[HN Gopher] Tell HN: DuckDuckGo's privacy extension is adding an...
___________________________________________________________________
Tell HN: DuckDuckGo's privacy extension is adding an inline popup
to web forms
I didn't really believe my eyes when I saw it the first time, I
thought it had to be some ad specific to the website. But it
appears every form accepting an email on any website I visit now
gets a small duck icon next to it that pops up a big bold-print
message box to "Protect your inbox " complete with a cheeky prompt
to either "get email protection" or "maybe later." Refusal is not
even an option. This is definitely new for me as of today.[0] I
found DuckDuckGo via Hackernews and have generally been a happy
user of both the search engine and the privacy extension. Why could
they possibly be doing this? It seems like a self-destructive act
from a branding standpoint, I can't imagine their target customer
demographic is amicable to this kind of thing.
[0]https://i.redd.it/p1tcoikka0ka1.png Edit: It's even on
Hackernews! I genuinely can't recall a browser extension acting
like this since the mid-00s adware toolbar days.
https://i.imgur.com/vYjZAUK.png Edit again: This post originally
just said "injecting ads into web forms," I edited the title to
clarify - apologies if that was misleading.
Author : mustacheemperor
Score : 88 points
Date : 2023-02-23 21:34 UTC (1 hours ago)
| yborg wrote:
| If you install the Firefox Relay extension it does exactly the
| same thing, which is what I want it to do.
| thefourthchime wrote:
| Or use safari, they do the same thing for free and it works
| seamlessly with iPhone and mac
| jeffbee wrote:
| DDG "Privacy Essentials" is a highly privileged extension that
| can do absolutely anything with all of your private data.
| Installing it is among the worst ideas I can think of. This weird
| quirk is the least of its problems.
| the_cramer wrote:
| Is this a feeling of yours or are there documented issues you
| refer to. Looking at what DDGPE does, it seems reasonable to
| have those privileges.
| yegg wrote:
| We have a strict privacy policy and don't have any user-level
| data (e.g., search or browsing histories) at all. Our extension
| is designed to be the "easy button" for privacy, and as such,
| needs to pack in it a wide variety of Web Tracking Protections
| as enumerated at https://help.duckduckgo.com/duckduckgo-help-
| pages/privacy/we... that require such permissions. We do not
| ask for any permissions that we do not need to make the privacy
| features of our extension work as promised.
| freedomben wrote:
| I noticed this about an hour ago as well. They're advertising
| their email alias feature and doing it (quite effectively) by
| injecting into email fields. I don't think the site matters, it's
| just on an email field.
|
| I think it's a little distastefeul to inject stuff into the
| user's page, but it's not an outrage worthy of bailing from DDG.
| I do hope they reconsider their approach though.
| greendude29 wrote:
| I saw the headline on your post and felt horrified.
|
| I then read the details and I'm no longer horrified.
|
| There is a difference between advertising your own services vs
| injecting ads from other parties. Injecting ads from other
| parties could imply sharing of personal data which would be
| worrying.
|
| There is no breach of the DDG implicit user contract here which
| is low tracking and privacy.
| mustacheemperor wrote:
| You likely saw it just before I edited the headline. I didn't
| realize at the time I posted it, but the original title
| definitely could give the impression they're injecting 3rd
| party ads. Personally, this feels 90% as annoying as a third
| party ad. But my intent was definitely not to mislead, I was
| hesitant to even make a post because I don't want to be a bad
| HN citizen by starting a thread that becomes an emotional
| bandwagon.
|
| I don't think there is a breach of DDG's contract but it it is
| a disappointing contrast to my expectations from DDG's brand,
| which I would expect to be more respectful the user. This is
| disruptive.
| sergiotapia wrote:
| Be grateful there's not a big purple monkey jumping around your
| screen!
| curiousfab wrote:
| The description of this extension explicitly tells you it will do
| this (integrated email protection). Works as advertised?
| autoexec wrote:
| It sure didn't take long for the Founder/CEO to show up to try to
| spin this. If they're lurking here it kind of makes me feel like
| they've been intentionally ignoring my constant complaining about
| their search not working correctly.
|
| Common DDG lurkers, fix "-" so that searching for things like
| "Office -microsoft" or "apple -id" works correctly instead of
| returning results with "microsoft office" or "apple id" in the
| title and body! This is basic functionality we've had for years
| without issue! I don't know what broke it, but it's forcing me to
| G! far more often than I'd care to.
| user3939382 wrote:
| Maybe the CEO can jump on here again and give us a bunch of back-
| peddling double talk about how they're misunderstood, as when
| they were caught censoring news results.
|
| I no longer trust DDG and switched to Kagi. Whether that's better
| for privacy I'm not sure but at least their business is driven by
| user payments and not ads.
|
| That my quoted search terms don't get blatantly ignored was
| actually the impetus to move.
| greendude29 wrote:
| > Maybe the CEO can jump on here again and give us a bunch of
| back-peddling double talk about how they're misunderstood, as
| when they were caught censoring news results.
|
| I must have missed this, what's this about censoring news?
| yegg wrote:
| It is simply not true that we have censored anything. I realize
| I previously explained how our news rankings work very poorly
| on Twitter, but I subsequently put out a clarification tweet[1]
| and then we made this help page with a much clearer (and
| detailed) explanation of how our news rankings work:
| https://help.duckduckgo.com/duckduckgo-help-
| pages/results/ne.... This is not "back-peddling"; it is the
| ground truth of what is actually going on with our news
| results.
|
| [1] "We are not ranking based on any political agenda or my (or
| anyone else's) personal political opinions. We are also not
| assessing any individual news stories."
| https://twitter.com/yegg/status/1515637392190935041
| account-5 wrote:
| I can't speak to the rest of the parent post but regularly
| experience my quoted searches being ignored and similarly
| when I don't want something using the correct syntax to
| exclude it the exact term I want to exclude us top and f the
| list. Very annoying.
| ChickenNugger wrote:
| And there it is.
| happybuy wrote:
| Sometimes the cure is worse than the disease.
|
| If you want privacy, it would be best practice to not install an
| extension that has complete read/write access to all of the pages
| that you browse.
| [deleted]
| yegg wrote:
| Founder/CEO of DuckDuckGo here. This title implies we are
| injecting third-party advertising into web forms, which is not
| the case.
|
| This is part of the onboarding for our optional DuckDuckGo Email
| Protection feature, where we generate email aliases for you on
| sign up forms (so you don't give out your real email address),
| which then forwards to your regular inbox with email trackers
| removed in the process: https://spreadprivacy.com/protect-your-
| inbox-with-duckduckgo.... It is mentioned in the add-on
| description as one of the extension's primary features, e.g., at
| https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-fo...
|
| Update: I am listening to the feedback presented here. There is a
| whole team of people working on this feature, trying to bring
| needed email protection to our mainstream user base. Email
| protection as a concept is hard for people to understand and the
| team feels that this in-context onboarding was the best way to
| explain it. However, we will now revisit this given the feedback.
|
| (Also x-posting part of another comment for context on this
| feature: Popping up a level, the goal of our product is to be the
| "easy button" for privacy, and email protection is a big part of
| it, since as we (and others) have gotten much better at web
| tracking protection (e.g., see
| https://help.duckduckgo.com/duckduckgo-help-pages/privacy/we...),
| unscrupulous actors have done more and more email tracking, using
| your email address as a unique identifier to track you across
| sites and putting email trackers within emails to do similar.)
| toxic wrote:
| So, it's an ad for a service where email goes through your
| servers before reaching mine, for the purpose of removing
| tracking and hiding my address. This isn't onboarding, this is
| cross-promotion of another service and it's really F'ing gross.
|
| Messing with the integrity of a web page's content without your
| users' consent is a gross violation of trust. Doing it inside
| of a browser extension is adware. Doing it as a privacy-focused
| company is... a fast way to destroy your image as a privacy-
| focused company.
|
| If you're manipulating the display of a page that I'm visiting,
| without an opt-in, and you're being shady about calling it
| advertising, why should I expect that you're going to treat
| email with the level of integrity required/expected?
|
| This is a hard red line that you've crossed, especially as a
| privacy-focused company, and instead of backing down, you're
| blaming your UI design? Stop. There is no amount of UI work
| that makes it OK to silently insert your ad into someone else's
| content.
|
| If you want to cross-promote (please don't, but if you must),
| you need to do it in a way that makes it clear it's coming from
| the extension, and not manipulating third-party content without
| user consent. The second you start inserting your message into
| a page that I'm reading, is the second that I uninstall your
| extension and never use it again.
|
| Which is a shame. I like your search product, and I thought
| that I liked your company's philosophy and goals. Oh well.
| mustacheemperor wrote:
| Thank you for the response. I have edited the title to clarify
| it is a first-party advertisement for a DuckDuckGo service
| being placed alongside web forms.
|
| Seeing this notification appear once, in the extensions area as
| a popup from the DuckDuckGo extension, would feel much less
| outrageous. It does not feel like onboarding, it feels like an
| ad. It is an unexpected disruption of my browser's usual
| behavior.
| yegg wrote:
| Thank you, though I still don't think it is fully clarified,
| i.e., a "DDG ad" could still be a third-party one.
|
| I understand your concern though and again will take it to
| the team. Popping up a level, though, the goal of our product
| is to be the "easy button" for privacy, and email protection
| is a big part of it, since as we (and others) have gotten
| much better at web tracking protection (e.g., see
| https://help.duckduckgo.com/duckduckgo-help-
| pages/privacy/we...), unscrupulous actors have done more and
| more email tracking, using your email address as a unique
| identifier to track you across sites and putting email
| trackers within emails to do similar. So, when you sign up
| for forms online, to escape this tracking, you really should
| be using a per-site alias, as well as using a service that
| strips email trackers from emails so you aren't tracked on
| email open.
| the_other wrote:
| I use DDG search as my daily driver. I want to support you
| and your mission. A simple "buy us a beer" link would
| probably get me donating/paying. However, this report of
| your extension adding interruptions to forms has guaranteed
| I will nevwr install your extension and strongly puts me
| off even trying your browser. It's an abuse of the
| privilege your users grant you and you should stop it. It
| makes you look like you're watching your users.
| bhhaskin wrote:
| This. It is hard red line for me. Instantly uninstalled.
| thefourthchime wrote:
| ^ this
| mustacheemperor wrote:
| I am almost at the HN character limit, so it's a challenge
| to accurately describe in the title that DDG inserts its
| logo with a pop-out notification, requiring two clicks of
| interaction to dismiss, asking me to utilize another
| duckduckduckgo service in my inbox. I've altered it to "an
| inline popup," which I think is at least a more accurate
| way to describe this than an onboarding message (which
| wouldn't fit anyway). But frankly, as a user, to me it's an
| ad for another DDG service.
|
| I've got no qualms with the product mission for the email
| tracking protection, I think it's a great one and I utilize
| email tracking protection myself. I made this post because
| I really like DuckDuckGo and I was just so astounded at
| this behavior. I tell everyone to "just use the duck
| website" because I really do believe in your mission, and I
| hope this post doesn't set off too much bandwagoning. My
| concern is voiced from a standpoint of support, not
| negativity. I really appreciate the opportunity to exchange
| this feedback with you directly and especially to add to
| this post that I really do generally love what you're
| building. When it doesn't get in my face when I'm trying to
| work.
|
| I hope this post winds up being useful feedback. The
| decision to ship this into the product is mystifying to me.
| I would agree with the other users saying this should be
| recalled immediately while any internal discussion about it
| is ongoing.
| Slighted wrote:
| >This title implies we are injecting third-party advertising
| into web forms, which is not the case.
|
| Its okay everybody, the CEO came out and said its *not*
| actually advertising but just simply an unsolicited, intrusive
| pop-up that tries to get users to use more of their services so
| its all good!
| focusedone wrote:
| Happy DDG user who also hates extra popups while browsing
| here:
|
| I think this only happens if you install the DDG extension.
| So it's not _exactly_ unsolicited.
|
| I totally get DDG wanting people to be aware of their
| services. I use their email proxy service and it seems like a
| solid addition to their portfolio. For me, anything that
| requires additional action or distraction when I'm just
| trying to do _this one quick thing_ gets disabled / removed.
|
| How often are people actually signing up for things? Maybe
| this could be a separate extension or at least have an easier
| way to mute the injected ad?
| matkoniecz wrote:
| > I think this only happens if you install the DDG
| extension. So it's not exactly unsolicited.
|
| Has extension mentioned obnoxious inline ads as one of
| things it will be doing?
| Waterluvian wrote:
| I think that what's more important than rethinking and
| ultimately reversing this decision is to explore the conditions
| that made this idea internally palatable in the first place.
| thefourthchime wrote:
| right its not an ad. It's just a way to force possible future
| customer to know about a product your selling.
|
| DDG has always been a little sketchy, but now I know.
| mouse_ wrote:
| This is filthy. Stop being disingenuous.
|
| > the UX of this feature can be improved, and will take this
| feedback back to the team working on it.
|
| It's adware, and you need to recall it.
| KomoD wrote:
| You are injecting an ad :)
| snickerbockers wrote:
| > we generate email aliases for you on sign up forms (so you
| don't give out your real email address),
|
| Look man, i love you and i love your products but using nagware
| to try to make users proxy their email through your service
| isn't very privacy friendly.
|
| I don't think you have any ill intent with this but it does
| require an extraordinary degree of trust and i don't think
| users should be nagged into doing it until they finally give in
| just to make your software stop nagging them.
| sdfghswe wrote:
| > (...) this isn't even really an ad at all -- it is part of
| the onboarding for our completely optional (...)
|
| Wow. So disappointing.
| bhhaskin wrote:
| Right. It's an Ad.
| TechnoJunky wrote:
| They're telling you that they can provide you with an email alias
| so you don't have to enter your legit email address. Using your
| legit email address on every site you register to helps them to
| track you. And you can turn off an email alias and spam to that
| address will stop.
| JaggedJax wrote:
| After clicking "Maybe Later" I get a "Don't Ask Again" option
| after that, so it's possible, but harder than it should be. This
| is definitely bad practice.
|
| I don't feel like this should be enabled by default. It would be
| fine for them to advertise it when you click on the extension
| asking you to turn it on, but not inline on every email form with
| a double opt-out.
___________________________________________________________________
(page generated 2023-02-23 23:00 UTC)