Last night, a horrific attack took place. Neighbours had called police to report screams and loud banging coming from the flat above. Sadly, when the authorities arrived, there was no screaming. There was no banging, only silence.
It was too late.
When police entered the flat, they found a woman in her late teens beaten and bloodied. She lay lifeless on the floor in the kitchen.
It was too late. She was dead.
This wasn’t the first time someone had called to report a violent incident. The woman’s post mortem indicated numerous injuries, sustained from years of abuse — broken bones that didn’t quite heal straight, unhealed fractures, sprains, etc.
A look at the girl’s medical history showed numerous trips to the emergency department for various cuts, bruises, fractures, and internal organ damage. To make matters worse, she was pregnant.
You see, when police arrived, they found a piece of paper with a hastily scrawled address on it.
It was the address of a nearby women’s refuge. She was trying to get out, but was too late.
The man responsible for her murder, her partner, is thankfully in custody. He was a paranoid, unemployed IT worker who was, according to the police report, intoxicated at the time.
When the police questioned him, the man admitted he knew she was about to make a run for it. How did he know she would run? Easy. He regularly monitored her Internet usage and saw a Google query for the local women’s refuge. He confronted her and lost his temper.
He didn’t mean to kill her, he said.
She would have likely made it to that shelter if she had used https://www.google.com. Think about that when you’re moaning about not being able to see referral data.
The above story is fiction, but it is based on at least two real cases I know of. Many people seem to think the removal of the referral data was meant to aid privacy. In reality, it’s an unfortunate side product, albeit one that Google seems happy to promote as a feature instead of a bug.
The genuine privacy benefit of moving to HTTPS is that it stops people on the networks between the user and Google's servers from accessing queries and the results of those queries. Around the world, this will help increase access to information and provide some level of protection.
Overall, this is a positive step and one that Google has taken prior to having it enforced upon them by authorities. Many, including myself, believe it’s something they should have done 5 years ago and are already too late. For others, it’s throwing the baby out with the bath water and the referral data issue should be solved before enforcing https. Of course, a third group just thinks Google is a corporation and it can do what it wants. They are probably right.
In the past, people have suggested it should be opt-in, but in my fictitious story, the girl would not have known to opt-in. She certainly wasn’t going to ask her partner how.
It’s not the only situation where this comes into play:
- Someone seeking news of their brother or sister in Iran
- Soldiers in a war zone seeking more information about a natural disaster that hit their hometown
- Finding information and locations where people can get help during genocides or persecution
- Even SEOs looking for donkey porn
I, like most people, want Google to continue to provide referral data and I hope to see the system they are testing with their AdWords customers rolled out, even if it means passing a UTM string of their choosing instead of mine. But I agree with them: rolling out https as a standard is worth it. Even if it saves just one life. EVEN if it causes you and me some inconvenience.
After sending this to a couple of friends to proofread, a couple of queries came back:
- Wouldn’t he have seen q= in the query string? Initially I was under the impression no, as Google would realise this and, under https, use POST rather than GET. It turns out that “encrypted.google.com” uses GET. However, reports say Google is rolling out POST on https search requests, and I assume these will become the default.
- Wouldn’t adding additional query string parameters cause issues for sites? Yep, that’s probably why Google hasn’t rolled out tracking to normal search results.
- From the comments: They are deliberately dropping the referrer on SSL as well? This is not the case on encrypted.google.com, but some reports from Google “never speaking officially” Matt Cutts implied the new system would. Unofficial comments I’ve had are that it’s not the case but something that is a “potential” in the future (presumably once a better solution for current issues is found).
A thought did pop into my mind: what if Google also introduced https for cached results, sending the data via a POST request? How would authoritarian regimes react? I’m guessing badly, so perhaps this will be the start of a truly fragmented web.