In this episode, Cristina (SVP, Marketing) and Peter (Director, Product) discuss digital fingerprinting, privacy washing, and how hidden trackers appear in the majority of popular websites. Plus, the steps you can take to protect yourself online.

Disclaimers: (1) The audio, video (above), and transcript (below) are unedited and may contain minor inaccuracies or transcription errors. (2) This website is operated by Substack. This is their privacy policy.

CristinaHi, and welcome to DuckTales, where we go behind the scenes at DuckDuckGo and discuss the stories, technology, and people that help provide privacy tools for everyone.

In each episode, you’ll hear from employees about our vision, product updates, approach to AI, or how we operate as a company. Today, we’re going to chat about the online privacy problem and DuckDuckGo’s web protections. I’m Cristina. I’m on the marketing team. And today, I’ll be interviewing Peter. Peter, would you like to introduce yourself, maybe what team you’re on and where you spend a lot of your time? ⁓

Peter Absolutely.

Hi, Cristina. I’m Peter. I’m on the product team at DuckDuckGo, which I typically work on our browsers and our privacy protection. So happy and excited to talk about the mystifying world of online tracking and privacy today.

CristinaAwesome, likewise, well let’s jump in. So I think a lot of people would be surprised to hear just how much information about them is being tracked online. Some seemingly irrelevant to what they’re doing and some pretty creepy in how detailed it is and how all the dots are being connected. Can you give some examples of the pervasiveness of this tracking?

Peter Absolutely. know, anyone I talk to about online privacy, the first thing they’ll tell me, and I’m sure you’ve heard the same, is microphones must be listening to them. ⁓ Yeah, everyone can give an example of a conversation in their household where not too long thereafter, they’re seeing advertisements, creepy advertisements, following them around online based on, you know, what it is they were talking about. ⁓ And the reality is the amount of surveillance that happens

is like microphones are listening to you everywhere, but the methods are not actually microphones. The methods are actual trackers on websites, on search engines and browsers and apps, which we’ll talk about that are always collecting information about you. ⁓ So just to break those down a little bit, most people, if you think about someone in their daily life, they’re going to go do a search online, whether it’s on their smartphone or on their computer.

The search engine that most people use is, of course, Google, most dominant search engine in the world. They collect basically anything and everything about you. ⁓ And so that search engine is one source of this data collection. And then ⁓ the browser you use to actually do those searches, often owned by some of the same companies like Google, ⁓ like Google Chrome specifically, these browsers also directly

collect information about you. So if you’re not using a private search or a private browser, a lot of information is directly collected about you. But then, of course, after you do a search and you get onto a website, the websites themselves have trackers embedded in them. And specifically, we’ve done actually a lot of analysis on this. 85 % of the top websites on the web have Google trackers included in them, and about 36 % have

Meta or Facebook trackers overall. And these trackers are pieces of code that run on the websites that send information about you, what you’re doing on the site, what products you’re looking at, what’s in your shopping cart, and so on to companies that are not the owners of the websites. The same is true of your mobile apps. So just as it happens, the surveillance on websites, it happens in your mobile apps. ⁓ In fact, 96 % of the popular top free Android

Apps send data to third-party companies. And of those, 87 % send data to Google, 68 % send data to Guest It, Meta, and Facebook. Top two trackers overall. And then, of course, there’s other sources too. When you use emails, emails contain trackers. When you open them, little code fires. It tells the email sender when you open their email, where you were when they opened the email. And then there’s a lot of other scenarios too. Like if you go to the store,

What do they ask you when you make a purchase at the store? Can we have your email address? And they say, oh, it’s for a loyalty program. You can get points or whatever it is. But the reality is they’re actually usually taking that email address and then directly uploading it to Facebook, to Instagram, so that they can buy advertisements targeting you later. And so you combine all this. And you have this pervasive tracking and then targeting that’s happening.

that makes it feel like ultimately there must be microphones listening to you, but it’s just happening throughout your day overall.

CristinaIt’s pretty chilling that I could be on almost any site or Android app or reading email or at the mall buying a new shirt and companies like Google are tracking me. So what type of information are they collecting?

Peter So they’re typically after two sets of things. And when I say they, I use Google and Meta, Facebook as examples, but there’s thousands of other ad tech companies that are often in the mix trying to collect something about you as well. ⁓ They’re looking first for an identifier. So they want something that’s gonna be able to tie what you’re doing to an identity so they know who it is, or even if they might not know who exactly it is, they wanna know it’s the same person. So of course, email address could be an identifier, your name could be an identifier, phone number could be an identifier. Those are the obvious ones that they would want. And by the way, this is why so many websites try to get you to log in on those websites, often with your Google login, because then they can tie all this, whatever you’re doing on that website to your identity. And then of course, I think most people have heard of cookies, and seen cookie banners come up when they visit websites.

Cookies are another form of identifier, might not be your name or your email address, but it is a unique code. And so that when these trackers that are across all these websites see the same cookie identifiers across those websites, they all, this is the same person. And so whatever you did on this site, we can link it to whatever you did on this other site. And then there’s a couple other identifiers such as ⁓ digital fingerprints, which really use information about your device, like your screen resolution and your battery, literally the state of your headphone jack on your smartphones, they piece this together into a digital fingerprint that is unique. And so if they see the same set of attributes about your device on a different website or different app, again, they can infer this is the same person overall. So that’s the first thing they want, identifiers. And then the second thing they want is something about you, behavior, interests, actions. ⁓ And so it might be as high level as Cristina’s into snowboarding. ⁓

But it could be as low level as the specific things that you had in your shopping cart, what you purchased in real life in Home Depot last week. ⁓ Whatever it is, they basically want to collect it, put it together into a behavioral profile that they can then turn around to advertisers and offer very hyper-targeting to these individuals overall. And just to give you a sort of creepy example, we’ve done a lot of studies on this with websites and apps.

And we looked at health websites and health applications, ones where you may look up health conditions or prescription drugs. And we literally observe these trackers included in these apps or websites sending information about your health conditions, your sexual orientation, and even prescription drug information to third-party companies overall, things that people would be absolutely shocked to hear overall.

CristinaThat’s definitely not information I want shared without my permission. ⁓ And while historically I might have thought something like, ⁓ battery life or headphone jacks, whatever, don’t care, when you start piecing it together to make this fingerprint like you’re talking about, yeah, it gets super scary. You know, I’ve heard some people say, ugh, it’s impossible to do anything when it comes to these giant companies and all these clever ways they’re collecting information. Anything I could do would just be a drop in the ocean. How is DuckDuckGo thinking about a user-led approach to solving the privacy problem?

Peter DuckDuckGo, obviously, most people know us through our private search engine. And of course, our private search doesn’t collect information about users. That’s what sets it apart. And even our advertisements themselves on DuckDuckGo search are just based on what you’re searching for. But ⁓ we realized that protecting people in their searches is not enough. We needed to protect people’s privacy more broadly. And so that’s why DuckDuckGo introduced you some years back. ⁓

browsers as well. And so you could use our search and our browser to mo