Post-PRISM, Google Confirms Quietly Moving To Make All Searches Secure, Except For Ad Clicks
In the past month, Google quietly made a change aimed at encrypting all search activity — except for clicks on ads. Google says this has been done to provide “extra protection” for searchers, and the company may be aiming to block NSA spying activity. Possibly, it’s a move to increase ad sales. Or both. Welcome […]
In the past month, Google quietly made a change aimed at encrypting all search activity — except for clicks on ads. Google says this has been done to provide “extra protection” for searchers, and the company may be aiming to block NSA spying activity. Possibly, it’s a move to increase ad sales. Or both. Welcome to the confusing world of Google secure search.
Two Years Ago: Secure Searching For Logged-In Users
In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Google said it wanted to block anyone who might potentially be eavesdropping on a string of searches made by an individual and also prevent the actual search terms themselves from being seen by publishers, as some of them might be too “private” to reveal.
This Month: Secure Searching Being Made Default For Everyone
Now, Google has flipped on encryption for people who aren’t even signed-in. When asked about this last week, Google confirmed the shift, saying:
We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We’re now working to bring this extra protection to more users who are not signed in.
I sent a series of follow-up questions to Google after getting that statement and am still waiting for a response to them, so I’ll update as I hear more. Is this worldwide? How soon until it happens for everyone?
A Sudden Change
One key question is “Why so suddenly?,” what prompted Google to make such a change out of the blue. And it was sudden.
When searches are encrypted, search terms that are normally passed along to publishers after someone clicks on their links at Google get withheld. In Google Analytics, the actual term is replaced with a “Not Provided” notation.
Over the past two years, the percentage of search terms as “not provided” has increased as Mozilla’s Firefox in July 2012, Apple’s Safari browser in iOS 6 in September 2012 and Google’s own Chrome browser in January 2013 have used encrypted search, even when people aren’t signed in at Google.
That’s lead to a steady increase but not giant leap in “not provided” activity. But in the past month, the increased encryption on Google’s side has produced a dramatic spike:
The chart above is from a site called Not Provided Count, and it tracks the percentage of terms being withheld across 60 different web sites. You can see the spike that began around the week of September 4 and which currently shows almost 75% of terms being withheld.
It was after viewing this chart on Friday that I asked Google if there had been some type of change, because the percentage of not provided terms can also vary from site to site — or even for “basket” of sites for different reasons. As noted, the change is real, and confirmed by Google.
There are two main reasons why Google may have made such a quick switch, and perhaps both are even factors.
Done To Block The NSA?
The first is the whole US National Security Agency spying thing. In June, Google was accused of cooperating to give the NSA instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. That hasn’t saved it from criticism.
Since then, Google’s waged a campaign to allow it to be more transparent about the number of spying requests it says it does receive — on a limited basis and not involving direct access — but which it’s forbidden by US law from disclosing. It also began increasing encryption between its own data centers.
I suspect the increased encryption is related to Google’s NSA-pushback. It may also help ease pressure Google’s feeling from tiny players like Duck Duck Go making a “secure search” growth pitch to the media. Duck Duck Go and StartPage.com have seen large gains in traffic, though relatively speaking, what’s large is nothing for Google. The PR loss is far, far greater than the user loss, if any. But Google doesn’t like PR losses of any type.
Done To Boost Ad Sales?
The other reason is that Google recently made a change so that one of the easiest ways for publishers to see the actual terms that have been withheld over time is through the Google AdWords system.
See, apparently search terms aren’t so private that Google withholds them entirely. Rather, it withholds them from being transmitted in the clear across the internet. Publishers can still see these terms by going into the Google Webmaster Tools area, though they only see the top 2,000 per day and only going back for 90 days (something Google said earlier this month will increase to one year, in the future).
If publishers don’t somehow constantly archive these terms, they’re lost. But a change to Google AdWords in August allows publishers to store the terms as long as they like, for easy and instant access — as long as they use Google’s ad system.
It’s an odd situation that Google won’t archive search term data within the toolset it expressly built for non-advertisers — Google Webmaster Tools — but does allow this through its ad system. It suggests that terms have been withheld all along in part to create new Google advertisers.
Privacy Loophole Remains For Advertisers
That’s especially so given that ad search traffic has never been made secure. No encryption stops people from eavesdropping on the terms used when someone searches at Google and clicks on an ad. Google’s also never prevented this information from flowing directly to advertisers, in the way it has for non-advertisers.
So. Increased privacy to thwart the NSA? Or a handy excuse to do that and increase potential ad sales? If I learn more, I’ll update. Meanwhile, for more background, see the key article from earlier this month, below:
Postscript (5:05pm ET):
Google’s sent this update:
We want to provide SSL protection to as many users as we can, in as many regions as we can — we added non-signed-in Chrome omnibox searches earlier this year, and more recently other users who aren’t signed in. We’re going to continue expanding our use of SSL in our services because we believe it’s a good thing for users….
The motivation here is not to drive the ads side — it’s for our search users.
It’s still not clear why Google seems to have ramped up things especially today.