Tim Nash "stuff" Blog

Can Google really prevent murders?


Last night, a horrific attack took place. Neighbours had called police to report screams and loud banging coming from the flat above. Sadly, when the authorities arrived, there was no screaming. There was no banging, only silence.

It was too late.

When police entered the flat, they found a woman in her late teens beaten and bloodied. She lay lifeless on the floor in the kitchen.

It was too late. She was dead.

This wasn’t the first time someone had called to report a violent incident. The woman’s post mortem indicated numerous injuries, sustained from years of abuse — broken bones that didn’t quite heal straight, unhealed fractures, sprains, etc.

A look at the girl’s medical history showed numerous trips to the emergency department for various cuts, bruises, fractures, and internal organ damage. To make matters worse, she was pregnant.

You see, when police arrived, they found a piece of paper with a hastily scrawled address on it.

It was the address of a nearby women’s refuge. She was trying to get out, but was too late.

The man responsible for her murder, her partner, is thankfully in custody. He was a paranoid, unemployed IT worker who was, according to the police report, intoxicated at the time.

When the police questioned him, the man admitted he knew she was about to make a run for it. How did he know she would run? Easy. He regularly monitored her Internet usage and saw a Google query for the local women’s refuge. He confronted her and lost his temper.

He didn’t mean to kill her, he said.

She would have likely made it to that shelter if she had used https://www.google.com. Think about that when you’re moaning about not being able to see referral data.

The above story is fiction, but it is based on at least two real cases I know of. Many people seem to think the removal of the referral data was meant to aid privacy. In reality, it’s an unfortunate side product, albeit one that Google seems happy to promote as a feature instead of a bug.

The genuine privacy benefit of moving to HTTPS is that it stops people on the networks between the user and Google’s servers from accessing query data and the results of queries. Around the world, this will help increase access to information and provide some level of protection.

Overall, this is a positive step and one that Google has taken prior to having it enforced upon them by authorities. Many, including myself, believe it’s something they should have done 5 years ago and are already too late. For others, it’s throwing the baby out with the bath water and the referral data issue should be solved before enforcing https. Of course, a third group just thinks Google is a corporation and it can do what it wants. They are probably right.

In the past, people have suggested it should be opt-in, but in my fictitious story, the girl would not have known to opt-in. She certainly wasn’t going to ask her partner how.

It’s not the only situation where this comes into play:

  • Someone seeking news of their brother or sister in Iran
  • Soldiers in a war zone seeking more information about a natural disaster that hit their hometown
  • Finding information and locations where people can get help during genocides or persecution
  • Even SEOs looking for donkey porn

I, like most people, want Google to continue to provide referral data, and I hope to see the system they are testing with their AdWords customers rolled out, even if it means passing a UTM string of their choosing instead of mine. But I agree with them: rolling out https as a standard is worth it. Even if it saves just one life. EVEN if it causes you and me some inconvenience.

Updates
After sending this to a couple of friends to proofread, a couple of queries came back:

  1. Wouldn’t he have seen q= in the query string? Initially I was under the impression no, as Google would realise this, and under https, use POST rather than use GET. It turns out that “encrypted.google.com” uses GET. However, reports say Google is rolling out POST on https search requests, and I assume these will become the default.
  2. Wouldn’t adding additional query string parameters cause issues for sites? Yep, that’s probably why Google hasn’t rolled out tracking to normal search results.
  3. From the comments: are they deliberately dropping the referrer on SSL as well? This is not the case on encrypted.google.com, but some reports from Google’s “never speaking officially” Matt Cutts implied the new system would. Unofficial comments I’ve had are that it’s not the case but is something that is a “potential” in the future (presumably once a better solution for the current issues is found).
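
An added example (not part of the original post, and not Google's code): a small JavaScript model of what a landing site can read from the Referer header in the cases debated in update 3 and in the comments below. It assumes the browser default of the time (no Referer on an HTTPS to HTTP click, the full referring URL otherwise); the function names and every URL are constructed for illustration.

```javascript
// Added illustration, not code from the post or from Google.
// Assumption: the browser withholds Referer on an HTTPS -> HTTP navigation
// and otherwise sends the full referring URL (the default when this was written).
// Every URL below is a constructed sample.

// Referer value the browser would send, or null if it sends none.
function refererSent(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  from.hash = '';      // the fragment is never included in a Referer
  from.username = '';  // nor are embedded credentials
  from.password = '';
  return from.href;
}

// What the landing site's analytics can recover from that header.
function landingSiteView(fromUrl, toUrl) {
  const referer = refererSent(fromUrl, toUrl);
  if (referer === null) return { source: null, query: null };
  const u = new URL(referer);
  return { source: u.hostname, query: u.searchParams.get('q') };
}

const CASES = {
  httpToHttp: ['http://www.google.com/search?q=local+library', 'http://site.example/'],
  httpsToHttp: ['https://encrypted.google.com/search?q=local+library', 'http://site.example/'],
  httpsToHttps: ['https://encrypted.google.com/search?q=local+library', 'https://site.example/'],
  // Search submitted by POST: the terms travel in the request body, so the
  // results URL (and therefore the Referer) carries no q= parameter.
  postedSearch: ['https://www.google.com/search', 'https://site.example/'],
  // Terms kept in the URL fragment, as with the "Ajaxy" URLs mentioned in the comments.
  fragmentSearch: ['https://www.google.com/#q=local+library', 'https://site.example/'],
};

function runCases() {
  const out = {};
  for (const [name, [from, to]] of Object.entries(CASES)) {
    out[name] = landingSiteView(from, to);
  }
  return out;
}

console.log(runCases());
```

The last two cases produce the outcome described in the Google announcement quoted in the comments (source visible, query absent), without claiming that this is how Google implements it. Current browsers default to a stricter policy that sends only the origin on cross-site clicks, so none of these cases would expose the query today.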

A thought did pop into my mind: what if Google also introduced https for cached results, sending the data via a POST request? How would authoritarian regimes react? I’m guessing badly, so perhaps this will be the start of a truly fragmented web.


18 comments

  • Jason Duke

    Tim,

    Great post, very controversial and very unreal and factually incorrect.

    If the boyfriend was an IT guy and has control of the network (which you infer) he could have taken the Google search query data any number of ways. Router level proxying etc etc etc. Google enabling SSL itself will not stop it and the uproar within the SEO community is NOT about Google enabling SSL.

    Let’s be frank here, SSL enabling the default web site is a GOOD thing.

    What isn’t a good thing is Google consciously breaking the referer information. Referer information is NOT broken because the referring site is run under SSL. SSL -> SSL will still send referer information by default (it’s browsers that send referer info, not the servers). What Google is doing is choosing to break referer information for “some” of the clicks they send out.

    The argument of security of users falls and breaks down at this point. We’ll protect users where we don’t earn money but will not protect users where we DO earn money.

    Just my tuppence worth of opinions – they’re worth exactly what you paid for them :)

  • Tim Nash

    I think it’s safe to say the initial part was fictitious, and as you say there are hundreds of ways to have accessed the data, not so much at the router level, which would be seeing the encrypted traffic, but at her computer level, which one assumes he would have had access to. Also, as I indicated in the post, the query she used would today have been done via a GET, not a POST request, so as the router owner today he would have seen the entire string going out anyway. In the future the scenario would be more plausible if they do shift to doing POST requests instead.

    Referrer data wise, as far as I’m aware, and this seems to be backed by Dan Thies’s post
    http://www.seofaststart.com/blog/ssl-search-referral-data

    as well as my own, SSL->SSL is still receiving referrer data. You are correct in saying this is on a per-browser basis, and Chrome, for example, is notorious for dropping data if you have a loop.

    The issue then is making sure the https version is indexed not the non http.
    But my original point was, and I suspect I didn’t make it clear enough, and unfortunately it is not helped by Google’s rather disjointed explanation, that the dropping of some referrer data is a by-product (albeit one they will be keen to exploit, I’m sure) of bringing the site under HTTPS. Now, when I start to see SSL->SSL forced through a clearing loop, then it’s time to bring out the pitchforks, but currently I haven’t seen any implications that this has happened.

    But let’s be clear: the privacy benefit is between the consumer machine and Google servers and the interactions here; what happens the other side is a by-product (unless they tweak it) of that and in itself is not providing privacy benefits.

  • Simon Mischler

    Sensationalist blog title.

  • Tim Nash

    True, but the title is also true. I’m sure Google could prevent a murder or two; not sure how many will be saved by SSL, but that’s not to say that it won’t. I’m sure that’s the excuse the Daily Mail uses for its titles.

  • Tara Dee West

    Really engaging post, it’s great to see the other side of the argument. I do agree with Jason’s comment above though. If they were that concerned about protecting user privacy they wouldn’t offer AdWords search query data or re-targeting and other such services to advertisers. It wouldn’t surprise me if their next step is to say ‘actually, we will give you organic search query data but you’ll need to buy it from us’. As much as I’d like to believe this was done for the good of the user I can’t help but think there’s an ulterior motive.

  • Tim Nash

    It’s Google; I think most people will say it has something to do with their profit line. Given the way privacy is being legislated for, I suspect their legal team dreamed up something similar to my take and took preemptive action so that it didn’t affect their profits. It’s also worth noting their AdWords solution is not great either, though I appreciate it’s far better than nothing at all.

    Good time to be in SSL business which strangely Coding Futures is ;)

  • Jason Duke

    OK let’s break this down into a few parts.

    #1. I will skim over the dramatisation of the specific topic you posted about but the general theme of the post is “SSL enabling Google will deliver privacy and security to users”

    Let me be clear here. I wholeheartedly believe that https:// should become the new http:// – SSL enabling a site, Google.com or any other, is a good thing!

    #2. SSL Enabling a site does NOT stop anyone on the local network, or as you correctly said, having direct access to the device accessing the SSL site, understanding the data that has been transmitted.

    For obvious reasons I won’t go into details, but ARP Spoofing in conjunction with tools like SSLStrip and/or many others makes understanding what is going on over a secure connection quite simple. Whether the data has been sent via POST or GET or even HEAD is a moot point. It’s all data and it can all be understood and viewed. If the network owner, or even any other person on the network, has decided that they wish to “see” what is going on then they can.

    On top of this G made it clear there will be a “Network Override” where network owners can stop SSL being the default. I haven’t seen details of this yet but it is likely to be able to be used by the hypothetical IT guy murderer above.

    #3. I am glad we agree that SSL enabling Google does NOT mean referers can’t be passed. If a website owner wants a referer to be passed from an SSL enabled site then the website owner needs to SSL enable their site. The way all current browsers operate means that SSL site to SSL site WILL pass the referer information… unless…

    #4. The originating SSL site, in this case Google, decides to “break” the referer information. This is what Google is deciding to do. They are going out of their way, likely by a simple redirect or incorporating the search query within part of the fragment data, to ensure that no referer / query data is sent.

    #5. I could be convinced this is being done “in the name of personal security for users” but I do not believe it to be the case. This is reinforced as Google WILL send the referer information / query string to the receiving site when the receiving site is directly paying for their placement, i.e. they have advertised.

    If my security and privacy is important to Google, it should be important whether I click on an advert or organic link when I search for things like http://www.google.co.uk/search?q=anal+butt+plug

    #6. So to summarise I believe your post is an amazingly superb link bait / discussion topic, but I do NOT believe that your example is correct. SSL enabling Google and/or blocking referer information would NOT have saved a death of a person. Quite simply it’s factually wrong and hyperbole!

    #7. What could be the real reason Google are incorporating both SSL and referer blocking into their site?

    Well I believe I gave a pretty good summary of my thoughts over at SearchEngineLand in my comment on Danny’s post. I have included it below.

    Here are my thoughts.

    Do I believe that Google originally thought about doing this to protect users’ data? – Yes I do
    Do I believe that Adwords teams, Security teams and Spam teams fought and pulled in differing directions over this? – Yes I do
    Do I feel that a half way house answer was ultimately agreed upon? – Yes I do
    Do I feel that Google did this to reduce the effectiveness of their competitors products? – Yes I do
    Do I feel that SEOs and online marketers in general will adapt and overcome? – Yes I do.

    I feel that someone suggested turning off referer information was a good thing for users. We saw it earlier in the year with the “Ajaxy” style URLs that quickly got rolled back. I believe that this started some serious discussions in the Plex and someone realised that those nasty competitors who had started to drop retargeting cookies on loads of big web sites enabled 3rd party companies to make money based on G’s IP – I can well imagine someone saying “Those cheeky bas****s who are targeting OUR users based on what they search for on OUR website. This can NOT go on”

    I can well imagine that someone thought that the answer lay in delivering BOTH security to users AND killing a competitor.

    Now having said all of that I can REALLY imagine someone shouting very loudly about “Our customers, the guys and gals that actually PAY us, they need to see the referer information to run effective campaigns”

    This is how we ended up with such a mishmash of an implementation and terrible communication and a likely insight into G corp policy and how things really work.

    There we go, rant over – back to business now :)

  • Tim Nash

    As I mentioned in another thread elsewhere, SSL is not security on its own and is as broken as the entire HTTP stack is (I used more appropriate words). I added the fact the IT guy was drunk as my get-out-of-jail-free card and will assume he was too drunk to use his proper sniffer and relied on the router log.

    I haven’t seen any evidence for your #4 across any of our ECommerce partners, but time will tell, and as I said, if it happens and it’s deliberate, pitchforking I will go. That said, I have seen evidence that this is a direction Google might take if we look at Chrome.

    I think, and here is the difference, I doubt that when it was being discussed keywords being dropped was even mentioned, and yes, I’m sure when it was mentioned it would have been the AdWords team shouting loudest, and they almost certainly would be given preferential treatment; guess what, that’s how Google makes their business, but from everything I can tell other than Google has an appalling PR team managing.

    So to summarise, since I have upset everyone, my take is that in Google’s eyes, rather than throwing the baby out with the bath water, they just tossed what they considered the soap suds. This wasn’t malicious and had the best intentions (albeit motivated by bottom line and a legal team wishing to cover ass).

    So is this a PR cockup? Yes.
    Is it a halfway house? Yes, though unlike you I really don’t believe they are intentionally dropping SSL->SSL keywords and do not see that in our analytics, but if they do introduce this then it’s a bad thing.
    Did the AdWords team win a tug of war? Not really, they got something for their time.

    Is it going to rapidly evolve? Yes, of course. Will it force a new standard in passing data between sites? Maybe. Will it upset despots and SEOs around the world? Probably.

  • Jason Duke

    We’re in agreement then Tim :)

    “I really don’t believe they are intentionally dropping SSL->SSL keywords and do not see that in our analytics but if they do introduce this then it’s a bad thing.”

    This is the real test and we will only know for sure once it is started to be rolled out. As I understand matters the roll out of their announcement yesterday hasn’t occurred yet, which explains why you won’t see it in your Analytics, but it is my understanding of what they intend to do and purely for Organic rather than Paid results.

  • Jason Duke

    From the official Google announcement at – http://googleblog.blogspot.com/2011/10/making-search-more-secure.html

    “Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra ‘s’) when you’re signed in to your Google Account.”

    That says that it isn’t fully rolled out yet but is starting to be pushed out there.

    “What does this mean for sites that receive clicks from Google search results? When you search from https://www.google.com, websites you visit from our organic search listings will still know that you came from Google, but won’t receive information about each individual query.”

    That infers to me they are sending a referer but making a conscious decision (in effect writing more code to make sure it is the case) and ensuring the referer doesn’t deliver search query information.

    “If you choose to click on an ad appearing on our search results page, your browser will continue to send the relevant query over the network to enable advertisers to measure the effectiveness of their campaigns and to improve the ads and offers they present to you.”

    That says to me they are sending the full referer information, including the search query, to advertisers, i.e. choosing to break only organic referers and not ads.

  • Tim Nash

    They have been running encrypted.google.com for quite some time, and certainly both mine and Dan’s data seem to back that from that source there is no issue, and one of our clients forces their workforce through it (don’t ask), which actually means we have had some test data. But only time will tell.

  • Tim Nash

    Sounds like a PR team who has been listening to a pile of whinging SEOs personally.

  • Jason Duke

    Tim,

    To be clear the current encrypted.google.com is NOT the same service that is being pushed out.

    I am quoting Danny Sullivan who quotes Matt Cutts at http://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435

    “But Google Encrypted Search, as Google told me today, doesn’t block referrer data in the way that the new service does,”

    and then goes on to say,

    “For example, if you used Google Encrypted Search and clicked on a result to come here to Search Engine Land, because we don’t run encryption, the referrer isn’t passed along. But Cutts said that if we did run encryption — or if any site did — they would get the referrer data passed along.”

  • Tim Nash

    We will see; my understanding is the opposite (though I don’t have an on-the-record comment so it may have changed) and I would be surprised if that’s the case. Either way the damage for SEO might be massive but overall it’s not a big deal for anyone else.

  • Jason Duke

    You say “Either way the damage for SEO might be massive but overall it’s not a big deal for anyone else.”

    I disagree completely. Anyone who operates a website will be affected. The referer system is part of the http specifications – http://www.w3.org/Protocols/HTTP/HTRQ_Headers.html#z14

    This may become the thin end of the wedge – A protocol only remains an effective protocol while it is being used. Purposely breaking a protocol cannot be good for anyone who operates online.

  • Doc Sheldon

    Interesting perspective, Tim. You’ve definitely made me reconsider my first reaction to this news. Good stuff!

  • Tim Nash

    It’s also an optional field that the client browser can pass to the server; the browser doesn’t have to pass it, and if you change transport layers it gets lost. That’s why SSL->SSL still works. They are not breaking the protocol even if they did, in a hypothetical scenario, drop it through the loop, forcing no query strings across. They could simply choose to adopt an entirely separate URL structure and you wouldn’t get any data anyway.

    Google is a business; it happens to send a large amount of traffic. If it changes its URL structure to not present you with any query string, that’s not causing the end of the internet as we know it. It’s certainly fully entitled to do so, and it’s certainly not affecting an already deeply flawed and broken protocol. If Google was to rewrite a browser to secretly strip a required non-optional header, then that’s another story.

  • Melanie

    I can certainly believe that the intention started out genuine, but the way this spins is just wrong. If the intention is to protect privacy then post a CLEAR history link on Google search pages. If however, it’s about the cash … then proceed as planned.

    Besides the IT boyfriend would have been key logging on the network =P

    To me the truth is this:

    If it’s private information (which it’s not), then block it in all platforms… Don’t just make me pay for it. Really seems “dirty” when you say it like that.

    Secondly, using a computer, the Internet, software etc comes with a certain responsibility on behalf of the user. If the girlfriend cannot manage to clear her search history… well lesson learned I guess.

    It is wrong for Google to play mom and dad to the world and babysit our stupid selves to protect us. No one can learn from a lesson that never happened.
