Hands-On with DuckDuckGo App Tracking Protection

Posted on November 22, 2021 by Paul Thurrott in Android, Cloud, Mobile with 27 Comments

Last week, DuckDuckGo announced that it was adding App Tracking Protection to its mobile app on Android, and the firm was nice enough to give me an invite to the beta. And from what I can tell over several days of usage, this feature works quite well. And I’m more than a bit troubled by the secret tracking activity it’s discovered—and blocked—on my phone.

Tracking protection is simple enough on the desktop, at least for web apps: just install an extension like uBlock Origin or DuckDuckGo Privacy Essentials and you’re good to go. Mobile, of course, is a bit trickier. On the iPhone, Apple added privacy controls, including mobile app anti-tracking functionality, in IOS 14.5 back in April. But we’re unlikely to see anything like that on Android. Google, after all, makes the vast majority of its revenues from advertising, and that requires them to allow tracking throughout Android.

Enter DuckDuckGo, which has found a unique solution to this problem: because Android supports the notion of a local VPN (virtual private network), the DuckDuckGo creates a fake VPN using this capability. This fake VPN doesn’t route traffic through an external server, like a real VPN does. Instead, everything happens right on your phone, and because it can run in the background perpetually, you should be protected from app-based tracking.

And my God. Is there a lot of app-based tracking in Android. Even more than I had imagined possible.

Over the past 3-4 days alone, 17 of the apps on my phone have made over 5,000 tracking attempts. Some of the apps, like the Bose Music app, are apps I have never even used since installing them, or apps I’ve only used very rarely. Some of them are from legit heavy hitters like The New York Times app or Fitbit, which is ironic since I use that app with a wearable fitness tracker.

Today alone, Fitbit has tried to track me (non-fitness-related) 85 times. The Washington Post? 22 times. United, an app I’ve not even signed into yet, has tracked me 12 times. Zillow, which I’ve never used, 35 times. The Bose Music app, 73 times. On and on it goes.

You can select any app entry to see which trackers they’re using. Dunkin’, for example, uses Verizon Media (24 attempts), Apptentive (17), New Relic (6), and, naturally, Google (2). Fitbit, meanwhile, only uses one tracker, Optimizely, but it tried to track me 115 times. What you can’t do is tap on one of these entries to see what types of things they track, which might be interesting. I Googled a few of these companies because I was curious.

If you do find an app that’s not working correctly and suspect it might be caused by DuckDuckGo, you can disable tracking for just that one app. Oddly, you can’t do that by selecting the app in a list. Instead, you must navigate to Manage Protection for Your Apps and deselect the app in that list.

One final note about the UX: because DuckDuckGo uses that local VPN capability, you’ll see a persistent VPN icon in the status bar at the top (it looks like a key). And DuckDuckGo, like a few of my other apps (like Fitbit) uses a silent notification, which also puts an icon in the status bar, this time on the left. It’s handy to have while you’re monitoring how App Tracking Protection works, but I don’t like superfluous icons in my status bar. The solution is to disable silent notifications in the status bar in Settings, or to just disable that one notification icon.

Implementation aside, DuckDuckGo takes a starkly different approach to anti-tracking than does Apple. With an iPhone, you will be prompted the first time that any app tries to track you. But with DuckDuckGo, tracking is disabled by default for all apps. I prefer that approach, but because this technology is new and it’s possible that anti-tracking could impair the functionality of certain apps. During the beta, you’re advised to look out for issues, and as noted, you can of course disable anti-tracking for apps as needed. I like it.

Tagged with

Join the discussion!

BECOME A THURROTT MEMBER:

Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Register
Comments (27)

27 responses to “Hands-On with DuckDuckGo App Tracking Protection”

  1. jgraebner

    I completely understand the motivation behind anti-tracking tools like this one and I think they are going to become increasingly common (at least for power users) unless the industry as a whole gets a lot more transparent about tracking. At the same time, I do worry that this might be a bit of a case where we need to be careful what we wish for. People have become very used to and reliant on free apps and services and if you cut off this kind of tracking, you are also cutting off their main revenue source. An inevitable end result is very likely to those apps and services either ceasing to be free or ceasing to exist at all.


    It's probably to be expected, but another issue is that tools like this are often more like a sledgehammer than a scalpel when deciding what to be blocked. I find it interesting that the article mentions NewRelic. The company I work for uses that and it is an application performance monitoring tool. Those calls are measuring reliability and response times, not user information.

    • lvthunder

      Application Performance Monitoring is a form of tracking though. It's tracking how and when you use the app.

      • jgraebner

        APM does not monitor individual usage. It just gathers measurements on load times, errors/timeouts, device CPU/memory, and that kind of thing. It isn't the type of marketing-driven, individualized data that people are generally thinking about when concerned with tracking. As someone who has used NewRelic and similar tools extensively, I can't even begin to imagine how that data could be used for anything that would be a privacy issue.

        • DLF

          "..., I can't even begin to imagine how that data could be used for anything that would be a privacy issue." With all due respect for your own (benign) use of app performance monitoring, I'd submit that you can't imagine any other (non-benign) uses because you're just not evil enough to imagine it.

  2. stmorr82zw5zml

    I’m keen to try this in my Android when I’m not at home. I use a Pi-hole at home, which has blocked 66.7% of 84,705 queries over the last 24-hours (ads and tracking, not including anything that may use DNS over HTTP/TLS). The main culprit? Microsoft. Staggering.

  3. qwertyfan

    Having just been, once again, shown the cookies preference selector for this site I decided to not allow the vendor cookies.

    Honestly it took several minutes to untick them all.

    No doubt I'll have to go through the same thing in a few days time.

    Services such as DDg have their place, but perhaps site owners also have a responsibility to take into account the sheer number of trackers they are employing.

  4. spacein_vader

    I have a similar suction, using Wire Guard VPN to my home Internet connection which runs through a Pi-hole to block the ads and tracking. Glad to see a more user freindly take.

  5. scovious

    Does blocking the app tracking with DuckDuckGo end up using more battery than it saves, or does it save more battery than it uses?

    • wright_is

      It is there to save your personal data from dissemination and lower the used data volume. It has nothing to do with battery, per se.


      That said, it should do a lot fewer DNS look-ups and transfer much less data over Wi-Fi or mobile data, therefore it should reduce the amount of power needed to transmit and receive the data, but it is probably a small amount.

    • MikeCerm

      I've been using a similar app (DNS66) for years, and there's really no impact to the battery whatsoever. Though, I did have a similar thought about the number of blocked attempts in one of Paul's pics: I wonder how many of those 5,299 blocked attempts were retries of a failed previous attempt, and are the numbers therefore an order of magnitude higher than they would be if you weren't blocking them?

  6. Donte

    It is not surprising at all and the reason that I do not use any Google products other than YouTube. On Edge I use Ublock, and the DuckDuck plugins. I never see an ad on YouTube.

    • scovious

      There is a YouTube app for android called NewPipe that removes advertisements and commercials from YouTube so people can experience YouTube like it was before Google bought it out and then packed it full of ads and tracking systems.

      • jgraebner

        There's also a product called "YouTube Premium" that gets rid of all the ads, but still provides revenue to Google and the content creators.


        As I mentioned earlier, there is a major double-edged sword here. When you are trying to get something for free while also denying alternative forms of revenue, the end game is ultimately going to be that the free options will simply go away.

  7. pdhemsley

    Regarding your last paragraph, you can also turn off app tracking by default on iPhone. Go to Settings > Privacy > Tracking. First option on that screen.

  8. north of 49th

    I wonder if the Marketing department for these companies understands how much tracking takes place in the apps they have created for the product or service they are selling?  I wonder if they understand how it affects their brand?

    For example, if you have a business selling fast food, the cost of developing an application to help your customers ordering remotely and driving business to your company shouldn’t need tracking to support the cost.

    For example, if you have an application that supports your high-tech gizmo, shouldn’t the purchase price of the gizmo support the application creation/maintenance? Why do you need to track your customers when they aren’t using your application?

    This is why I think DuckDuckGo is doing the right thing. Ignorance of what your application is doing is no excuse.

    • jgraebner

      In most cases, the marketing departments are likely the ones asking for the tracking. My specialty is performance engineering and it has long been a battle to try and get marketing to tamp down their need for more and more data, which often comes at the cost of slower load times.

  9. wright_is

    Our local newspaper says that there is no internet connection, if the tracker is blocked…

  10. Cdorf

    Wow I'm curious what mine will say. I am on the waiting list, just waiting for the notification to try it

  11. Nic

    If this is using a VPN under the covers, that would indicate that using an actual VPN client (ExpressVPN or other) won't function. That's an unfortunate side effect.

    My question would also be how DuckDuckGo monetize their business. There's a lot going on here that's not costing the user anything.

    • MikeCerm

      You can only connect to one VPN at a time, so it won't work in combination with another VPN. Virtually everything that DuckDuckGo is doing here can be done at the DNS level, so you can use something like Adguard DNS (or your very own Pi-hole based solution) to block a lot of this stuff if you really want to.


      DuckDuckGo does run ads on their search results pages, though if you use an ad blocker you'd never see them. A "service" like this really doesn't cost DDG anything to operate, because it's not like they're carrying your traffic.

    • MarkH

      I'm a little curious about coexistence with other "actual" VPNs as well. In my case, Google One.

      • drprw

        I use adguard and you can run tracking protection and their VPN at the same time on Android. I trust Adguard so it's a great solution for me (that I gladly pay for).

  12. dcdevito

    This is very promising, and one of the biggest reasons I switched to an iPhone. I just hope Google won’t cave to any pressure that undoubtedly some of the biggest Android app vendors will put on them as a result.

    • MikeCerm

      I always assumed that Google did not allow apps like this in the app store, which is why similar apps like DNS66 are available on F-Droid and not in the Play Store.

    • dbonds

      The other interesting part is whether Google itself will "take offense" to DDG using VPN functionality "for something other than what it was intended for" and remove/restrict the DDG app (or at least the antitracking functionality) and IF they do that, what the anti-trust response may (or may not) be.

  13. thewarragulman

    I wonder if this will cause a conflict with a real VPN, I've used Private Internet Access for a couple of years now and am about to move to Android, I wonder if this will interfere with using that, as I would preferably like to have both.

Leave a Reply