From 0614243df1455f72a65b98370ae60e2b0b8595ae Mon Sep 17 00:00:00 2001 From: englehardt Date: Wed, 26 Jul 2023 09:23:57 -0400 Subject: [PATCH 1/4] Adding Infrastructure Domains and refactoring Private Search Ads * Consolidated the description of Private Search Ads into a single section * Documented existing process for handling CDN Infrastructure Domains * Documented new related process for handling Tag Manager Infrastructure Domains --- _docs/privacy/web-tracking-protections.md | 68 ++++++++++++++++------- 1 file changed, 49 insertions(+), 19 deletions(-) diff --git a/_docs/privacy/web-tracking-protections.md b/_docs/privacy/web-tracking-protections.md index d8350830..d8ca5cbc 100644 --- a/_docs/privacy/web-tracking-protections.md +++ b/_docs/privacy/web-tracking-protections.md @@ -10,7 +10,7 @@ DuckDuckGo never tracks you - TOC 
@@ -24,11 +24,7 @@ Sites often embed these 3rd-party requests to support site functionality, but th Most browsers that offer web tracking protections are usually talking about cookie tracking protections (described in [3rd-party][3rd-party-cookie-protection] and [1st-party][1st-party-cookie-protection] cookie protection). However, these types of protections can only restrict 3rd-party trackers after they load in your browser, and these 3rd parties still get access to information that could be used to track you across sites as part of the loading process (like IP address or other identifiers sent with the loading request). To protect against this tracking, you need a web tracking protection that actually stops most 3rd-party tracking requests from loading in the first place. This type of protection comes built-in with all our apps and extensions, and goes well beyond the web tracking protections most popular browsers offer by default. -This protection is particularly difficult to provide without causing usability issues because some websites depend on code that loads from these embedded requests. We can sometimes work around this with [Surrogates][surrogates]. In other cases, we may make a limited exception when it would prevent you from signing in to a site or to preserve essential usability. It’s also important to note that the intention of 3rd-Party Tracker Loading Protection is not to stop all 3rd-party requests from loading, just those used for 3rd-party tracking. - -Previously, we were limited in how we could apply our 3rd-Party Tracker Loading Protection on Microsoft tracking scripts due to a policy requirement related to our use of Bing as a source for our private search results. This is no longer the case and as of October 2022 we block Microsoft scripts from loading on 3rd-party websites in our browsing apps (MacOS, Windows, iOS, and Android) and in our browser extensions (Chrome, Firefox, Safari, Edge and Opera). 
- -Currently, if an advertiser wants to detect conversions for their own ads that are shown on DuckDuckGo via the `bat.bing.com` domain, [3rd-Party Tracker Loading Protection][3rd-party-tracker-loading-protection] will not block `bat.bing.com` requests from loading on the advertiser’s website following DuckDuckGo ad clicks, but these requests are blocked in all other contexts. This is because DuckDuckGo private search advertising is in partnership with Microsoft and some advertisers use this domain for conversion measurement. For anyone who wants to avoid this, it’s possible to disable ads in DuckDuckGo search settings. To eventually replace the reliance on `bat.bing.com` for evaluating ad effectiveness, we’ve started working on an architecture for private ad conversions that can be externally validated as non-profiling. [Read more on our blog][post-private-ad-conversions]. +This protection is particularly difficult to provide without causing usability issues because some websites depend on code that loads from these embedded requests. We can sometimes work around this with [Surrogates][surrogates]. In other cases, we may make a [limited exception][remotely-configured-exceptions] when it would prevent you from signing in to a site or to otherwise preserve essential site functionality. It’s also important to note that the intention of 3rd-Party Tracker Loading Protection is not to stop all 3rd-party requests from loading, just those used for 3rd-party tracking. For example, [infrastructure domains][infrastructure-domains] require more nuanced classification since they don’t always serve tracking content. Additionally 3rd-Party Tracker Loading Protection may also behave differently following a click on a [DuckDuckGo Private Search Ad][duckduckgo-private-search-ads]. | Platform | Support | | ----------------- | --------------------------------------------------- | 
@@ -48,7 +44,7 @@ Believe it or not, web “cookies” were originally designed to be a helpful da If you notice the same ads following you around, 3rd-party cookies may be to blame because they can easily track you as you browse from site to site. That’s because even though third-party cookies are created on one site, they can be retrieved from another. For example, if you visit a website which uses Google’s ad network, it can create a 3rd-party cookie based on the content you are viewing. Then, when you visit another website that also uses Google ads, Google can read the initial cookie, know that you’re the same person, and show you an ad based on what you were viewing on the previous site. -To protect against this, we first block most 3rd-party tracking requests with [3rd-Party Tracker Loading Protection][3rd-party-tracker-loading-protection], which stops requests from loading that would otherwise have a chance to create or access 3rd-party cookies. In addition, we also automatically block 3rd-party cookies on our list of known trackers by default, and will only make a limited exception when it would prevent you from signing in to a site or to preserve essential usability. +To protect against this, we first block most 3rd-party tracking requests with [3rd-Party Tracker Loading Protection][3rd-party-tracker-loading-protection], which stops requests from loading that would otherwise have a chance to create or access 3rd-party cookies. In addition, we also automatically block 3rd-party cookies on our list of known trackers by default, and will only make a [limited exception][remotely-configured-exceptions] when it would prevent you from signing in to a site or to otherwise preserve essential site functionality. 
| Platform | Support | | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -66,9 +62,7 @@ To protect against this, we first block most 3rd-party tracking requests with [3 Unlike 3rd-party cookies, 1st-party cookies are less likely to be involved in cross-site tracking because they can only be retrieved from the site where they were originally created. However, 1st-party cookies can still be used to re-identify you when you later return to a website. This can be helpful when used to recognize that you’re still signed in, but 1st-party cookies can also be used to monitor your activity on sites over time and facilitate cross-site tracking. That’s because identifiers stored in 1st-party cookies can be sent to 3rd-party companies when their requests are directly embedded in the content of a website. -To protect against this, we first block most embedded 3rd-party tracking requests before they even have a chance to create or access 1st-party cookies, because we stop those requests from loading with [3rd-Party Tracker Loading Protection][3rd-party-tracker-loading-protection]. We also do the same for many 3rd-party requests that are disguised as 1st parties with [CNAME Cloaking Protection][cname-cloaking-protection]. We're sometimes unable to block 3rd-party tracking requests because doing so would break site functionality. Since these unblocked 3rd parties may be able to set 1st-party cookies, we automatically set a 24-hour expiration on those cookies to limit their privacy impact. In addition, we set a 7-day expiration for all other 1st-party cookies created by scripts. We may make a limited exception when these rules would prevent you from signing in to a site or to further preserve essential usability. - -Currently, 1st-Party Cookie Protection automatically expires cookies set by the `bat.bing.com` domain after 7 days to allow an advertiser to measure conversions for their own ads shown on DuckDuckGo. 
The `bat.bing.com` requests that set these cookies are blocked in all other contexts, with the exception of the advertiser’s website following DuckDuckGo ad clicks as described in 3rd-Party Tracker Loading Protection. +To protect against this, we first block most embedded 3rd-party tracking requests before they even have a chance to create or access 1st-party cookies, because we stop those requests from loading with [3rd-Party Tracker Loading Protection][3rd-party-tracker-loading-protection]. We also do the same for many 3rd-party requests that are disguised as 1st parties with [CNAME Cloaking Protection][cname-cloaking-protection]. We're sometimes unable to block 3rd-party tracking requests because doing so would break site functionality. Since these unblocked 3rd parties may be able to set 1st-party cookies, we automatically set a 24-hour expiration on those cookies to limit their privacy impact. In addition, we set a 7-day expiration for all other 1st-party cookies created by scripts. We may make a [limited exception][remotely-configured-exceptions] when these rules would prevent you from signing in to a site or to otherwise preserve essential site functionality. We may also alter the behavior of 1st-Party Cookie Protection following a click on a [DuckDuckGo Private Search Ad][duckduckgo-private-search-ads]. | Platform | Support | | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -104,7 +98,7 @@ We identify 3rd-party domains trying to track you in this way through our open s Some companies try to combine specific information about your browser (like your user agent) and device information (like your device screen size) to create a unique identifier for you that can let them follow you around the web. This widespread tracking technique is known as “fingerprinting” or “device fingerprinting” and is one way tracking companies try to get around cookie tracking protections. They do this by running JavaScript code and using browser APIs to ask the browser to reveal and return information about itself and the device it’s running on (for example, screen size and CPU type). -To protect against this, we block many fingerprinting scripts before they can even load with our [3rd-Party Tracker Loading Protection][3rd-party-tracker-loading-protection]. In addition, we override many of the browser APIs used for fingerprinting to make them return either no information or alternative information that’s less useful for fingerprinting. We will only make a limited exception when it would prevent you from signing in to a site or to preserve essential usability. You can review [our open source code][github-fingerprint-protection] for this feature. +To protect against this, we block many fingerprinting scripts before they can even load with our [3rd-Party Tracker Loading Protection][3rd-party-tracker-loading-protection]. In addition, we override many of the browser APIs used for fingerprinting to make them return either no information or alternative information that’s less useful for fingerprinting. We will only make a [limited exception][remotely-configured-exceptions] when it would prevent you from signing in to a site or to otherwise preserve essential site functionality. You can review [our open source code][github-fingerprint-protection] for this feature. 
| Platform | Support | | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -142,7 +136,7 @@ Except for Safari, most popular browsers only direct users to encrypted versions The links embedded in websites, social media, and emails that we share and click on every day often contain additional URL parameters after the destination domain. While many of these parameters aren’t used for tracking purposes, others are added to specifically track your behavior across sites (for example: `example.com/page.html?`**`fbclid=your_facebook_account_ID`**). -We help protect against this type of tracking by removing [many tracking parameters][github-tracking-parameters]. This type of protection is not offered in most popular browsers by default. +We help protect against this type of tracking by removing [many tracking parameters][github-tracking-parameters]. We may make a [limited exception][remotely-configured-exceptions] when removing parameters would prevent you from signing in to a site or to otherwise preserve essential site functionality. This type of protection is not offered in most popular browsers by default. | Platform | Support | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -160,7 +154,7 @@ We help protect against this type of tracking by removing [many tracking paramet When content loads in a web browser, the browser and any servers through which the request passes along the way use metadata in what’s called the “header” to determine what to do with the request. Part of this header is known as the “referrer,” which allows a server to identify the last place a user was before they arrived on that site. Sometimes this is used for security checks (like when you sign in to a website), but it can also be hijacked by companies to send along additional data that could help them track and fingerprint you. -By default, we “trim” (remove) some of the metadata in the “referrer header” that trackers could potentially use to track you individually. All 3rd-party requests are trimmed down to the hostname (for example, `info.test.com/path?query` becomes just `info.test.com`). +By default, we “trim” (remove) some of the metadata in the “referrer header” that trackers could potentially use to track you individually. All 3rd-party requests are trimmed down to the hostname (for example, `info.test.com/path?query` becomes just `info.test.com`). We may make a [limited exception][remotely-configured-exceptions] when this protection would prevent you from signing in to a site or to otherwise preserve essential site functionality. | Platform | Support | | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -178,7 +172,7 @@ By default, we “trim” (remove) some of the metadata in the “referrer heade When you visit a website that contains embedded content from social media companies (such as YouTube videos, Tweets, Facebook comments, or sign-in buttons), that content often includes tracking code that those companies use to link your user information (like IP address and browser details) with your browsing history. -By default, we block social media embedded content from Facebook on [our list of content types][social-ctp-config], which includes: sign-in buttons, videos, comments, posts, pages, and groups. We plan to expand this protection to additional social media content, including YouTube videos. You can easily unblock a particular piece of content to view it if desired. While social media companies will receive some user information each time you unblock a piece of content, this protection will help reduce what they know about you overall by default. You can learn more about Embedded Social Media Protection. This type of protection is not offered in most popular browsers by default. +By default, we block social media embedded content from Facebook on [our list of content types][social-ctp-config], which includes: sign-in buttons, videos, comments, posts, pages, and groups. We plan to expand this protection to additional social media content, including YouTube videos. You can easily unblock a particular piece of content to view it if desired. We may make a [limited exception][remotely-configured-exceptions] when this protection would prevent you from signing in to a site or to otherwise preserve essential site functionality. While social media companies will receive some user information each time you unblock a piece of content, this protection will help reduce what they know about you overall by default. You can learn more about Embedded Social Media Protection. This type of protection is not offered in most popular browsers by default. 
| Platform | Support | | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -200,7 +194,7 @@ Google's Accelereated Mobile Pages (AMP) is [marketed][amp-about] as a way to To help protect you against this form of Google tracking, we replace most Google AMP links when clicked with the original publisher’s website so publishers can directly serve you these pages, instead of Google. -To do this, we extract the original publisher link where possible by recognizing the format of AMP. Otherwise, we load the AMP link in the background, and [block all content from loading][github-block-amp-content], separate from your normal browsing experience. This allows us to extract the publisher link, delete all data from that background load and then load the publisher webpage, as normal. This helps protect you from the additional Google tracking that may not be present on the original webpage. This type of protection is not offered in most popular browsers by default. +To do this, we extract the original publisher link where possible by recognizing the format of AMP. Otherwise, we load the AMP link in the background, and [block all content from loading][github-block-amp-content], separate from your normal browsing experience. This allows us to extract the publisher link, delete all data from that background load and then load the publisher webpage, as normal. This helps protect you from the additional Google tracking that may not be present on the original webpage. We may make a [limited exception][remotely-configured-exceptions] when this protection would prevent you from signing in to a site or to otherwise preserve essential site functionality. This type of protection is not offered in most popular browsers by default. | Platform | Support | | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -218,7 +212,7 @@ To do this, we extract the original publisher link where possible by recognizing Google is attempting to replace 3rd-party cookies within their browser with an alternative tracking mechanism called [Topics][topics-fledge-announcement]. For Google Chrome users, Topics can use your Chrome browsing history to automatically infer your interests and align them with a predefined list of topics (for example, “Child Internet Safety” or “Personal Loans”). A subset of this list is shared with websites and other tracking companies so they can target you with ads just as easily — based on your behavior and without your knowledge. -The DuckDuckGo Chrome extension disables Topics from running in Google Chrome. You can [learn more about Google Topics Protection][post-topics-fledge-protection] and [review our open source code][github-topics-fledge-disable] for this feature. +The DuckDuckGo Chrome extension disables Topics from running in Google Chrome. We may make a [limited exception][remotely-configured-exceptions] when this protection would prevent you from signing in to a site or to otherwise preserve essential site functionality. You can [learn more about Google Topics Protection][post-topics-fledge-protection] and [review our open source code][github-topics-fledge-disable] for this feature. | Platform | Support | | ---------------- | ---------------------------------- | 
@@ -229,7 +223,7 @@ The DuckDuckGo Chrome extension disables Topics from running in Google Chrome. Y Like Topics, Google [FLEDGE][fledge] is another Google mechanism meant to replace 3rd-party cookies. Its ultimate goal is also to “re-target” you with ads — in other words, letting Google ads [follow you from website to website][topics-fledge-announcement]. FLEDGE works directly in the Chrome browser and [uses your browsing history][fledge-browsing-history] to run ad auctions in order to re-target you better and without you realizing it. -The DuckDuckGo Chrome extension disables FLEDGE from running in Google Chrome. You can [learn more about Google FLEDGE Protection][post-topics-fledge-protection] and [review our open source code][github-topics-fledge-disable] for this feature. +The DuckDuckGo Chrome extension disables FLEDGE from running in Google Chrome. We may make a [limited exception][remotely-configured-exceptions] when this protection would prevent you from signing in to a site or to otherwise preserve essential site functionality. You can [learn more about Google FLEDGE Protection][post-topics-fledge-protection] and [review our open source code][github-topics-fledge-disable] for this feature. | Platform | Support | | ---------------- | ---------------------------------- | 
@@ -240,7 +234,7 @@ The DuckDuckGo Chrome extension disables FLEDGE from running in Google Chrome. Y Aggressive prompts to sign in using your Google Account are commonplace across the most popular websites, often popping up as soon as a website loads. Opting to sign in using your Google Account can give Google implicit permission to collect even more data about your activity on sites than they would typically have access to when you’re not signed in or if you chose a different sign-in method. -To help protect against being misled into unwanted tracking, we block these annoying Google sign-in pop-ups by default on sites Google doesn’t own wherever possible. That means you can take back your choice to sign in with any account (including a Google Account) and use standard website sign-in forms instead. +To help protect against being misled into unwanted tracking, we block these annoying Google sign-in pop-ups by default on sites Google doesn’t own wherever possible. We may make a [limited exception][remotely-configured-exceptions] when this protection would prevent you from signing in to a site or to otherwise preserve essential site functionality. That means you can take back your choice to sign in with any account (including a Google Account) and use standard website sign-in forms instead. | Platform | Support | | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
@@ -254,7 +248,7 @@ To help protect against being misled into unwanted tracking, we block these anno | Mac app | Google sign-in pop-ups hidden wherever detected. | | Windows app | Google sign-in pop-ups hidden wherever detected. | -## Preserving Usability +## Preserving Site Functionality We aim to deliver privacy, simplified. Part of our ethos of simplicity is not breaking website functionality in the process of blocking and restricting trackers. We develop our protections with this mind, and we use the following techniques to further this effort as we continue to expand protections. 
@@ -286,6 +280,34 @@ We review user-reported Broken Site Reports daily, and work to address these usa | ------------- | --------------------------------------------------------------------------------- | | All platforms | All platforms provide feedback channels for reporting tracker-dependent breakage. | +### Infrastructure Domains + +Most websites cannot build all of their technology in-house and must rely on 3rd parties for site functionality. We don't want to penalize websites for using a 3rd party so long as their use of that 3rd party doesn't help track you across websites. In this way, we hope to encourage good 3rd-party script behaviors over time. + +We consider some domains on our list to be “Infrastructure Domains”, for example Content Delivery Networks (CDNs) and Tag Managers, since these domains are often used to load website functionality (i.e., infrastructure, like images, videos, and site elements you interact with) from other 3rd-party domains. However, Infrastructure Domains can be used to load both tracking and non-tracking resources. + +Because blocking Infrastructure Domains from loading any resources creates significant site breakage and prevents sites from loading resources they rely on, we take the approach of evaluating individual resources loaded from Infrastructure Domains, and apply [3rd-Party Tracker Loading Protection][3rd-party-tracker-loading-protection] to those specific resources that we observe participating in tracking, taking into account the potential for site breakage. In addition, we apply our other overlapping protections (like [3rd-Party Cookie Protection][3rd-party-cookie-protection]) to Infrastructure Domains directly. 
+ +For example, a domain that hosts open-source JavaScript libraries would be considered a CDN and thus not blocked by 3rd-Party Tracker Loading Protection, but any instance of the FingerprintJS fingerprinting library hosted on that domain would be blocked because it’s used to fingerprint you and track you around the web. Likewise, 3rd-Party Tracker Loading Protection doesn’t apply to Google Tag Manager, as we have not detected the tag manager itself participating in tracking, we’ve observed it associated with breakage on many sites, and it occasionally loads necessary features like site widgets and privacy-friendly analytics libraries. However, we continue to block tracking resources Google Tag Manager may load, such as Google Analytics, and we also block Google Tag Manager itself on sites where we’ve detected embedded fingerprinting code within it. Other Infrastructure Domains are treated similarly. + +| Platform | Support | +| ------------- | --------------------------------------------------------------------------------------------------------------- | +| All platforms | Infrastructure Domain categorization impacts how we build our tracker lists, which are shared across platforms. | + +### DuckDuckGo Private Search Ads + +Advertising on DuckDuckGo is done in partnership with Microsoft. Viewing ads on DuckDuckGo is anonymous, and Microsoft has [committed][ads-by-microsoft] to not profile our users on ad clicks: “when you click on a Microsoft-provided ad that appears on DuckDuckGo, Microsoft Advertising does not associate your ad-click behavior with a user profile. It also does not store or share that information other than for accounting purposes.” + +Previously, we were limited in how we could apply our 3rd-Party Tracker Loading Protection on Microsoft tracking scripts due to a policy requirement related to our use of Bing as a source for our private search results. 
This is no longer the case and as of October 2022 we block Microsoft scripts from loading on 3rd-party websites in our browsing apps (MacOS, Windows, iOS, and Android) and in our browser extensions (Chrome, Firefox, Safari, Edge and Opera). To be clear, Microsoft scripts were never embedded in our search engine or apps, which do not track you. Companies insert these scripts on their own websites for their own purposes, and so they never sent any information to DuckDuckGo. + +To evaluate whether an ad on DuckDuckGo is effective, advertisers want to know if their ad clicks turn into purchases (conversions). To see this within Microsoft Advertising, they use Microsoft scripts from the bat.bing.com domain. Currently, if an advertiser wants to detect conversions for their own ads that are shown on DuckDuckGo, 3rd-Party Tracker Loading Protection will not block bat.bing.com requests from loading on the advertiser’s website following DuckDuckGo ad clicks and 1st-Party Cookie Protection will expire any cookies set by these requests on the advertiser’s website after 7 days, but these requests are blocked in all other contexts. For anyone who wants to avoid this, it's possible to disable ads in DuckDuckGo search settings. And in any case, our other overlapping protections — including 3rd-Party Cookie Protection and Fingerprinting Protection — continue to apply, even in the context of DuckDuckGo ad clicks. + +We’ve chosen this approach because it allows us to continue shipping best-in-class privacy protections while working to guide the advertising industry to adopt more privacy-preserving technologies. We envision a future where ad conversion detection can occur anonymously. DuckDuckGo isn’t alone in facing this issue, and the browser community has been working on private ad conversion technologies for several years now. Safari is working on [Private Click Measurement (PCM)][apple-pcm] and Firefox is working on [Interoperable Private Attribution (IPA)][mozilla-ipa]. 
This work is important because it means we can improve the advertising-based business model that countless companies rely on to provide you with free services, making it more private instead of throwing it out entirely. We hope these efforts can help move the entire digital ad industry forward and make privacy online the rule rather than the exception. + +| Platform | Support | +| ------------- | ---------------------------------------------------- | +| All platforms | All platforms support DuckDuckGo Private Search Ads. | + ## Everyday Privacy Controls ### The Fire Button @@ -368,7 +390,13 @@ For questions, comments, or concerns, please feel free to
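Review bot: In the hunk at `@@ -24,11 +24,7 @@`, the new closing sentence "Additionally 3rd-Party Tracker Loading Protection may also behave differently following a click on a [DuckDuckGo Private Search Ad]" no longer tells a reader of this section what the difference is. The paragraph it replaces stated it outright: `bat.bing.com` requests are not blocked on the advertiser's website following DuckDuckGo ad clicks and are blocked in all other contexts. Suggest keeping a one-clause summary of that behaviour ahead of the link, adding the comma after "Additionally", and dropping the redundant "also". The three reference labels introduced here (`remotely-configured-exceptions`, `infrastructure-domains`, `duckduckgo-private-search-ads`) each need a matching definition in the file's link list, otherwise they render as literal bracket text.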
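Review bot: In the hunk at `@@ -66,9 +62,7 @@`, the replacement sentence "We may also alter the behavior of 1st-Party Cookie Protection following a click on a [DuckDuckGo Private Search Ad]" leaves the direction and size of the change unstated in the one section that defines the expiration values. The same paragraph gives a 24-hour expiration for cookies set by unblocked 3rd-party trackers, and the removed text gave 7 days for cookies set by `bat.bing.com`. Suggest stating the value inline, for example "cookies set by `bat.bing.com` on the advertiser's website expire after 7 days", so the exception can be read against the 24-hour rule without following the link.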
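Review bot: In the hunk at `@@ -240,7 +234,7 @@`, the new "We may make a [limited exception] ..." sentence is inserted between "we block these annoying Google sign-in pop-ups by default ..." and "That means you can take back your choice to sign in ...", so "That means" now reads as a consequence of the exception rather than of the blocking. Suggest moving the exception sentence to the end of the paragraph. The same placement issue is present in the hunk at `@@ -178,7 +172,7 @@`, where the exception sentence splits the two sentences about unblocking a piece of content.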
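Review bot: In the hunk at `@@ -254,7 +248,7 @@`, renaming the heading from "## Preserving Usability" to "## Preserving Site Functionality" changes the heading's anchor if anchors are generated from heading text, which would break any existing link to the old fragment. Suggest searching this file and the rest of the docs for references to the old heading and updating them in this patch, or keeping an explicit anchor with the old id on the renamed heading.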
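Review bot: In the hunk at `@@ -286,6 +280,34 @@`, the new "DuckDuckGo Private Search Ads" section drops content that the commit message describes as consolidated. The removed paragraph said "we've started working on an architecture for private ad conversions that can be externally validated as non-profiling" and linked `[post-private-ad-conversions]`, while the new section only mentions Safari's PCM and Firefox's IPA. Suggest either restoring that sentence and link, or removing the now-unused `post-private-ad-conversions` reference definition and noting the removal in the commit message. In the same section `bat.bing.com` has lost the inline-code backticks the removed text used, and the mentions of 3rd-Party Tracker Loading Protection, 1st-Party Cookie Protection, 3rd-Party Cookie Protection and Fingerprinting Protection are plain text where the rest of the document uses reference links. In the "Infrastructure Domains" section, the sentence beginning "Because blocking Infrastructure Domains ..." carries the whole policy in one run; splitting it after "participating in tracking" would make the per-resource rule easier to find.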