Zach Edwards
May 23, 2022 · 15 tweets
Sometimes you find something so disturbing during an audit, you've gotta check/recheck because you assume that *something* must be broken in the test.

But I'm confident now.

The new @DuckDuckGo browsers for iOS/Android don't block Microsoft data flows, for LinkedIn or Bing.🧵
DuckDuckGo has browser extensions & their own browsers for iOS / Android @ duckduckgo.com/app

iOS @ apps.apple.com/us/app/duckduc…

Android @ play.google.com/store/apps/det…

Both versions of the DDG browser claim to use tools which
"automatically block hidden third-party trackers" 👀

[Image: DuckDuckGo promise, "Privacy, simplified": "Escape Website Tracking - Tracker Radar automatically blocks..."]
If you download the current version of the DuckDuckGo browser for iOS/Android, & if you hope this browser actually stops data transfers to super common advertising subsidiaries owned by a company like Microsoft... well too bad, the browser has a secret allow data flow list 👀🤡
I don't have the full list of advertising domains that the DuckDuckGo browser is allowing to collect data within their new "private" browser (anyone have that or parsed it somewhere??) but any list that doesn't include "linkedin[.]com" + "bing[.]com" is *purposefully* broken.
It's public knowledge that DuckDuckGo has been creating exemptions for Microsoft for a while, which they've been required to explain on a page like @ help.duckduckgo.com/duckduckgo-hel… / DDG openly says they are sending your user IP address & user agent to Microsoft for the DDG ads on-click.

[Image: DDG help page excerpt: "Microsoft and DuckDuckGo have partnered to provide a search..."]
But you won't find any public articles from DuckDuckGo explaining *why* they are not blocking Microsoft-owned 3rd party data flows on websites *not* owned by Microsoft, like on Facebook's Workplace[.]com domain sending data to Bing & Linkedin in the DDG "private" browser. 👀🤡⛈️
I tested the DuckDuckGo so-called private browser for both iOS and Android, yet *neither version* blocked data transfers to Microsoft's Linkedin + Bing ads while viewing Facebook's workplace[.]com homepage.

Look at DDG bragging about stopping Facebook on Workplace, no MSFT..:

[Image: DuckDuckGo browser brags about stopping data transfers on Workplace]
You can capture data within the DuckDuckGo so-called private browser on a website like Facebook's workplace.com and you'll see that DDG does NOT stop data flows to Microsoft's Linkedin domains or their Bing advertising domains.

iOS + Android proof:
👀🫥😮‍💨🤡⛈️⚖️💸💸💸

[Images: DDG browser sending data to Microsoft on Facebook's Workplace (iOS and Android captures)]
And you can see proof that the DuckDuckGo team *knows* that Microsoft's domains are cross-site tracking vectors @ raw.githubusercontent.com/duckduckgo/tra… - that's the DDG feedback loop to help them populate blocklists.

So if DDG's researchers *know* MSFT/Bing/Linkedin=tracking, why exclude them?
So another question to ask: if you were a DDG privacy researcher who knew that Microsoft has a variety of domains they use for cross-site tracking to optimize their ads systems, and you already knew that DDG was giving IP address & UA string data to MSFT, did you know this too?👀
And if you are a privacy researcher working at DDG, do you think it's appropriate to push rhetoric about why this is a good browser, knowing that there are global data brokers - your own partners - who you are purposefully not stopping data flows for, on domains they don't own?🆒
Personally, I think that both Google & Apple have an obligation to users within their app marketplaces to remove apps which claim to do X, Y, Z, but do the opposite, merely because it makes the parent company more money.

If you say you block 3rd party data flows, *do that* ...
There are a variety of lists from DuckDuckGo to help parse this, like "Domains which should have cookie protections disabled due to site breakage issues" github.com/duckduckgo/pri… - which includes the bat[.]bing[.]com domain but does NOT include the Linkedin domain, so 100% unclear:
I don't think there is a public list of *all* the domains that the DuckDuckGo browser is *not* blocking, but they seem to be doing this w/ hardcoded rules. The DDG browser stops data flows from tons of domains.... except DDG's #1 ad tech partner.

Mysterious! 🤡⛈️⚖️📴📴
I won't hold my breath that DuckDuckGo will update their own so-called private browser to actually stop data flows to their own ad tech partners, but this is one of those things that makes a privacy auditor ... annoyed? bitter? confrontational?

Does Google / Apple care? </🧵>
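The audit the thread describes is essentially a diff between what a blocker claims to stop and what it actually lets through once exemptions are applied. The following script is an added example and is not code from the thread or from DuckDuckGo: it takes a constructed capture of third-party request URLs from a page, a constructed blocklist and a constructed exemption set, and reports which requests are blocked, which reach their destination only because of an exemption, and which are not covered by any list at all. The URL paths, query values, and the `example-static.net` host are made up for the demonstration; the domains `bing.com`, `linkedin.com`, `facebook.com` and `workplace.com` are the ones the thread discusses.

```python
"""Audit which third-party requests a tracker blocker actually stops.

Added example (not DuckDuckGo's code). The lists below are constructed to
illustrate how a blocklist plus an exemption (allow) list behaves; real
blockers also carry per-site rules, surrogates and cookie-only protections.
"""
from urllib.parse import urlsplit

# Constructed capture: hosts contacted while loading a first-party page.
# Paths and query values are placeholders, not real tracker parameters.
SAMPLE_REQUESTS = [
    "https://www.workplace.com/",
    "https://bat.bing.com/action/0?ti=PLACEHOLDER",
    "https://px.ads.linkedin.com/collect?pid=PLACEHOLDER",
    "https://www.facebook.com/tr?id=PLACEHOLDER",
    "https://cdn.example-static.net/app.js",
]
FIRST_PARTY = "workplace.com"

# Constructed lists: domains the blocker knows as trackers, and domains the
# blocker lets through anyway (the "secret allow list" the thread complains about).
BLOCKLIST = {"bing.com", "linkedin.com", "facebook.com"}
EXEMPTIONS = {"bing.com", "linkedin.com"}


def host_matches(host: str, domain: str) -> bool:
    """True when host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_request(url: str, first_party: str, blocklist: set, exemptions: set) -> str:
    """Decide what the blocker does with one request.

    Order matters: an exemption overrides a blocklist hit, which is exactly
    the behaviour an auditor needs to surface rather than hide.
    """
    host = urlsplit(url).hostname or ""
    if host_matches(host, first_party):
        return "first_party"
    listed = any(host_matches(host, d) for d in blocklist)
    exempt = any(host_matches(host, d) for d in exemptions)
    if listed and exempt:
        return "allowed_by_exemption"
    if listed:
        return "blocked"
    return "unlisted"


def audit(urls, first_party: str, blocklist: set, exemptions: set) -> dict:
    """Group request hosts by outcome so gaps in the blocker are visible at a glance."""
    report = {"first_party": [], "blocked": [], "allowed_by_exemption": [], "unlisted": []}
    for url in urls:
        outcome = classify_request(url, first_party, blocklist, exemptions)
        report[outcome].append(urlsplit(url).hostname)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_REQUESTS, FIRST_PARTY, BLOCKLIST, EXEMPTIONS)
    for outcome, hosts in result.items():
        print(f"{outcome:22s} {', '.join(hosts) or '-'}")
```

The interesting bucket for a privacy audit is `allowed_by_exemption`: every host in it is one the blocker already recognises as a tracker yet permits, which is the case the thread documents for the Bing and LinkedIn ad domains. The `unlisted` bucket is a different problem (coverage gaps in the list) and is worth reporting separately so the two are not conflated.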
