The duck is in hot water! DuckDuckGo is the go-to search service for folks concerned with online privacy, but sadly, it appears that things are not as private as these users had hoped.
Before we get down to the juicy details, an introduction to the company.
DuckDuckGo is founded on the promise of a more private web, with a search engine that does not heavily track every movement you make on the web. The firm also offers dedicated apps for the iOS and Android platforms, as well as a slew of accompanying services.
So, naturally, a revelation like this is not just damaging; the controversy is also likely to have an impact on the number of users it manages to attract.
That’s because a discovery by a security researcher reveals that the company is allowing data to be transmitted via Microsoft trackers to LinkedIn and Bing ad domains. What’s more, the company also admits that an agreement exists between itself and the Windows maker.
Zach Edwards, the security researcher, has a gargantuanly lengthy thread about his finding:
Sometimes you find something so disturbing during an audit, you've gotta check/recheck because you assume that *something* must be broken in the test.
But I'm confident now.
— ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 (@thezedwards) May 23, 2022
He goes on to explain that if you download the current version of the DuckDuckGo browser on iOS and Android, you will find that the browser has a secret data-flow allowlist that is used to enable data transfer to very common advertising subsidiaries owned by Microsoft.
It stops all other trackers — including those from the likes of Facebook and Google — but not the ones owned by Redmond.
Apparently, this stems from a search syndication agreement that exists between DuckDuckGo and Microsoft. And to make matters worse, the company has kept this hidden with no mention of this leeway afforded to the software titan in official communication or app descriptions.
Now that the cat is out of the bag, though, the company is in damage control mode.
In a statement, DuckDuckGo CEO Gabriel Weinberg clarified the company's stance, while the app descriptions on app stores have also been amended to let folks know that the company is not able to block all hidden tracking scripts on other websites for a variety of reasons.