Google Invests in Privacy for Profit

October 19, 2011
By Rhea Drysdale in SEO

Guess what? Google just pissed on the SEO community and tried to call it rain.


Since Google’s announcement yesterday that they would now be encrypting search result URLs by default for all users, the community has been out for blood. The change is going to fix known privacy issues, so why is this a bad thing?

How will this change impact Google Analytics users?
When a signed in user visits your site from an organic Google search, all web analytics services, including Google Analytics, will continue to recognize the visit as Google “organic” search, but will no longer report the query terms that the user searched on to reach your site. Keep in mind that the change will affect only a minority of your traffic. You will continue to see aggregate query data with no change, including visits from users who aren’t signed in and visits from Google “cpc”.’

As of this morning, here’s what we see in Outspoken Media’s Organic Search Traffic report for the last 24 hours:

Google Not Provided Referral Data

According to Google’s Matt Cutts, the change is only supposed to affect referral data in the single digit percents — only users who are signed into Google and searching.

That’s a pretty big assumption on Google’s part about my client’s users and referral sources. Remember, they’re AVERAGING based on the entirety of the Internet. In the case of Outspoken Media, yes, this “(not provided)” data does account for a small percent of traffic for that 24-hour period of time. To be exact, it accounts for 1.2% of our visits for that timeframe. But what about clients who have a stronger user base with Google accounts? We spoke with one such client yesterday and approximately 30% of their current users are signed up with Gmail accounts. That’s more than a single digit percentage and they already have a small amount of traffic!

When I asked Matt Cutts about the update on Twitter he said:

Matt Cutts on Google's Encrypted URLs

This is when my head exploded (I’m sure Lisa heard me from across the office). Google’s logic is that because no one noticed that data was disappearing, it makes it ok?


I’m going to use that with our clients from now on – I’ll just stop reporting on certain links or keywords and hope they don’t notice. What’s worse… on the backend I’ll be selling that data to competitors that want to use our other services.


Yes, the data that is missing is likely a small percent of referral data for the majority of website owners and we still have other methods of optimizing websites for conversions and meeting user intent. In my eyes — this is not the point.

The point is that this data is still available to those willing to pay for it. To quote a friend, Google has shown “irreconcilable favoritism to paid users.”

Dear SEO, CRO, usability, marketing and digital strategist friends – welcome to Google’s perception of you. We’ve known for a long time that Google openly profiles SEOs as criminals, now they withhold information from us under the guise of privacy, but it’s really for the sake of padding their bottom line and protecting Google from competition.

But wait, Google’s philosophy is “do no evil.” Why would Google do something that was such an obvious double standard?

When is the last time you took a look at Google’s core principles? Do no evil doesn’t appear in any of this language.

Meet principle number 6 (emphasis mine):

You can make money without doing evil.
Google is a business. The revenue we generate is derived from offering search technology to companies and from the sale of advertising displayed on our site and on other sites across the web. Hundreds of thousands of advertisers worldwide use AdWords to promote their products; hundreds of thousands of publishers take advantage of our AdSense program to deliver ads relevant to their site content. To ensure that we’re ultimately serving all our users (whether they are advertisers or not), we have a set of guiding principles for our advertising programs and practices:

  • We don’t allow ads to be displayed on our results pages unless they are relevant where they are shown. And we firmly believe that ads can provide useful information if, and only if, they are relevant to what you wish to find–so it‘s possible that certain searches won’t lead to any ads at all.
  • We believe that advertising can be effective without being flashy. We don‘t accept pop–up advertising, which interferes with your ability to see the content you’ve requested. We’ve found that text ads that are relevant to the person reading them draw much higher clickthrough rates than ads appearing randomly. Any advertiser, whether small or large, can take advantage of this highly targeted medium.”
  • Advertising on Google is always clearly identified as a “Sponsored Link,” so it does not compromise the integrity of our search results. We never manipulate rankings to put our partners higher in our search results and no one can buy better PageRank. Our users trust our objectivity and no short-term gain could ever justify breaching that trust.

What’s curious is that at no point in this language does Google mention evil with respect to their actual search results or users outside of how they are impacted by advertising.

How is this update not evil?

By encrypting the URLs, Google has fixed the privacy concern. The referral data itself in Google Analytics was not the problem and we know this because it’s visible in the report, we just can’t see the keywords, and it’s still visible to advertisers.

SEOs are not naïve. We believe in privacy. We believe in improving the quality of our clients’ websites and optimizing conversions. We believe in transparency.

We do not believe in using a privacy fix as a thinly veiled method of strong-arming third party applications, other analytics providers, potential competition for search retargeting and other sites using data for relevance factors (cough, Bing, cough). Am I alone in wondering what Google’s plans are with the two display advertising companies they acquired in the past year? A number of SEOs have already weighed in on the subject, so take a closer look at why they believe Google is blocking access to organic referral data.

This was predicted by Tom Pitts back in February. Hat tip to Kevin Spence for sharing a link to Pitts’ post from February in which he called this exact situation. However, Pitts also gave a more kind recommendation to Google on how to still provide this data to users:

Google could also strip the referring keywords and still provide keyword data to website owners. They could provide the data through Google Webmaster Tools, and potentially through an integration with Google Analytics. Hopefully if Google goes this route, they open up the integration to all web analytics vendors and don’t use their competitive advantage with Google Analytics.

Guess what? Even the privacy studies conducted around the issues that instigated this update did not have recommendations that were as dire as what Google has begun to implement.

Let’s take a quick nerd break to identify what privacy groups were actually seeing and recommended.

Last night Danny Sullivan tweeted a link to the Electronic Frontier Foundation’s post on the news. In it were two studies conducted on the user privacy through Google’s search results. I read both of them. To spare you the pain of reading through them (unless you’re into that kind of thing), here’s the gist:

The decision to move to encrypted URLs by default is a result of hijacked cookies that made it possible to reconstruct a user’s Google Web History by typing prefixes into Autocomplete and capturing recommendations from the user’s past search queries, as well as other “new features” in the search results that left data exposed, like:

  • Star features (ability to star a result as a bookmark or favorite page)
  • Personalized search results (“view customizations” link and number of visits and last visit data)
  • “More search tools” like the “social” filter which display’s a user’s network and contacts and “visited” which displays recent Web History

The caveat… you had to be signed into Google and have Web History enabled (though anonymous cookies are given to signed out users, which would still leave them susceptible to attack for the lifetime of the cookie).

Session hijacking left many Google Services open to attack including:
Google Privacy Study Results

Facebook has actually been protecting your privacy better than Google! Facebook has both encrypted URLs and redirects that strip out discriminating user information.

The recommendations from both studies were immediate action on the part of Google to correct these issues:

“We argue that solutions should be quickly deployed to protect users against these two types of attacks. The session hijacking attack is harmful not only because it allows an attacker to collect a lot of private information, including sometimes the search history, but also because it can be exploited to add potentially compromising entries [25]. It can also be used to modify the search results displayed to the victim. In fact, Google allows to delete or promote—i.e., show as first—results using a button associated to them. An adversary hijacking a session cookie can perform searches on the victim’s behalf and influence the results corresponding to these searches as she wishes. For instance, this attack can be a powerful tool for censorship, as it can be used to remove or promote some pages displayed after a Google search.”

In each document were recommendations to both users and Google on how to counteract the threat of hijacking:


  • Log out from any Google service when performing a search
  • Delete and disable the Web History service
  • Disable personalization from anonymous cookies or always delete Google cookies
  • Sign out from Google accounts when connecting from a shared network or to use a vpn to encrypt the traffic and prevent cookie interception.


  • Discontinue the Personalized Search service
  • Let the users choose to enforce HTTPS for web searches (for instance, by clicking on a special link when surfing from unsecure networks) and trade off speed with privacy
  • Keep separate histories based on the networks from which user’s searches originate. Then, provide different search suggestions (and personalized results) based on different locations. Use an extension to the web page to allow a user to configure such locations and the privacy settings related to them.
  • Allow user agents to bind the authentication cookies to the current IP address.

Despite so many options on how to protect user’s privacy without castrating organic referral data, we see where Google fell on the subject. This just setback Google/SEO relationships by years and demonstrates that Google’s 1st core principle (“Focus on the user and all else will follow”) really isn’t that important when there’s an opportunity to make a buck.

I’m not comfortable with this update because of what it says about Google’s treatment of SEOs and third-party applications. It’s not about the data, it’s that never has the message been more clear – Google is a business, don’t threaten their profits or they’ll take their ball and go home.

Internet Marketing Conferences
Internet Marketing Conferences

Reputation Management: Monitoring Your Brand Online

on Nov 9 by Lisa Barone

Holy no break between sessions, Batman. If I didn’t know better, I’d think Brett Tabke hates me. Luckily, I know…

Internet Marketing Conferences
Internet Marketing Conferences

Lessons from a First Time Speaker

on Apr 27 by Dawn Wentzell

I recently spoke at both Search Marketing Expo Toronto and Pubcon South in Dallas. Now, neither was my first time…

Social Media
Social Media

How to Confidently Pick a Social Media Tool

on Sep 17 by Lisa Barone

Having to pick a dedicated social media tool is increasingly becoming something us marketers have to worry about. With so…

^Back to Top