This is an obvious, thinly-veiled advertisement for a company's services. It's widely known that ad companies track you everywhere by many mechanisms. This is why we use ad blockers of all sorts. This has nothing to do with DuckDuckGo, it's merely used as a vehicle to get clicks.
This title is highly misleading, implying that Google tracks DuckDuckGo searches directly, which isn’t true. It also reinforces a conspiracy theory that we’re owned by Google, which also of course isn’t true. Kindly please change it to be more accurate about Google analytics and other Google trackers on websites you may visit.
We’ve been sounding the alarm about Google analytics, tag manager, and other Google trackers for years and why we started making our own extensions and browsers to block them and provide more comprehensive protection. On our homepage and everywhere else we can we try to get people to install those to get that additional protection, which you can compare here: https://duckduckgo.com/compare-privacy
The threat is real though and I've recently noticed an uptick in the google SSO popup, which is just another way of tracking. Most notably on pornhub. I'm not too keen to let them know what I have a wank to.
I don't think the title implies that Google is tracking DuckDuckGo searches directly, just that using DuckDuckGo instead of Google often doesn't prevent Google from tracking you. The article also makes clear that using DuckDuckGo is an improvement, just not enough.
Furthermore, I don't see any intimation in the article that Google owns DuckDuckGo.
All in all, it seems you and the article are on the same page.
Unlike Simple Analytics (the post authors), you deploy Counterscale to your own Cloudflare account and control the code + data end-to-end. It also uses no cookies, has no browser fingerprinting, and has no monetized SaaS offering.
It only has 90 days retention though, which could be viewed positively.
It's simple fear mongering and aimed at the wrong audience. Companies want people tracked to improve their ads and have a higher reach. The people who are being tracked can't exactly do much about what tracking system a website uses.
Depending on your network configuration I could imagine abuse of EDNS(0). This is used for example by NextDNS to identify which device (MAC) on your local network sent the request in order to apply specific filters and log the request. A not-so-friendly DNS could sell such information.
This list manages to be mostly correct while still spreading FUD. These can all be tracked, but the threat actors are very much uncoordinated in exploiting this info, and much of it (especially things like keystroke and mouse fingerprinting) is expensive to track en masse.
Just using Firefox with uBlock, no history, and privacy settings on max, through a somewhat trustworthy VPN like Mullvad will make your data mostly useless. Yeah, "they" could still catch you in a million ways, but if your threat model revolves mostly around surveillance capitalism you'll just be too much of a hassle to matter
To me just posting this long list is spreading FUD.
It mixes voluntary user actions, like submitting forms and “query parameters”, with things like “WebGL fingerprint” which we agree is evil sneaky fingerprinting.
I agree tracking is a serious problem, but this list isn’t contributing to any discussion.
People complain about google logging their search queries when they are in "incognito mode" and logged into their google account - we need a lot more education.
Query parameters are hardly voluntary, just about every linked acquired via "share" button on various platform includes tracking query parameters, including google search results. Combined with the fact that query parameters are has legitimate uses, the distinction complexity becomes indistinguishable from "legitimate WebGL usage" vs "WebGL fingerprint".
It is scary where we are, but you can't solve it by dismissing it as FUD.
Ha, nice find! I'm the Adriaan in adriaan.com. I'm testing some new script features that might improve deliverability. It's not sending any personal data. I use another domain to have the least effect of ad-blockers.
> Ha, nice find! I'm the Adriaan in adriaan.com. I'm testing some new script features that might improve deliverability. It's not sending any personal data. I use another domain to have the least effect of ad-blockers.
You are sending the user agent, path, referrer, a session id + the IP (which is automatically sent) to your personal server and also using a different domain to track users who have ad blockers installed. Even Google Analytics does not use random domain names to track adblock users (yet).
This is slightly incorrect. By sending a request from your business website (SimpleAnalytics) to your personal domain (Adriaan), you actually transfer personal data. In this case, it’s the IP address, which according to GDPR is considered PII.
Taking into account the scope of privacy terms provided on your business website, it doesn’t include data sharing with your personal entity through your website. So this is basically illegal, unless adriaan[.]com belongs and operated by SimpleAnalytics company.
VPN providers can't meaningfully block trackers. If they say they do, they have to be intercepting SSL which requires extra work (must install their generated CA on all clients) and you are literally handing over all data to the VPN provider, more so than without of course, as they'd be able to decrypt HTTPS payloads.
Readit News
Perhaps the name should be "IronyBrands"
We’ve been sounding the alarm about Google analytics, tag manager, and other Google trackers for years and why we started making our own extensions and browsers to block them and provide more comprehensive protection. On our homepage and everywhere else we can we try to get people to install those to get that additional protection, which you can compare here: https://duckduckgo.com/compare-privacy
Furthermore, I don't see any intimation in the article that Google owns DuckDuckGo.
All in all, it seems you and the article are on the same page.
They could have done a marketing blog post about the evils of Google Analytics without dragging DDG into this...
https://counterscale.dev/
Unlike Simple Analytics (the post authors), you deploy Counterscale to your own Cloudflare account and control the code + data end-to-end. It also uses no cookies, has no browser fingerprinting, and has no monetized SaaS offering.
It only has 90 days retention though, which could be viewed positively.
IP address, User-Agent string, Referrer URL, Requested URL, Language, Locale, Screen resolution, Time zone, System time, Installed fonts, Installed plugins, Cookie data, Browser fingerprint, Canvas fingerprint, WebGL fingerprint, AudioContext fingerprint, Mouse movements, Click paths, Keyboard input timing, History sniffing, DNS queries, Destination IP addresses, HTTP traffic content, HTTPS metadata (host, SNI, timing), MAC address, Query parameters, Session ID, Login status, User account info, Geolocation (via IP), Geolocation (via browser API), Page interaction data, Time on page, Scroll behavior, Clicks, Form submissions, Browser type, OS type, Network provider, Client ID (\_ga cookie), Session ID, Timestamp, Pages visited, UTM parameters, Interaction events, Google Ad ID, DoubleClick cookie (IDE), Cross-site behavior, Cross-device behavior, Inferred demographics, Mouse tracking, Scroll depth, Video interactions, Audio interactions, Session replay, Keystroke logging, Facebook login status, Pixel events (Meta, LinkedIn, etc)
If you want to avoid that, you need to make a real effort (not just using DuckDuckGo). The Tails operating system might be a good place to start.
And remote servers are outside of your local network and thus cannot see these values, either.
You may assume that they collude, or not.
Just using Firefox with uBlock, no history, and privacy settings on max, through a somewhat trustworthy VPN like Mullvad will make your data mostly useless. Yeah, "they" could still catch you in a million ways, but if your threat model revolves mostly around surveillance capitalism you'll just be too much of a hassle to matter
It mixes voluntary user actions, like submitting forms and “query parameters”, with things like “WebGL fingerprint” which we agree is evil sneaky fingerprinting.
I agree tracking is a serious problem, but this list isn’t contributing to any discussion.
It is scary where we are, but you can't solve it by dismissing it as FUD.
9: <script src="https://test-v1.adriaan.com/script-v1.js" async></script>
https://test-v1.adriaan.com/simple.gif?type=event&hostname=t... Gecko/20100101 Firefox/128.0&version=test-2025-04-22-v2&event=onload&path=/blog/google-is-tracking-you-even-when-you-use-duck-duck-go&referrer=&session_id=ab6ceafa-47c1-48e4-b26b-79148e625a15&metadata={"beacon_ok":true,"keepalive_ok":false,"ts_ms":1752496007219,"send_method":"image"}&t=1752496007219
So the correct title must be: "We track you when you're reading about Google tracking you (even when using DuckDuckGo)."
You are sending the user agent, path, referrer, a session id + the IP (which is automatically sent) to your personal server and also using a different domain to track users who have ad blockers installed. Even Google Analytics does not use random domain names to track adblock users (yet).
This is slightly incorrect. By sending a request from your business website (SimpleAnalytics) to your personal domain (Adriaan), you actually transfer personal data. In this case, it’s the IP address, which according to GDPR is considered PII.
Taking into account the scope of privacy terms provided on your business website, it doesn’t include data sharing with your personal entity through your website. So this is basically illegal, unless adriaan[.]com belongs and operated by SimpleAnalytics company.
How about this, I set a preference for some stuff I am interested in and that’s what they can show me.
3-letter-agencies.gif
Deleted Comment
Google analytics??
And many vpns also offer an option to block trackers and ads before they get to you.
So any client side requests to a known URL is just blocked. So only server side would work.