Post-PRISM, Google Confirms Quietly Moving To Make All Searches Secure, Except For Ad Clicks

In the past month, Google quietly made a change aimed at encrypting all search activity — except for clicks on ads. Google says this has been done to provide “extra protection” for searchers, and the company may be aiming to block NSA spying activity. Possibly, it’s a move to increase ad sales. Or both. Welcome to the confusing world of Google secure search.

Two Years Ago: Secure Searching For Logged-In Users

In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Google said it wanted to block anyone who might potentially be eavesdropping on a string of searches made by an individual and also prevent the actual search terms themselves from being seen by publishers, as some of them might be too “private” to reveal.

This Month: Secure Searching Being Made Default For Everyone

Now, Google has flipped on encryption for people who aren’t even signed-in. When asked about this last week, Google confirmed the shift, saying:

We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We’re now working to bring this extra protection to more users who are not signed in.

I sent a series of follow-up questions to Google after getting that statement and am still waiting for a response to them, so I’ll update as I hear more. Is this worldwide? How soon until it happens for everyone?

A Sudden Change

One key question is “Why so suddenly?”: what prompted Google to make such a change out of the blue? And it was sudden.

When searches are encrypted, search terms that are normally passed along to publishers after someone clicks on their links at Google get withheld. In Google Analytics, the actual term is replaced with a “Not Provided” notation.

Over the past two years, the percentage of search terms reported as “not provided” has increased as Mozilla’s Firefox in July 2012, Apple’s Safari browser in iOS 6 in September 2012 and Google’s own Chrome browser in January 2013 have used encrypted search, even when people aren’t signed in at Google.

That’s led to a steady increase but not a giant leap in “not provided” activity. But in the past month, the increased encryption on Google’s side has produced a dramatic spike:

[Chart: Not Provided Count, charting the rise of (not provided) in Google Analytics]

The chart above is from a site called Not Provided Count, and it tracks the percentage of terms being withheld across 60 different web sites. You can see the spike that began around the week of September 4 and which currently shows almost 75% of terms being withheld.

It was after viewing this chart on Friday that I asked Google if there had been some type of change, because the percentage of not provided terms can also vary from site to site — or even for a “basket” of sites for different reasons. As noted, the change is real, and confirmed by Google.

There are two main reasons why Google may have made such a quick switch, and perhaps both are even factors.

Done To Block The NSA?

The first is the whole US National Security Agency spying thing. In June, Google was accused of cooperating to give the NSA instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. That hasn’t saved it from criticism.

Since then, Google’s waged a campaign to allow it to be more transparent about the number of spying requests it says it does receive — on a limited basis and not involving direct access — but which it’s forbidden by US law from disclosing. It also began increasing encryption between its own data centers.

I suspect the increased encryption is related to Google’s NSA-pushback. It may also help ease pressure Google’s feeling from tiny players like Duck Duck Go making a “secure search” growth pitch to the media. Duck Duck Go and StartPage.com have seen large gains in traffic, though relatively speaking, what’s large is nothing for Google. The PR loss is far, far greater than the user loss, if any. But Google doesn’t like PR losses of any type.

Done To Boost Ad Sales?

The other reason is that Google recently made a change so that one of the easiest ways for publishers to see the actual terms that have been withheld over time is through the Google AdWords system.

See, apparently search terms aren’t so private that Google withholds them entirely. Rather, it withholds them from being transmitted in the clear across the internet. Publishers can still see these terms by going into the Google Webmaster Tools area, though they only see the top 2,000 per day and only going back for 90 days (something Google said earlier this month will increase to one year, in the future).

If publishers don’t somehow constantly archive these terms, they’re lost. But a change to Google AdWords in August allows publishers to store the terms as long as they like, for easy and instant access — as long as they use Google’s ad system.

It’s an odd situation that Google won’t archive search term data within the toolset it expressly built for non-advertisers — Google Webmaster Tools — but does allow this through its ad system. It suggests that terms have been withheld all along in part to create new Google advertisers.

Privacy Loophole Remains For Advertisers

That’s especially so given that ad search traffic has never been made secure. No encryption stops people from eavesdropping on the terms used when someone searches at Google and clicks on an ad. Google’s also never prevented this information from flowing directly to advertisers, in the way it has for non-advertisers.

More Background

So. Increased privacy to thwart the NSA? Or a handy excuse to do that and increase potential ad sales? If I learn more, I’ll update. Meanwhile, for more background, see the key article from earlier this month, below:

Postscript (5:05pm ET):

Google’s sent this update:

We want to provide SSL protection to as many users as we can, in as many regions as we can — we added non-signed-in Chrome omnibox searches earlier this year, and more recently other users who aren’t signed in. We’re going to continue expanding our use of SSL in our services because we believe it’s a good thing for users….

The motivation here is not to drive the ads side — it’s for our search users.

It’s still not clear why Google seems to have ramped up things especially today.



About The Author: Danny Sullivan is a Founding Editor of Search Engine Land. He’s a widely cited authority on search engines and search marketing issues who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

  • Li Ma

    I noticed this since the beginning of August. Right before I read your post, I was talking to my team about Google switching all access to https… Well, hopefully this leads to a new business opportunity for Google to start charging webmasters and SEOs for keyword data.

  • http://www.seo-theory.com/ Michael Martinez

    Google — that is such a lame bullshit excuse. The “(Not provided)” issue has nothing to do with NSA monitoring. What a spin!

  • Cyndee DAgostini

    Our NP numbers increased significantly the first week of September – I was hoping it was a reporting error on my part. That’s not cool.

  • Durant Imboden

    I think people need to spend less time worrying about Google’s motives and more time focusing on real-world effects (and what to do about them).

  • http://www.koozai.com/ Mike Essex

    I can confirm that this isn’t just confined to the US either. We’ve been seeing an upwards trend in the last month in the UK. Today in particular Koozai.com was 92% not provided, although we’re a tech site so are likely higher than average.

  • http://www.isoosi.com/ Carlos Fernandes

    Sounds like they confirmed the change but didn’t comment on why so suddenly… or am I reading that wrong Danny. We can speculate as to the reason, but I don’t think they stated that last week or added to that angle of this did they?

    I guess that doesn’t really matter now anyway. Really is a short-sighted move that will hurt a lot of website owners of all shapes and sizes… but especially those businesses that do not have “big pockets”.

  • http://blog.paulgailey.com/ Paul Gailey

    When you examine the notprovided % increase segmented by browser, the real increase in the last 4 weeks has come from Internet Explorer.

  • http://searchengineland.com/ Danny Sullivan

    Or it was on Google’s end. I was testing things in August. Google was making all types of things that shouldn’t have been secure into secure searching almost randomly.

  • http://searchengineland.com/ Danny Sullivan

    No, they didn’t say yet why it was done so suddenly. I’ve noted that in the story already as the key outstanding question.

  • Guest

    amen.

  • http://www.isoosi.com/ Carlos Fernandes

    Yeah I understand.. just wanted clarification.
    Some stating categorically it is confirmed as PRISM related.

  • http://blog.paulgailey.com/ Paul Gailey

    maybe GA isn’t telling the whole story as it’s possible toolbar IE users with google search set as the preference will have had that traffic obfuscated but referrer assigned to IE in GA.

  • Pat Grady

    Big news, chatter is everywhere.

  • http://www.v2interactive.net/ Josh

    Weren’t we told by Cutts it would affect ~10% of queries?

  • http://www.archology.com/ Jenny Halasz

    originally it was supposed to be between 3-5% of queries… but we saw this coming…

  • RyanMJones

    We all knew it was coming, eventually. We just didn’t want to believe it. I’m less mad about it finally happening, and more upset that they did it without warning.

  • RyanMJones

    Also, If they’re serious about doing this for PRISM reasons, then let’s talk about Gmail and storing mail in plaintext so that they can serve relevant ads next to it…

  • grahamcharlton

    (not provided) up to 93% of all Google organic search on Econsultancy today. Up from 75% in August and 86% just a day ago. Like Koozai, we’re a tech / marketing site and UK based.

  • http://www.attorneysync.com/ Gyi Tsakalakis

    Any guesses as to when we can expect ~ 100% (not provided)? Also, how are folks addressing this change with clients?

  • Jonathan Hochman

    Natural search and paid search are different systems. It is possible, even likely, that Google would update one before the other. Perhaps the AdWords clicks will also become encrypted in the near future.

    Meanwhile, advertisers only get to learn the keyword pattern that they supplied which triggered the ad. Google does not report the user’s query when the user is logged in. Obviously Google needs to tell advertisers which of their keyword patterns triggers ads and clicks, or else AdWords would be useless.

    To the casual observer, the Keyword Query (what the user types) is not necessarily the same as the Keyword pattern (what the advertiser lists).

  • Jay Friedman

    The fact there is a DCLK search ad at the end of the article is just awesome.

  • http://www.avainfotechseo.com/ Ashish Ahuja

    I am seeing 80-100% not provided across websites

  • RyanMJones

    For those curious. Yes, recent versions of browsers started defaulting toolbars to https, however sometime this morning, Google placed a redirect from http://www.google.com to https://www.google.com making it impossible to access the non-secure version.

  • http://electricdialogue.com/ Mark Hughes

    Yep seeing a big jump in the UK. Average of 55% two Mondays ago, up to 66% last Monday, now 73% today so far. Bad news.

  • joeyoungblood

    Google taking keyword data is simply a measure against competitive ad systems that used said data for highly reliable and inexpensive advertising gaining tens of millions off of Google’s data. No more, no less.

  • Nate Heinekamp

    NotProvidedCount.com is saying as soon as December 11th of this year if this pace keeps up. Scary huh?

  • http://searchengineland.com/ Danny Sullivan

    they’ve shown absolutely no interest in encrypting the ad-side.

  • http://searchengineland.com/ Danny Sullivan

    It’s post-PRISM, we know that. I’ve been pretty clear that whether it is actually related to PRISM has yet to be confirmed.

  • koko the moneky

    Expect minimal GA charges very soon. Want free analytics? have an active Adwords account or else no keyword data for you. Charges may vary depending on your traffic.

  • Joel Solomon

    One possible solution (not a perfect one) is to make sure there is tracked in-site search set up. At least that way you can see what visitors are looking for once they actually get to your/your client’s site.

    Any other ideas to identify search term opportunities?

  • jnffarrell1

    It’s about using security to enable privacy. First secure all search related data that has been entrusted to Google: from users to Google servers, on Google Cloud storage, between Google Servers. Next shut down all Apps that can vector Trojans inside the user/Google encryption wall; that means AdID only and ad-ranks are all an advertiser will get.

    If Google people touch search data their authority, reason for use, date and time will be logged. If they abuse their authority they will be gone from Google and data supporting their conviction will be at the DA long before they are escorted off campus. For this mode of assigning and enforcing privacy to work, advertisers will have to remain outside the chain of responsibility.

  • Julian Hooks

    So will they still deliver keywords and clicks via WMT? What’s the difference between giving data via WMT and Analytics?

  • Federico Munoa

    I would like to know if the enterprise version of GA has exactly the same issue or percentage… does anybody hear something about it?

  • rjonesx

    The only reason is to boost ad sales. If I am paying Google Adwords, I can on-the-fly optimize a landing page to match the keyword that brought them in. Laptops? sure, here are our best laptop deals. Desktops? sure, here are our best desktop deals. But, for organic search? Nope, shit out of luck. Google is interested in one thing and one thing alone – making organic search less profitable than paid.

  • http://www.leadgenix.com/ Brett Welker

    So what does this mean for me and other SEO developers that are part of different internet marketing companies? Does this affect us in any way directly or does it only mean that unwanted parties won’t be able to access our information?

  • http://www.TheeDesign.com/ TheeDesign Studio

    Not a surprise, things have been headed this way for awhile. It will definitely be interesting to see what Matt Cutts has to say in the coming days and weeks.

  • http://searchengineland.com/ Danny Sullivan

    The enterprise version has the same issues.

  • http://searchengineland.com/ Danny Sullivan

    Sure. Google could ask everyone to move to secure servers, which would allow it to go back to passing search term data exactly as the industry-standard spec it broke was designed to work.

  • Federico Munoa

    Thanks Danny.

  • Gary Henderson

    Funny how they still pass all paid data to us. Privacy my ass!

  • Bazinga! Web Design

    Are they gonna pull this data from Google Webmaster Tools also?

  • Bruce Brownlee

    Keyword hiding will make it much more difficult for publishers to provide a good on-page experience for visitors, and harder to resolve high bounce rate problems. From Avenish’s example, if I sell oak and maple night stands and chairs, how will I know that people looking for “one night stands” are bouncing off my site? And if I have an arthritis site, how will I know that 30% of the people arriving want to know about arthritis in pets? This flies in the face of Google’s pious words about providing relevant content and a good user experience. That’s all self-serving talk.

  • Beverly Mapes

    Makes me want to start using and promoting Bing more.

  • Li Ma

    I hope some Google reps will show up at SMX East and answer some of our questions and concerns with this major update on secured searches. Yes, I try to believe this is a good move to protect internet users’ private info, but at the same time, isn’t this just making big G a bigger monster with all the search info they solely control now? Now, this is the company who once confirmed the secured search would only affect single digit percentage of websites’ organic search traffic…

  • Dick Fabulous

    Google’s motto: Don’t be evil. Hahahahaha.

  • RyanMJones

    I believe, even if you have a secure site though, they’re still not passing it.

  • http://searchengineland.com/ Danny Sullivan

    Correct. But they could do it that way. That would eliminate what seems to be the chief concern, the eavesdropping potential on a string of searches.

  • Paul Jewkes

    Enjoy that.

  • http://www.michaelmerritt.org/ Michael Merritt

    With the toolbar disabled and using In-Private mode, I’m redirected to HTTPS.

  • Christian Noel

    I agree with you on this one Michael. Big time power play on their part.
