Launched in 2008 as a privacy-focused search alternative to Google, DuckDuckGo sells itself on its lack of user tracking. However, some new security research reveals that policy does not apply equally to Microsoft trackers.
Questions have now been raised about DuckDuckGo’s relationship with Microsoft. The company pulls results from a variety of partners, but relies heavily on Bing results that are filtered for extra user privacy. This search partnership agreement appears to be giving Bing and LinkedIn special permission to engage in user tracking for those using the DuckDuckGo Privacy Browser, as confirmed by DuckDuckGo CEO Gabriel Weinberg.
DuckDuckGo allows Microsoft trackers through the gate?
Building a useful web search engine is no easy task, one of the reasons that Google still dominates the space after more than 20 years. DuckDuckGo relies on the search APIs from a number of other vendors, Microsoft included, and focuses on making the results anonymous and free from the sort of user tracking that puts personal information in the hands of data brokers.
Tapping into the results of services such as Yahoo and Bing means striking deals with their owners, in this case a syndicated search content contract with Microsoft. It appears that the terms of that contract require that Microsoft-owned services, such as Bing and LinkedIn, continue to do the usual third-party user tracking that DuckDuckGo’s browser usually blocks. This was not known to the public until private security research uncovered the connection, and the company CEO was pressed to admit to the relationship.
DuckDuckGo does have known advertising relationships with its partners, but it was not supposed to use Microsoft trackers to collect personal information; instead, Ads by Microsoft was supposed to serve up contextual results based on things the user previously expressed interest in while browsing. Microsoft expressly states that it may log the IP address of DuckDuckGo users when they click on its ad links, but it does not build individualized user tracking profiles on them.
It appears that all of this may be true for DuckDuckGo’s standard web-based search service, but not so much for its DuckDuckGo Privacy Browser. Similar to browsers like Brave, it touts the default ability to block third party user tracking. The app store pages imply that this is done for all “hidden third-party trackers we can find lurking on websites,” but it appears a special exception has been quietly made for Microsoft trackers per the terms of the syndication deal between the companies.
Security researcher traces user tracking back to Microsoft services
Security researcher Zach Edwards did some research on the DuckDuckGo Privacy Browser and found that data flows to LinkedIn and Bing user tracking advertising networks went unimpeded, posting proof on Twitter in late May. This prompted a response from Weinberg, who confirmed in a follow-up tweet that DuckDuckGo’s syndication agreement with Microsoft compelled them to allow Microsoft trackers in the Privacy Browser. He also specified that Microsoft trackers were blocked along with all other third party user tracking systems in the standard DuckDuckGo web search through other browsers.
The development would thus not appear to be that damaging; users can simply avoid DuckDuckGo’s browser, for which there are numerous secure alternatives on the market. But user trust in the company took a big blow as this arrangement had not been previously disclosed to the public, and would presumably have remained buried had a security researcher not dug it up.
Weinberg has said that the company is working with Microsoft to revamp this agreement, but it left some users wondering if DuckDuckGo had any other surprises being kept under wraps. Privacy advocates have taken issue with some elements of the search engine in the past, for example the fact that it logs local search history in plain text and displays search terms unfiltered in the URLs it links out with. The biggest controversy it had previously faced came in March, however, when the company declared that it would follow Google and others in downranking URLs believed to be related to Russian disinformation due to the Ukraine invasion. While some applauded the move, others saw it as a betrayal of the company’s free speech principles.
Given that it is a contractual arrangement and DuckDuckGo relies heavily on Bing search results, the Privacy Browser will likely continue to not be so private when it comes to Microsoft trackers; Weinberg has said that the company wants to update app store descriptions to reflect this. A spokesperson for the company added that those using the browser on Mac OS or iOS devices are getting an added layer of protection from these Microsoft trackers due to Apple’s own privacy requirements.
Cillian Kieran, Founder & CEO of Ethyca, provides some thoughts on how DuckDuckGo might restore its reputation (and how other companies that champion privacy might avoid falling into the same pit): “Developing tools or products with any mention of ‘privacy’ means that the stakes are high. Calling yourself a privacy champion is an invitation for users to deeply trust what you offer. Users develop high standards, and there is the visceral backlash as I’ve observed in the hours since the disclosure. For those of us that are building privacy technologies—whether your customers are people or businesses—we need to recognize the responsibility that comes with branding ourselves ‘privacy’ companies. Humans are trusting you to do what you say and—importantly—to not do what you don’t say. Tucking data practices into legalese does not protect you from real reputational damage.”