Google Switching to SSL By Default For Logged-In Users

nonprofiteer writes "Google plans to encrypt search for signed-in users, so that websites will no longer get to see the search terms that led a user to their site, though they will get aggregated reports on the top 1000 search terms that led traffic to their sites."

the top 1000 search terms

[treeves]

That should be good enough, right?
Is this a good for Google, doing the right thing story, or is there more to it than meets the eye?

Re:the top 1000 search terms

[X0563511]

I think it's more good for everyone. it's not like you couldn't search via SSL before.

Re:the top 1000 search terms

[TechLA]

Google isn't doing it offer better privacy. It's doing it cause trouble for competing services. It basically requires all website owners to sign up with Google to access Analytics and Webmaster Tools. It's purely an anti-competitive thing and intented to destroy their compteitors. I'd be surprised if FCC doesn't start to crack on Google's monopoly tactics soon. Google is the new Microsoft.

Re:the top 1000 search terms

[epine]

Google is the new Microsoft.

Every public company is required by law to become the next Microsoft if the business opportunity presents itself in order to provide maximum return to shareholders.

But then, you can take it to a whole new level by submitting falsified video tapes to the DOJ.

The government produced its own videotape of the same process, revealing that Microsoft's videotape had conveniently removed a long and complex part of the procedure and that the Netscape icon was not placed on the desktop, requiring a user to search for it. Brad Chase, a Microsoft vice president, verified the government's tape and conceded that Microsoft's own tape was falsified.

So yes, Google is getting grubbier, but it has yet to descend to flinging feces around like chocolate bon bons.

Re:the top 1000 search terms

[dririan]

I'd be surprised if FCC doesn't start to crack on Google's monopoly tactics soon.

I'd be surprised if the FCC considered using HTTPS a monopolistic practice. I'd be even more surprised if the FCC told Google "Encryption is good for security, but you can't use it, because it stops Referrer headers from being sent. Your users will just have to go without crypto."

Re:the top 1000 search terms

[cdrudge]

It basically requires all website owners to sign up with Google to access Analytics and Webmaster Tools.

If they don't already have an analytics package, or a Google account to access the webmaster tools for their search engine, the site maintainer either doesn't care about their site's SE performance, or is a complete idiot, or both.

Re:the top 1000 search terms

[datavirtue]

Engaging Webmaster Tools is just part of maintaining an active website. Google analytics just slows your site and is not any better than your own server logs.

Refreshing

This will break those sites that automatically generate content based on your search query.

Re:Refreshing

[Moheeheeko]

Its always fun to mess with those sites just a bit. "find 'weapons grade uranium' for sale here!"

Re:Refreshing

I've always wondered this: how did those sites GET my search terms?

Well, I stopped using google some time ago, but back when I was, how did they get it? I enter some terms to google.com - how does sleazywebsite.com even know that I did a search? Google knows obviously and returns the sites from its map of keywords to domains. But presumably it doesn't notify every site on the internet that matches my search that I just did one, and I've seen this happen for search terms that I'm pretty sure are unique, and nobody in the history of the internet had ever searched for in that combination before.

Re:Refreshing

[Qwell]

referer

Re:Refreshing

[MobyDisk]

I would love to find a site that does that and change my user-agent string to Googlebot. Would they actually let me check-out at the lower price?

Re:Refreshing

[kabloom]

And I should point out (since the GP doesn't know about referers, he probably needs more than a one word answer) that the Referer is a field in your HTTP request that's automatically sent by your browser telling it the address of the website that you came from. Since Google (and other search engines) put the query string in the URL of the search results page (like they should), the website can read the results out of the URL and know what your search terms were.

Google didn't invent this as a way to invade your privacy -- it's been a feature of the web since the early days.

Re:Refreshing

[williamhb]

And I should point out (since the GP doesn't know about referers, he probably needs more than a one word answer) that the Referer is a field in your HTTP request that's automatically sent by your browser telling it the address of the website that you came from. Since Google (and other search engines) put the query string in the URL of the search results page (like they should), the website can read the results out of the URL and know what your search terms were.

Google didn't invent this as a way to invade your privacy -- it's been a feature of the web since the early days.

It's also what was behind the "Bing copies Google" ridiculousness some time ago. For Bing toolbar users, the HTTP request when you visit any site is also sent to Microsoft (if you have "suggested sites" turned on), so they get the traffic stats. Bing also used the Referer that brought a user to a page as one of its minor indexing terms. By clicking a link on a page, the user has indicated they think the link is relevant to what they are looking for -- so the Referer, and especially any query contained within it, is pretty good information. And it's the user's information -- the user both typed the search query, and chose to click the link. Google's experiment spammed the signal by ordering employees to visit a page for a made-up search query (non-existent words) so that those paid click-throughs would be the only information Bing could receive for those made-up words. The words didn't exist, so Bing couldn't index them off the web -- so it doesn't matter what algorithms Bing uses, that forced the paid click-throughs to be the only results because there was no other source of data in the world for those words. Google then spun it that it was Google's information that Bing was using (Google own their generated results page, most of which was not clicked on and did not appear in Bing) rather than the human user's information (what sites the user chooses to visit). The difference being that if it's the human user's information (if your clicks belong to you not Google), then the human user within his rights to give that information to whomever he likes, including Microsoft, and Microsoft are within their rights to use it as an index signal, albeit according to them it was a very minor one.

There is a current relevance to this history. That Referer information from the user's browser is valuable data. By making this change, Google is ensuring that they get this valuable data and other's don't. They get to see the full details of both where you came from and where you went; others only get the full details of where you went, and no longer get full details on where you came from. That's a straightforward business advantage. They can then sell more detailed stats to companies (in a freemium model), sell tools that let you access the Referer information that users used to give you for free, etc. While there's a privacy angle to this story (your data is now sent to fewer places), there's also money in this decision.

Some deal

[Hatta]

So I have to sign up with google and let them track me, or they'll divulge my searches to websites who will track me?

Re:Some deal

[Hatta]

Never mind, I should RTFA. For the rest of us who didn't: encrypted.google.com.

Re:Some deal

[scdeimos]

You are the product.

Re:Some deal

[Yaur]

note however that https://google.com/ will redirect you to http://www.google.com

Re:Some deal

[swillden]

They are able to charge a premium for that targeted advertising because other people selling products feel they are getting better bang for their buck (as opposed to blanket advertising on television, or spam/UCE) due to the higher conversion rates.

It's actually more direct than that.

The vast majority of Google's advertising revenue comes from pay-per-click advertising, and the ad that is shown is selected based both on your likely interests and on a real-time auction among advertisers. So, Google's goal is to put in front of you the highest-paying ad that you are likely to find sufficiently interesting that you click on it. More precisely, you can think of each possible ad you could see as having an expected value to Google, which is determined by the amount the advertiser will pay Google if you click on it times the probability that you will click on it, and Google's goal is to display the ads with the highest expected value.

Thus, the more Google knows about who you are and what you're looking for right now, the better job it can do at estimating the click probability function for each ad.

From Google's perspective, this is a win-win-win. It's a win for Google, obviously, because it's the way they make the most money. It's a win for the winning advertiser because the advertiser got an interested (at least enough to click) person to their site, for a price that's a little less than what they offered to pay -- plus Google also provides advertisers with extensive feedback that helps them optimize the effectiveness of their ads and even their site (but doesn't share any user info). Finally, it's a win for the user because it provides ads about things that are interesting and useful to him/her.

In Google's view, if Google shows you an ad that you don't click on, that's a failure. That means Google fails most of the time, but really hard problems are like that. It also means that it's better to display no ads than ads that the user won't care about. If Google were able to do its job perfectly, you'd click on every single ad Google shows you, and proceed to buy from each advertiser -- and you'd be happy about it because in each case you found just what you were looking for.

The perhaps non-obvious implication of all of this is that users are not Google's product. Not from Google's perspective. Rather, advertisers and users are both customers, and Google maximizes its income by serving both effectively, by pointing users towards products they actually want to buy. The service Google sells is a sort of digital matchmaking service, and while it's the advertisers who pay Google, the users are at least as important -- since they're the ones who ultimately pay the bills.

At least that's true for pay-per-click advertising. Google does do some pay-per-impression advertising, and that's different. In the pay-per-impression model the goal is to build brand recognition or to steer consumer perception, and there the user is definitely the product. That's a pretty small piece of Google's business, though.

(Disclaimer: I work for Google, but not in anything ad-related, and everything I've said above is public knowledge.)

Good or bad?

[Daetrin]

Is this going to be considered good because it helps protect our privacy from the websites? Or bad because Google is effectively monetizing the private information by keeping the details to themselves (and using it?) while only handing out aggregate data to everyone else? I can see arguments being made either way.

Re:Good or bad?

[blair1q]

How is it private information when you presented it to Google for them to do the legwork on finding 1.8 million matching websites?

They're making it a shared secret between you and Google instead of a broadcast message to every link you choose to click.

They're monetizing it because, well, they are the ones who gave you the free advice. 1.8 million times.

Re:Google Analytics - SEO's will be upset

[xmas2003]

Yep - referrer will show as NONE ... so similar to if a user is coming to the site by typing the URL. Since you don't have the keywords in the weblogs, those tools don't have anything to parse ... and the Search Engine Optimization people aren't going to be happy about.

Re:Google Analytics - SEO's will be upset

[mr1911]

Oh no! We can't offend the SEO deities.

Re:Google Analytics - SEO's will be upset

[irventu]

I am a *search engine optimization* person and I'm NOT happy about it--this takes away about 90% of data used for SEO strategy.

Re:Google Analytics - SEO's will be upset

[ackthpt]

I am a *search engine optimization* person and I'm NOT happy about it--this takes away about 90% of data used for SEO strategy.

You mean, like when I'm trying to look up some local bit of history and the first 5 pages of results are trying to sell me real estate, service, yelp reviews, etc?

Find homes near Hanging Trees!!!

Re:Javascript on links...

[hawguy]

Also, they moved the "cached" search results inside the website preview.

Now you can't get cached results if you have javascript disabled, and you still have to wait for that lame thumbnail to pop up in order to hit google's cache.

So that's where the cache link went! I assumed they stopped providing cached pages at all.

I really don't care to see the thumbnails that are so tiny that the text is unreadable, I wish they'd bring the cache link back to the search results page.

HTTPS Everywhere

...is a Firefox plugin that does that for you anyways. Google has a standard HTTPS page, as does a number of other sites, like Wikipedia.

While I applaud Google for doing this for its signed-in customers, people should be using HTTPS for everything, everywhere, if possible. Sure, it has its flaws, but better flawed privacy than no privacy.

Re:HTTPS to HTTPS

[BBTaeKwonDo]

Sure, but the link farms don't want to pay for SSL certificates for their subdomains such as https://viagra.spamsite.com/ , https://buy-viagra.spamsite.com/ , etc. I think I'm going to like this change.

Re:Javascript on links...

[X0563511]

The preview is sorta-useful.

You can see that a link is obviously link-farm or other trash without sending them a click or giving them an opportunity to rape your browser.

cryptome.org had some great posts on SSL

[AHuxley]

http://cryptome.org/0005/ssl-broken.htm on this issue.
Welcome to en.wikipedia.org/wiki/Clipper_chip, Enigma or the fun of Data Encryption Standard era standards in your new safe browser.

Re:google privacy

[lgw]

These days I find that DuckDuckGo often gives better results - it's a toss-up. Perhaps that's because the SEO guys are crapping all over Google specifically, but I don't fell like I'm missing out when I use ddg.gg for privacy/bubblefree search.

Everyone benefits

[FyberOptic]

This is particularly beneficial to all the hapless people who think using open wifi is perfectly safe. And it saves Google from having to deal with stolen accounts as a result. That's why it's so popular on places like Twitter and Facebook, too.

That's not to say that SSL is perfect, and a hapless user can still be tricked or spied upon once somebody starts ARP spoofing'em or SSL stripping or what have you. But some protection is better than none.

Re:google privacy

[datavirtue]

Google provides a valuable service that lifted the internet out of the dark ages. I'm still grateful (after 10 years) and happy that they are prosperous. I used excite for all search "back in the day" and dropped it the second I discovered Google. People forget, some people just don't know. Google -to- Facebook is no comparison.