[HN Gopher] Tell HN: DuckDuckGo's privacy extension is adding an... ___________________________________________________________________ Tell HN: DuckDuckGo's privacy extension is adding an inline popup to web forms I didn't really believe my eyes when I saw it the first time, I thought it had to be some ad specific to the website. But it appears every form accepting an email on any website I visit now gets a small duck icon next to it that pops up a big bold-print message box to "Protect your inbox " complete with a cheeky prompt to either "get email protection" or "maybe later." Refusal is not even an option. This is definitely new for me as of today.[0] I found DuckDuckGo via Hackernews and have generally been a happy user of both the search engine and the privacy extension. Why could they possibly be doing this? It seems like a self-destructive act from a branding standpoint, I can't imagine their target customer demographic is amicable to this kind of thing. [0]https://i.redd.it/p1tcoikka0ka1.png Edit: It's even on Hackernews! I genuinely can't recall a browser extension acting like this since the mid-00s adware toolbar days. https://i.imgur.com/vYjZAUK.png Edit again: This post originally just said "injecting ads into web forms," I edited the title to clarify - apologies if that was misleading. Author : mustacheemperor Score : 88 points Date : 2023-02-23 21:34 UTC (1 hours ago) | yborg wrote: | If you install the Firefox Relay extension it does exactly the | same thing, which is what I want it to do. | thefourthchime wrote: | Or use safari, they do the same thing for free and it works | seamlessly with iPhone and mac | jeffbee wrote: | DDG "Privacy Essentials" is a highly privileged extension that | can do absolutely anything with all of your private data. | Installing it is among the worst ideas I can think of. This weird | quirk is the least of its problems. | the_cramer wrote: | Is this a feeling of yours or are there documented issues you | refer to. Looking at what DDGPE does, it seems reasonable to | have those privileges. | yegg wrote: | We have a strict privacy policy and don't have any user-level | data (e.g., search or browsing histories) at all. Our extension | is designed to be the "easy button" for privacy, and as such, | needs to pack in it a wide variety of Web Tracking Protections | as enumerated at https://help.duckduckgo.com/duckduckgo-help- | pages/privacy/we... that require such permissions. We do not | ask for any permissions that we do not need to make the privacy | features of our extension work as promised. | freedomben wrote: | I noticed this about an hour ago as well. They're advertising | their email alias feature and doing it (quite effectively) by | injecting into email fields. I don't think the site matters, it's | just on an email field. | | I think it's a little distastefeul to inject stuff into the | user's page, but it's not an outrage worthy of bailing from DDG. | I do hope they reconsider their approach though. | greendude29 wrote: | I saw the headline on your post and felt horrified. | | I then read the details and I'm no longer horrified. | | There is a difference between advertising your own services vs | injecting ads from other parties. Injecting ads from other | parties could imply sharing of personal data which would be | worrying. | | There is no breach of the DDG implicit user contract here which | is low tracking and privacy. | mustacheemperor wrote: | You likely saw it just before I edited the headline. I didn't | realize at the time I posted it, but the original title | definitely could give the impression they're injecting 3rd | party ads. Personally, this feels 90% as annoying as a third | party ad. But my intent was definitely not to mislead, I was | hesitant to even make a post because I don't want to be a bad | HN citizen by starting a thread that becomes an emotional | bandwagon. | | I don't think there is a breach of DDG's contract but it it is | a disappointing contrast to my expectations from DDG's brand, | which I would expect to be more respectful the user. This is | disruptive. | sergiotapia wrote: | Be grateful there's not a big purple monkey jumping around your | screen! | curiousfab wrote: | The description of this extension explicitly tells you it will do | this (integrated email protection). Works as advertised? | autoexec wrote: | It sure didn't take long for the Founder/CEO to show up to try to | spin this. If they're lurking here it kind of makes me feel like | they've been intentionally ignoring my constant complaining about | their search not working correctly. | | Common DDG lurkers, fix "-" so that searching for things like | "Office -microsoft" or "apple -id" works correctly instead of | returning results with "microsoft office" or "apple id" in the | title and body! This is basic functionality we've had for years | without issue! I don't know what broke it, but it's forcing me to | G! far more often than I'd care to. | user3939382 wrote: | Maybe the CEO can jump on here again and give us a bunch of back- | peddling double talk about how they're misunderstood, as when | they were caught censoring news results. | | I no longer trust DDG and switched to Kagi. Whether that's better | for privacy I'm not sure but at least their business is driven by | user payments and not ads. | | That my quoted search terms don't get blatantly ignored was | actually the impetus to move. | greendude29 wrote: | > Maybe the CEO can jump on here again and give us a bunch of | back-peddling double talk about how they're misunderstood, as | when they were caught censoring news results. | | I must have missed this, what's this about censoring news? | yegg wrote: | It is simply not true that we have censored anything. I realize | I previously explained how our news rankings work very poorly | on Twitter, but I subsequently put out a clarification tweet[1] | and then we made this help page with a much clearer (and | detailed) explanation of how our news rankings work: | https://help.duckduckgo.com/duckduckgo-help- | pages/results/ne.... This is not "back-peddling"; it is the | ground truth of what is actually going on with our news | results. | | [1] "We are not ranking based on any political agenda or my (or | anyone else's) personal political opinions. We are also not | assessing any individual news stories." | https://twitter.com/yegg/status/1515637392190935041 | account-5 wrote: | I can't speak to the rest of the parent post but regularly | experience my quoted searches being ignored and similarly | when I don't want something using the correct syntax to | exclude it the exact term I want to exclude us top and f the | list. Very annoying. | ChickenNugger wrote: | And there it is. | happybuy wrote: | Sometimes the cure is worse than the disease. | | If you want privacy, it would be best practice to not install an | extension that has complete read/write access to all of the pages | that you browse. | [deleted] | yegg wrote: | Founder/CEO of DuckDuckGo here. This title implies we are | injecting third-party advertising into web forms, which is not | the case. | | This is part of the onboarding for our optional DuckDuckGo Email | Protection feature, where we generate email aliases for you on | sign up forms (so you don't give out your real email address), | which then forwards to your regular inbox with email trackers | removed in the process: https://spreadprivacy.com/protect-your- | inbox-with-duckduckgo.... It is mentioned in the add-on | description as one of the extension's primary features, e.g., at | https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-fo... | | Update: I am listening to the feedback presented here. There is a | whole team of people working on this feature, trying to bring | needed email protection to our mainstream user base. Email | protection as a concept is hard for people to understand and the | team feels that this in-context onboarding was the best way to | explain it. However, we will now revisit this given the feedback. | | (Also x-posting part of another comment for context on this | feature: Popping up a level, the goal of our product is to be the | "easy button" for privacy, and email protection is a big part of | it, since as we (and others) have gotten much better at web | tracking protection (e.g., see | https://help.duckduckgo.com/duckduckgo-help-pages/privacy/we...), | unscrupulous actors have done more and more email tracking, using | your email address as a unique identifier to track you across | sites and putting email trackers within emails to do similar.) | toxic wrote: | So, it's an ad for a service where email goes through your | servers before reaching mine, for the purpose of removing | tracking and hiding my address. This isn't onboarding, this is | cross-promotion of another service and it's really F'ing gross. | | Messing with the integrity of a web page's content without your | users' consent is a gross violation of trust. Doing it inside | of a browser extension is adware. Doing it as a privacy-focused | company is... a fast way to destroy your image as a privacy- | focused company. | | If you're manipulating the display of a page that I'm visiting, | without an opt-in, and you're being shady about calling it | advertising, why should I expect that you're going to treat | email with the level of integrity required/expected? | | This is a hard red line that you've crossed, especially as a | privacy-focused company, and instead of backing down, you're | blaming your UI design? Stop. There is no amount of UI work | that makes it OK to silently insert your ad into someone else's | content. | | If you want to cross-promote (please don't, but if you must), | you need to do it in a way that makes it clear it's coming from | the extension, and not manipulating third-party content without | user consent. The second you start inserting your message into | a page that I'm reading, is the second that I uninstall your | extension and never use it again. | | Which is a shame. I like your search product, and I thought | that I liked your company's philosophy and goals. Oh well. | mustacheemperor wrote: | Thank you for the response. I have edited the title to clarify | it is a first-party advertisement for a DuckDuckGo service | being placed alongside web forms. | | Seeing this notification appear once, in the extensions area as | a popup from the DuckDuckGo extension, would feel much less | outrageous. It does not feel like onboarding, it feels like an | ad. It is an unexpected disruption of my browser's usual | behavior. | yegg wrote: | Thank you, though I still don't think it is fully clarified, | i.e., a "DDG ad" could still be a third-party one. | | I understand your concern though and again will take it to | the team. Popping up a level, though, the goal of our product | is to be the "easy button" for privacy, and email protection | is a big part of it, since as we (and others) have gotten | much better at web tracking protection (e.g., see | https://help.duckduckgo.com/duckduckgo-help- | pages/privacy/we...), unscrupulous actors have done more and | more email tracking, using your email address as a unique | identifier to track you across sites and putting email | trackers within emails to do similar. So, when you sign up | for forms online, to escape this tracking, you really should | be using a per-site alias, as well as using a service that | strips email trackers from emails so you aren't tracked on | email open. | the_other wrote: | I use DDG search as my daily driver. I want to support you | and your mission. A simple "buy us a beer" link would | probably get me donating/paying. However, this report of | your extension adding interruptions to forms has guaranteed | I will nevwr install your extension and strongly puts me | off even trying your browser. It's an abuse of the | privilege your users grant you and you should stop it. It | makes you look like you're watching your users. | bhhaskin wrote: | This. It is hard red line for me. Instantly uninstalled. | thefourthchime wrote: | ^ this | mustacheemperor wrote: | I am almost at the HN character limit, so it's a challenge | to accurately describe in the title that DDG inserts its | logo with a pop-out notification, requiring two clicks of | interaction to dismiss, asking me to utilize another | duckduckduckgo service in my inbox. I've altered it to "an | inline popup," which I think is at least a more accurate | way to describe this than an onboarding message (which | wouldn't fit anyway). But frankly, as a user, to me it's an | ad for another DDG service. | | I've got no qualms with the product mission for the email | tracking protection, I think it's a great one and I utilize | email tracking protection myself. I made this post because | I really like DuckDuckGo and I was just so astounded at | this behavior. I tell everyone to "just use the duck | website" because I really do believe in your mission, and I | hope this post doesn't set off too much bandwagoning. My | concern is voiced from a standpoint of support, not | negativity. I really appreciate the opportunity to exchange | this feedback with you directly and especially to add to | this post that I really do generally love what you're | building. When it doesn't get in my face when I'm trying to | work. | | I hope this post winds up being useful feedback. The | decision to ship this into the product is mystifying to me. | I would agree with the other users saying this should be | recalled immediately while any internal discussion about it | is ongoing. | Slighted wrote: | >This title implies we are injecting third-party advertising | into web forms, which is not the case. | | Its okay everybody, the CEO came out and said its *not* | actually advertising but just simply an unsolicited, intrusive | pop-up that tries to get users to use more of their services so | its all good! | focusedone wrote: | Happy DDG user who also hates extra popups while browsing | here: | | I think this only happens if you install the DDG extension. | So it's not _exactly_ unsolicited. | | I totally get DDG wanting people to be aware of their | services. I use their email proxy service and it seems like a | solid addition to their portfolio. For me, anything that | requires additional action or distraction when I'm just | trying to do _this one quick thing_ gets disabled / removed. | | How often are people actually signing up for things? Maybe | this could be a separate extension or at least have an easier | way to mute the injected ad? | matkoniecz wrote: | > I think this only happens if you install the DDG | extension. So it's not exactly unsolicited. | | Has extension mentioned obnoxious inline ads as one of | things it will be doing? | Waterluvian wrote: | I think that what's more important than rethinking and | ultimately reversing this decision is to explore the conditions | that made this idea internally palatable in the first place. | thefourthchime wrote: | right its not an ad. It's just a way to force possible future | customer to know about a product your selling. | | DDG has always been a little sketchy, but now I know. | mouse_ wrote: | This is filthy. Stop being disingenuous. | | > the UX of this feature can be improved, and will take this | feedback back to the team working on it. | | It's adware, and you need to recall it. | KomoD wrote: | You are injecting an ad :) | snickerbockers wrote: | > we generate email aliases for you on sign up forms (so you | don't give out your real email address), | | Look man, i love you and i love your products but using nagware | to try to make users proxy their email through your service | isn't very privacy friendly. | | I don't think you have any ill intent with this but it does | require an extraordinary degree of trust and i don't think | users should be nagged into doing it until they finally give in | just to make your software stop nagging them. | sdfghswe wrote: | > (...) this isn't even really an ad at all -- it is part of | the onboarding for our completely optional (...) | | Wow. So disappointing. | bhhaskin wrote: | Right. It's an Ad. | TechnoJunky wrote: | They're telling you that they can provide you with an email alias | so you don't have to enter your legit email address. Using your | legit email address on every site you register to helps them to | track you. And you can turn off an email alias and spam to that | address will stop. | JaggedJax wrote: | After clicking "Maybe Later" I get a "Don't Ask Again" option | after that, so it's possible, but harder than it should be. This | is definitely bad practice. | | I don't feel like this should be enabled by default. It would be | fine for them to advertise it when you click on the extension | asking you to turn it on, but not inline on every email form with | a double opt-out. ___________________________________________________________________ (page generated 2023-02-23 23:00 UTC)