What exactly was the Microsoft exception in DuckDuckGo's tracker policy, and how has DuckDuckGo explained or changed it?
Executive summary
DuckDuckGo’s “Microsoft exception” was a limited carve-out in its browser and extensions that allowed certain Microsoft-owned tracking scripts to load on third‑party websites, a condition DuckDuckGo said stemmed from its search syndication / Bing relationship; the company later announced it had removed that limitation and expanded its third‑party tracker blocking to include Microsoft scripts while still permitting one advertiser measurement endpoint by default (bat.bing.com) [1] [2] [3]. Reporting and company statements show DuckDuckGo framed the issue as a contractual policy restriction rather than an embedded Microsoft tracking capability inside DuckDuckGo’s own search or apps [2] [4].
1. What exactly was the Microsoft exception?
Security researcher disclosures in May 2022 revealed that DuckDuckGo’s mobile browser and some extensions were blocking many third‑party trackers but allowed certain Microsoft (Bing/LinkedIn) tracking scripts to load on non‑DuckDuckGo sites, meaning those specific Microsoft-owned scripts were not being prevented by DuckDuckGo’s tracker‑loading protection in the same way as competitors’ trackers [5] [1]. Company commentary clarified that Microsoft scripts were not embedded in DuckDuckGo’s search engine or apps and that the exception only applied to third‑party websites viewed through the browser or extensions, not to DuckDuckGo’s own search product [2] [1].
2. Why did DuckDuckGo say the exception existed?
DuckDuckGo’s CEO Gabriel Weinberg and company spokespeople attributed the carve‑out to a contractual or policy requirement tied to DuckDuckGo’s use of Microsoft’s Bing for search results and related advertising arrangements, saying that a “search syndication agreement” or policy requirement limited how their third‑party tracker loading protection could apply to Microsoft tracking scripts [4] [3] [6]. Reporting and follow‑ups repeatedly quote DuckDuckGo stating the limitation was unique to the Microsoft relationship and that no similar restriction existed with other companies [2] [3].
3. How DuckDuckGo explained the mechanics and the narrowness of the issue
DuckDuckGo emphasized that most Microsoft scripts were already blocked by other protections in the browser (for example blocking third‑party cookies or fingerprinting vectors), and framed the exception as narrowly scoped to certain Microsoft ad measurement scripts on third‑party pages rather than as a wholesale backdoor to user tracking by Microsoft [7] [2]. The company also highlighted that websites insert tracking scripts for their own purposes and that those scripts “never sent any information to DuckDuckGo,” distinguishing flow of data to Microsoft from DuckDuckGo operating the trackers itself [2].
4. What changed and how did DuckDuckGo respond?
After public pushback, DuckDuckGo announced in August 2022 that it had eliminated the carve‑out and expanded its 3rd‑Party Tracker Loading Protection to include Microsoft tracking scripts across its browsing apps and extensions, with rollout to beta and desktop versions following; the company said it reached an agreement that removed the previous limitation tied to using Bing as a source for private search results [2] [3]. DuckDuckGo also said it would continue to permit one specific Microsoft domain—bat.bing.com—to load in the context of advertiser conversion measurement after a user clicks a DuckDuckGo search ad, while blocking Microsoft scripts “in all other contexts,” and told users they could disable ads in settings to avoid that flow [7] [6] [3].
5. Remaining critiques, context and alternative readings
Critics argued the episode exposed how commercial partnerships can produce privacy tradeoffs and created reputational damage for a privacy‑focused brand, framing the carve‑out as a governance or transparency failure even if technical impacts were limited; others noted independent experts say blocking all tracking scripts reliably is technically difficult and that many Microsoft scripts were already mitigated by other protections [8] [9] [2]. Fact‑checking reporting later pushed back on some sensational claims (for example conspiratorial headlines alleging secret tracking deals), noting DuckDuckGo had removed the carve‑out by August 2022 and emphasizing the nuance that the issue affected browser protections on third‑party sites rather than DuckDuckGo’s search service itself [9] [2].
Conclusion
The Microsoft exception was a narrowly described, contractually explained limitation in DuckDuckGo’s browser tracker‑blocking that allowed certain Microsoft ad measurement scripts to load on third‑party sites; public exposure prompted DuckDuckGo to renegotiate and formally expand its blocklist to include Microsoft scripts while preserving a limited advertiser measurement callback (bat.bing.com) and offering users ad‑disable options — an outcome the company presented as a technical and contractual fix though critics say it revealed larger tensions between privacy branding and business partnerships [4] [2] [3] [7].