security researcher has revealed. The privacy-focused search engine's app, for iOS and Android, is not blocking trackers from Microsoft.
The news came to light when security researcher Zach Edwards, who was conducting a security audit of the browser, found that the app blocked trackers from Google and Facebook but did not block Microsoft trackers. Screenshots and messages posted by Edwards on Twitter reveal that the app let the trackers run on Bing and LinkedIn's domains. This in turn puts the user's privacy at risk, since the Redmond company can collect information such as the IP address, user agent, and other relevant data.
The app includes, among other things, a tracker blocker and a cookie blocker to protect the privacy of users. The description of DuckDuckGo Privacy Browser on the App Store and Google Play Store reads as follows:
"Escape Website Tracking - Tracker Radar automatically blocks hidden third-party trackers we can find lurking on websites you visit in DuckDuckGo, which stops the companies behind those trackers from collecting and selling your data."
When an app has a description like that, you would expect it to apply to all websites, wouldn't you? That's why the fact that it doesn't block Microsoft's trackers is a problem; DuckDuckGo should have been upfront about the issue.
Why does DuckDuckGo Privacy Browser allow trackers from Microsoft?
Bing is one of the many sources from which DuckDuckGo pulls its results. In case you aren't aware of it, the privacy-focused search engine has an agreement with Microsoft to display contextual ads in its search results. These ads were generally believed to be non-tracking, as the service does not profile its users.
Gabriel Weinberg, the founder and CEO of DuckDuckGo, responded to Edwards' findings, confirming that the browser allows Microsoft trackers.
He explained that the search engine ensures the anonymity of users when search results are loaded, and that this includes the advertisements that are displayed. But it appears that the internet company's agreement with Microsoft prevents DuckDuckGo from blocking its trackers.
Is DuckDuckGo.com safe to use?
Yes, it is. While the browser has been found guilty of allowing said trackers, Weinberg has confirmed the search engine remains untainted. So, there's a bit of good news amidst this chaos. I would still advise using an ad blocker, like uBlock Origin or AdGuard, to protect yourself from trackers. It is unclear if the macOS browser is affected, but given the nature of the issue, it is likely affected as well.
In a statement sent to Bleeping Computer, Weinberg said that his company is working with Microsoft on removing the restriction to block the trackers. He also defended DuckDuckGo's browser, stating that it blocks third-party tracking scripts before they load on sites, instead of following other browsers that just offer 3rd-party cookie protection and fingerprint protection. The company will also update its app store descriptions to provide more information.
The timing of the discovery is particularly bad for DuckDuckGo, as it had criticized Google's privacy practices just a couple of weeks ago. It had proudly announced that its Chrome extension blocked Google's new tracking methods, such as Topics and FLEDGE.
Practice what you preach, DuckDuckGo.
References: Zach Edwards, Gabriel Weinberg 1,2, DuckDuckGo Ads policy
It’s always about monetizing the users and their searches. Follow the money, whether DDG, Google, Bing, Yahoo!
Pity that I was so easily led to believe that DDG was a case of true altruism…
What about DuckDuckGo ever gave the impression they were “altruistic”?
This isn’t some FOSS program developed by a small group of people and put out into the world to “benefit” society. DDG has always been a for-profit entity. It seems that the entire reason people “trusted” them had less to do with DDG and more that they weren’t Microsoft or Google.
No good news. I hope that DDG will block all kinds of trackers or at least allow users to block them. Thanks @Ashwin for the article! :]
I can’t speak for the DuckDuckGo Privacy Browser app which I don’t use but concerning the Search engine uBlock Origin blocks and blocks only access to [improving.duckduckgo.com].
As far as what is revealed here about DDG’s Browser, I’m always surprised that we have to wait for a security researcher’s findings to discover what could have been clearly mentioned by the developer in the first place: honesty aside I don’t consider it very smart to hide what is inevitably bound to be discovered later on, especially nowadays, especially within code.
I’ll continue to use DDG because, being vaccinated with both anti-gullibility and anti-cynicism I’m never over-excited nor ever over-disappointed. Of course I would have preferred that a Web search engine I use be not the center of a pointed-finger attention, but that’s the way it goes…
I share most of my Web searches between DDG and the [searx.tiekoetter.com] SearXNG instance (far better than the previous (still alive) searX instances). I happen to hesitate between typing d+ [quest] for DDG and x+ [quest] for SearXNG. Stories like the one described here may make me even unconsciously favor SearXNG. Time will tell, stay tuned, I’ll report back before the end of the year :=)
DuckDuckGo is a company in the USA. It’s one of the worst imaginable jurisdictions to be under in terms of privacy. I wouldn’t be surprised if they (DDG) actually had to collect data and would hand their stuff over to the government, possibly in secret under gag order. I would generally not trust online services that operate from the US, local software yes, but certainly not online services like search, VPN, E-Mail etc.
Apart from their jurisdiction, DuckDuckGo is also closed source. Their browser applications are open source, yes, but not the actual backend server code of their search engine. As far as we know, they could collect as much data as Google, since they keep their cards close to their chest as far as their search engine is concerned. Whereas with searX / searXNG, the backend code is actually open source and instances running the code vanilla (like your mentioned instance) are far more trustworthy than DDG in my book.
As far as the article’s info is concerned, I am not surprised at all. DuckDuckGo’s tracking protection only consists of a weak default list (similar to default Firefox with its laughable tracking protection) with no way to add custom lists. Since the DDG browsers do not support custom lists and also do not support browser extensions, they are pretty useless to me. I would still use them over Google Chrome or MS Edge of course if I had to, but there are many better alternatives like Bromite, Brave, Kiwi, Fennec F-Droid etc.
@Iron Heart, I read you loud and clear. You’re emphasizing on the cons, but is the company really that bad?
I have in mind the relationship between the EFF (Electronic Frontier Foundation) and DuckDuckGo, at least in these terms :
“HTTPS Everywhere Now Uses DuckDuckGo’s Smarter Encryption” (14 April 2021)
One may point out that ‘Smarter Encryption’ doesn’t exclude what you mention but in all regards do you really think DDG is that pernicious?
Anyway searX/SearXNG as a metasearch engine may include many search engines’ results, of which DDG’s. I take into account your remarks and may very well shift towards adopting searXNG as my default search engine.
DDG mgt made a bad business decision that negatively affected its lesser tech savvy users. More than likely, this decision was forced due to MS strong arm business practices which I am positive did not sit well with DDG at all. But, DDG agreed to it and did not disclose it to their users. When privacy is what you are selling, withholding detrimental privacy practices from customers is going to hurt your business. This behavior is now a known business characteristic of DDG. They need to have a come-to-Jesus moment with a massive transparent mea culpa; otherwise, trust is gone for good. To date, DDG customers have only received a, “We hope one day ms will stop forcing us…” bs statement. Other than coming clean with complete certifiable transparency, they will lose users for good.
I think the best approach is to use many different search engines that are not google nor bing nor yahoo (is y.search still a thing?). It was always nice to know DDG was there and could be used as part of a search pool. But customer trust is immensely hard to earn and should be treated as golden business capital, especially for a company whose reason for existence are promises made about privacy protection. Since it has been found to be less than perfect, DDG has lost trust by not disclosing that which it probably could not (20% chance DDG’s hands were tied by an MS NDA). Willful or not, that does not change the fact that DDG has exposed its customers to MS tracking. So customers must now ask themselves, what other NDAs are DDG being subjected to? Does DDG collect customer profiles on the backend of their search engine due to an NDA? for curiosity? for sale? for etc? User trust takes forever to gain but evaporates in a second. DDG has to do a lot more than, “We hope MS will allow us…” because those are statements which intelligent customers immediately discount to zero.
@NooneSpecial, I’ve always been aware that DDG wasn’t as close to probity as it claims. There had been concerns at one time with its Privacy Essentials extension.
After Iron Heart’s comment, confirmed by you and several others here throughout time, I had a deeper look on abouts, privacy blogs, I also noticed that DDG’s IP (220.127.116.11, connected from here at least) is located in the beautiful city of Dublin and indeed has ‘Microsoft Corporation’ as ASN name (ISP) which does confirm its tie to MS. Bad for me : MS and I aren’t good friends :=)
So I’ve removed DDG and because I always have 6 search engines running I’ve replaced DDG with another MetaSearch engine, Swiss, called ‘eTools Search’ which is quite nice. SearXNG has become my default search engine by the way.
At this time none of my search engines connects to elsewhere than Europe. I say this without enthusiasm because I truly love America, at least the nation, its people, less the administration and not at all the latter when businessmen lead the country. But I’ve read over and over that servers within the EU should always be privileged … for what it’s worth given I’m not a specialist.
We’re having duck for supper :=)
They are always your friends when they are small, then you help them grow, then they stab you in the back.
How many times should history repeat itself?
It makes you wonder who’s gonna be next – Vivaldi or Brave? Or maybe even Linux?
This is how I would destroy linux distros, one by one, if I were Microsoft: Anonymously donate a large sum of money to the project. Then go make some popcorn. In no time the developers will start fighting for the money and the distro will soon implode. Friendships destroyed, users angry and disappointed. As a bonus it makes linux look like a very bad alternative. They’ve done it before and it still works like a charm. Anyone can be bought.
Sad. Tarnishes DDG. Browsers in glass houses should not throw stones. They should have revealed the Microsoft tracker issue. Now they look like all the rest.
“Weinberg has confirmed the search engine remains untainted”
AFAIK, Bing applies exactly the same censorship and filtering as Google does. How is that “untainted”?
We are in dire need of an honest search engine, providing honest results and Duckduckgo is not it. Far from it. The small guy was always evil. Was a small guy, is all…
This is disturbing news. How can I trust DuckDuckGo again?
You trusted them before? Like when they censored search results?
>DuckDuckGo – downranking Russian search results, aka censorship related to Russo-Ukrainian war
>Tiananmen Square Tank Man vanishes from Microsoft Bing, DuckDuckGo, other search engines
I could go on, but it is a hot day and I need rest.
Ah, the quintessential Ghacks user, completely ignoring the context behind each of their points on how you cannot trust any company. You’ll feign annoyance and anger even if objectively fake news websites and illegal pornography are banned. Kudos, Martin, and now Ashwin, for encouraging this by approving all these kinds of comments but not genuine commentary. Keep up the good work!
You sound like you would know about it, real sorry to hear your kind of movies are banned there.
>>Ah, the quintessential Ghacks user, completely ignoring the context behind each of their points on how you cannot trust any company.
Not all of us have your level of technical sophistication.
@Anonymous, he/she who posted on May 26, 2022 at 2:29 pm,
Technical sophistication is like jam: the less you have, the more you spread it!
Don’t worry :=)
I can’t trust DDG.
For me, it’s Firefox + uBlock Origin + Brave Search. On desktop and mobile.
Greed strikes again. DuckDuckGo has been BRIBED. The damage is done, this is the end for DuckDuckGo. YOU HAD ONE JOB! ONE!
Double agent TRAITOR.
@Scum Hear hear!!
Ghacks readers, the perfect example of naive and gullible.
I mean, when DDG android app was ‘caught’ sending typed URLs to DDG servers, don’t you think that was already a red alert?
When they were caught lying about and breaking their own cookie privacy policies?
DuckDuckGo is the kind of company that hires people based on race and gender, what do you expect?
They obviously follow, not lead, they submit to governments they don’t care about users. Why do you think they have done censorship on top of Microsoft’s Bing censorship? for years, not just recently.
They have to send all your searches to Microsoft, they say they hide the IP, but people using DDG apparently didn’t care how they still send it because it’s all a business.
Look at DDG partnerships too, do you think they are good companies?
Or just read Gabriel Weinberg past with Names DB the surveillance capitalist service he founded in 2006. But now he cares about your privacy?
I don’t understand why people are surprised about this, you actually sound really dumb, like… did you never do any investigation to see if you could trust DDG? or you just believed the buzzwords and marketing schemes of “privacy”, “google evil”, “we are the good guys”.
Duck dot Com belonged to Google, but somehow they decided to give it away to DDG because Google are cool guys? Use your brain, that’s not how it works.
The fact that they did this is problematic. The fact that they did not disclose it is totally unacceptable and means that I won’t be using them again (they were my alternative search engine to Brave).
By the way I’ve just noticed that Brave Search has improved since last time I visited it : Web search results are no longer restricted to one page only. An interesting alternative.
All internet based companies are not to be trusted. Even Brave did their oopsies before(search ‘brave modify url referral’). Also, using a company which advocates Crypto is not good in my opinion.
> brave modify url referral
Not saying this was a good thing, however, it also had nothing to do with security or user privacy. It’s about as much an oopsie as Firefox’s referral which they add to all Google searches performed with the browser is. If something like this, something which had no tangible downside for the user, is a problem already, then I don’t know what you are calling other things. Gloom and doom has its place, yet perspective is important.
DuckDuckGo turned into same thing they were against. No point using it anymore.
Duckduckgo recently agreed to manipulate search results the same way that Google and Microsoft do. They are not what they used to be. Brave Search is the only American search engine (other than a few very small projects) still resisting government pressure.
It eludes me why ghacks net writes so much about DDG. But I am happy that at least for now they are critical. Gabriel Weinberg was involved in shady social networks named Names Database and Classmates.com. That was in 2006. And now the already mentioned censorship: https://beincrypto.com/duckduckgo-and-its-move-on-disinformation-betrays-its-user-base/
This news about not blocking Microsoft trackers fits like a glove in this pattern of dodgy practices of Weinberg/ DDG.
I really wish the search engine market was healthier. I.e. where small players don’t have to “feed” off the results of the big players. I’d much rather there be lots of big players who compete the conventional way, by delivering the best results and the best user experience possible.
But of course this is not what the people at the top want, they want to control what everyone can find on the Internet, etc, and you can only do that when there are only actually two or three players in the market and everybody else just uses their results.
I don’t understand why anyone is shocked by that.
Duckduckgo gets its results from Microsoft. Microsoft asked them not to block their tracking and they did it because they can’t make their own search engine. You need money and monetization to do that.
The “privacy” they claim is simply an advertising campaign to attract users. You just feed Microsoft with more data when you use Duckduckgo just like you do when you use Yahoo.
Hypocrites. M$ tracking good, Goggle tracking bad, right DDG?
It’s time for Linux!
Sheesh Phil give it a rest :)
One could always use search engines from countries that have no leverage in the Western world, such as Yandex and Baidu.
But the question is, is HTTPS connection really that privacy tight when the queries are sent through Western controlled network?
DDG should be dead. With recent comments on Twitter about them stifling free speech and others, this just adds more fuel to the fire. I’ve already stopped using them and changed all my family’s, friends’ and clients’ PCs to use different search engines et al.
Maybe better read a more professional version of the DDG conspiracy theory spawning itself by Ashwin on gHacks:
Doesn’t PC Mag know how to put together an article and polish it off with a polite ending which basically says, “We need more information from DDG.”
DDG says in the hard to miss tweet:
“To be clear (since I already see confusion in the comments), when you load our search results, you are anonymous, including ads. Also on 3rd-party websites we actually do block Microsoft 3rd-party cookies in our browsers plus more protections including fingerprinting protection.”
I guess, use Google or Bing for searches; there’s always a choice.
Once gone, trust is hard to get back. If no researcher had made the discovery, DDG would’ve continued their friendship with Microsoft… Funny thing I recently turned to DDG after years with Startpage. I don’t hate DDG by any means but will probably switch to another safe search engine, at least until it is proven to be ‘selectively safe’ as well.
A thorough read of Weinberg’s cover-up: https://news.ycombinator.com/item?id=31490515
The internet was once promoted as the gathering place for freedom of expression where humanity was going to blossom and join together to display truth and destroy misconceptions. Big government and business and money quickly destroyed the world’s town hall with censored/manipulated results that reflect only government’s and big business’ and big money’s interests. Everything on this medium is now collected and stored for marketing or other nefarious purposes. Satisfaction and happiness are nowhere to be found unless you find those characteristics in cat videos or other mindless time wasters. It has become a place where my search results on searX for “how to block microsoft” turns up 7+ pages of stuff from microsoft.com which I need to scan through to the bottom in order to hit next page. There were a couple of results from other than microsoft.com that wanted to tell you how to stop using or delete EDGE. After 7+ pages, my hope of finding a non-biased result is gone out the window. I am tired of playing this game of “get past the algorithm” to get real results from ANY search engine. I am tired of microsoft popping up on my display to tell me I have two options – turn off my important computer now, or they will turn it off later at their leisure to install their “important” updates. No mention of what they were installing, updating, or how long it would take. There is no care about customer satisfaction. They are all tied to the big public money source that only cares about data collection. I will continue to look for that elusive unicorn of a “real” search engine, but there is a very big hill to climb now to meet my expectations.