Personal Privacy. PHOTO: Cybercrime Magazine.

DuckDuckGo Quacks On User Privacy

Microsoft ad-blocking exceptions put search engine CEO on defensive

David Braue

Melbourne, Australia – Jun. 20, 2022

Web search engine DuckDuckGo has built a following by focusing on end-user privacy and blocking third-party trackers, but this reputation made it even more of a “shocker,” one security expert has admitted, when security researchers recently discovered that the company was quietly allowing Microsoft trackers to bypass its user-tracking blocks.

That means Microsoft-owned sites like Bing and LinkedIn can track users of the company’s DuckDuckGo Privacy Browser across websites, collecting personal usage data to target Microsoft-sponsored advertising at them.

The revelations, by privacy and security researcher Zach Edwards, shook a community of security experts that have come to embrace DuckDuckGo as a secure alternative to mainstream search engines and browsers like Google Chrome and Microsoft Edge.

News that DuckDuckGo was lifting the velvet rope for Microsoft — the result of a previously confidential marketing partnership — “was a shocker to me,” KnowBe4 data driven defense evangelist Roger Grimes told Cybercrime Magazine.

“Even as a penetration tester, if I wanted to be tracked less, I would use DuckDuckGo as a privacy person,” Grimes said, noting that “DuckDuckGo is synonymous with privacy.”

Cybercrime Radio: Duck, Duck Goose

Microsoft and DuckDuckGo, what you need to know

“Their intent is to not track you, and to actually try to prevent those first-party and third-party trackers a little bit better. A lot of people don’t like to be tracked, and then the alternative browser that has become the most popular one, that claims to not track you, had an exemption for Microsoft.”

The concerns raised eyebrows given the company’s official guidance about its Microsoft ad policies and the sharing of search information, in which it said ad-click behavior is only used “for accounting purposes” and promised that its use of search proxies means “we never share any personal information with any of our partners that could lead to the creation of search histories.”

“This means our partners see those requests as though they came from us instead of our users, and no unique identifiers are passed in that process,” the policy explains. “That way, we can work with partners to produce relevant search result pages, while keeping you anonymous to them (and us!).”

Further clarification has confirmed that the newly discovered data sharing relates to DuckDuckGo’s Privacy Browser app and not to its search website — a point that DuckDuckGo CEO Gabriel Weinberg explained in defending the policy that, he said on Twitter, “has nothing to do with search.”

“We block most third-party trackers,” Weinberg said. “Unfortunately, our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties.”

“However, we have been continually pushing and expect to be doing more soon.”

DuckDuck… goose?

Even as many in the security community lambast DuckDuckGo for allowing its Microsoft partnership to taint its supposedly completely private browser, Grimes said on the whole Weinberg’s explanation was “a pretty good reply, although it would have been better if he said it sooner and faster.”

“When you’re using any browser they’re tracking you through the use of first-party cookies whatever website you go to,” Grimes explained, noting that “the average website can track like 12 to 16 different characteristics about any session that you’re in — and it only takes 4 to 8 characteristics to uniquely identify you.”

Even that had proven difficult, however, given the myriad “amazing” ways that ever-resourceful tech companies have developed to track users — for example, with 1-pixel transparent images embedded on sites, and third-party scripts “that can still track you.”

“There are literally dozens, if not well over a hundred, methods that these third-party people like Google and Microsoft use, and stuff like that can still track you,” Grimes explained.

“When you visit a website, 99 percent of the time the website developers are clueless about what’s running on their websites because they have so many third-party cookies and so many analytics.”

“Each one of those elements is bringing in other things, like banner ads. So it turns out almost no website has any idea what is running.”

In the context of the new revelations, should security-conscious end users turn away from DuckDuckGo?

Not necessarily.

“If you go to DuckDuckGo, you’re still less likely to be tracked,” Grimes said.

“As a penetration tester, you learn early on that you can’t use the regular browsers. You’re being paid to do hacking, and a lot of those browsers will block what you’re trying to do.”

“And so you learn to use DuckDuckGo and other things because they will allow your pentesting attempts to go through far better than the regular major browser manufacturers.”

Despite what many might assume would be better privacy protection from the “hardcore privacy advocates” like Mozilla, Grimes said, “it turns out that Apple Safari and DuckDuckGo are actually better protectors of privacy than some of the open-source stuff.”

“If you want [complete] privacy you should be using the browser-based search engine. But DuckDuckGo is still doing better than everyone else.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.