We present the first extensive measurement of the privacy properties of the advertising systems used by privacy-focused search engines. We propose an automated methodology to study the impact of clicking on search ads on three popular private search engines which have advertising-based business models: StartPage, Qwant, and DuckDuckGo, and we compare them to two dominant data-harvesting ones: Google and Bing. We investigate the possibility of third parties tracking users when clicking on ads by analyzing first-party storage, redirection domain paths, and requests sent before, when, and after the clicks. Our results show that privacy-focused search engines fail to protect users' privacy when clicking ads. Users' requests are sent through redirectors on 4% of ad clicks on Bing, 86% of ad clicks on Qwant, and 100% of ad clicks on Google, DuckDuckGo, and StartPage. Even worse, advertising systems collude with advertisers across all search engines by passing unique IDs to advertisers in most ad clicks. These IDs allow redirectors to aggregate users' activity on ads' destination websites in addition to the activity they record when users are redirected through them. Overall, we observe that both privacy-focused and traditional search engines engage in privacy-harming behaviors allowing cross-site tracking, even in privacy-enhanced browsers.
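An added illustration (not the paper's own code or methodology) of the kind of check the abstract describes: given the ordered URLs of one ad click, it lists the intermediate redirector sites and the landing-URL parameters that look like unique IDs. The sample chain, the hostnames, the `clickid` parameter name, and the length and entropy thresholds are all constructed assumptions.

```python
import math
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: one ad click, from results page to landing page.
SAMPLE_CHAIN = [
    "https://search.example/?q=running+shoes",
    "https://search.example/ad_click?id=7",
    "https://click.adnet-one.example/r?dest=shop",
    "https://track.adnet-two.example/go?n=1",
    "https://www.shop.example/shoes?utm_source=search"
    "&clickid=Zx81Qp7LmT0aVb3Nc9Rk5WdE",
]

def site(url):
    """Crude site key: last two host labels (assumption; real measurements
    should use the Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_id(value, min_len=16, min_entropy=3.0):
    """Heuristic (assumed thresholds): long, high-entropy values are
    candidate per-click unique IDs."""
    return len(value) >= min_len and entropy(value) >= min_entropy

def analyze_click(chain):
    """Return third-party redirector sites on the path and ID-like
    query parameters delivered to the landing page."""
    origin, dest = site(chain[0]), site(chain[-1])
    redirectors = []
    for url in chain[1:-1]:
        s = site(url)
        if s not in (origin, dest) and s not in redirectors:
            redirectors.append(s)
    query = urlsplit(chain[-1]).query
    ids = {k: v for k, v in parse_qsl(query) if looks_like_id(v)}
    return {"redirectors": redirectors, "id_params": ids}

if __name__ == "__main__":
    print(analyze_click(SAMPLE_CHAIN))
```
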