The CEO of web privacy company DuckDuckGo has spoken out to defend the platform after a researcher discovered that it kept its user-tracking agreement with Microsoft quiet.
Public criticism of DuckDuckGo started on Monday as privacy and data supply chain researcher Zach Edwards discovered that DuckDuckGo allowed user data to flow to Microsoft-owned products LinkedIn and Bing.
DuckDuckGo offers a privacy-focused web browser with apps for iOS and Android, the two platforms that have been found to leak user data because DuckDuckGo does not block specific third-party trackers that send data to Microsoft.
Both Apple App Store and Google Play Store pages for the DuckDuckGo apps claim to offer “seamless protections from third-party trackers while you search and browse”.
However, there is no mention of the agreement with Microsoft, which prevents DuckDuckGo from stopping Microsoft-owned tracking scripts from loading on third-party websites. This means services like LinkedIn and Bing can still gather user browsing data when their trackers are loaded for DuckDuckGo users on other websites.
Gabriel Weinberg, CEO and co-founder of DuckDuckGo, addressed the situation in a lengthy Reddit post on Wednesday, admitting that its contract with Microsoft means the company’s “all-in-one privacy apps” cannot offer users the same protections against Microsoft as they can against other companies like Google or Meta.
Weinberg said that DuckDuckGo imposes restrictions on all third-party tracking scripts, including Microsoft’s, relating to third-party cookie and fingerprint protection, and also adds an “above and beyond protection” that blocks third-party tracking scripts from loading on websites.
The CEO said this is something that most other browsers don’t attempt to do because blocking such scripts often leads to visited websites breaking.
DuckDuckGo has to permit third-party trackers for Microsoft, and Microsoft only, because of distribution requirements associated with its agreement to display some Bing search results in its browser.
“While a lot of what you see on our results page privately incorporates content from other sources, including our own indexes (e.g., Wikipedia, Local listings, Sports, etc.), we source most of our traditional links and images privately from Bing (though because of other search technology our link and image results still may look different),” said Weinberg.
“Really only two companies (Google and Microsoft) have a high-quality global web link index (because I believe it costs upwards of a billion dollars a year to do), and so literally every other global search engine needs to bootstrap with one or both of them to provide a mainstream search product.”
DuckDuckGo said it’s currently in ongoing talks with Microsoft to remove this limited restriction, but conceded that its “product is not perfect and never will be. Nothing can provide 100% protection”.
That said, it still believes it offers much greater privacy compared to other browsers and understands the confusion held by users given that it's ultimately a search syndication contract that is preventing DuckDuckGo from doing things unrelated to search.
Weinberg’s response was greeted warmly by users saying the comprehensive and technical explanation was “refreshing” and one user said it improved their perception of the company.
DuckDuckGo’s agreement with Microsoft has been disclosed before. One article on the company’s help page informs users that Microsoft can see the full IP address of a user so it can properly charge advertisers when a user clicks on a Microsoft-provided advert.
“I hope this provides some helpful context,” said Weinberg. “Taking a step back, I know our product is not perfect and will never be. Nothing can provide 100% protection. And we face many constraints: platform constraints (we can't offer all protections on every platform due to limited APIs or other restrictions), limited contractual constraints (like in this case), breakage constraints (blocking some things totally breaks web experiences), and of course the evolving tracking arms race that we constantly work to keep ahead of.
“That's why we have always been extremely careful to never promise anonymity when browsing outside our search engine, because that frankly isn’t possible.”
As well as working with Microsoft to remove the restriction, DuckDuckGo is also working to update its app store pages to more accurately reflect the allowances it makes to Microsoft.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.