However, it seems that DuckDuckGo’s browser is unable to protect users from a particular subset of trackers. Zach Edwards, a privacy researcher, recently discovered in the course of an audit that the company’s browser doesn’t block third-party tracking scripts that connect to Microsoft’s LinkedIn and Bing advertising domains. We tested this claim ourselves with the DuckDuckGo Android browser, and, sure enough, PCAPDroid showed connections to px.ads.linkedin.com and bat.bing.com while visiting workplace.com. The browser blocks other third-party tracking scripts, such as those from Facebook and Google, but not these two. We performed this same exercise with the Brave browser and didn’t observe connections to these two domains.
DuckDuckGo’s Privacy Configuration repository includes bat.bing.com among a list of domains for which cookie protections are disabled “due to site breaking issues.” However, this list does not include px.ads.linkedin.com. The lack of an explanation for this tracking protection exemption raises questions regarding the purpose and motivation for this divergence from DuckDuckGo’s outspoken stance on protecting user privacy.
As it turns out, the DuckDuckGo search engine is powered by Microsoft’s own Bing search engine, and DuckDuckGo’s agreement with Microsoft includes stipulations that DuckDuckGo not block Microsoft’s LinkedIn and Bing advertising domains. Gabriel Weinberg, CEO of DuckDuckGo, confirmed this fact in a tweetstating, “For non-search tracker blocking (eg in our browser), we block most third-party trackers. Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expecting to be doing more soon.”
The CEO further explained in a comment on Hacker News that the “search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, though we can still apply our browser’s post-load protections (like 3rd party cookie blocking and others mentioned above, and do). We’ve also been tirelessly working behind the scenes to change this limited restriction.”
Two days after Zach Edwards pointed out that the DuckDuckGo browser doesn’t block LinkedIn and Bing advertising domains, DuckDuckGo updated the description of its browser in the Apple App Store and Google Play Store to be less misleading. The original description simply stated that “Tracker Radar automatically blocks hidden third-party trackers.“The new description splits third-party cookie blocking and third-party tracking script blocking into two different sections. The cookie section states that the browser prevents third-party cookies from tracking users without any caveats. Meanwhile, the tracking scripts section states that the browser “automatically blocks most hidden third-party tracking scripts” (emphasis added). This section also directs readers to “See notes and links below for more information.”