Brave's founder calls out DuckDuckGo's browser for not removing Microsoft's tracking parameters from URLs
Remember the recent controversy surrounding the DuckDuckGo Privacy Browser? It turns out that the app not only allows cookies from Microsoft's trackers, but also allows users to be tracked via URLs.
When questioned about the original issue, DuckDuckGo's founder, Gabriel Weinberg, clarified that his company has a partnership with the Microsoft, which prevents them from blocking the ads. He played down the scrutiny, stating that the search engine protects the anonymity of users, even when ads are displayed from the Redmond company, by blocking third-party cookies.
Brave Browser's founder, Brendan Eich, doesn't appear to have been satisfied by the casual explanation given by the rival browser maker. In fact, he has accused DuckDuckGo of lying to their users. (source: Twitter)
DuckDuckGo's browser ha a built-in tracker blocker and cookie blocker, this should, on paper, prevent users from being tracked by ad networks, right? It does, but with some exceptions.
Eich says that DuckDuckGo's browser on macOS removes the tracking parameters from URLs, if they are from third-parties like Google or Facebook,
Visiting the above URL in the DuckDuckGo Browser on macOS removes the tracker from the address bar, this is what the tracking protection feature should work like. However, when you use a similar link and replace it with Microsoft's tracking method, such as the one below, the browser does not strip the query URL parameters.
The tracker part is visible in the address bar of the browser even after the page has loaded.
If you click on a link in a web page, and the URL has some parameters such as an affiliate ID, or other tracking elements, the website can know which link you clicked, and depending on its policies, may earn a commission from the destination site for advertising it. Likewise, the page that you were redirected to, can know which website you were on earlier, i.e. how you landed there (via search, a specific article, a product promotion, etc). This data could be used to profile your browsing habits, deliver personalized ads, etc. In other words, it is not good for privacy. Google's AMP is perhaps the most notorious example of URL-based tracking, besides Facebook, of course.
Essentially, this method circumvents cookie-based tracking, to identify you across sites. If you take a look at DuckDuckGo's GitHub page for Privacy Configuration, you can see the list of tracking parameters that it blocks. Guess which one isn't among the list?
Let's take a look at this support page on the Microsoft Advertising Blog. It mentions that the Microsoft Click ID, which is the tracking parameter, msclkid, automatically adds a unique click ID to the landing page after a user clicks on an ad.
That's why Eich has claimed that the cookie-less tracking method isn't blocked by the browser, because it is not in the code. He also theorized that DuckDuckGo is circumventing the tracking protection for Bing, in order to earn revenue from Microsoft.
DuckDuckGo denies that it allows link-tracking in its browsers
A spokesperson for DuckDuckGo told The Register that the ads that users see are private, and are not used to track them. They denied the allegations made by Eich, and said that the tracking parameters merely send an ad click to the provider. Interestingly, the person also pointed out that no browser protects against link tracking (based on data from PrivacyTests), and that their browser has started protecting users from Google and Facebook. The company has confirmed that it will block tracking parameters from Twitter and Microsoft in the future.Advertisement