The CEO of crypto-oriented browser Brave has slammed rival DuckDuckGo over its affiliation to Microsoft and the wider online tracker controversy.
For the uninitiated, DuckDuckGo’s mobile browser was recently discovered to have been permitting Microsoft’s trackers to operate, while blocking those of Google, and Facebook. Zach Edwards, the security researcher who first discovered the issue, later also found that trackers related to the bing.com and linkedin.com domains were also being allowed through the blocks.
“For non-search tracker blocking (e.g. in our browser), we block most third-party trackers,” DuckDuckGo CEO Gabriel Weinberg said at the time. “Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
Misleading statements
But now, Brave CEO Brendan Eich says Edwards wasn’t coming clean, as DuckDuckGo also allows Microsoft trackers to work around third-party cookie blocking, via appended URL parameters.
“Trackers try to get around cookie blocking by appending identifiers to URL query parameters, to ID you across sites,” he said, further stating that DuckDuckGo knows all of this very well.
“DuckDuckGo removes Google’s ‘gclid’ and Facebook’s ‘fbclid’,” Eich said.
“Test it yourself by visiting https://example.org/?fbclid=sample in [DuckDuckGo]’s macOS browser. The ‘fbclid’ value is removed. However, DuckDuckGo does not apply this protection to Microsoft’s ‘msclkid’ query parameter. Microsoft’s documentation specifies that ‘msclkid’ exists to circumvent third-party cookie protections in browsers (including in Safari’s browser engine used by DDG on Apple OSes).”
DuckDuckGo vehemently disagrees with Eich’s conclusions, saying he’s misleading the readers.
“What Brendan seems to be referring to here is our ad clicks only, which is protected in our agreement with Microsoft as strictly non-profiling (private),” The Register cited a company spokesperson as saying.
“That is these ads are privacy protected and how he’s framed it is ultimately misleading. Brendan, of course, kept the fact that our ads are private out and there is really nothing new here given everything has already been disclosed.”