Founder/CEO of DuckDuckGo here. This title implies we are injecting third-party advertising into web forms, which is not the case. (Edit: that last sentence is now moot since the title has been updated. Thank you.)
This is part of the onboarding for our optional DuckDuckGo Email Protection feature that comes with the extension. (Note if you just use our private search engine, you do not need our extension at all.) The feature generates email aliases for you on sign up forms (so you don't give out your real email address), which then forwards to your regular inbox with email trackers removed in the process: https://spreadprivacy.com/protect-your-inbox-with-duckduckgo.... It is mentioned in the add-on description as one of the extension's primary features, e.g., at https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-fo....
(x-posting part of another comment here for context on this feature: Popping up a level, the goal of our product is to be the "easy button" for privacy, and email protection is a big part of it, since as we (and others) have gotten much better at web tracking protection (e.g., see https://help.duckduckgo.com/duckduckgo-help-pages/privacy/we...), unscrupulous actors have done more and more email tracking, using your email address as a unique identifier to track you across sites and putting email trackers within emails to do similar.)
Update: I am listening to the feedback presented here, though please know there is a whole team of people working on this feature, trying to bring needed email protection to our mainstream user base. Email protection as a concept is hard for people to understand and the team felt that this in-context onboarding was the best way to explain it. However, we will now revisit this given the feedback.
So, it's an ad for a service where email goes through your servers before reaching mine, for the purpose of removing tracking and hiding my address. This isn't onboarding, this is cross-promotion of another service and it's really F'ing gross.
Messing with the integrity of a web page's content without your users' consent is a gross violation of trust. Doing it inside of a browser extension is adware. Doing it as a privacy-focused company is... a fast way to destroy your image as a privacy-focused company.
If you're manipulating the display of a page that I'm visiting, without an opt-in, and you're being shady about calling it advertising, why should I expect that you're going to treat email with the level of integrity required/expected?
This is a hard red line that you've crossed, especially as a privacy-focused company, and instead of backing down, you're blaming your UI design? Stop. There is no amount of UI work that makes it OK to silently insert your ad into someone else's content.
If you want to cross-promote (please don't, but if you must), you need to do it in a way that makes it clear it's coming from the extension, and not manipulating third-party content without user consent. The second you start inserting your message into a page that I'm reading, is the second that I uninstall your extension and never use it again.
Which is a shame. I like your search product, and I thought that I liked your company's philosophy and goals. Oh well.
I installed this extension a long time ago, as a browser tracking protection tool similar to PrivacyBadger. I think it is objectionable that the nature of the extension has been changed to one that injects notifications into the contents of the webpages I visit, with the only alert to me of that change being the injection of notifications into the contents of webpages I visit.
And for what it's worth, I use a password manager and have used a few over the years, and I've never encountered such an obnoxious UI from one.
> This title implies we are injecting third-party advertising into web forms, which is not the case.
It's okay everybody, the CEO came out and said it's *not* actually advertising but just simply an unsolicited, intrusive pop-up that tries to get users to use more of their services so it's all good!
Happy DDG user who also hates extra popups while browsing here:
I think this only happens if you install the DDG extension. So it's not exactly unsolicited.
I totally get DDG wanting people to be aware of their services. I use their email proxy service and it seems like a solid addition to their portfolio. For me, anything that requires additional action or distraction when I'm just trying to do this one quick thing gets disabled / removed.
How often are people actually signing up for things? Maybe this could be a separate extension or at least have an easier way to mute the injected ad?
It's literally what the extension does and what it's for.
It's a bit weird to call intended functionality for something you install explicitly for that purpose an "ad". Let alone an "obnoxious" one.
I mean, how else would you expect "email protection in the browser" to work at an extension level, other than the extension triggering a message with more information when you're about to type your email?
I think I should clarify that I installed this extension quite a long time ago, and it has never served an unsolicited inline notification to me of any kind. The stated purpose at the time was website tracking protection, similar to something like PrivacyBadger, and that's what I use it for. It added a small button to my extensions menu that I can click to see some information about the website's requests and turn tracking protection on or off. The behavior I am criticizing in this post is not what the extension was for when I installed it, and it's not something it's ever done before.
I think it would be reasonable to notify me about this new feature in a less disruptive way, like from the extension's existing information pane. Inserting that inline into the websites I use isn't the only way to notify me, but it does seem like the most obnoxious way to do that.
Thank you for the response. I have edited the title to clarify it is a first-party advertisement for a DuckDuckGo service being placed alongside web forms.
Seeing this notification appear once, in the extensions area as a popup from the DuckDuckGo extension, would feel much less outrageous. It does not feel like onboarding, it feels like an ad. It is an unexpected disruption of my browser's usual behavior.
Thank you, though I still don't think it is fully clarified, i.e., a "DDG ad" could still be a third-party one.
I understand your concern though and again will take it to the team. Popping up a level, though, the goal of our product is to be the "easy button" for privacy, and email protection is a big part of it, since as we (and others) have gotten much better at web tracking protection (e.g., see https://help.duckduckgo.com/duckduckgo-help-pages/privacy/we...), unscrupulous actors have done more and more email tracking, using your email address as a unique identifier to track you across sites and putting email trackers within emails to do similar. So, when you sign up for forms online, to escape this tracking, you really should be using a per-site alias, as well as using a service that strips email trackers from emails so you aren't tracked on email open.
I use DDG search as my daily driver. I want to support you and your mission. A simple “buy us a beer” link would probably get me donating/paying. However, this report of your extension adding interruptions to forms has guaranteed I will never install your extension and strongly puts me off even trying your browser. It’s an abuse of the privilege your users grant you and you should stop it. It makes you look like you’re watching your users.
I am almost at the HN character limit, so it's a challenge to accurately describe in the title that DDG inserts its logo with a pop-out notification, requiring two clicks of interaction to dismiss, asking me to utilize another DuckDuckGo service in my inbox. I've altered it to "an inline popup," which I think is at least a more accurate way to describe this than an onboarding message (which wouldn't fit anyway). But frankly, as a user, to me it's an ad for another DDG service.
I've got no qualms with the product mission for the email tracking protection, I think it's a great one and I already utilize other email tracking protection myself. I made this post because I really like DuckDuckGo and I was just so astounded at this behavior. I tell everyone to "just use the duck website" because I really do believe in your stated mission, and I hope this post doesn't set off too much bandwagoning. My concern is voiced from a standpoint of support, not negativity. I really appreciate the opportunity to exchange this feedback with you directly and especially to add to this post that I really do generally love what you're building. When it doesn't get in my face when I'm trying to work.
I hope this post winds up being useful feedback. The decision to ship this into the product is mystifying to me. I would agree with the other users saying this should be recalled immediately while any internal discussion about it is ongoing.
> The decision to ship this into the product is mystifying to me.
Yegg discussed it the last time email protection came up on the front page - rolling it out internally into their Android browser was the main goal, and the extension for others. The motivations are in the old HN posts. They could have rolled out a new app and extension, and maintained those on top of the current ones, but those would be extra codebases to maintain.
To clarify, the decision I find mystifying is the one to promote this via a phishy-feeling inline pop-up. The choice to incorporate email tracking protection into the product makes sense to me.
Yeah, considering how it has caught people off guard, a toggle in the settings, maybe an overview of it in a splash screen on their site, something before the actual form fill shows up. I'm curious if they discussed that much. It definitely would have kept the feature more obscure, so you can guess at the push back.
Long time DDG user here. I really like the search and the android privacy app. I just wanted to add my vote to what others have said.
You have a brand that requires trust. You've built up that trust slowly, and it could be destroyed so easily. To me this injection crosses a line of interfering with content that isn't yours. You are trusted to have access to this content, not to change/add to it. I get that it's not quite the same as 3rd party ads, etc. But it's an untrustworthy thing to have done.
As a happy long time user I'm currently still willing to give some benefit of the doubt about this being a misstep, and I'm hoping to see it corrected shortly.
But I think the value of the trust you've built up shouldn't be understated. It won't take many scandals like this and once the trust fades you'll never get it back. The bigger issue to address is not just how to fix this, but also how to fix the broken decision making process that allowed this to happen at all.
Someone else has said about having a core set of values against which everything is reviewed. How about an ethics committee of sorts to uphold those values? A group of beta tester users who don't just test things work, but also give feedback on whether new changes are aligned with your brand and core user base. (Email is in my profile if you want to discuss this idea, I'd be interested in helping.)
> To me this injection crosses a line of interfering with content that isn't yours.
Sincere question from someone who doesn't understand why we're freaking out: Why is this different to you than a password manager doing the exact same thing with password fields?
Here's what I see: someone installed the DuckDuckGo extension, which now has a new feature. That feature is best implemented by having a little widget that allows creating a new alias. Users who haven't seen the widget before wouldn't know how to use it, so DuckDuckGo added an explanation for people who click on it without having set it up yet.
Where was the line crossed? Do you object to having a widget at all? Is the problem having an inline explanation introducing the feature? Is it the phrasing of the pop-up?
I see a lot of visceral reactions and condemnations, but I don't see anyone explaining what makes this an ad and not onboarding.
For me it's about purpose and expectations. If I installed a password manager whose purpose is to inject my passwords into password fields, that's what I expect it to do. That's fine. I'm explicitly giving it permission to inject such content.
If I installed a browser extension to remove trackers from sites, I'd be surprised to find it adding in email onboarding buttons to every email entry form.
It may not be clear, but the email privacy thing is a new feature. I just checked back on the Chrome store and it does now make it reasonably clear that it's part of the extension now. Fair enough. But for those who had installed before, this would have come as a surprise when it suddenly started happening. The change of purpose is surprising. This reduces trust for a brand whose entire reason to exist is built on trust from a user base who are more than the average amount of paranoid.
If I installed a speech synthesis extension whose purpose was to read out the content of a web page, I would be equally annoyed if after an update it started verbalising extra words trying to encourage me to try out their braille books every time I browsed Amazon. Braille books might be just what the average user of a speech extension might want. But it's still a breach of trust to start modifying other websites' content for a reason you weren't explicitly given permission for.
If the password manager injected anything else than a "paste password" button, for example anything that is a different product by the password manager authors... yes, same thing.
DuckDuckGo has made it very clear over the last few years that they don't have multiple products—they have an all-in-one solution. You can dislike their bundling and wish you could pick and choose the component parts, but that isn't what they're offering and it's reasonable of them to view this as a tutorial instead of an ad.
I think that what’s more important than rethinking and ultimately reversing this decision is to explore the conditions that made this idea internally palatable in the first place. Perhaps features need to be tested against a concrete set of principles. Otherwise DDG may just slowly corrupt even if nobody actually meant for it to.
You're right. For an at least somewhat effortful, complicating feature like that to have made it out to release, it leaves the emergent sensibility of the organization in doubt.
> This post originally just said "injecting ads into web forms,"
> This title implies we are injecting third-party advertising into web forms
You're literally injecting ads for your own products into web forms.
You could argue that people might think that "injecting ads" means "injecting 3rd party ads", and that wouldn't (currently) be true. But if you're not allowed to say that you are injecting ads, when you are injecting ads, that's super gray zone: Don't say we're doing X (we're doing X) because it makes us sound like we're doing X+1!
I switched from DuckDuckGo to https://searx.be/ during the outbreak of the Ukrainian war because DuckDuckGo started censoring Russian sites [1].
Email proxies may be seen as a privacy protection, but it comes with a vendor lock-in: You cannot reset the password for that service without DuckDuckGo now. So those ads have commercial value to DuckDuckGo, you're no goodie two-shoes here.
@Yegg: Just curious, but I suspect your users will not understand that this might impact login on accounts when registering using an email alias. What happens if your service goes down or is discontinued?
How do you differentiate which form fields you should offer your services on?
DuckDuckGo has pretty much become one of the mainstream search engines. Normal, everyday users who find Google's surveillance off-putting because of its comprehensive nature probably think they are comparatively more private with something like DuckDuckGo. They will probably not react as strongly as power users or more privacy-oriented folk. So, I doubt the points of view on Hacker News are very damaging to DuckDuckGo.
I just wanted to chime in and say thank you for taking the time to come explain. The HN audience can be quite unforgiving, especially those who comment on things like this, but there are a lot of us who read what you say and understand where you're coming from. I personally very much appreciate your consistency in responding reasonably to complaints.
For myself, the pictures from OP looked much more like an onboarding tutorial for the extension's features than they did an ad, and I suspect that's how most people would react.
I appreciate your understanding of the issue, but please DO NOT take the outrage of a niche community of highly technical individuals as actionable feedback.
You can find a better solution I’m sure (maybe make it easy to switch off this injection permanently) but don’t be overwhelmed by the overzealous feedback of a community with a clear tendency to laser focus on a single detail while forgetting about the bigger picture.