For the uninitiated, DuckDuckGo’s mobile browser was recently discovered to have been permitting Microsoft’s trackers to operate while blocking those of Google and Facebook. Zach Edwards, the security researcher who first discovered the issue, later found that trackers related to the bing.com and linkedin.com domains were also being allowed through the blocks.
“For non-search tracker blocking (e.g. in our browser), we block most third-party trackers,” DuckDuckGo CEO Gabriel Weinberg said at the time. “Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
But now, Brave CEO Brendan Eich says Edwards wasn’t coming clean, as DuckDuckGo also allows Microsoft trackers to work around third-party cookie blocking, via appended URL parameters.
“Trackers try to get around cookie blocking by appending identifiers to URL query parameters, to ID you across sites,” he said, further stating that DuckDuckGo knows all of this very well.
“DuckDuckGo removes Google’s ‘gclid’ and Facebook’s ‘fbclid’,” Eich said.
“Test it yourself by visiting https://example.org/?fbclid=sample in [DuckDuckGo]’s macOS browser. The ‘fbclid’ value is removed. However, DuckDuckGo does not apply this protection to Microsoft’s ‘msclkid’ query parameter. Microsoft’s documentation specifies that ‘msclkid’ exists to circumvent third-party cookie protections in browsers (including in Safari’s browser engine used by DDG on Apple OSes).”
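The check Eich describes can be scripted. The following is an added example, not code from DuckDuckGo, Brave or the article: it strips the three click-identifier parameters named above and audits a stripper for identifiers that survive. The function names, the `PARTIAL_LIST` model and the sample URLs are constructed for illustration.

```javascript
// Click-identifier parameter names taken from the article.
const CLICK_ID_PARAMS = ["gclid", "fbclid", "msclkid"];
// Constructed list modelling a stripper that does not cover msclkid.
const PARTIAL_LIST = ["gclid", "fbclid"];

// Remove every blocked parameter from a URL and report what was removed.
function stripClickIds(rawUrl, blocked = CLICK_ID_PARAMS) {
  const url = new URL(rawUrl);
  const blockedSet = new Set(blocked);
  const removed = [];
  // Snapshot the distinct keys first; delete() drops all values of a key.
  for (const key of new Set(url.searchParams.keys())) {
    if (blockedSet.has(key)) {
      url.searchParams.delete(key);
      removed.push(key);
    }
  }
  return { url: url.toString(), removed };
}

// List the known click identifiers still present in a URL.
function survivingClickIds(rawUrl, known = CLICK_ID_PARAMS) {
  const params = new URL(rawUrl).searchParams;
  return known.filter((name) => params.has(name));
}

// Run a stripper over sample URLs and return only the ones that leak.
function auditStripper(stripFn, samples) {
  return samples
    .map((input) => {
      const output = stripFn(input).url;
      return { input, output, leaked: survivingClickIds(output) };
    })
    .filter((row) => row.leaked.length > 0);
}

// Constructed sample URLs, one per identifier.
const SAMPLES = [
  "https://example.org/?fbclid=sample",
  "https://example.org/?gclid=sample",
  "https://example.org/landing?id=42&msclkid=sample",
];

console.log(auditStripper((u) => stripClickIds(u, PARTIAL_LIST), SAMPLES));
console.log(auditStripper((u) => stripClickIds(u), SAMPLES));
```
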
DuckDuckGo vehemently disagrees with Eich’s conclusions, saying he is misleading readers.
“What Brendan seems to be referring to here is our ad clicks only, which is protected in our agreement with Microsoft as strictly non-profiling (private),” The Register cited a company spokesperson as saying.
“That is, these ads are privacy protected, and how he’s framed it is ultimately misleading. Brendan, of course, kept the fact that our ads are private out, and there is really nothing new here given everything has already been disclosed.”