DuckDuckGo now blocks Google sign-in pop-ups on all sites

DuckDuckGo apps and extensions are now blocking Google Sign-in pop-ups on all its apps and browser extensions, removing what it perceives as an annoyance and a privacy risk for its users.

DuckDuckGo offers a privacy-focused search engine, an email service, mobile apps, and data-protecting browser extensions. A standalone web browser is also in the works, currently in beta and only available for macOS.

The company announced today that all its Chrome, Firefox, Brave, and Microsoft Edge apps and browser extensions will now actively block Google sign-in prompts displayed on sites.

Google offers this single sign-on option on websites to enable users to quickly sign in to new platforms using their Google account for convenience and unified control.

Simply put, instead of having to create new accounts and manage multiple passwords on various sites, users can just sign in with Google when the option is available and skip the hassle.

The downside of this practice for users is that the websites and apps users sign into can be tracked by Google.

While Google states explicitly, “Data from Sign In With Google is not used for ads or other non-security purposes,” DuckDuckGo says their tests show that Google still collects data.

“See our testing in the attached image which shows Google is collecting data on sites when signed in with Google. For example, on investing.com, many requests are made to https://securepubads.g.doubleclick.net/gampad/ads?.,” DuckDuckGo told BleepingComputer.

“This includes the full page url in the request parameters. In testing, if we’re not signed into the website with Google, the DSID cookie sent with these requests has a value of NO_DATA. If we are signed into the website with Google, the DSID cookie sent with these requests has a long hexadecimal value.”

“You can see this in the attached image – on the left we’re signed in with Google, on the right we’re not signed in with Google.”

Cookie siphoning user data (left) and blocked (right) (DuckDuckGo)

As DuckDuckGo believes these are privacy risks, it has resorted to taking the rather aggressive approach of blocking Google sign-in prompts, never giving users the option to take up the tech giant’s offer.

BleepingComputer has found that the option is baked into the general protection feature of the browser extension, so when the extension is active, all Google prompts are blocked automatically.

The same applies to the DuckDuckGo browser for macOS, where the Google blocking feature is built into “Protection,” and there’s no option to disable it unless you disable all privacy protections.

DuckDuckGo browser on macOS, protection set to on (left) and off (right) (BleepingComputer)

DuckDuckGo’s new feature will not cause any issues to those who use Google to sign-in on websites as that method is still available on the affiliated platforms’ login pages. However, the annoying pop-up window will not show up.

Comments

Wim-Katje – 4 days ago
And this now makes DuckDuckGo completely useless for me. As a software developer, I depend a lot on Google and many of it’s services. My own company even has a Workspace account and I use various Google API’s in the projects I develop. I depend heavily on this functionality. So if DuckDuckGo blocks it then I just block DuckDuckGo…
Thing is, if people want to have privacy then they should stop sharing private information online. And become more aware of all the trackers that exist.
And don’t trust DDG that much either, as it has been proven before that even DDG is using trackers themselves, collecting data and who knows what they do with it? They can’t disclose that, as that would be bad marketing. (“We promise that no one else will share your private data” is not a good marketing slogan…)
While Google is collecting private information, they are also open about it. That’s a big difference…
ThomasMann – 3 days ago
I understand your problem. For a software developer this is not good.

But on the other hand….
It was and is people like yourself that have allowed to get corporations like Google, M$ and the like, to amass all that data = power, that they are now using against their customers.
All you people are interested in, is your income… Software developers are the major problem when it comes to the horrifying state of powerabuse against users, which means everybody!
The surveillance ability of states all governments all over the world would not be possible without your ignorance. And what will be the endresult of this development is still unpredictable, but it will be a desaster…

I understand your problem, but duckduckgo understands the REAL problem!
The excuses you make are a joke, are simply in it for the money!
Wim-Katje – 3 days ago
Well, unfortunately DuckDuckGo used trackers from Microsoft to track user data. Read a previous article at https://www.bleepingcomputer.com/news/security/duckduckgo-browser-allows-microsoft-trackers-due-to-search-agreement/ to learn more. They claim to be privacy-focused but they’re not honest about that. Now you might like DDG because they claim to respect your privacy, but they lied about that!
Thing is, people have started to use computers for entertainment and sharing their privacy everywhere. Social media are Gold for companies, as it provides so much information for them. And for DDG, their goal doesn’t seem to be concern about privacy, but a concern that others can collect this information. By trying to control the browser market and search engines, DDG is basically able to collect all this data themselves and use this data without disclosing this to the end users.
Keep in mind that DDG might even have violated the GDPR laws in Europe. Claiming they don’t track anyone yet secretly allowing Microsoft to use trackers? That seems a serious accusation to me. And yes, that too is all about money!
Thing is, I’m not ignorant. I’m just not sharing any personal details that I want to keep private. And if more people would just stop sharing private information online then that would solve about 80% of the whole problem. Instead, people just continue what they have always done and fall for the marketing trick of DDG. Because even DDG uses data to gain more power.
Don’t forget, DDG makes most of it’s money from online advertising and to do a better job at that, they will need to collect data from their users, to provide better ads.
Thing is, I don’t trust Google but they are at least honest about collecting data. They also provide insights in what they know about me. DDG lied to me about not tracking me, and they probably know things about me that they are unwilling to disclose. So I don’t trust DDG either. But they also lied to me, and to the public in general, which is why DDG is just as Evil as Google and the rest…
ThomasMann – 2 days ago
Thank you, that sounds a bit different than the first comment. I myself hve no illusions about DDG, digital security is nothing but wishful thinking. I completly agree with your “I’m just not sharing any personal details that I want to keep private. And if more people would just stop sharing private information online then that would solve about 80% of the whole problem.”

The advantage that DDG (and “Startpage”) has, unless you have different info there too, is that they do not manipulate ranking of search results…
Wim-Katje – 2 days ago
“Thank you, that sounds a bit different than the first comment. I myself hve no illusions about DDG, digital security is nothing but wishful thinking. I completly agree with your “I’m just not sharing any personal details that I want to keep private. And if more people would just stop sharing private information online then that would solve about 80% of the whole problem.”
The advantage that DDG (and “Startpage”) has, unless you have different info there too, is that they do not manipulate ranking of search results…”

You’re welcome. And yes, to me it’s a matter of trust. As a developer, I work on projects that handle millions of euros in financial transactions and needs to be very aware of privacy. One of the conditions I have to deal with is that I cannot use any Cloud services or remote APIs. As a developer in Europe, I also have to be very aware of the GDPR and need to be clear and transparent about we deal with the privacy of users. So I know the amount of data that we can collect with our services and sites in minute details. I know the personal details that you can find in the HTTP headers of each request. SSL should encrypt them all, though. But the URL and IP address can still be collected. And a man-in-the-middle approach can defeat the purpose of SSL if the client does not check the SSL certificates. This makes DDG challenging as they operate as a middle-man with their privacy tools.
So, DDG desires a lot of trust from us, users. All out private data will go through their servers for anything we do through their apps. And DDG blocks all this data to anyone else who is interested in it. This basically provides DDG a monopoly on this data…
Now, when DDG gets caught supporting trackers, I know something fishy is happening. This should be a warning signal for many, showing that even DDG might not be trusted with our data. Because as a developer, I know all sites can and will collect private data for various purposes, but most are open about it.
DDG lied… And that means they’re not worth my trust. Keep in mind that this is more than just a search engine, as they have their own browser app and extension.
ThomasMann – 1 day ago
Thank you, for your answer. Interesting, as I live in a different world. A world in which the idea of security while using the internet is a silly idea. People like myself want to know when all attempts security will be completely useless, maybe with computers in the “wrong” hands… Security breaches seem to me to be at best, a question of time. I watched a “documentary” last night about the beginning of germany’s Chaos Computer Club in the 80s, which shows that government secret services from the very beginning of the net, where after those people who threatend to establish a communication platform, that will NOT be under government control.
People even were murdered by CIA &Co. Those efforts have of course increased and will NEVER stop.
When it comes to browsers, have you heard of one that is usable and will not be able to be broken, if someone finds it necessary in the future? I took a careful look, which of my correspondence through the net I want NOT to be accessable for others. I use a VPN and Tor for that. For the rest I still use Ff…. which lied a lot more than DGG, but at least it makes life very much easier for things that do not matter.
Very understandably you write “DDG lied… And that means they’re not worth my trust.”
Agreed, but do you have any idea at many things you simply just have not yet looked thoroughly enough to see, that they also lied?
Wim-Katje – 1 day ago
“Thank you, for your answer. Interesting, as I live in a different world. A world in which the idea of security while using the internet is a silly idea. People like myself want to know when all attempts security will be completely useless, maybe with computers in the “wrong” hands… Security breaches seem to me to be at best, a question of time. I watched a “documentary” last night about the beginning of germany’s Chaos Computer Club in the 80s, which shows that government secret services from the very beginning of the net, where after those people who threatend to establish a communication platform, that will NOT be under government control.
People even were murdered by CIA &Co. Those efforts have of course increased and will NEVER stop.
When it comes to browsers, have you heard of one that is usable and will not be able to be broken, if someone finds it necessary in the future? I took a careful look, which of my correspondence through the net I want NOT to be accessable for others. I use a VPN and Tor for that. For the rest I still use Ff…. which lied a lot more than DGG, but at least it makes life very much easier for things that do not matter.
Very understandably you write “DDG lied… And that means they’re not worth my trust.”
Agreed, but do you have any idea at many things you simply just have not yet looked thoroughly enough to see, that they also lied?”

I’m old as I was born in 1966 and my father was a Software Engineer. I came in contact with computers in the early days, since I was 8, and was already programming when I was 12. I’ve seen the early days of the CCC and I know a bit about the history of computers and their origin, from the early looms with punched cards to the German dominion of computer technologies before they decided WWII was a good idea. After Germany lost WWII, the Allied forces basically plundered the German computer technologies to use them for themselves. Because Germany was far ahead on everyone else. After all, the first higher programming language, Plankalkül, was originally created by a German developer and used on German mainframes.
As for the Internet… Well, this actually started as a military project (DARPA) and to get more people working on it, the technology was also shared with many universities in the USA to get more developers working on it. At one point, it also became a major part of NASA and then more and more companies and industries started to join the project until it developed into the World Wide Web as we know it since the 1990’s. But it’s primary use has always had a military aspect, and later State Control. Well, mostly the USA.
As for security… Well, it doesn’t matter which browser you use. Your security is in danger as soon as you start sending signals to your provider. If you want a bit more security then you should install this in your router or get a local VPN server that will block certain domains and IP addresses. But this should be in your home and you need to get it from some source that you absolutely trust. DuckDuckGo would have been an option, if they had not lied to the public. But as I said, one small lie about such a sensitive topic is enough to distrust them forever.
But more importantly, if you want your communications to be secure then you would need a peer-to-peer connection with others and use an encryption method with asynchronous keys. You would send the public key to your friend and your friend sends his public key to you. You then use his public key to send messages to him while he uses your public keys to send messages to you. Because these messages can only be read by someone with a private key, you know that only one person can actually read these messages. You just have to make sure that you have the real public key from your friend as a man-in-the-middle attack works quite well if you don’t.
Suck communication tool is not difficult to make but the challenge is just validating these keys. With the Web and SSL certificates, this is done through a layer of trustees who digitally sign the key. If the key is valid then the key should be from the proper source mentioned in it. And with SSL, certificates are validated with the domain name through various means, where the person who owns the domain has to prove he’s the owner to the trustee. A complex process, yet generally reliable. If you check if the certificate is from the trustee…
But the problem is that if you really want something secure, then you might have to write something yourself. It’s not too difficult to write peer-to-peer encrypted communications but the question is always whom to trust. And my philosophy is simple: trust no one! But always evaluate the risks you might have and consider if it’s worth taking these risks…
For me posting here, for example, is also such a risk evaluation. I’m sharing my opinion here, knowing that it can be used against me. I use my name, knowing people might start to look more information about me. I have a profile picture that shows what I look like. And I think this is enough information for others to find my Facebook account, Twitter, Google and my personal website. Probably my LinkedIn account too. Maybe even my Fiverr account and other data. So, how easy would it be for people to find all of this? Well, not too easy, but possible…
But then my thoughts are about large schools of fish. You have these schools with thousands of fish swimming close together and a hungry predator swimming in the area. But a fish in such a large group is not easy to notice as an individual so a predator going after one is likely to get one of the thousands of others. If you would swim alone, you would be their sole target and you’d need to hide. But in the school, you can swim in the open, knowing others might alert you of any dangers.
The Internet is like this school of fish. There’s dangers out there, but the chance of getting picked as target is slim. You need to attract the would-be attacker in some way. So, would anyone be really interested in you and what you do? Well, maybe if you’re a celebrity or important politician. Or if you’re high up in some military command or are in control over a large organization. But the average person living a normal life with his wife, two kids, a dog and a house with a tree in the garden? Boring. 🙂
Well, unless you’re selling meth and have a secret meth lab in your cellar where you make that stuff Walter White made in “Breaking Bad” with it’s blue color. Then you’d be a target for the FBI and the Drug cartels… 🙂
Anyways, TL;DR… What I’m saying is that you need to understand security in details to know how to be secure. So if you feel you need better security then you have to learn, not trust any marketing campaigns from companies like DuckDuckGo. Those companies are trying to sell products to you, and are likely to collect any data about you…
ThomasMann – 22 hours ago
Thank you for your thoughts, but I must admit none of them changed my opinion about security while using the internet… My thinking about security is more concerned with the future, when the speeds will reach completely different dimensions with quantum computing. Then someone’s image on the net of being a family man with two kids and a house will not make you any safer, cause they will simply survey EVERYBODY! And the algorithms will sort out those that are of interest.
As I happily have better things to do, I neither use facebook, nor twitter nor any other of those toys. I do not even own a phone! But, in the end exactly that will make me a suspicious suspect in the thinking of the controllers.
Unlike the ideas of the founders, digitalisation will NOT bring about a secure privacy. It will bring a about the exact opposite: total control of the individual by the authorities in power, governmental or others. Corona and the digital health pass on your phone, which in turn is advanced to a “safe traveller” concept, were the test run. Facial recognition opens up possibilities that we are told are already abused by the “evil chinese”, when in reality western “civilisations” do exactly the same thing, or at least are learning how to use them more and more.
And there is nothing that will stop them. I f.e. have made sure that no actual picture of myself has ever or will ever exist in the net, my name is unknown at google.
It is not that I have much to hide, I really do nothing considered illegal at present, or a danger to any state. I simply find it “distasteful” to have the primitive half-monkeys that run “our” “free” societies even know about my existence. As I mentioned , the problem is not the present, the problem are the possibilities that the future will bring. When having kept your anonymity may turn out to be useful…

“You would send the public key to your friend and your friend sends his public key to you.”
There you have the problem. If you already came to the attention of the algorithms, then there is NO way to get that code to anyone safely, not even via snail-mail through the post-office…

“With the Web and SSL certificates, this is done through a layer of trustees who digitally sign the key.”
Everyday I check on exactly this website what is possible by those who want to circumvent stuff like that. The difference between us is, that I do not play a game called security, I am only interested in what actually is, which is NO security. As Ross Ulbricht and others said, p2p is a possibility. I occasionally started using it about 15 years ago… but I still cannot see any progress on that front. And… once it becomes a widely used too (if ever), then how do we know that authorities will not find a way breach that too?

“I have a profile picture that shows what I look like.”
For your sake I hope that is a lie….

“But a fish in such a large group is not easy to notice as an individual so a predator going after one is likely to get one of the thousands of others. If you would swim alone, you would be their sole target and you’d need to hide. But in the school, you can swim in the open, knowing others might alert you of any dangers.”
Just because that example is repeated everywhere, does not make it any more logical. When a big fish eats, he simply opens his mouth and grabs what ever is there in the swarm he has found. Your chances of being part of those that are not swallowed are smaller than your chances are at swimming alone. Why would a big fish be bothered to make the effort to get one small fish….?

The real problem are the attempts of abolishing cash… If you depend on digital money and can only pay with your phone… And only as long as the government does not interfere with the money in your account…… as the chinese are already doing. And not only the chinese.
Sadly enough that already works. The financial world, big data, media, politicians and of course the WEF are working on it. And as I mentioned the “Safe Traveller Program” has already started to grow…

You know this one?
https://wauland.de/en/projects/informational-self-determination/
Wim-Katje – 20 hours ago
Well, what will be the future of security? Well, computers are becoming more powerful and can process large amounts of data and find information inside all of this data. If this is done through quantum computing and artificial intelligence isn’t that interesting. The fact is that we all send Data about ourselves and others to the Internet, where it could be processed by anyone who gets access to it. And using this data, they can collect all kinds of information about us all.
For example, there’s facial recognition software that has been trained using millions of selfies posted by people online. As a result, the AI can recognize faces in pictures. But connected with the data, it could also identify a lot of people by tracing the origin of this data and following the connected data.
This basically means that anything you post online can be used against you. If you want to keep something secret then keep it offline. But then there’s the additional problem that people use software that will send data to servers on the Internet for various reasons. Microsoft OneDrive, for example, will synchronize your local data folder (and more!) with servers owned by Microsoft. Other software might use various Web API’s to help process data, like AI tools that e.g. identify objects in pictures. But even built-in error reporting in various applications and automatic updates will send data to servers online. So even a Linux system could be compromised because you installed an application that has automatic updates.
My problem is that I depend on the Internet for most of my work, even though my work is mostly about privacy protection. I need to make sure that the projects I work on won’t leak any sensitive data online. This also means that I need to be familiar with various social media, including Facebook and Twitter, just to know how dangerous these media really are. I even use several different accounts with made-up names and completely fake histories to see how much search engines pick up about these accounts.
Very interesting to see how most of these fake names ended up at CrunchBase, as that site is well-known for collecting lots of personal data. And while this is probably someone else, they do have a profile of someone named “Thomas Mann” at https://www.crunchbase.com/person/thomas-mann :O
Important to remember is that others might share information about you online, or share information about someone with the same name online! So when you apply for a job somewhere and your employer Googles your name, then they might end up there and see this specific profile…
Which is good, as it has a picture that doesn’t look like you, right? 🙂
I also know that there are many other websites that will sell all kinds of information online. I found a website called webtechsurvey’ that has information about one of my fake accounts because I used the name of this account in the header of websites I’ve been developing. As a result, they knew which websites are related because they share headers. Interesting! 🙂 Also shows how a simple header could already hurt your privacy…
That wauland.de site does have a good article as it points out that people need to be protected against data misuse. But as anyone on the Internet can collect all this data, this would not be easy. Especially when you realize how all this data goes through various channels online, through various providers and servers. We all fear governments and large corporations will steal and misuse our information, but it’s more likely to be individuals and small companies, plus various hacker groups, who will misuse this data as no one keeps an eye on them.
As I said, CrunchBase seems to collect a lot of sensitive data about people, without their permission. So does WebTechSurvey. And many other smaller companies. Yet everyone looks at Google and Facebook, while those companies are closely watched over by the public and many governments.
Then again, I use various social media to actually research how easily data gets leaked online. And one of the things I’ve noticed is how people tend to steal identities from others. Or how sites try to connect various data together to build profiles of people and companies. A site called “closelyhq” managed to connect some of my fake accounts together, with some other people and several companies, They did this by scraping data from LinkedIn and Facebook. Including data that others shared about my accounts! So even if you don’t use social media, your friends, colleagues, employer and family still might and thus expose your privacy…
Which is why I do use social media, yet don’t really use it. These social media accounts will alert me about funny things regarding my privacy…
Which is another funny thing, as my fake accounts also have email addresses related to them. And I receive spam on those mail accounts from people who want to offer services. And yes, that includes Nigerian princes and people claiming they put malware on all my devices and collected all kinds of dirty things they’ve seen these fake people do… Yeah, right… 😀
And that’s another thing… I have multiple domain names and for every site where I have to register, including this site, I will use an alias and keep tract of this alias and the site that it’s linked to. So every site I register has a different, unique email address for me. This is also very useful to detect sites that leaked my email address to others. These include LinkedIn, Twitter, Amazon and Adobe among the bigger names. But also a lot of smaller websites, who did not have the proper security set up!
So, overall, I’m pretty experienced with the issues of privacy and the Internet. Simply put, online there’s no privacy as all you put online gets shared with the whole World. The only protection you have is to be as boring as possible so you won’t get noticed between the billions of other people online. But if you are online then using misdirection and misinformation about yourself is very useful. Instead of just one Facebook account, you could create five of them. Each different from the others but with your real name and some real data, plus a lot of rubbish. Create a few more accounts with fake names and connect with those. This allows you to hide between it all.
Because the only other option to protect yourself is to stay away from the Internet. And that would include not having an account at BleepingComputer, which is still a security risk no matter how well they protect their data. One hack and someone might get your personal data including the email address you used to register, plus the IP addresses from where you connected to this site. (Plus timestamps, so they can connect that IP address with other sites visited from there!)
So, concerning my privacy, what would be my biggest fears? Not my government, as I can vote and thus control my government. (And protest against them when voting did not work.) Not the big companies like Google and Facebook, as they have way too much data to sift through. I’m not interesting enough for them. Being boring is also very useful to protect yourself!
As you said, a big fish opens his mouth and chomps a lot of little fish in one gulp from a large school. But none of those little fish were a specific target as the big fish just can’t focus on a specific individual. It just bites and hopes to get a few. If you’re unlucky, you get eaten, yet most will just escape so the risks in the school are not that big.
Anyways, it works both ways. The Internet can also be used AGAINST the government. While China tries to control the finances of it’s citizens, the same citizens can use the Internet to share all the dirt they know about their government and encourage protests and even revolts against their current leaders. The same is true about banks and other companies. People can share reviews and opinions about them online and thus have a severe impact on them…
Which brings me back to DuckDuckGo, actually. A company that claims to value privacy so many people started using it. Then the truth got exposed about them using trackers and sharing data with Microsoft and they get exposed for this after several researchers discovered this. And they might violate privacy in other, hidden ways that have not been exposed yet. DDG is trying it’s best to hide those secrets, if they have any. And we want to believe that they protect our privacy, so we allow them to hide secrets. Which is a bad thing, actually. Is DDG allowed to hide secrets? To have privacy, as a company? Or should they be completely open about how they work?
So, there’s a trade-off here. The Internet is for us all to share information with one another and each of us has some influence about the data we share. And we all have to learn how to control it. We should not rely on others to keep our privacy as that requires us to trust them. It’s weird to trust DuckDuckGo and not the Government or Google, because they all collect data about us. So you need to know how to stay secure online. For example, by using a proxy server to hide your origin. (Which requires you to trust the proxy!) And by using multiple accounts that are hard to connect to one another. I use my fake accounts for this purpose so one day I use Google as Wim, then as Marcus, Bianca, Janine, Berthus, Alicia or some other account. And important: know the risks you take with everything you do online!