Friday, October 28, 2011

Google Puts A Price On Privacy


Earlier this week, Google made a significant change purportedly to better protect the search privacy of users. In reality, it specifically — and deliberately — left a gaping hole open to benefit its bottom line. If you pay-to-play, Google will share its search data with you.


Google’s a big company that goes after revenue in a variety of ways some critics feel put users second. However, I’m struggling to think of other examples where Google has acted in such a crass, it’s all-about-the-revenue manner as it has this week. The best comparison I can think of is when Google decided to allow Chinese censorship. Yes, this is in the same league.


It’s in that league because Google is a company that prides itself on doing right by the user. Yet in this case, it seems perfectly happy to sell out privacy, if you’re an advertiser. That’s assuming you believe that the Caller ID-like information that’s being blocked (except for advertisers) is a privacy issue.


Google doesn’t, as best I can tell. Instead, the blocking is a pesky side effect to a real privacy enhancement Google made, a side effect Google doesn’t seem to want to cure for anyone but advertisers.


If it had taken a more thoughtful approach, ironically, Google could have pushed many sites across the web to become more secure themselves. It missed that opportunity.


I’ll cover all of this below, in detail. It’s a long article. If you prefer a short summary, skip to the last two sections, “Why Not Get Everyone To Be Secure” and “Moving Forward.”


Default Encrypted Search Begins
Let’s talk particulars. On Tuesday, Google announced that by default, it would encrypt the search sessions of anyone signed in to Google.com. This means that when someone searches, no one can see the results that Google is sending back to them.


That’s good. Just as you might want your Gmail account encrypted, so that no one can see what you’re emailing, so you also may want the search results that Google is communicating back to you to be kept private.


That’s especially so because those search results are getting more personalized and potentially could be hacked. The EFF, in its post about Google’s change, pointed to two papers (here and here) about this.


Encryption Can Break Caller ID
There’s a side effect to encryption that involves what are called “referrers.” When someone clicks on a link from one web site that leads to another, most browsers pass along referrer data, which is sort of like a Caller ID for the internet. The destination web site can see where the person came from.


When someone comes from an encrypted site, this referrer information isn’t passed on unless they are going to another encrypted site. That means when Google moved to encrypted search, it was blocking this Caller ID on its end for virtually all the sites that it lists, since most of them don’t run encrypted or “secure” servers themselves.


This is a crucial point. Encryption — providing a secure web site — doesn’t block referrers if someone goes from one secure web site to another. Consider it like this:


Unsecure >>> passes referrer to >>> Unsecure
Secure >>> passes referrer to >>> Secure
Secure /// does NOT pass referrer to /// Unsecure
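
The three cases above, plus the unsecure-to-secure case the list leaves out, as an added example (not part of the original article) that models the rule as the article states it and shows what a destination site can read from the header. The URLs are constructed samples, and treating `q` as the query parameter that carries the search terms is an assumption.

```javascript
// Added example: models the referrer rule described in the article.
// All URLs are constructed samples, not real traffic.

// Returns the Referer header value sent when a user on `fromUrl` clicks a
// link to `toUrl`, or null when the header is withheld.
function refererSent(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const fromSecure = from.protocol === "https:";
  const toSecure = to.protocol === "https:";
  // Secure -> unsecure is the one case where nothing is passed along.
  if (fromSecure && !toSecure) return null;
  // The fragment and any embedded credentials are never part of a referrer.
  from.hash = "";
  from.username = "";
  from.password = "";
  return from.href;
}

// What the destination site's log analysis can recover from the header.
// Assumption: the search terms travel in the `q` query parameter.
function whatDestinationLearns(referer) {
  if (referer === null) return { source: null, terms: null };
  const ref = new URL(referer);
  return { source: ref.hostname, terms: ref.searchParams.get("q") };
}

// Constructed click-throughs covering all four scheme combinations.
const SEARCH = "www.google.com/search?q=blue+widgets#top";
const CASES = [
  ["http://" + SEARCH, "http://shop.example/widgets"],
  ["http://" + SEARCH, "https://shop.example/widgets"],
  ["https://" + SEARCH, "https://shop.example/widgets"],
  ["https://" + SEARCH, "http://shop.example/widgets"],
];

function runCases() {
  return CASES.map(([from, to]) => {
    const learned = whatDestinationLearns(refererSent(from, to));
    return { from, to, ...learned };
  });
}

for (const row of runCases()) {
  const seen = row.source ? `${row.source}, terms="${row.terms}"` : "nothing";
  console.log(`${row.from} -> ${row.to}: destination sees ${seen}`);
}
```

Only the last row, secure search to an unsecure destination, leaves the destination with no source and no search terms.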
