On Wednesday Bleeping Computer reported that DuckDuckGo allowed trackers from Microsoft but blocked most other 3rd party trackers. That caused a storm in twitter - but what is that all about? But let's break this down.
What is a tracker - it sounds ominous - like a spy bot following every step you take. It is just a cookie, a small text-file, that the browser store on your computer. The content is unique and is used to identify you. As you surf around on the network your browser will submit the cookie when requested to do so and this is how you are tracked.
What is a third-party tracker. Essentially it means that a website includes a script from a 3rd party - this script provides functionality and sometimes these places a tracking cookie. If this script is used by multiple sites the script provider can track how people moves around the network. One example can be the google analytics scripts - they will measure traffic for the website but at the same time be able to track user across websites. Facebook can do the same through their like buttons etc.
DuckDuckGo is famous for their privacy friendly search engine. But it was not the search engine that this was about. Using the search engine you are private - you are not being tracked. Not even by the ads nestled into the search result. The ads that are being displayed are only context sensitive ads and doesn’t build a profile on you. Ads provided are proxied through DuckDuckGo making sure that you are not leaking any data. As long as you don’t click on an ad you are private. But clicking an ad will provide some data about you (IP and browser information) to Microsoft. No search query or profile (there is none) will be provided to Microsoft. But the second you leave DuckDuckGo you can be tracked by 3rd party trackers on the sites you go to - depending on the browser and setup you have. This is not the fault of DuckDuckGo - but of the sites you visit.
DuckDuckGo also has a private browser - it can be found in the Apple App Store and Google Play store. It is this application, not search, that is not blocking Microsoft tracker cookies. One of it key features is just to block 3rd party trackers. But since the DuckDuckGo company has some agreements to deliver Ads for Yahoo/Microsoft they are not allowed to hinder any of their tracking assets. That is why their browser doesn’t block the Microsoft owned 3rd party trackers.
So, do you need to be worried about this? If you are not using the DuckDuckGo browser - no, with the information available at this point you should be safe. If you are using the DuckDuckGo browser - yes, then you should be aware that Microsoft can track you. Clear your browser cookies often and diligently. Or switch browser.
I think that DuckDuckGo genuinely tries to do the right thing. If you don’t want to be tracked - use a different browser - such as Firefox with a bar-age of blocking plugins or why not use brave?
Minor issues like the one reported is to be expected even from a company like DDG. It costs money. A lot of money to run and operate a search engine. And they need to make money some how. With agreements you sometimes have to give a way some small things to gain the bigger piece. I think they do what they say - not tracking their users.
The root cause comes down to infrastructure. Internet is fundamentally built like an ever growing network of networks. Where each part is working autonomously. Look at the basic services like DNS, Email and Web. These where all foundational pieces. Image only having one DNS-provider, or a handful of email suppliers or that one web-host? That is hard to image. But when it comes to search we have allowed just that. Search is a fundamental part of internet and if this had been understood in the cradle of internet - we would probably se search be working similar to email or DNS. Be autonomous and distributed.
We shouldn’t allow a handful of companies sit on the power of search. Just as social media such as Mastodon can be made distributed or video such as Peertube - search should be something distributed. We all should be able to setup our own search engine and gather and federate the index. That would be a game changer for internet freedom.
But until we have a federated, secure and privacy friendly search in place, I will continue to use DuckDuckGo.