This article is more than 1 year old

Google's encrypted search casts shadow on web analytics

SSL snuffs browser referral

In adding SSL encryption to its primary search engine, Google isn't just protecting your traffic from anyone sniffing your network. It's also preventing third-party webmasters from tracking the search terms you used to find their sites. That may be a good thing for netizens intent on privacy lockdown. But for webmasters, it could be a bit of a problem.

Last Friday, Google told the world that an SSL-encrypted version of its core search engine was available at https://www.google.com (Notice the extra "s").

The company already offered https with several other services — including Gmail, Google Calendar, Google Docs, and Google Sites — but encrypted search is a little different. As Scroogle founder Daniel Brandt pointed out in response to our story on Google's announcement, when SSL is turned on, your browser will stop sending referral data to any non-SSL sites you visit through Mountain View's search engine.

"If you click on a link to some non-SSL page...then when you arrive at that page you will arrive with your referrer stripped," Brandt said. "The webmaster on that site won't know that you came from Google, and won't know what search terms you used to get there. He won't even know if you used a search engine (you could have just keyed in the URL in your address bar, which would also cause no referrer)."

Google acknowledges this in its "Help Center" article on SSL search, pointing out that it could affect what you see when visiting sites through its search engine. "Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy," Google says. "By clicking on a search result that takes you to an HTTP site, you could disable any customizations that the website provides based on the referrer information."

A Google spokesperson (rightly) points out that this is not specific to Google's SSL implementation. "This effect is the result of the way browsers interact with HTTPS generally," he tells us. But Google controls a good 60 to 70 per cent of the US search market according to the big-name web research firms — if not much more in reality — and some have complained that with SSL search, the company will destroy web analytics as we know it.

In a blog post following Google's news, Clicky — a web analytics firm — went so far as to announce the death of analytics. "Say goodbye to search analytics," the post reads. "Google just announced their new secure search beta...the search term is not passed through the referrer, and hence no analytics tool (not even a good old log analyzer) will have any idea of what a visitor searched for to reach your site."

At the moment, Google's SSL search is tagged as a "beta" and it's optional. Users must explicitly visit https://www.google.com to use it. But Google has indicated it hopes to expand the service, and Clicky's knickers are in a twist. "I really hope Google never considers making this the default, because that would be very irritating for web masters — we would have no idea what people were searching for to get to our site, which is arguably the #1 reason to run analytics in the first place," the company says.

"Yes, someone 'snooping' your connection won't be able to tell what you're searching for, but the sites you click through to will probably have a good idea, based on your landing page —- not to mention they can also see their IP address and every page they have ever viewed on my site, ever. And yet somehow, not knowing this visitor's specific search term is protecting their privacy? Please. The only thing it does is make the life of a web master a much bigger pain in the ass than it was before."

Of course, Google itself will still have access to your search terms, and Clicky questions whether the company will somehow offer this information to webmasters through its Google Analytics service, trumping competitors like Clicky. But Google indicates it has no plans to do so. "I would point out that Analytics is no different from other third party services in terms of not receiving referrer information when users come from HTTPS sites," that company spokesman tells us.

"We have a lot of feedback about our beta feature that we need to gather and interpret before we make any decisions about how next to proceed. As it stands, this referrer effect applies only to users who elect to use the encrypted search offering each time." ®

More about

TIP US OFF

Send us news


Other stories you might like