The Questions Google Refuses To Answer About Search Privacy


Last month, Google made one of the biggest changes in search privacy ever, by routing all searches through its Google Secure Search service. Why did it make the change? Why didn’t it close some loopholes that leave some search data vulnerable? Google — which is demanding more transparency from the US government over privacy issues — is preferring not to be transparent about its own moves.

What’s The TL;DR?

The too long; didn’t read is that more people should read stuff that they deem too long. The world would be a better place. But OK:

Google claims it has improved search privacy but won’t explain why there are major loopholes in that protection.

There. That even fits into a tweet. That statement should be enough to concern anyone. A major company makes moves it says are increasing privacy but with loopholes?

Right now, Google is desperately trying to battle the impression it already gives loopholes to the US government’s NSA spying agency about what people do on its services. It really doesn’t need to have unexplained loopholes of its own.

The Background

Over the summer, Google quietly started routing searches from some non-logged in users through Google Secure Search, something it previously had done only for people who were signed-in to Google. In late September, it increased that routing and confirmed to us officially that it was happening.

Why make such a move? Unlike the change two years ago, for logged-in searchers, there was no public blog post about the shift. Google seems to have hoped no one would even notice. That silence has helped fuel speculation that the change was less about protecting privacy and more about protecting Google’s ad business — or that perhaps privacy was a convenient excuse to also boost the ad-side of Google’s interests.

The Questions Google Wouldn’t Answer

To understand more, I asked to speak with Google’s director of privacy, Lawrence You, about the change. Google refused that request. Google also refused to provide answers to any specific questions I emailed. All it responded with was the same statement it gave when we reported in September about the change to send all searches through Google Secure Search:

We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We’re now working to bring this extra protection to more users who are not signed in.

It’s a pretty sparse response to the questions that I — and others — wanted answers to. Answers that might help square-up Google saying the change was designed to protect searchers and yet, seemingly, still leaves big holes in that protection.

On to the questions.

1) Are search terms considered private information?

This is a fundamental question that Google should answer. It’s core to what most people do at Google — search. Are the words they enter into the Google search box considered private or not?

The answer seems to be, “maybe” or “sometimes.” But good luck figuring that out directly from Google itself.

Search privacy doesn’t appear to be an important enough topic to appear at all on Google’s “Good To Know” page about staying safe and secure online with its products, not that I can see. Nor is it something featured within Google’s Inside Search area.

No, trying to get an answer about Google’s view if search terms are private is like a scavenger hunt that you need a search engine like Google to perform. Here’s a page that explains Google may record your search history. Here’s another on how to delete that history. Here’s another that explains that search history is used to personalize results, and that “Google takes your privacy very seriously,” so presumably search terms are indeed private in some way.

But if you’re looking for that help page that explains how what you search for may be shared with advertisers, good luck. I can’t find it easily. I’m sure that’s covered in Google’s privacy policy, for those who care to read it and make all the right connections. But it’s sure not spelled out in the same way that Google details how advertisers can see those searches.

As I said, the answer seems to be that search terms are deemed private in certain cases. But what those cases are is left for the Google user to guess at. That doesn’t live up to the Google privacy policy promising to be “clear” about what Google collects, so that users can make “meaningful choices” about how their data — which includes their searches — is used.

2) If search terms are considered private information, why are they provided in various ways that can be viewed by third parties, such as through Google Webmaster Tools, AdWords & Google Suggest?

Google clearly considers that search term data is considered private to some degree, otherwise it wouldn’t be using Google Secure Search as a means to strip those terms off the “referrer” information that’s passed along to non-advertisers (advertisers still get this data).

That was the whole reason why Google justified making use of Google Secure Search back in 2011. It argued that as people were able to search for more personal things through Google, such as for appointments in Google Calendar or messages in Gmail, the searches themselves might somehow be too sensitive to expose to a third party.

For logged-in users, Google Secure Search stopped the transmission of search terms “in the clear” to publishers (except for advertisers). It also prevented the terms from being associated with other information, such as a searcher’s IP address (except for advertisers).

This change made it harder for anyone to “eavesdrop” on a string of searches by any individual. Get enough searches linked to an IP address, and potentially, you can learn enough to know who is doing those searches. That happened in 2006, when AOL released “anonymous” search data that the New York Times used to track back to a particular person. Great story. Read it.

But search term data is still provided in other ways — and without any apparent attempt to filter out terms that might be somehow personally identifying on their own.

That’s also the answer to the question that Google refuses to give. It clearly doesn’t believe that search terms, on their own — away from possibly personally identifying information — are private or private enough that they can’t be given to third parties. Otherwise, it wouldn’t continue to do this.

But that’s my guess. Google isn’t saying.

3) If only some search terms are considered private, how does Google filter these from being exposed to the public in some of the ways outlined above?

This is closely related to the second question and really depends on what Google’s answer is.

If the answer is that search terms are considered private, period — no ifs, ands or buts — then Google fails to protect this privacy because it applies no filtering (that it has acknowledged) before handing them over in various ways to third parties.

If the answer is that search terms are considered private when linked to personally identifiable information like a cookie or IP address, then Google fails to protect this privacy when it passes along search terms along with such information to advertisers.

If the answer is that search terms are considered private when linked to personally identifiable information AND when a number of terms can all be linked to one individual, THEN Google’s move to Google Secure Search makes sense and lacks some of the seeming loopholes in the “protection” story that Google wants to spin.

4) What’s considered the bigger privacy issue, potential eavesdropping of a string of terms or the terms themselves?

As explained in my speculation on the third question, I think Google sees eavesdropping on a string of terms to be the real privacy issue. It’s a pity the company won’t explain if this is so.

5) Why are ad clicks not encrypted or withheld? How does this square against privacy?

Do a search on Google, click on an ad, and what you searched for is transmitted to the advertiser, along with your IP address, leaving you open to being targeted for ads based on that term in the future.

This has been a loophole since Google’s first ramp-up of Google Secure Search in 2011. It never offers a decent explanation for why it does this.

The only real explanation that holds up is that terms aren’t deemed private unless you are able to intercept a series of them.

6) If terms aren’t considered private, why not allow web sites that allow secure connections continue to receive search term data, which would block eavesdropping?

There’s a nearly 20-year-old industry-standard “referrer” system where if you click from one web page to another, the destination page is told where you came from. It’s sort of like a “Caller ID” for the web. Until 2011, Google used this standard to let publishers know the exact terms used, if someone found their content when doing a Google search and then clicked to a publisher’s site.

Well, except for when people click on advertiser listings. Google still uses the standard, in that case.

The change was useful if the goal was to prevent “eavesdropping.” But if the goal was, as Google stated when making it, to encourage the industry to “adopt stronger security standards,” Google missed a huge opportunity.

Google could have continued to provide referrer data to publishers if they agreed to also use secure web sites. Many would have, just as many have increased their site speed when Google said it would reward faster sites with better rankings.

So why not do that, especially when today, Google seems even more worried about internet security in the wake of NSA spying revelations? Again, no answer from Google

7) Why the sudden change to encrypt everything other than ad clicks?

Moving ALL Google searches to Google Secure Search wasn’t something that Google would have just done just because someone at Google got up one day and decided to flip a switch.

Two years ago, Google caused people who were logged into Google to use Google Secure Search initially in preparation for the coming of Google’s Search Plus Your World. That was the motive.

What prompted Google to make the move this summer to full security? To me, the likely candidate was concern over the NSA spying. But, it could be that Google decided to make the move to shore up its ad business. Maybe it was both. But Google’s sparse statement says nothing about the WHY it made this change, out of the blue.

Tell Me More

These are two recent FAQ-like stories I’ve done:

These are background stories that go into detail on many of the things I’ve covered above

Related Topics: Channel: Search Marketing | Features & Analysis | Google: Critics | Google: Privacy | Google: Search | Legal: PRISM | Legal: Privacy | Top News


About The Author: is Founding Editor of Marketing Land. He’s a widely cited authority on search marketing and internet marketing issues, who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

Connect with the author via: Email | Twitter | Google+ | LinkedIn

Marketing Day:

Get the top marketing stories daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. You can read more about our comments policy here.
  • Sergiu Draganus

    Hi Danny, as you’ve mentioned already in the article they are providing keyword data only on AdWords campaigns, so the deal is simple. Pay to get the keyword data, the bigger the campaign budget is, the more keyword insights you get.

    Bdw, if the data is secure how it comes that Keyword Planner Tool is listing all the search terms used by the users? even the location where they were searched from ?

    Privacy is only BS as any developer knows that servers can share data even if is https or not … the goal is clear … keyword insights are too valuable to be given for free …

  • Pat Grady

    If I pay for sales people to visit businesses, I have a right to know which ones they visited. To me, same thing for AdWords – I have a right to know which searches I was paying to advertise on.

    But AdWords doesn’t connect any PI info to the keyword data, so why is it a privacy issue for AdWords? If you program your website, and collect PI, and connect the dots, maybe you can identify specific people… but check the AdWords TOS.

    I know SEO folks are feeling deprived of data they want, but I don’t see the “AdWords” argument some are making. Even if you crank up AdWords, you don’t get the data SEO folks are looking for – so you’re not “paying to get the keyword data” anyhow. You may learn how some keywords behave as PPC, but that leaves out a lot of what SEOs are looking for.

  • Pat Grady

    Data companies that mine PII data from aggregated non-PII data, are the ones SEOs should be steamed at. Keyword data, in Analytics, is not PII, there is no privacy issue – as long as the data isn’t married to external data, and as long as we can trust G to not sell / rent / use / distribute the data… But this all changes when the 3rd party layer is added to this discussion. G knows the more PII that is cut out, the smaller the 3rd party issues become. They also know they have a financial, contractual relationship with advertisers, which means they can demand PII rules from AdWords users. Danny, you said sometimes search data is private, sometimes its not – I’m saying Google knows that what the data-consumers do with the data, is a key part of whether it’s a privacy issue, or it isn’t. Google cannot say that something is not a privacy issue, because I can bake a PII from the Non-PII I may get from G.

  • Danny Sullivan

    Pat, when someone clicks on an ad, PI info along with the search terms are transmitted in the clear, across the internet in the open, to an advertiser.

    That’s fine if Google believes, as I’ve been at pains to try and ask and get clarified, that the one-off transmission of terms like this is fine — if the concern is really about being able to intercept a stream of searches that might be linked to one person.

    Google won’t answer that question. And it’s completely valid from a privacy standpoint, regardless of any withholding of data on the SEO side.

    In fact, read the article again. I’m not talking about the SEO issue at all.

  • Arjan Bakker

    It’s all about the money…Someone once said; Do not be evil.

  • Danny Sullivan

    Pat, it would be a lot easier to have this discussion if Google itself would explain in what situations it considers search data to be private.

    RIght now, it doesn’t. It’s not saying or explaining that at all. It’s just saying that it made some change that supposedly protects privacy, but a change that seemingly has all these gaps unless it assumes in some situations, search term data is safe to expose.

    When those are, why those are, how it safeguards or feels data is safeguarded, it’s not saying.

  • Alistair Dent

    Hi Danny,

    I still think you’re conflating two issues that are distinct. I know it’s nitpicking, but it does confuse the argument somewhat.

    It’s not that organic clicks are encrypted and ad clicks are not. Clicks aren’t something that is encrypted, as such. The traffic when you perform your search is encrypted. The link between your browser and Google’s servers is encrypted. So when you pass info to Google (your search term) and they provide answers to you (the search results page), that’s all encrypted.

    The clicks are essentially not part of that argument.

    What happens to keywords then is slightly different. On organic clicks, the keyword is not passed. That’s a browser technology and I don’t think anybody’s confused there. But Google doesn’t suddenly say that it’s okay to pass unencrypted info on an ad click. Instead, the landing page includes a GCLID that Google’s own systems (Google Analytics) can turn back into a keyword (not search query) on the other end. The keyword wasn’t sent “in the open” as you state.

    I fully agree with the issue and the hypocriticism that Google seem to be displaying, but it’s not as simple an issue (and it’s incorrect to imply) that organic clicks are encrypted and ad clicks aren’t.

Get Our News, Everywhere!

Daily Email:

Follow Marketing Land on Twitter @marketingland Like Marketing Land on Facebook Follow Marketing Land on Google+ Subscribe to Our Feed! Join our LinkedIn Group Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Marketing News!

Marketing Day is a once-per-day newsletter update - sign up below and get the news delivered to you!