Thursday, April 07, 2011

Google Encrypted - killing the competition, one step at a time

Today, when I opened google search, it redirected me to a new URL

At the face of it, its an innocuous attempt by google, seemingly a very well intentioned one that provides end to end privacy for search users. But Google no longer looks like a company whose motto is 'Do No Evil' (Ref: Wifi Gate, Google Buzz), so I take this with a pinch of salt.

I think the real intent here is to make sure that Referrer data is not passed along when you click on a search result. For the technically challenged, the REFERER header is an HTTP header sent to the server when requesting a resource, that tells who referred this client. When you click on a search result and go to, will get a REFERER header that would be google. With the move to SSL, this would not happen anymore, so can't tell how many users landed when searching on google. Why would that happen? Because the protocol doesn't allows secure pages to pass REFERER information to insecure pages, and most pages on any search result page would be insecure.

This is not the first time Google has tried to prevent information flow via the REFERER header. Why is this important? When you search on google and then click on a site, that site gets access to the REFERER header, which lets them know you are coming from google, and also provides information on which search terms brought you to their site. The content publisher then knows what percentage of organic search traffic they are getting, and what keywords are important. There are a host of site analytics tools that use REFERER for this reason. But that's not all. Any scripts running on the publisher page will also have this information, and ad networks can use this to build visitor profiles, do keyword targeting for search engine users, and what not.

Bottom line - a lot of third parties benefiting from the presence of the REFERER header stand to lose, and lose a lot. The last time google did something like this (they removed search terms from the REFERER), it generated such a hue and cry and they had to rollback. This time, they will be doing it quitely, and they will get away in the name of Privacy.

I am not arguing in the favor of Behavioral ad networks using that data in the name of relevance and targeting, but a case can be made for site owners and site analytics companies such as omniture. If google itself was not a player in the online advertising industry, I would still have taken them at their word. This change, however, ensures that only Google has access to the search terms, only Google Ads can use this data for targeting, and only Google AdSense can do search analytics. I wouldn't be surprised if SSL search becomes the default pretty soon. Do you think otherwise?

No comments: