What independent audits exist of DuckDuckGo’s tracker‑blocking behavior after the 2022 changes?
Executive summary
The clearest independent audit of DuckDuckGo’s tracker‑blocking after the 2022 controversy was done by privacy researcher Zach Edwards, whose analysis revealed a Microsoft‑related carve‑out and prompted public scrutiny and product changes [1] [2] [3]. Beyond Edwards’ work, reporting documents DuckDuckGo’s follow‑up transparency moves and product updates, but there is no widely reported, formal third‑party security firm audit published in the available reporting [1] [3] [4].
1. The researcher audit that started the story
In May 2022 Zach Edwards conducted what the press describes as an independent audit of DuckDuckGo’s browser privacy claims and captured network evidence showing data flows to Microsoft domains (Bing/LinkedIn). That evidence revealed that certain Microsoft scripts were not being blocked in some contexts, which created the initial controversy [2] [1]. TechCrunch and The Verge explicitly credit Edwards’ work as the independent finding that exposed the “carve‑out” and forced DuckDuckGo into public explanation [2] [3] [1].
2. DuckDuckGo’s public response and subsequent technical changes
Following Edwards’ disclosure, DuckDuckGo’s leadership acknowledged a contractual search‑syndication relationship with Microsoft that had limited blocking in a specific ad‑measurement scenario. It pledged to expand tracker script blocking to include Microsoft scripts across its browsing apps and extensions, while preserving certain ad‑click measurement behavior that it said was separate and optional for users [1] [3]. The company also said it would publish its tracker blocklists and offer clearer documentation of what its protections block, and it later took App Tracking Protection on Android out of beta after a 2022 beta period [1] [4].
3. Other independent audits or external confirmations (what exists and what does not)
The public record in the supplied reporting identifies Edwards’ independent research as the principal external audit referenced by multiple outlets; follow‑up coverage documents DuckDuckGo’s internal changes rather than reporting the existence of additional formal external audits by security firms [2] [3] [1]. Some secondary pieces and commentary allege that “external auditors” or “external security audits” discovered secret lists or ongoing allowances [5], but those claims come from a less clearly sourced item in the dataset and are not corroborated by the mainstream reporting from TechCrunch, The Verge, PCMag, or CNET [5] [1] [6] [4].
4. Limits of the public evidence and reporting agendas to watch for
Reporting has two clear axes: independent researcher disclosure (Edwards) and DuckDuckGo’s public relations fixes; major tech outlets focus on that chain rather than publishing independent audit reports from named security firms, so there is a gap between researcher findings and formal audit documentation in the sources [2] [3] [1]. Some pieces highlight potential conflicts — notably DuckDuckGo’s commercial relationship with Microsoft — and that commercial context likely shaped the company’s initial blocking choices and the subsequent defensive framing in its public statements [2] [1]. Where claims (like the “secret data flow list”) originate from lesser‑sourced outlets, readers should treat them as uncorroborated until a named independent audit or primary disclosure is produced [5].
5. Bottom line — what independent audits exist and what that means for verification
The only clearly documented independent audit cited in the mainstream reporting is Zach Edwards’ researcher audit that found Microsoft‑related exceptions in 2022 and spurred DuckDuckGo to change behavior and publish more transparency about its blocklists [2] [1] [3]. Subsequent coverage tracks DuckDuckGo’s product updates and claims of broader blocking and Android App Tracking Protection availability [4], but does not present a separate, public audit report from an independent security firm that verifies the post‑change blocker behavior across all platforms; therefore, independent verification beyond Edwards’ work and DuckDuckGo’s own disclosures is not evident in the provided reporting [1] [3] [4].