This article is more than 1 year old

Brave roasts DuckDuckGo over Bing privacy exception

Search biz hits back at 'misleading' claims, saga lifts lid on Microsoft's web tracking advice

Brave CEO Brendan Eich took aim at rival DuckDuckGo on Wednesday by challenging the web search engine's efforts to brush off revelations that its Android, iOS, and macOS browsers gave, to a degree, Microsoft Bing and LinkedIn trackers a pass versus other trackers.

Eich drew attention to one of DuckDuckGo's defenses for exempting Microsoft's Bing and LinkedIn domains, a condition of its search contract with Microsoft: that its browsers blocked third-party cookies anyway.

"For non-search tracker blocking (e.g. in our browser), we block most third-party trackers," explained DuckDuckGo CEO Gabriel Weinberg last month. "Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon."

However, Eich argues this is disingenuous because DuckDuckGo also includes exceptions that allow Microsoft trackers to circumvent third-party cookie blocking via appended URL parameters.

"Trackers try to get around cookie blocking by appending identifiers to URL query parameters, to ID you across sites," he explained.

DuckDuckGo

DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers

BACKGROUND

DuckDuckGo is aware of this, Eich said, because its browser prevents Google, Facebook, and others from appending identifiers to URLs in order to bypass third-party cookie blocking.

"[DuckDuckGo] removes Google’s 'gclid' and Facebook’s 'fbclid'," Eich said. "Test it yourself by visiting https://example.org/?fbclid=sample in [DuckDuckGo]’s macOS browser. The 'fbclid' value is removed."

"However, [DuckDuckGo] does not apply this protection to Microsoft’s 'msclkid' query parameter," Eich continued. "[Microsoft's] documentation specifies that 'msclkid' exists to circumvent third-party cookie protections in browsers (including in Safari’s browser engine used by DDG on Apple OSes)."

Eich concluded by arguing that privacy-focused brands need to prioritize privacy. "Brave categorically does not and will not harm user privacy to satisfy partners," he said.

A spokesperson for DuckDuckGo characterized Eich's conclusion as misleading.

"What Brendan seems to be referring to here is our ad clicks only, which is protected in our agreement with Microsoft as strictly non-profiling (private)," a company spokesperson told The Register in an email.

"That is these ads are privacy protected and how he's framed it is ultimately misleading. Brendan, of course, kept the fact that our ads are private out and there is really nothing new here given everything has already been disclosed."

Our ads are private ... there is really nothing new here given everything has already been disclosed

In other words, allowing Bing to append its identifier to URLs enables Bing advertisers to tell whether their ad produced a click (a conversion), but not to target DuckDuckGo browser users based on behavior or identity.

DuckDuckGo's spokesperson pointed to Weinberg's attempt to address the controversy on Reddit and argued that DuckDuckGo provides very strong privacy protections.

"This is talking about link tracking which no major browser protects against (see https://privacytests.org/), however we've started protecting against link tracking, and started with the primary offenders (Google and Facebook)," DuckDuckGo's spokesperson said. "To note, we are planning on expanding this to more companies, including Twitter, Microsoft, and more. We are not restricted from this and will be doing so."

To judge the data at privacytests.org, the handling of Bing ads by DuckDuckGo's iOS browser represents the only significant difference with Brave's iOS browser. A macOS browser comparison isn't yet available as DuckDuckGo's macOS browser is still in beta, the site maintainer told us. Brave on Android, however, blocks significantly more trackers than DuckDuckGo on Android – and contrary to the assertions of DuckDuckGo's spokesperson, does appear to offer protection against link tracking (23 out of 24 identifiers in "Tracking query parameter tests"). DuckDuckGo for Android does too, but far less so (3 out of 24).

Really, Microsoft?

Perhaps more noteworthy than Brave dunking on DuckDuckGo, is the fact that Microsoft's Bing openly describes how to track ad conversions even when people are using privacy protections that block third-party cookies and are expecting not to be monitored.

"Last year, Apple Inc introduced a feature called Intelligent Tracking Prevention that impacts how conversion tracking works on the Safari browser," Microsoft Bing Ads documentation explains. "To help ensure that conversions continue to be reported accurately and in full across your Bing Ads campaigns, the auto-tagging of the Microsoft Click ID in ad URLs is now required."

In other words, here's how you route around privacy protections to measure your ads, whether people want this or not.

Back in 2012, when Google agreed to pay a $22.5 million civil penalty to settle Federal Trade Commission charges that it misled Apple Safari users by stating it would not place tracking cookies or serve them targeted ads, the issue was the gap between what Google said and did.

Here we have Microsoft Bing Ads counseling customers how its technology facilitates tracking without third-party cookies, regardless of whether users have expressed the desire not to be tracked by adopting a privacy-oriented browser.

Justin Brookman, director of technology policy for Consumer Reports, told The Register in a phone interview that the law is unsettled with regard to this sort of behavior.

Google, he explained, got into trouble by dropping cookies on Safari users but that's because the company had said it would not do so. Existing laws, he said, can potentially deal with some of the more sophisticated methods of tracking, like bounce tracking, if the behavior is deemed to be deceptive. And if someone in California declares that they don't want their data sold, that has legal effect, thanks to the state's recently adopted privacy regime.

"There are exceptions, however," said Brookman. "That might stop targeted advertising while still allowing tracking for ad attribution. The law is unclear in lots of different ways."

Brookman pointed to a recently introduced privacy bill, the American Data Privacy and Protection Act (ADPPA), as a possible improvement to the status quo, though the proposed legislation's language has yet to be agreed upon and the bill hasn't passed a vote. ®

Bootnote

We note that privacytests.org is run by Arthur Edelstein, who happens to work for Brave. He insisted the site is independent of his employer.

"This website and the browser privacy tests are an independent project by me, Arthur Edelstein," a statement dated this month reads on the dot-org.

"I have developed this project on my own time and on my own initiative. Several months after first publishing the website, I became an employee of Brave, where I contribute to Brave's browser privacy engineering efforts. I continue to run this website independently of my employer, however. There is no connection with Brave marketing efforts whatsoever."

More about

TIP US OFF

Send us news


Other stories you might like