
This title is very misleading (and really should be changed).

This is not about search. To be clear, when you load our search results, you are completely anonymous, including ads. For ads, we actually worked with Microsoft to make ad clicks privacy protected as well. From our public ads page, "Microsoft Advertising does not associate your ad-click behavior with a user profile." This page is linked to next to every Microsoft ad that is served on our search engine (duckduckgo.com). https://help.duckduckgo.com/company/ads-by-microsoft-on-duck....

In all our browsing apps (iOS/Android/Mac) we also block third-party cookies, including those from Microsoft-owned properties like LinkedIn and Bing. That is, the privacy thing most people talk about on the web (blocking 3rd party cookies) applies here to MSFT. We also have a lot of other web protections that also apply to MSFT-owned properties as well, e.g., GPC, first-party cookie expiration, fingerprinting protection, referrer header trimming, cookie consent handling, fire button data clearing, etc.

This is just about non-DuckDuckGo and non-Microsoft sites in our browsers, where our search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, though we can still apply our browser's protections post-load (like 3rd party cookie blocking and others mentioned above, and do). We've also been tirelessly working behind the scenes to change this limited restriction. I also understand this is confusing because it is a search syndication contract that is preventing us from doing a non-search thing. That's because our product is a bundle of multiple privacy protections, and this is a distribution requirement imposed on us as part of the search syndication agreement. Our syndication agreement also has broad confidentiality provisions and the requirement documents themselves are explicitly marked confidential.

Taking a step back, I know our product is not perfect and will never be. We face many constraints: platform constraints, contractual constraints (like in this case), breakage constraints, and the evolving tracking arms race. Holistically though I believe it is the best thing out there for mainstream users who want simple privacy protection without breaking things, and that is our product vision.

Overall our app is multi-pronged privacy protection in one package (private search, web protection, HTTPS upgrading, email protection, app tracking protection for Android, and more to come), being careful (and putting in a lot of effort) to not break things while still offering protections -- an "easy button" for privacy. And we constantly work to improve its capabilities and will continue to do so, including in this case. For example, we've recently been adding bespoke third-party protections for Google and Facebook, like Google AMP/Topics/FLEDGE protection and Facebook embedded content protection.



> This is not about search.

Yes, it is. Your competitors in the privacy-centric browser space don’t have this restriction because they’re not search engines acquiring the majority of their data from an entity with a conflicting interest.

I’m inclined to blame Microsoft here; this is a nasty move on their part. However, your stance is problematic. This is a problem, and it’s a serious one. It undermines trust in a product that claims to be the bastion of privacy. And statements like this…

> Overall our app is multi-pronged privacy protection in one package (private search, web protection, HTTPS upgrading, email protection, app tracking protection for Android, and more to come), being careful (and putting in a lot of effort) to not break things while still offering protections -- an "easy button" for privacy.

…don’t help the matter. To me, that just sounds like marketing mumbo jumbo. Ultimately, if a privacy-centric browser is contractually obligated to load tracking scripts and is required to avoid disclosing that fact, I want absolutely nothing to do with either party.


We will work diligently today to find a way to say something in our app store descriptions in terms of a better disclosure -- will likely have something up by the end of the day.

In terms of our app and multi-pronged protection, it isn't mumbo jumbo. Our app is way more than just a browser (and increasingly so). For example, the app tracking protection mentioned for Android blocks trackers in all your other apps. The email tracking protection blocks trackers in your email (that you read in your regular email client/app).

I understand the concern here that we are working to address in a variety of ways, but to be clear no app will provide 100% protection for a variety of reasons, and the scripts in question here do currently have significant protection on them in our browser. From the comment "That is, the privacy thing most people talk about on the web (blocking 3rd party cookies) applies here to MSFT. We also have a lot of other web protections that also apply to MSFT-owned properties as well, e.g., GPC, first-party cookie expiration, fingerprinting protection, referrer header trimming, cookie consent handling, fire button data clearing, etc."


The thread by the security engineer shows that the scripts are communicating back to the servers. That means your multi-pronged protection has failed, unless you've suddenly discovered a way for browsers to block IP addresses from being sent by scripts (and since they can be extracted from the request itself that doesn't seem likely).

That's why the ad blockers that stop the scripts from loading to begin with will always do a much better job than the extra "mumbo jumbo" you're relying on. That stuff should be a fallback for when scripts slip through the filters, not the primary means of protection.


"multi-pronged privacy", "easy button", "capabilities", and repeated use of the word "protection" are all signals that what is being said is an attempt to sell me something and that the salesman should be doubted.

What's actually happening is you're forced to allow Microsoft scripts which do indeed do telemetry on users despite some restrictions you put on them, and they're still effective because fingerprinting works. That fact is embarrassing for a product you're trying to sell as promoting privacy so there's this mildly deceptive attempt to hide what's going on with lots of words and claims of protection instead of straightforward disclosure.


Still coming to my own conclusion here, but I wouldn't dismiss "easy button" as marketing. We keep hoping for easy buttons and reasonable default settings in things like openssl or pgp. I do like organizations that understand an easy button is the safest default. Is that what we have here?


I'm commenting only on the rhetoric, calling it an "easy button" stinks of marketing BS. People desiring simple straightforward tools is a separate subject.


Of course it’s marketing. My mom doesn’t want to set up uBlock and a script blocker and a Pihole. She’d love to click a button and be safer. What’s the issue here?


That I am on HN and someone trying to convince me their company isn't being shady is using evasive marketing speak instead of candor to an audience that clearly knows better than to believe the weasel words.


We have a new marketing word: "multi-pronged protection"


"Defense in depth" strikes me as a legitimate security technique.

https://www.cisa.gov/uscert/bsi/articles/knowledge/principle...


>and is required to avoid disclosing that fact,

Isn't this entire story about them disclosing this fact?


> Isn't this entire story about them disclosing this fact?

It seems to be, but they're claiming the details are confidential. It's rather confusing. I wonder whether Microsoft's intention was to prevent them from disclosing it altogether, or whether they just wanted to avoid the general details of the contract getting out (rather than this particular tidbit of info). I'm inclined to suspect it was the latter--just a general NDA. In any case, I don't like it.


No, it is not just a general NDA.


One wonders what other juicy nuggets are in this non general NDA.


> To me, that just sounds like marketing mumbo jumbo.

What’s more helpful is to hear in which exact situations their blocking doesn’t work.


DDG is a search engine to most people, nothing more.

Just because other avenues exist doesn’t mean people walk them


Still, it's a search engine that touts its privacy. If people want speed and convenience they're far better off using Google.


Do you have any sources you can cite that Microsoft has breached contracts with companies in the past in an effort to get at your ID for advertisers? Otherwise, I would consider this a nothing burger.


I found this passage [0] in the DDG help:

> Ad clicks are managed by Microsoft’s ad network.

> Microsoft and DuckDuckGo have partnered [..] Microsoft Advertising will use your full IP address and user-agent string so that it can properly process the ad click and charge the advertiser

It seems DDG is not that privacy focused when it comes to ads.

[0] https://help.duckduckgo.com/duckduckgo-help-pages/company/ad...


Actually, that's not the case. First, that page is linked to directly from every Microsoft ad on duckduckgo.com -- it's a public disclosure for transparency. Second, we specifically worked with Microsoft to make our ads privacy protected. When you load them, they are completely anonymous. When you click on them, we got Microsoft to contractually agree and publicly commit (on this page) that "Microsoft Advertising does not associate your ad-click behavior with a user profile. It also does not store or share that information other than for accounting purposes."


I think a legal department could be convinced that "accounting purposes" could adequately cover most all of the business of tracking, optimizing, and attributing ad clicks.

"Microsoft Advertising does not associate your ad-click behavior with a user profile."

Does somebody else besides Microsoft Advertising do it? I'd guess so.

Is there another kind of association besides a "user profile" which has substantially similar concerns for an end user? I'd guess so.

This is all coming off as an attempt to cover up what's really going on with deception. That might not be the case, but if it were, this is exactly how I expect a "privacy focused" organization to communicate when they had been corrupted by a compromise to a third party.


So instead of an actual set of real protections, like offered by things such as UBlock, you want us to rely on Microsoft being ethical.

It also ignores that governments like the NSA have tapped these very networks for data (this is what prompted Google's internal SSL drive). Even if we trust the legal entity, the fact is that the information itself is a target and so are those entities. It is always safer not to send the data, but in this case you're explicitly sacrificing that safety to benefit your ad partners.


So now I also have to trust Microsoft before clicking on a DDG ad. Based on a pinky promise not to use my IP address + User-Agent + whatever fingerprint they make?


I mean, of course you have to trust a party X with your browsing fingerprint if party X is involved in serving the URL you go to when clicking on the link.

What did you want—for the URL to go straight to the destination page with no redirect through an ad-network analytics provider, making your impression invisible to the network and thus unable to be costed against the advertiser? Why would any ad network even bother to participate in such a scheme? How would they make money? Prepayment for an arbitrary guess at predicted click-through count?


Why’d you even click on an ad in the first place if you are worried about that?


They wouldn't, and DDG has a convenient way to disable ads which I am sure many users take advantage of.

Still, millions of users do click those ads, because if nobody did, DDG would not exist. A less tech savvy user, who is probably DDG's main target, came on the promise of privacy and does click those ads and is also being tracked around the web by Microsoft if they use DDG browser (from what I understand).

This is less than ideal from the standpoint of "privacy simplified" promise, but really no other way around it when selling ads is your business model.


I wonder how many “less tech savvy” users use ddg, because in my experience people who actually care about their security are quite tech savvy as a rule - not necessarily in IT though. While the others use a default search engine/browser/whatever.


Those kinds of people usually do not click on ads, have ads disabled and/or use ad blockers.

But because they are tech savvy, they are the ones friends and family ask what browser/search engine to use, so you end up with 20 more less tech savvy people on the platform, and they are probably the ones that end up clicking on ads (because, again, DDG is making a ton of money with that)


Accounting purposes?

That brings us back to: What does Microsoft consider accounting purposes?

Fingerprinting the user/browser can be used for valid accounting purposes like identifying the user to prevent ad fraud.


Brave search (and the Brave browser) are both great. As a longtime DDG user I think this is the final push I need to move on.


Brave cannot be trusted. They were misrepresenting themselves and their relationships with content creators. As far as I saw it, they were stealing and lying about it. They've inserted referral codes to cryptocurrency websites. That sounds completely anti-privacy and antithetical to anyone wanting a privacy-focused browser. Sorry, but that all just smells untrustworthy.


Would you provide some evidence of these claims?


I believe this is what they're referring to.

https://news.ycombinator.com/item?id=31085051#31088549


I dropped DDG back in March when Weinberg disclosed that they were engaging in censorship and injecting bias into search results related to the Ukraine/Russia conflict. Now that we see he's sold his soul to MS for $$$, this further confirms my decision. I'm using Brave as my search engine now.


And I recently learnt that they also have the bang searches which makes them much more viable as a replacement for DDG to me. Brave Search, Andi search, and a bit of Yandex at times for some variety in results, makes for a much better search experience than DDG ever did.



The submitted title was "DuckDuckGo Paid by Microsoft to not block their trackers". We've changed it now. If anyone wants to suggest a better (i.e. more accurate and neutral) title, we can change it again.


> If anyone wants to suggest a better (i.e. more accurate and neutral) title, we can change it again.

From https://news.ycombinator.com/item?id=31492789:

> "Bing search contract prohibits DDG browser from blocking Microsoft tracking scripts by default."


That's too long to fit in 80 chars (HN's limit) and should probably macroexpand DDG.

I've taken a crack at a shorter version. Thanks!


"...on its App"


> Taking a step back, I know our product is not perfect and will never be.

You may be making it worse. Really need to dial down on click tracking (or, at least respect the dnt header).

Ex A: Searching for Cristiano Ronaldo (from Chrome Incognito but not Firefox, amusingly) returns this horrible href:

   duckduckgo.com/l/?uddg=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCristiano_Ronaldo&rut=4a9ada2347e29c8fce96a95bde34e6343c279202dbc22b4fe61524ab39bf8eff


That doesn't occur in modern browsers and is actually a privacy feature that prevents your searches from leaking to the sites you click on, generally in very old browsers that need to use our non-JavaScript site (http://duckduckgo.com/html). See https://help.duckduckgo.com/duckduckgo-help-pages/results/rd... for details. From that page:

> When you click on a link in our results page, your search terms are not sent to the site that you click on, which can be the case on other search engines due to something called HTTP "referers".

> On modern browsers we accomplish this by adding a small piece of code to our page called Meta referrer. Some browsers (especially older ones) do not support this standard, however. For those browsers, and also in situations where meta referrer doesn't work, we send the request back to our servers to remove search terms. This redirect goes through r.duckduckgo.com.

> You can disable this privacy feature. To do that, go to the settings page, select Privacy, and change the option Redirect to Off.


Gotcha.

> ...generally in very old browsers that need to use our non-JavaScript site (http://duckduckgo.com/html).

I use duckduckgo.com/html & duckduckgo.com/lite on all my (up-to-date) browsers (Firefox Mobile for Android / Chrome for Debian as two examples); they are "not very old" at all, and I still get ddg-proxied hrefs.

A feature request (if I may): Old browser or not, if the dnt header is set, I'd ideally want ddg to not proxy/redirect anything at all on my behalf.


The redirect can be disabled in our settings.

Go to https://duckduckgo.com/settings#privacy and disable the bottom setting, "Redirect (When Necessary)"


Set it. 12 hours on and still getting redirected via ddg servers. The Settings page shows correct preferences.

I'm not on an older browser.

I'm not using private tabs / incognito.

I haven't cleared cookies.


The “very old” browsers seem to include the very latest version of WebKitGTK-based GNOME Web aka Epiphany. (It does have legitimate conformance problems, admittedly, so I don’t know if this is one of them.)


Then Epiphany needs to fix it.


You're trading potential tracking by third parties with potential tracking by yourself. Since you are the one making this tradeoff and also the one who can benefit off it, it always will be suspicious.

Really, Referer-related privacy problems should be fixed in the browser and any browser that still sends cross-origin Referer headers by default cannot claim to care about privacy - and that includes Firefox.

> Some browsers (especially older ones) do not support this standard, however. For those browsers, and also in situations where meta referrer doesn't work, we send the request back to our servers to remove search terms.

Disabling javascript is one of the first things to do to take back control of your privacy so you deciding to leak more data for those users who make that choice is not a good look.


> You're trading potential tracking by third parties with potential tracking by yourself.

You're not making any sense. Proxying all requests is the only way to shield you from being tracked by third parties. If DDG wants to track you they don't need some convoluted dance - you're already on their website.


> If DDG wants to track you they don't need some convoluted dance - you're already on their website.

I don't trust their website either but the user-agent that I use that has enough anti-tracking measures I trust (whether those might be defeated is an orthogonal topic). The redirects through their servers... I cannot control what runs on it, just as I cannot control what terms they sign up with Microsoft.


Is urlencoding sufficient to hide this? Doesn't appear to be.


and what is the rut=4a9ada2347e29c8fce96a95bde34e6343c279202dbc22b4fe61524ab39bf8eff for?


It is a random hash (not any kind of user identifier) for security to make sure we don't have an open proxy.


I think the term you want is open redirect
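
An added illustration, not part of the thread and not DuckDuckGo's code: one common way to stop a redirect endpoint such as the `/l/?uddg=…&rut=…` link quoted above from becoming an open redirect is to sign the target URL with a server-side key and verify that tag before redirecting. That `rut` works as an HMAC is an assumption (the thread only says it is a hash and not a user identifier); the key, the `search.example` host and all function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Constructed demo key; a real service would load a secret from its key store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_target(target: str, key: bytes = SIGNING_KEY) -> str:
    """Hex HMAC-SHA256 over the exact target URL.

    The tag depends only on the key and the target, so it carries no
    per-user information: every visitor gets the same tag for the same result.
    """
    return hmac.new(key, target.encode("utf-8"), hashlib.sha256).hexdigest()


def build_redirect_link(target: str, base: str = "https://search.example/l/") -> str:
    """Build the link a results page would emit for one result (hypothetical host)."""
    return f"{base}?uddg={quote(target, safe='')}&rut={sign_target(target)}"


def resolve_redirect(link: str, key: bytes = SIGNING_KEY):
    """Return the target URL if the link is valid, else None (refuse to redirect)."""
    params = parse_qs(urlsplit(link).query, keep_blank_values=True)
    targets = params.get("uddg", [])
    tags = params.get("rut", [])
    # Require exactly one of each; duplicated parameters invite parser confusion.
    if len(targets) != 1 or len(tags) != 1:
        return None
    target, tag = targets[0], tags[0]
    # Only ever redirect to web URLs, even if a tag somehow verifies.
    if urlsplit(target).scheme.lower() not in ("http", "https"):
        return None
    expected = sign_target(target, key)
    # Constant-time comparison on bytes (str inputs must be ASCII-only).
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None
    return target


if __name__ == "__main__":
    good = build_redirect_link("https://en.wikipedia.org/wiki/Cristiano_Ronaldo")
    print(good)
    print("valid link      ->", resolve_redirect(good))
    # Constructed tampering: same tag, different destination.
    swapped = good.replace("en.wikipedia.org", "other.example")
    print("swapped target  ->", resolve_redirect(swapped))
    print("missing tag     ->", resolve_redirect(good.split("&rut=")[0]))
```

Without the tag check, anyone could mint links on the search engine's domain that forward to arbitrary sites; with it, only links the results page itself generated are honoured.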


I'm sorry but why do you post an example of an href, saying it's "horrible", when you don't know what it is doing?


Because I can no longer just right click copy or hold/tap to link it to a friend


You can. The link still works, it's just ugly. And, as @yegg said, it's because you're browsing the lite version. Just disable the anti-tracking feature if you want.


This ddg redirect misfeature should be opt-in, not opt-out, imo.


Considering this is a well-known, well-advertised feature from many many many years ago, and has long been the way they do things, it's not going to suddenly change because you think more people should be tracked by default.


Considering it is a misfeature, I'd rather they think twice: I'm neither on an older browser nor do I disable JavaScript and yet I'm subject to ddg's terribly slow redirects.


> terribly slow redirects

Huh? I’ve just checked with multiple links, it’s quite fast. I don’t think that user experience that can be measured in fractions of a second can be referred to as “terribly slow”.


Latency is a long tailed distribution, and that's discounting the fact that various regions in the world won't see similar perf. Given the number of times I use ddg in a day, I usually hit slow redirects more often than not. I mean, we didn't go from http1 to http2 / vps to edge / tcp to quic only for ddg to add an additional redirect.


> various regions won’t see similar perf

How does the latency of ddg redirects depend on the region?

> given the number of times I use ddg in a day

What’s your estimation? A hundred? It’s something like a minute or two of accumulated time. It’s not even worth mentioning.

Also I doubt that the redirect delay should be taken into account at all. The workflow may vary (obviously) but I normally open a link in a separate tab. By the time you click on this tab all the redirect work has finished. What’s your workflow and how does the redirect delay impact it?


I just changed from DDG to Kagi and will probably pay them once out of Beta. So far I am very happy with the search results and I believe that the next innovation in search is it not being beholden to ads. DDG is not in the place where ads will corrupt your business but should you grow and be successful, you one day will be.


Yeah Kagi has been awesome over the last few months for me too.


how does it compare to you.com? - which will stay free and has a lot of developer features.

(you.com founder here - not getting access to kagi ;)


Haven't heard of you.com before, having a quick look at it:

- You.com uses affiliate links.

- My ad blocker (uBlock origin) shows that you.com has tracking in the form of analytics (https://plausible.io/api/event).

- you.com makes a lot of requests to many 3rd party domains.

- Kagi lets you quickly create rules to customise results such as domain/url weighting, term filtering etc...

- I personally find the UI/design off-putting - it's very busy and the round style elements immediately remind me of the windows XP theme.

- The popup in the right corner nagging to "Make You.com your default" is very off-putting.

- you.com promotes the use of Google Chrome.

- you.com loads results slower.

- I'm not a fan of the square cards on you.com.

- Kagi has a clear and transparent business model, you.com seems pretty up in the air as to how it will be funded in the future, including statements such as "You.com currently has no ads." - currently is the key word there.

- It's not clear if you.com uses data from other search engines.

No offence intended with any of my remarks.


And doesn't work without JS.


I'm going to pay for search. I don't trust the future motivation of products that rely on advertisement or corporate sponsorship.


>This is just about non-DuckDuckGo and non-Microsoft sites in our browsers, where our search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading

But this is exactly the problem. Sure, unlike Google DDG is not itself collecting data, and there appears to be limited tracking on MS properties, but unless I misunderstand the situation (a decent possibility) then the vast majority of the web, which are not MS sites, are still able to use MS scripts for tracking.

You are marketing a privacy-centric ecosystem of tools but your partner in one component (search) is preventing you from implementing that vision in non-search areas, so that should be clear. It should also be clear that it's still very much a search problem. The source of the limitation has search as a root cause, and a massive corporation with just as much interest in obtaining data on user browsing habits is still able to do so in some ways.

I admit this is still a better situation than Google, but you're providing an ecosystem of tools, they are inextricably linked with each other.

I don't have any proposed solution. I'm not sure there needs to be one aside from making boundaries clear. I still see significant value in your offerings. Partnering with a provider of quality search that solves some but not all privacy issues is still valuable. Each person chooses their own level of comfort & tradeoffs between product quality & privacy, and you offer what I consider to be a valuable middle ground in that range. But let's just be clear on what the middle ground is made of, though I otherwise do not judge harshly for an agreement like this.

Thank you for making great tools.


It is “independent from search” in the sense that people who just use DDG as a web search provider from any browser other than DDG’s own will be unaffected by this constraint, and will browse just as anonymously as if this constraint was not imposed. (Which is to say: as anonymously as their browser enables for them, with DDG not being the limiting constraint. Not so anonymous for Chrome; much more anonymous for Brave / TorBrowser / etc.)

All this constraint is doing is limiting the increase in privacy you get from using the DDG mobile app on top of the privacy you get from using the DDG web search provider. At worst, DDG searches in the DDG app will be no less private than DDG searches done in any non-privacy-enforcing browser, e.g. Chrome. Which is to say—still pretty private.

Also, I presume that only a minority of DDG users are users of the DDG mobile browser app. (I didn’t even know it existed!)


It's a good point, but it's also why I was specific about it being an issue with the ecosystem, encompassing their apps.


When the answer is so long, it belies the motivation and privacy guarantees.

A shorter answer would have more credence.

https://youtu.be/nzNL0b4d_WY?t=148


> This title is very misleading (and really should be changed).

What do you think the title should be yegg?


It is hard to title because people assume this is about search (when it's not, so that should be in there), and also people assume trackers get a free pass (when they do not, e.g., 3rd party cookies blocked, etc.)

Maybe something like:

Microsoft contractually prevents DuckDuckGo's browser from stopping Microsoft scripts from loading on 3rd party sites (FYI: not search related)


“Bing search contract prohibits DDG browser from blocking Microsoft tracking scripts by default”?


> “Bing search contract prohibits DDG browser from blocking Microsoft tracking scripts by default”?

Thanks for making a definitive suggestion. I hate when someone knows something is wrong, but can't articulate what would be "right" (correct).


That's too long to fit in 80 chars but I've taken a crack at a shorter version above. Thanks!


> (FYI: not search related)

I agree with the first part of the title, but this part seems like you're going out of your way to defend yourself. The mention of "DuckDuckGo's browser" should already imply it's not search related.


The title off rip makes me think of the search. I didn’t even remember they had a browser.


What's an example of a Microsoft script loading on a 3rd party site, to help wrap my head around this?


The original example was Workplace.com embedding a LinkedIn script.


Ah, I see!

I think for transparency's sake, it could be helpful to list the Microsoft trackers that were essentially white listed and therefore allowed to load on a particular site, right under the list of trackers that were blocked.


When you visit a site, a variety of scripts are downloaded and run. Some from the website you visit, some from their CDN, and some from a variety of third parties that may track what you're doing and/or provide some other functionality. Google and Facebook are the major parties involved in this from my experience, but there are quite a few different ones including Microsoft.

This is what I've gathered from running uMatrix for years.


That sounds a bit literal IMHO but I see where you're coming from at least :-)


Why? The title does not claim to be related to the search, does it?


People know us primarily for search and our relationship with Microsoft is about search, so it will be assumed by most people this is about search (when it is not, it's about browsers).

Additionally the way it is phrased implies Microsoft trackers get a free pass, when they are in fact heavily restricted, e.g., blocking 3rd party cookies, fingerprint protection, etc.

And the current title can further easily be misinterpreted to be about more than Microsoft scripts on 3rd party sites (e.g., other companies, which it is not).


FWIW this is exactly what happened to me and I support the title change.

As a long time DDG user, my stomach turned when I saw this. Following the link to Twitter, it required a lot of digging to find what was really happening.

For those of us using DDG search - this is a big nothing burger. For folks using DDG browser, this is misleading at best. The difference between the title and reality, from my understanding, isn’t nuance.

My reading of this title (and Twitter) made me believe DDG was sharing user data with MSFT across all of their properties (including search) by serving users MSFT trackers with DDG's content.


Same. 100% agreed w/ proposed title change.


> know us primarily for search and our relationship with Microsoft is about search

This looks like a textbook brand extension [1] issue.

Your brand is privacy. You built it on your search product. You're compromising those principles, perhaps reasonably so, in extending the search product's brand to a browser. This is coming back to bite the brand, search and all. (Per the Wikipedia article, it's highly recoverable.)

[1] https://en.wikipedia.org/wiki/Brand_extension


My goal is to get meaningful privacy protection in the hands of as many people as possible. We learned from extensive research that mainstream people do not want to install multiple things, and yet multiple types of protection are required to get meaningful privacy protection. So we are building them into one package, and are diligently working to make these protections as good as they can be.


Or you could partner with a trusted brand like 1Blocker who is not forced to relax protections against MSFT. You could give the user one easy experience.

But you won’t, because you are explicitly not working to make these protections “as good as they can be”. You are working to capture the user’s entire session and monetize owning that. (I’d like to know the eventual purpose of owning that, and personally I’d like to see subscription somewhere, because any other monetization is likely to be user-hostile.)

FWIW, I’m super annoyed with you. I’ve gotten countless normals — and certain enterprises with 10k to 100k users — to switch defaults to you, and they now trust you (thanks to trusting me) on privacy in a simple binary way. Which you’re proving wrong.

Now I have to do diligence before recommending your brand, and that’s shitty.


> learned from extensive research that mainstream people do not want to install multiple things, and yet multiple types of protection are required to get meaningful privacy protection

This is a reasonable position. The shift in positioning that's driving the confusion is real, though.

DDG (search) has an almost absolutist stance on privacy. That was differentiated. The nuanced tradeoff you describe, between privacy and convenience, which I agree boosts the actual outcomes, is something else. It's more similar to Apple's philosophy. Which is fine. I use their products as well as yours. But it's different in a fundamental, and to many a meaningful, way. That's going to be difficult to brush away without making it look like there's something to hide. (None of this could be said to have been predictable ex ante.)


let's be clear, your goal is to make money via a privacy brand positioning. that's fine, but it's not the same as simply "to get meaningful privacy protection in the hands of as many people as possible".

this change in emphasis has been palpable in the 4 Ps (marketing strategy) of duckduckgo over the past few years.


What is the real, tangible improvement to someone's life with all this claimed privacy protection? I.e., when my mom asks why she should switch from Google, what would I tell her that would actually make a difference in her life?


We have a page specifically about helping people switch: https://duckduckgo.com/spread

To answer your question though, comprehensive privacy protection prevents data profiles from getting created about you, which in turn prevents ad and other content targeting. This targeting, regardless of how it's done, enables general manipulation (e.g., exploiting personal characteristics for commercial or political gain), filter bubbles (e.g., creating echo chambers that can divide people), and discrimination (e.g., people not seeing job opportunities based on personal profiles).

More generally though, I view privacy as protecting you from coercion. Yes, it protects personal information, but that's not the real point. The real point is autonomy -- the freedom to make decisions without coercion. From this perspective in addition to helping reduce identity theft, commercial exploitation, ideological manipulation, discrimination, polarization, etc., it also helps reduce self-surveillance (i.e., chilling effects), and just general loss of freedom (e.g., mass surveillance).


> prevents ad and other content targeting

You want me to pitch my mom on un-targeted advertising? How do you phrase it in practice? "On Google, you get evil ads relevant to you, such as restaurants near you. On Duck Duck Go your privacy is protected, so you get ads for restaurants in Omaha, Nebraska. Therefore you should switch to Duck Duck Go". Something like that?

This comment is based on the actual results I was served by DDG for "best burger".


Your mom will have a better experience and more control if she learns to search for "best burger in <city name>" instead of trying to give the wheel to Google's mind reading AIs.


My mom is completely satisfied with Google, so we're discussing some theoretical mom.

I honestly do not understand the pitch, that's why I want to hear it from the horse's mouth. Scare words like "tracking" and "profile" and "targeting" are used by the privacy fear industry to disparage the practice of having implicit terms in your search query. These implicit terms greatly improve search quality, which is why the results on Google are so much better. Advertisements are their own separate search corpus where good ranking is desired and the implicit elements of the search vector are also helpful there. To me there can be no rational case made that omitting the implicit terms improves the quality of the result.


Google's search engine is awful. In case you hadn't noticed, rants about it are increasingly popular. Part of the reason is that Google keeps taking away users' control of the tool, partly in the name of convenience but also to manipulate you, get you to click on favored links, show you ads or extend their search monopoly to other products.

I'm not arguing that duckduckgo/bing are any better, just that these tracking convenience features have a dark side and many times work against your best interest.


> rants about it are increasingly popular.

1. Never heard any rant about it outside tech circles.

2. I've given DDG many chances when Google failed to return satisfactory results. In those many cases DDG results were just about the same or even less relevant. Google changing the query? Well DDG either also changes it or returns irrelevant results not containing the query anyway.

The single advantage of DDG I've noticed is that it doesn't CAPTCHA me on a VPN connection.


Same. Tried to sell my mom on some privacy stuff, zero care. Tried to sell her on unique passwords and a password manager, zero care. And so on.

Lots of people (most people?) want to do the bare minimum with computers. Sacrificing convenience for privacy or whatnot isn’t something they would accept.


That doesn't sound like a better experience to me.


The normal results are going to be global (though I do sometimes see local results), but the map view and list of places are both geolocated by default.

In any case, searching instead for "best burger near $CITY" doesn't seem terribly difficult (and that's in fact how I generally write my queries).


It's a shame that page doesn't address the benefits you mention here eloquently. It basically just says we don't track you, and implies that is good. I do think it is good but it's losing the value prop for most people.

Please put your second paragraph up at the top of that page, maybe with some bullet points and icons and I'll send out the URL.


She is far less likely to see an ad for a financial service which turns out to be a scam.


I don't see the connection here. Does duckduckgo/bing have more ethical advertisers? Are ads for "financial service which turns out to be a scam" dependent on tracking?


I think the "financial service which turns out to be a scam" ads target older people, especially women. I certainly don't get those ads.


You can see no ads. In default mode you see far less.


At the end of the day, you chose to enter the browser space knowing full well that you cannot back your privacy claims.


I find this reply really disingenuous.

Your brand is privacy, and you have betrayed your philosophical principles.

Personally: you will never regain my trust. I'm sorry this happened.


Happy DDG user here. Just wanted to say thank you.



OT but thanks for making DDG. I went out and discovered it on my own because I wasn't satisfied with Google Search (too many SEO results, not enough links to forums). But many thanks and I wish you the best of success.


You've written a lot of confusing statements so help me understand:

Party #1: Me

Party #2: DDG

> currently prevents us from stopping Microsoft-owned scripts from loading

How is this not allowing 3rd party (Microsoft) tracking? Are they loading the scripts from DDG's servers?


Sorry, I was trying to be clear not confusing :). But no, this has nothing to do with DuckDuckGo servers or sites, whatsoever. This is about completely 3rd party sites that might embed a Microsoft script. The original example was Workplace.com embedded a LinkedIn.com script.


"... an "easy button" for privacy."

Fool's gold. Privacy is never easy.


Privacy should be the default, not a button. The only way to achieve that is through regulation.


Well said.


GPC?


Do Not Track 2.0, basically. https://globalprivacycontrol.org/


TIL. Thanks!



