Safari Shifts To Google Secure Search in iOS 6, Causing Search Referrer Data To Disappear
Another source of Google search referrer data appears lost. Searches through Google that happen in Apple’s Safari browser search box in iOS 6, Apple’s latest mobile operating system, no longer pass along search terms to publishers.
For those unfamiliar, “referrer” data is information a browser passes along to a publisher about the last page you were on. When you do a search on a search engine, this means what you searched for — the exact words — is passed along as part of the referrer.
The change, as we’ve learned as this story has developed, is because Apple apparently — as part of iOS 6 — now routes Google searches made through the Safari search box to an encrypted version of Google search. Google told us:
“The web browser on iOS 6 switched to use SSL by default and our web servers don’t yet take that fact into account. Searching still works fine, but in some situations the HTTP referer header isn’t passed on to the destination page. We’re investigating different options to address this issue.”
Better Privacy, But Ad Clicks Still Open To Eavesdropping
Encryption adds some privacy protection for searchers, but it also means publishers no longer understand how these searchers found their web sites through Google, unless they are Google advertisers. That loophole also means that some searches are still vulnerable to potential “eavesdropping” by others.
Google offers two types of encrypted search. Google Encrypted Search blocks referrers from being sent — and thus removes any eavesdropping worries — for all clicks that leave the Google web site, unless those clicks lead to another encrypted site (which means the destination site itself can see the search terms but no one else can eavesdrop on the connection).
Apple is making use of the Google SSL Search, which Google introduced last year. This blocks eavesdropping when people click on unpaid listings. However, any clicks on paid listings are transmitted in the clear, leaving that data open to eavesdropping.
Firefox made a similar move to Google SSL Search earlier this year, and Google itself shifted all searches for those signed-in to Google to use Google SSL Search a year ago (at least for desktop browsers — on mobile browsers, SSL doesn’t appear to be the default after signing in).
I’ve had a fairly big issue with Google for compromising privacy with Google SSL Search by not blocking all referrers as it could, for what appears to be the sake of not upsetting advertisers. For more about that, see these two articles:
When Google Does & Doesn’t Block
Ryan Jones noticed earlier this week that searches done on Google, through Safari’s search box on iOS 6, no longer passed along referrer data. We tested ourselves today and found this also to be the case.
This only happens when you use the search box in Safari, not if you go to Google directly. That’s important to understand, because if you don’t test the right way, you’ll still see referrers.
Here’s an easy way anyone can test, drawn from some of the comments below.
If you do the same thing using the built-in search box in Safari, searching against Google (which is the default in the US), no referrer is passed:
FYI, “referer” is a long ago misspelling for “referrer” in HTML specs, which is why you sometimes still see that misspelling used.
Bing & Yahoo Referrers Not Blocked
Doing the same test above for Bing and Yahoo finds referrers are passed either if you go to their home pages or if you change your settings to make them the default for Safari’s search box. That’s probably because neither has an encrypted search service that Apple could use, which would have blocked referrers.
Another Referrer Source Gone & A Mystery
Soon after Google shifted to Google SSL Search for signed-in users last year, the move quickly caused some publishers to see more than 20% of their search referrer data disappear. Those who use Google Analytics, for example, are now familiar with how one of their top search terms is now “not provided.”
Currently, we find just over half our searches from Google to Search Engine Land now are “not provided” or have search term referrer data removed.
That leads to a mystery we’re still exploring. Google SSL Search should still pass a referrer, just one that has the search terms removed. That means a tool like Google Analytics can tell that a search was done on Google — and count this traffic as search traffic — but just not know what the exact term is (hence the “not provided” message).
In the case of Safari, no referrer at all is passed. Analytics programs can’t tell at all that the traffic came from Google, so it’s counted as “direct.”
If Apple were sending searches through Google Encrypted Search, then it would make sense for referrers to be completely stripped. However, that’s not the case. I can tell this because the Google URL shown on search pages begins https://…. (which is Google SSL Search) rather than https://encrypted.google.com…. (which is Google Encrypted Search).
I think the answer comes from something Ryan Jones notes below. In Google SSL Search on a mobile browser, Google doesn’t appear to be redirecting clicks. Since it doesn’t do that, it’s not able to override how a browser wants to remove a referrer according to the https standard.
Normally, if you go from a secure server to a non-secure one, no referrer at all is passed. Google SSL Search changes this behavior. If you click on a link, the link is actually rerouted back through Google, where it decides to do one of two things:
- If it’s a click on an unpaid listing, Google removes the search term and passes along the referrer through an unsecure connection to the destination web site
- If it’s a click on a paid listing, Google leaves the referrer alone and passes along the referrer through an unsecure connection
Since the mobile Google SSL Search apparently lacks redirection, the “normal” behavior takes over. Any click leaving Google to an unsecure web site gets no referrer. This means mobile Google SSL Search is actually more secure than desktop search. But few have been likely to use it until now, when Apple began pointing to it by default.
Now that this is happening, chances are Google will actually make mobile Google SSL Search less secure by restoring referrers to advertisers. Non-advertisers will likely get referrers again, too, but without search terms attached to them.
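The referrer rules described in this section, and how an analytics tool would bucket each result, as an added example (not code from Google, Apple or the original article). It assumes a plain-HTTP destination site; the function names, the Google URLs and the host list are constructed for illustration.

```javascript
// Added example. URLs and host list are constructed samples, and the
// destination is assumed to be a non-secure (HTTP) publisher site.
const GOOGLE_HOSTS = new Set(['google.com', 'www.google.com']);

// Referer header the publisher receives after a click on a Google result.
function refererSeenByPublisher({ query, sslSearch, redirectsClicks, paidListing }) {
  const q = encodeURIComponent(query);
  if (!sslSearch) {
    // Plain HTTP search: the browser sends the results URL, terms included.
    return `http://www.google.com/search?q=${q}`;
  }
  if (!redirectsClicks) {
    // HTTPS page linking straight to an HTTP page: the browser sends nothing.
    return null;
  }
  // Click is rerouted through Google and leaves over a non-secure hop.
  return paidListing
    ? `http://www.google.com/url?q=${q}` // paid listing: terms left in place
    : 'http://www.google.com/url?q=';    // unpaid listing: terms removed
}

// How an analytics tool buckets a visit from the Referer header alone.
function classifyVisit(referer) {
  if (!referer) return { channel: 'direct', keyword: null };
  let url;
  try {
    url = new URL(referer);
  } catch {
    return { channel: 'direct', keyword: null }; // unparsable header
  }
  if (!GOOGLE_HOSTS.has(url.hostname)) return { channel: 'referral', keyword: null };
  const term = url.searchParams.get('q');
  return { channel: 'search', keyword: term ? term : 'not provided' };
}

// The four cases the article walks through, for one constructed query.
function scenarios(query) {
  const cases = {
    plainSearch:      { sslSearch: false, redirectsClicks: false, paidListing: false },
    sslUnpaid:        { sslSearch: true,  redirectsClicks: true,  paidListing: false },
    sslPaid:          { sslSearch: true,  redirectsClicks: true,  paidListing: true },
    ios6SafariBox:    { sslSearch: true,  redirectsClicks: false, paidListing: false },
  };
  const out = {};
  for (const [name, c] of Object.entries(cases)) {
    out[name] = classifyVisit(refererSeenByPublisher({ query, ...c }));
  }
  return out;
}
```

Calling scenarios('blue widgets') shows the iOS 6 search-box case landing in the "direct" bucket while the desktop SSL unpaid case stays in "search" with the term reported as "not provided".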
Postscript: We’ve updated this story to better clarify how referrers are passed if you search from the Google home page, as opposed to from the Safari search box. We’ve also updated it to reflect the confirmation from Google that we were given. Search Engine Land news editor Barry Schwartz was the original author of this story, and it was shifted to Danny Sullivan as he continued writing on it. It was also further updated to better explain why no referrers at all are showing in mobile Google SSL Search.
Postscript 2: See our follow-up story How An iOS 6 Change Makes It Seem Like Google Traffic From Safari Has Disappeared.
- How A Google Change May Mistakenly Turn Search Traffic Into Referral Traffic
- Google To Begin Encrypting Searches & Outbound Clicks By Default With SSL Search
- Google Puts A Price On Privacy
- Google’s Results Get More Personal With “Search Plus Your World”
- 2011: The Year Google & Bing Took Away From SEOs & Publishers
- Firefox 14 Now Encrypts Google Searches, But Search Terms Still Will “Leak” Out