In this episode, Beah (Product) and Max (Frontend) discuss cookie pop-up protection, why our solution is uniquely private, and the feedback loops we use to help us reject cookies across more of the sites you visit.

Disclaimers: (1) The audio, video (above), and transcript (below) are unedited and may contain minor inaccuracies or transcription errors. (2) This website is operated by Substack. This is their privacy policy.

Beah: Hello and welcome to DuckTales where we go behind the scenes with DuckDuckGo and discuss the stories, technology and people that help build privacy tools for everyone. In each episode, you’ll hear from employees ⁓ about our vision, product updates and our approach to AI or how we operate as a company. In this case, today we’re going to be talking about a feature that I dearly love.

⁓ cookie pop-up protection with ⁓ Max here. So let me just do some quick introductions, I guess, before I’m kind of getting a little ahead of myself. I’m Bea Berger-Lenahan. I lead the product team here at Tech Tech Go. And I’m going to be asking Max a few questions. Max, would you like to introduce yourself?

Max: Yeah, sure. Hey, ⁓ my name is Max. I am an engineer in the front-end team at DuckDuckGo. Been here for about three years, a little more. Yeah, I’m excited to talk about cookie pop-up protection.

Beah: Awesome. Thank you, Max. We’re glad you’re here. I’m glad you’re here. ⁓ So first, just tell me, tell all of us a little bit about what cookie pop-up protection is, how it works.

Max: Yeah, so this is the ⁓ feature in our browsers that handles cookie pop-up for you. ⁓ And in a nutshell, it... ⁓ that’s a good question. ⁓ I mean, I think most people have seen a cookie pop-up, but yeah, the definitions vary, but we’re talking about these...

Beah: What’s a cookie pop-up first? Hahaha

Max: dialogues that websites show you on the first visit that typically tell you something about their data sharing practices and the use of cookies and similar technologies. And sometimes they give you a way to opt out of some optional tracking ⁓ or cookies. And that’s what we’re actually doing. We’re automating, ⁓ basically clicking reject buttons for you or whatever it takes to...toggle all these little checkboxes and saving the settings. ⁓ I could demo it if that’s okay. ⁓ So let me share my screen. ⁓

Beah: That’d be great.

Max: So for the sake of the demo, I’ve disabled the feature in the settings right now. It’s enabled by default, ⁓ but I’m just going to show you. ⁓ So if we go to Sky Scanner, for example, and I’m in the Netherlands, so you see a Dutch version, but there is this huge cookie pop-up ⁓ when you load the page. And if I enable the feature, cookie pop-up protection and reload the page, you’re not gonna see this pop up anymore. And what happened, and then there will be a ⁓ little notification in the address bar. And if you drill down, you’ll see the explanation

Beah: Okay. Okay.

Max: what happened. But basically what happened behind the scenes is we clicked on the reject button rejecting the cookies automatically. And that’s why we call it cookie pop-up protection. ⁓ So for us, this is a privacy protection feature because it actually ⁓ chooses the most private option for you, which is not always easy. Let’s see.

Beah: Mm-hmm. Yeah, I mean, I don’t know if we have data on this, but I imagine very few people are willing to go into, you know, click the option to actually adjust ⁓ settings and start toggling things on and off on the regular.

Max: Yeah, ⁓ that’s for sure. So ⁓ some pop-ups can be really tricky to opt out. ⁓ You would need to go to click, Settings and then toggle a bunch of check boxes and then click Save. This can become... Like most people, think they just click Accept button. ⁓ And ⁓ yeah, this is of course not good for your privacy. ⁓ So we help...

Beah: Yeah.

Max: getting through these dark patterns.

Beah: Yeah, makes sense. why did we build this? What’s the origin story?

Max: Yeah, so ⁓ like many other features that go, it started as like a hack project, which is when someone goes in and tries to tackle the problem in a couple of days. And ⁓ of course, cookie pop-ups are universally annoying and wanted to do something about it. ⁓ And we built some prototypes. And then eventually we built a feature on top of a ⁓ prior work of my colleague, Sam Macbeth, who... ⁓ So we have an open source library that does most of the ⁓ things that we... ⁓ And we ⁓ use it and it powers all our... ⁓ This feature in all our browsers.

Beah: Nice. ⁓ Max, did I cut off your demo? Did you want to show anything else there?

Max: No, I’m trying to stop presenting it just doesn’t work. I’m clicking the button

Beah: Oh, okay. Alright, I was just worried I cut you off. Alright, we’ll see if it responds at some point. So, okay, so just to recap, ooh, there it goes, okay. Just to recap, we are a, removing the annoyance of you’re like trying to go to Skyscanner, I don’t know what that is, you’re trying to go to Skyscanner and instead of getting whatever it is that’s on Skyscanner, you’re getting this big like notification in your face, we’re making that go away and we’re going in and we’re changing the settings to be more privacy respecting. That sounds great. What’s the downside?

Max: Correct. And that’s, so like ⁓ this ⁓ approach actually is actually quite intentional, right? So as I mentioned this, we’re trying to maximize user privacy and ⁓ because there are other solutions on the market that do like ranging from clicking accept button, which is not acceptable for us. But also ⁓ there’s another approach of like preventing the interaction. And for us, this was very important to do it this way, to actually actively opt out because, well, first of all, ⁓ this is like the only way to opt out of ⁓ server side tracking we know of. ⁓ the second, it gives a clear signal to the website through the official channels.

Max: And then finally, in some legislations, it’s actually the only way to opt out. So for example, in California, they can sell your data by default unless you click on the button. So ⁓ yeah, we think that as long as the site is compliant with the law, this approach is better for privacy. ⁓ And if it’s not compliant, we still have our tracker blocking and other privacy protections to fall back to. And so this is of course, so speaking of challenges, ⁓ this is a bit more involved than just, you know, blocking some requests to or blocking the pop-ups from loading. ⁓And so it needs a bit more effort because we actually need to automate each and every pop-up vendor. So it takes a bit more effort. But yeah, this is something we chose to do. I think we, for a while now, we’ve covered most of the, all of the major pop-up vendors, which is like 80, 90 % of top sites in Europe and the US.

Beah: So that’s roughly the percent of cookie pop-ups that we think we’re successfully blocking at this point.

Max: Yes, so that is 80 or 90 % of all pop-ups that you see on the top sites are handled. And one of the biggest challenges is this long tail of sites, because of course, no one visits just the top sites. And like, each of us has this one site that no one else visits.

Beah: Mm-hmm. Okay.

Max: And yeah, this is something we’ve been focusing on lately. We’re trying to ⁓ experiment in with automated approaches and using AI as well. And we’ve had some good success in the past months with it. So I think we’re gonna ramp up the this long tail coverage in the coming weeks and months. Yeah, and

Beah: And how are you finding those? Do you want to talk about like how your finding those sites, which includes internal reporting, right?

Max: Yeah, so we have a few different ⁓ feedback loops, as I say. of course, we have ⁓ our own crawling. So we ⁓ regularly crawl top sites ⁓ and trying to detect new pop-ups and handle them. ⁓ Then we have user reports, ⁓ breakage reports, and just user feedback reports. that we have special systems that filter out and surface the reports related to cookie pop-ups. And we also have very active internal reporting, which is DuckDuckGo employees who go above and beyond and just report new sites to us. is a very important source of feedback because we can get back to those people and verify.

Beah: Who’s the number one reporter of cookie pop us.

Max: the number one is Gabe. ⁓ So our CEO, he’s like, I think it’s fair to say that half of all the internal reports come from him. I have no idea how he does it.

Beah: Hahaha I know. Yeah, sometimes I think maybe I can catch him, but I don’t know. I don’t know that I can. ⁓ So if a user watching this encounters a cookie pop-up, what should they do? How should they report it?

Max: Yeah.

⁓ So it depends on what kind of user there are. Like the easiest thing would be to send the feedback through the app. We have this ⁓ feat