Share/E-mail This Story

Email This



Is Passing Query String Data In Referral URLs A Privacy Violation?

from the seems-like-a-stretch dept

Achura points us to the news that Chris Soghoian, whose work I really respect, has filed an FTC complaint over the way Google handles referral URLs, saying that the company is violating its own privacy policy.
Frankly, the whole thing seems like a pretty big stretch. At issue, is the fact that Google search results URLs include the query data, and that's then included in the referral URL, allowing websites to know what people were searching on that got them to click on the website. This is, of course, how pretty much all search engines work, and websites have always used that data to analyze how people are getting to their sites. But Soghoian argues -- correctly -- that there can be personal info included in a query string, and that while Google does offer some tools to let you avoid passing on the query string, they're not that easy to find. He also suggests that Google could just provide aggregate data, rather than each query string.

While I'm pretty big in supporting privacy issues... I have to say that I really don't see this as a big issue. Soghoian tries to use examples of where query strings revealed private info, but those are in cases where the query string was revealed to other third parties who had nothing to do with the transaction in question. But providing that data directly to the site that was clicked? It's hard to see how there's a problem there. Soghoian does point out that Google does mask the query string on URL clicks that come from Gmail accounts, but that's an entirely different situation, because then you're searching through private data. When doing a websearch on public data, and providing it only to a party who is involved in the event, seems totally reasonable. There are plenty of legitimate privacy issues out there. It seems silly to focus on one that seems so inconsequential.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    out_of_the_blue, Oct 11th, 2010 @ 7:06pm

    You're making a variation of "If you've nothing to hide..."

    It's wise to minimize all information given out on the net. At best, it helps grifters to grift. Since there's no necessary reason for Google to pass it, they shouldn't.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, Oct 11th, 2010 @ 7:14pm

    Re: You're making a variation of "If you've nothing to hide..."

    But you are wrong. There is a great reason to pass that data on. Websites use that information to better target their keyword buying. And that drives Google's revenue. Besides, anyone searching on their social security number gets what they deserve.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Oct 11th, 2010 @ 7:23pm

    Re: Re: You're making a variation of "If you've nothing to hide..."

    Find another way.

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    Ed Kohler (profile), Oct 11th, 2010 @ 7:40pm

    It's more than the query

    Using Google Analytics or pretty much any stats program or log file analyzer, a motivated web analyst can tie the query to the IP address, geolocation, browser type, computer OS, etc. It does narrow things down quite a bit when the query volume is narrow. For advertising purposes, people don't need that level of specificity, but the tools definitely provide for it.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Oct 11th, 2010 @ 7:53pm

    You can always turn it off in firefox. about:config and network.http.sendRefererHeader;0

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Oct 11th, 2010 @ 7:54pm

    Re:

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Oct 11th, 2010 @ 9:42pm

    hes not forced to use google

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Johnny, Oct 11th, 2010 @ 9:46pm

    Ridiculous

    This is a ridiculous case, because anyone typing in privacy sensitive information in the Google search box is already parting with their private information by their own fault. To suggest that somehow as long as it stays on Google it remains private is just ludicrous (Google who knows everything about everybody.... please). Honestly people who are so stupid as to search for privacy sensitive data on Google really don't understand privacy.

    You could argue that any referrer is a privacy infringement as it reveals what place you visited before. In that case it's not limited to Google at all, but the entire web does this. Anyone who doesn't want to pass this information on, can already block it.

    This isn't a Google feature, this is a browser client feature. Google doesn't tell your browser to pass this on, YOU do (you could block it but you don't).

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Oct 11th, 2010 @ 9:51pm

    Re: Ridiculous

    Have you ever had a companion that was suspicious?

    People who are not you can Google you is that your fault?
    It is in your control to stop other from doing it?

    So here we are asking for that data to be obfuscated and not send in clear text to everyone to see and collect what is the problem with that?

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Oct 11th, 2010 @ 10:14pm

    Actually, for certain search engines that Google refers to, when they found the session is referred by Google, it helps by highlighting every word it found you're searching in the query string.

    Although you might not agree it's of much importance, it suggest there could be some good use of it. (e.g.: your e-store might suggest "recommandation" / "related items" with reference to this search string to help customers find more relevent goods.)

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    RandomGuy (profile), Oct 12th, 2010 @ 12:56am

    I'm not sure this feature should be entirely eliminated, as it serves some purposes (as other commenters have pointed out, in SEO and intra-site searching), but there are times when I do personally want to enter a site on a 'clean slate', and when I do it's simply a matter of copying and pasting the url into the address box. Not the most convenient way to access a site, but it works.

    Although I wasn't really aware of Google doing this until I first dug around Analytics, I'd still place it towards the lower end of the scale of privacy concerns.

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    Griff (profile), Oct 12th, 2010 @ 2:03am

    So let me get this straight...

    I type in "lace underwear for men".
    Someone has bought the keywords "lace underwear", and I get to see their ad.
    But when I click their ad, they don't just see that their ad triggered on the keywords "lace underwear", they actually see that I came to their site from a google results page for the string "lace underwear for men".

    Is that the problem ?

    Jeez, the guy has too much time on his hands.


    The REAL issue would be if

    a) google started giving people access to the search strings their ad was shown for, not just those it was clicked thru for. But I'm sure they never will because
    1. It is evil and also stupid
    2. The amount of data they'd be handing over would be enormous and no-one would want to have to deal with it (esp as it is so unqualified)

    b) google passed other info that they know about you too (say an email address if you're signed into gmail or whatever else they know, maybe even a cell phone number for mobile searches).
    Again, this would be
    1. Evil
    2. Stupid

    c) google included your GPS coords (for a search from a phone) without you having had a very clear opt in first. Of course, this might be implied if the adverstiser has asked for his ad to be selectively shown...



    The problem is not actually with google (on whom public gaze is permanently trained) but people offering similar services through apps that might have far access more personal info and which may not work anything like a good old fashioned browser. Not nearly as many people keeping them honest.



    What I think google SHOULD do with adwords is include in their quality score a "rapid return" clause. That is, if I click through an ad and within 5 seconds I have reversed back to the results page or come straight back for another search, then I probably did not find what I wanted, and the landing site may not be offering what the ad taster implied. And it would be OK to pass that info to the advertiser, IMHO, so they could learn from their mistake.

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    The Mighty Buzzard (profile), Oct 12th, 2010 @ 2:50am

    Re: Re: Ridiculous

    Oh get over yourself. If someone else is googling your sensitive data your pooch is already thoroughly screwed.

    Aside from that, you have the right to disable referrer headers but you do not have the right to force others to. Not Google and not your ex-wife.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Pete Smith, Oct 12th, 2010 @ 3:04am

    Not actually Google...

    The main problem with this argument is that it's actually your browser that sends the refer header to the clicked link, rather than Google.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Oct 12th, 2010 @ 3:15am

    Is Passing Query String Data In Referral URLs A Privacy Violation?

    Yes. Legislation, please.

     

    reply to this | link to this | view in thread ]

  16.  
    icon
    R. Miles (profile), Oct 12th, 2010 @ 3:34am

    The web is static, not dynamic.

    Why is it assumed so many people think web pages are dynamic, as they can "talk" to each other by the magic of the internet?

    Does Soghoian not understand why the querystring is needed or that it can easily be done through a cookie instead?

    News tip, Soghoian: Web pages don't "talk" to each other. Information is passed from one to the other so it knows what to do. Querystrings are used because "tracking cookies" seem to cause even more paranoia.

    By evaluating this data, a receiving web page can host content you're looking for, rather than approach the page as a "blank slate", which wastes your time to find the relevant information after the Google search.

    Try Amazon.com as an example. Type in "cowboy boots" and you'll see the link takes you to Amazon.com's listing for cowboy boots.

    Incredible, isn't it? All this is possible thanks to what is known as the Query String.

    By the way: I wouldn't recommend the Firefox config edit as noted above. While it does work, it also renders many websites invalid and trust me when I say there's nothing worse than someone sending an email on why our page doesn't work because of settings they elected to disable/enable.

    Enjoy your day, Soghoian, because this just made everyone else's day miserable.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    DS, Oct 12th, 2010 @ 4:05am

    Re: Not actually Google...

    I didn't realize the referral header was part of the url.

     

    reply to this | link to this | view in thread ]

  18.  
    icon
    ComputerAddict (profile), Oct 12th, 2010 @ 5:36am

    Re: The web is static, not dynamic.

    "Try Amazon.com as an example. Type in "cowboy boots" and you'll see the link takes you to Amazon.com's listing for cowboy boots." This doesn't happen because of the referring url however... it happens cause the link you clicked on goes to "http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=cowboy+boots&x =0&y=0" not just the standard http://amazon.com However what Amazon could do is try and parse a referring url like "http://cheapcowboyboots.com" and present you with "items you might like" based on it. Either way this lawsuit is kinda ridiculous as they point out in the lawsuit that google doesn't pass your search query with the new AJAX enabled instant search feature. which is pissing off SEO companies and is probably the real motivation behind this lawsuit in some twisted way.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Bengie, Oct 12th, 2010 @ 5:39am

    Website magic

    Search engines and Web pages are magical. You don't need to use data for anything, it just magically happens. And I argue that since everything is magical, they don't need to include this extra data.

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    Pete Smith (profile), Oct 12th, 2010 @ 6:52am

    Re: Re: Not actually Google...

    Its not. However it is still sent to the resultant page by your browser when you click a link.

     

    reply to this | link to this | view in thread ]

  21.  
    icon
    Griff (profile), Oct 12th, 2010 @ 12:47pm

    Re: Not actually Google...

    I beg to differ. if clicking on an adword link took you directly to the advertiser's website this would be true, but it takes you through a google process which allows them to count it and bill the advertiser. THEN it takes you to the advertiser's website.
    So Google choose exactly what to send at that point.

     

    reply to this | link to this | view in thread ]

  22.  
    icon
    Pete Smith (profile), Oct 12th, 2010 @ 2:32pm

    Re: Re: Not actually Google...

    The way Google behaves may affect whether the query string is sent, but its still your browser that chooses to send the referrer header; you could configure it not to send the header.

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    Marah Marie (profile), Oct 12th, 2010 @ 4:36pm

    Doesn't Bing/Ask/whoever pass the search query along, too?

    Frankly, I think it's a bigger deal that browser info is passed on through the search query URL from the browser search box, like so:

    http://www.google.com/search?q=google+sucks&ie=utf-8&oe=utf-8&aq=t&rls=com.ya hoo:en-US:official&client=firefox

    No one's business what browser I'm using, or whether I have something installed from Yahoo (that looks artifact-y to me, since I don't have anything from Yahoo installed, but the last user of this computer did).

    Similarly, I resent the "safe Search off" parameter crowded into a normal (non-browser search box) search query:

    http://www.google.com/#sclient=psy&hl=en&safe=off&q=google+is+evil&aq=f&am p;aqi=&aql=&oq=&gs_rfai=&pbx=1&fp=74aa9d8d10e40e85

    Who's business is it that Safe Search is off? Who cares? Why must that be in there?

    That the search terms themselves are in there? Well, duh. I guess they should be, since it's helpful to have them from a webmaster's viewpoint.

    Unless the person bringing the complaint thinks webmasters should have less tools at their disposal for figuring out what their visitors want, not more...duh. Just duh.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This