DDG has a tracker blocking carve-out linked to Microsoft contract

2 years ago 125

DuckDuckGo, the self-styled “internet privacy company” — which, for years, has built a brand around a claim of non-tracking web search and, more recently, launched its own ‘private’ browser with built-in tracker blocking — has found itself in hot water after a researcher found hidden limits on its tracking protection that create a carve-out for certain advertising data requests by its search syndication partner, Microsoft.

Late yesterday, the researcher in question, Zach Edwards, tweeted the findings of his audit — saying he had found DDG’s mobile browsers do not block advertising requests made by Microsoft scripts on non-Microsoft web properties. (NB: This is a separate matter to what happens if you actually click on an ad when using DDG — as its privacy policy clearly discloses all privacy bets are off at that point.)

Edwards tested browser data flows on a Facebook-owned site, Workplace.com, and found that while DDG informed users it had blocked Google and Facebook trackers, it did not prevent Microsoft from receiving data flows linked to their browsing on the non-Microsoft website.

You can capture data within the DuckDuckGo so-called private browser on a website like Facebook's https://t.co/u8W44qvsqF and you'll see that DDG does NOT stop data flows to Microsoft's Linkedin domains or their Bing advertising domains.

iOS + Android proof:
👀🫥😮‍💨🤡⛈⚖💸💸💸 pic.twitter.com/u3Q30KIs7e

— ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 (@thezedwards) May 23, 2022

Edwards had some Twitter back and forth with DDG’s founder and CEO Gabe Weinberg, who initially appeared to be attempting to play down the finding by emphasizing all the stuff he said DDG’s browser does block (e.g., third-party tracking cookies, including those from Microsoft).

Weinberg was also especially keen to make it clear the data flows issue is not related to DuckDuckGo search.

However the limitation on DDG’s browser’s tracker blocking does amount to an exemption from protection against certain advertising data transfers to Microsoft subsidiaries (Bing, LinkedIn) — which could be used for cross-site tracking of web users for ad targeting purposes. Or, in other words, to undermine DDG browser users’ privacy.

You can capture data within the DuckDuckGo so-called private browser on a website like Facebook's https://t.co/u8W44qvsqF and you'll see that DDG does NOT stop data flows to Microsoft's Linkedin domains or their Bing advertising domains.

iOS + Android proof:
👀🫥😮‍💨🤡⛈⚖💸💸💸 pic.twitter.com/u3Q30KIs7e

— ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 (@thezedwards) May 23, 2022

In Twitter back and forth, Weinberg confirmed Edwards’ audit was correct — “fessing up to a contactual agreement that he said limited DDG’s ability to block trackers in this scenario by writing that DDG’s ‘search syndication agreement’ with Microsoft, which owns and operates the Bing search engine and index, prevents us from stopping Microsoft-owned scripts from loading.”

He added that DDG was “working to change that.”

This is just about non-DuckDuckGo and non-Microsoft sites, where our search syndication agreement prevents us from stopping Microsoft-owned scripts from loading, though we can still apply protections post-load (like 3rd party cookie blocking). We are also working to change that.

— Gabriel Weinberg (@yegg) May 24, 2022

Asked via Twitter whether DDG’s contract included a clause that prevents it from publicly complaining about the limitations imposed upon it by Microsoft, a tech giant with a growing adtech business, Weinberg told us: “Our syndication contract has broad confidentiality requirements, and the specific requirement documents themselves are additionally explicitly marked confidential.”

Discussing his findings and DDG’s response with TechCrunch, Edwards described himself as “pretty shocked” by Weinberg’s public response to his audit — and for having what he summed up as “no public solutions for the problems created through the secret partnership between DuckDuckgo and Microsoft.”

“I have significant concerns … about DDG’s public claims, especially the ones they make on their iOS/Android app install websites, promising tracking protections,” Edwards added. “If you compare the language within the app details, to the information shared by the DuckDuckGo CEO yesterday, you can’t help but wonder why they are so openly lying in one location of the internet, and not lying in another area of the internet, and seemingly attempting to throw their top advertising partner Microsoft under some sort of bus — essentially DDG’s CEO made numerous comments about how he was trying and hoping to get out of their current contract with Microsoft — this was a shocking admission to see publicly and something that I hope regulators take a serious look at.”

The issue has blown up on Hacker News over the day — where Weinberg (aka yegg) has been doing more firefighting in the comments, reiterating that DDG’s hands are tied by its contract with Microsoft and further claiming it has continued to press for changes to “this limited restriction.”

“This is just about non-DuckDuckGo and non-Microsoft sites in our browsers, where our search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, though we can still apply our browser’s protections post-load (like 3rd party cookie blocking and others mentioned above, and do). We’ve also been tirelessly working behind the scenes to change this limited restriction,” Weinberg wrote on the site.

“I also understand this is confusing because it is a search syndication contract that is preventing us from doing a non-search thing. That’s because our product is a bundle of multiple privacy protections, and this is a distribution requirement imposed on us as part of the search syndication agreement. Our syndication agreement also has broad confidentially provisions and the requirement documents themselves are explicitly marked confidential,” he added.

While DDG’s browser clearly does not block all scripts — and no tracker blocker is going to be 100% effective as tracking techniques are ever evolving — this carve-out for Microsoft scripts looks different on merit of it being a specific exemption attached to a contractual agreement that’s linked to a commercial deal which allows DDG to use Microsoft’s search index in its core product — none of which was (seemingly) public knowledge prior to Edwards’ audit.

In further public remarks on the issue, Weinberg implied that DDG is trying to balance a goal of giving browser users a very easy tracker blocker experience (i.e., to maximize accessibility), with beefing up protections that might further enhance user privacy but with a potential cost to the experience (e.g., broken webpages).

However the lack of a disclosure by DDG to browser users of the Microsoft-related restriction to its protections is particularly concerning — especially in light of the stark contrast with its privacy-focused marketing which tells users they will “escape website tracking” (which clearly isn’t happening in the specific Microsoft-related instances identified by Edwards). So DDG risks misleading users and undermining its own reputation as a pro-privacy business.

In a more recent response posted in response to Hacker News comments, Weinberg appears to have accepted the need for DDG to make fuller disclosure, writing: “We will work diligently today to find a way to say something in our app store descriptions in terms of a better disclosure — will likely have something up by the end of the day.”

“I understand the concern here that we are working to address in a variety of ways but to be clear no app will provide 100% protection for a variety of reasons, and the scripts in question here do currently have significant protection on them in our browser,” he added. 

We reached out to Weinberg with questions. He sent us this statement:

We have always been extremely careful to never promise anonymity when browsing, because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft. We’re talking here about an above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they even load on 3rd party websites. Because this can cause websites to break, we cannot do this as much as we want to in any case. Our goal, however, has always been to provide the most privacy we can in one download, by default without any complicated settings, so we took this on.

We also put questions to Microsoft about the limitation it imposes on search syndication partners but at the time of writing the tech giant had not responded.

Privacy trade-offs are never great but one conclusion looks inescapable here: Antitrust regulators need to closely examine the search syndication market — given it’s essentially comprised of two gatekeeping adtech giants, Google and Microsoft, which are fully empowered to enforce (unfair) terms on anyone else wanting to offer a competitive search product, or, indeed in certain cases, an alternative web browser.

European regulators have recently agreed a new ex ante competition regime that’s aimed at the most powerful intermediating platforms — which the Digital Markets Act refers to as internet “gatekeepers.” The DMA is clearly applicable to search engines but it remains to be seen whether the Commission will spot the opportunity to use the incoming regulation to crack open the search market by enforcing fair usage terms around search syndication on the only two indexes that count.

Read Entire Article