IP address, User-Agent string, Referrer URL, Requested URL, Language, Locale, Screen resolution, Time zone, System time, Installed fonts, Installed plugins, Cookie data, Browser fingerprint, Canvas fingerprint, WebGL fingerprint, AudioContext fingerprint, Mouse movements, Click paths, Keyboard input timing, History sniffing, DNS queries, Destination IP addresses, HTTP traffic content, HTTPS metadata (host, SNI, timing), MAC address, Query parameters, Session ID, Login status, User account info, Geolocation (via IP), Geolocation (via browser API), Page interaction data, Time on page, Scroll behavior, Clicks, Form submissions, Browser type, OS type, Network provider, Client ID (_ga cookie), Session ID, Timestamp, Pages visited, UTM parameters, Interaction events, Google Ad ID, DoubleClick cookie (IDE), Cross-site behavior, Cross-device behavior, Inferred demographics, Mouse tracking, Scroll depth, Video interactions, Audio interactions, Session replay, Keystroke logging, Facebook login status, Pixel events (Meta, LinkedIn, etc.)
If you want to avoid that, you need to make a real effort (not just using DuckDuckGo). The Tails operating system might be a good place to start.
You may assume that they collude, or not.
And remote servers are outside of your local network and thus cannot see these values, either.
It mixes voluntary user actions, like submitting forms and “query parameters”, with things like “WebGL fingerprint” which we agree is evil sneaky fingerprinting.
I agree tracking is a serious problem, but this list isn’t contributing to any discussion.
It is scary where we are, but you can't solve it by dismissing it as FUD.
Just using Firefox with uBlock, no history, and privacy settings on max, through a somewhat trustworthy VPN like Mullvad will make your data mostly useless. Yeah, "they" could still catch you in a million ways, but if your threat model revolves mostly around surveillance capitalism you'll just be too much of a hassle to matter.
For stopping tracking, uBlock Origin.
And yes I still use uBlock on top on desktop.
As in:
DuckDuckGo is a search engine you can go to from any browser, such as but not limited to the Chrome browser on various platforms.
DuckDuckGo is also a browser for mobile phones. It's an app you can install e.g. https://play.google.com/store/apps/details?id=com.duckduckgo.... You can then, if you want to, use Google Search exclusively from within that DDG browser ;)
DuckDuckGo is also a plugin for desktop browsers (e.g. for Firefox: https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-fo..., find the equivalent for Chrome on the webstore ...) that you can install. You can then exclusively use the Google Search engine while having the "DuckDuckGo Search & Tracker Protection" plugin installed if you so choose.
>make a new law
>they just move elsewhere
how??? tell me
On the other hand, I think a great firewall would be useful to the US and especially the EU, to be able to enforce their laws even better.
This only works if your business is located in the EU; no one stops EU people from visiting a US site and still getting tracked.
Just visited www.vmware.com. Site is located in the US. Company is located in USA, and OneTrust's cookie banner welcomed me, and allows me to make choices.
a) Show the cookie banners if somebody is coming from a GDPR or GDPR-compliant country, since it's required by EU law and these GDPR-compliant laws.
b) You geofence your site and prevent access.
So, in practice, regardless of whether you sell anything or not, if your site, proverbially, touches European soil, you have to show these choices.
Just like they will prosecute you for scamming EU citizens, for hacking EU citizens, for impersonating EU citizens, and anything else you can do to EU citizens while being located somewhere else.
we plebs, who buy their frontier stuff?, just don't know any better.. and then one day, after living in the frontier/futureland sufficiently, it clicks, we recognize we are being had..
then we organize, we get politicians to fight back the tide of abuse..
and it's our time to correct things, make the abuse illegal..
good luck fellow plebs..
knowing how the system is rigged in so many dimensions, i don't have much hope..
but we can dream right?
When you break a law, it doesn't magically summon an LEO and judge to catch you in the act and give you the proper penalty, so words in a code is not a deterrent. The deterrent is knowing someone will hunt you down, getting thrown in jail, it's fines that hurt your bottom line.
Yes, our society places a premium on policing break-ins very harshly. Police have huge budgets for street crime & judges have harsh penalties available to them. White collar crime, like financial crime or breaking what little privacy protections are on the books? Not so much... So, again, you can't just make a law. You also have to have groups empowered to enforce the law and dole out punishments heavy enough to act as a deterrent.
The hyperscalers are a notable exception to that but the larger a company is the more likely systemic illegal practices are to get exposed.
How about this, I set a preference for some stuff I am interested in and that’s what they can show me.
3-letter-agencies.gif
This is basically it. GDPR is a stupid unenforceable law, and should be wiped from the books. Try again with something new.
China has a ton of laws aimed to suppress political dissent, and a good chunk of their laws/regulations would be even more unenforceable if they adopted an EU style approach. Of course, China means business, so they just go ahead and deploy the sledgehammer: you are banned from China unless you comply with the law. You typically can't even read the letter of the law and implement what it says verbatim; if you violate the spirit of the law (that is, don't disseminate anti-CCP content) you will still get the banhammer.
It's all about what political capital you're willing to give up to enforce the law.
Many "cookie banners" have finally started to work in the EU. Once you deny PII processing, many sites don't load GA etc. The time of malicious compliance is starting to pass. Some sites have figured it out and realized they really don't need personalized analytics and have replaced implementations with privacy-respecting ones (e.g., Plausible). This lets them remove the dark-patternish banner, and no additional consent is required as all data is pooled together and one person's actions truly can't be singled out.
GDPR obviously has other good effects but as PII processing through cookies is what most people know, I chose that as an example. Email tracking links & pixels are another good example.
There's also a big difference between 2018 and 2025 when discussing GDPR in work contexts and saying that implementing this or that tracking would be illegal.
It's a slow process, but it's working as intended.
If they get caught lying (and that tends to happen in the end) that's another violation that is taken seriously nowadays.
For example, my e-mail server started picking up messages from DELETEDmyname@mydomain.org. Making it pretty clear a company did not respect my wishes to completely delete all data and user account references. They simply changed my email in the DB.
The way you phrase this is expressly non-compliant with the GDPR, because what you're describing is an opt-out. To be compliant, websites should only load GA etc after you accept PII processing.
That's the only mechanism one can use to really be compliant as GA (and other providers) stick identifiers onto the session as soon as the script has been loaded.
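An added example, not part of the thread or any vendor's code: one way to gate an analytics tag behind explicit opt-in, as the comment above describes, so the script element is never created before consent. The URL, the `analytics_consent` storage key and all function names are hypothetical; the fake document and store are constructed stand-ins so the block runs under Node.

```javascript
// Placeholder URL (hypothetical), not a real analytics endpoint.
const ANALYTICS_SRC = "https://analytics.example/script.js";

// doc:   anything with createElement() and head.appendChild() (the browser `document`)
// store: anything with getItem()/setItem() (e.g. localStorage)
function createConsentGate(doc, store, src = ANALYTICS_SRC) {
  let injected = false;

  function inject() {
    if (injected) return false; // never add the tag twice
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
    injected = true;
    return true;
  }

  return {
    // Page load: inject only if an earlier explicit "granted" is stored.
    // No stored value means no consent, so nothing is loaded (opt-in).
    init() {
      return store.getItem("analytics_consent") === "granted" ? inject() : false;
    },
    // Banner "Accept" button.
    accept() {
      store.setItem("analytics_consent", "granted");
      return inject();
    },
    // Banner "Reject" button or later withdrawal. An already-injected script
    // is not unloaded; the stored choice takes effect on the next page load.
    reject() {
      store.setItem("analytics_consent", "denied");
      return false;
    },
    isLoaded: () => injected,
  };
}

// Constructed stand-ins for `document` and `localStorage`.
function fakeDocument() {
  const added = [];
  return { added, createElement: (tag) => ({ tag }), head: { appendChild: (el) => added.push(el) } };
}
function fakeStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a browser, pass `document` and `localStorage` and call `init()` once on load; the banner buttons call `accept()` or `reject()`.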
Google analytics??
9: <script src="https://test-v1.adriaan.com/script-v1.js" async></script>
https://test-v1.adriaan.com/simple.gif?type=event&hostname=t... Gecko/20100101 Firefox/128.0&version=test-2025-04-22-v2&event=onload&path=/blog/google-is-tracking-you-even-when-you-use-duck-duck-go&referrer=&session_id=ab6ceafa-47c1-48e4-b26b-79148e625a15&metadata={"beacon_ok":true,"keepalive_ok":false,"ts_ms":1752496007219,"send_method":"image"}&t=1752496007219
So the correct title must be: "We track you when you're reading about Google tracking you (even when using DuckDuckGo)."
This is slightly incorrect. By sending a request from your business website (SimpleAnalytics) to your personal domain (Adriaan), you actually transfer personal data. In this case, it’s the IP address, which according to GDPR is considered PII.
Taking into account the scope of privacy terms provided on your business website, it doesn’t include data sharing with your personal entity through your website. So this is basically illegal, unless adriaan[.]com belongs to and is operated by the SimpleAnalytics company.
Did you mean Personal Data?
https://techgdpr.com/blog/difference-between-pii-and-persona...
> When organisations seek to protect their user’s data, it is necessary that they understand the data they need to safeguard. Personal data, in the context of GDPR, covers a much wider range of information than personally identifiable information (PII), commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII.
When you say PII in the context of GDPR you are simply using the wrong term.
You can read it as both PII and personal data, and it doesn't change the fact that this data sharing is out of scope of the company's Privacy Terms.
You are sending the user agent, path, referrer, a session id + the IP (which is automatically sent) to your personal server and also using a different domain to track users who have ad blockers installed. Even Google Analytics does not use random domain names to track adblock users (yet).
Perhaps the name should be "IronyBrands"
And many VPNs also offer an option to block trackers and ads before they get to you.
So any client-side request to a known URL is just blocked. So only server-side would work.
yegg•6mo ago
We’ve been sounding the alarm about Google Analytics, Tag Manager, and other Google trackers for years, and that's why we started making our own extensions and browsers to block them and provide more comprehensive protection. On our homepage and everywhere else we can, we try to get people to install those to get that additional protection, which you can compare here: https://duckduckgo.com/compare-privacy
FabHK•6mo ago
Furthermore, I don't see any intimation in the article that Google owns DuckDuckGo.
All in all, it seems you and the article are on the same page.
nottorp•6mo ago
They could have done a marketing blog post about the evils of Google Analytics without dragging DDG into this...
bentlegen•6mo ago
https://counterscale.dev/
Unlike Simple Analytics (the post authors), you deploy Counterscale to your own Cloudflare account and control the code + data end-to-end. It also uses no cookies, has no browser fingerprinting, and has no monetized SaaS offering.
It only has 90 days retention though, which could be viewed positively.