Google has made a major change to the way secure search works for signed-in users of its services. If a user is signed into a Google account, any search performed will now be carried over Secure Sockets Layer (SSL) and will no longer pass the search term referrer data. However, Google has also said that search term referrer data will be passed to advertisers who use its pay-per-click product.
The SEO community is crying foul over Google’s claim that this move is to better protect user privacy, because there is a double standard in the implementation. The message seems to be that if you pay Google, you can have the search referrer data. However, the counter argument is that this is part of a wider move to create a more secure web experience.
What Has Changed?
- All users who are signed into Google services will be redirected to the Google Secure Search site when performing searches.
- All users who are signed into Google services will have their search queries encrypted (via Google Secure Search).
- Secure site searches that lead to clicks to organic results will not pass the search query string via the referrer. According to the Google Analytics blog, the change will mean that:
  - The organic click will be identified as coming from Google.
  - The organic click will be identified as “organic” but will no longer display the query string.
  - The organic click will be identified under the token “not provided” within Organic Search Traffic Keyword reporting.
- Secure site searches that lead to clicks via search ads will still provide the search.
From the blog post, Google claims to be merely following suit with Twitter and Facebook, and maintaining its commitment to the Electronic Frontier Foundation’s initiative called HTTPS Everywhere.
However, there seems to be one rule for security and another rule for advertisers, which means the move has been met with suspicion.
While there is some recognition that security is an important consideration, it seems extremely odd from outside the Googleplex. On the one hand, Google claims to be ‘concerned’ for user privacy, particularly over personalized search, while on the other hand they are enabling AdWords advertisers to essentially buy the private data they claim to protect.
Stephen Cobb, Security Evangelist from ESET, told Search Engine Watch that Google’s latest move, “addresses the concern that a consumer’s search activity can contain sensitive information, knowledge of which might be abused. For example, that information can be gathered without your knowledge if you are searching the Web over an unencrypted connection, and then used against you; or some website that you visit might use the referrer data inappropriately.”
Cobb went on to say that the move is good for privacy, but is in danger of not being sufficiently hardline. That secure search is only activated for a subset of Google users makes the company seem less committed to privacy.
“Encrypting referrer data with SSL makes it harder to spy on people’s search activity and that will be welcomed as a step in the right direction by some privacy advocates, but others will probably criticize Google for leaving two big loopholes. First, the search term will still be passed along when the consumer clicks a Google ad. Second, the SSL encryption only applies to people who are “signed in” to Google search. The fact that people who pay to place ads on Google will still get the referrer data is worrying on several fronts. First, it makes it look like Google is saying the referrer data is valuable to website owners, which makes it harder to argue that blocking the data is not a blow to website owners. And Google will find it hard to say that it is fine for consumers to connect to search without SSL. However, I don’t see this as Google trying to drive search spending from SEO to PPC, although that might be one effect in the short time. Google seems to be very genuine in its desire to improve search privacy.”
In fact, it is worth noting that it may be simply for practical reasons that Google will only pass referrer data to AdWords advertisers. SSL only strips referrer data when the traffic is sent to a non-secure connection, but that same data is kept intact between two secure connections.
So it’s possible that what we are really seeing is not a direct battle between SEO and PPC, but an attempt by Google to barter web data in order to leverage security as a quality control factor. Although Google is not being completely transparent about how or why the referrer data is passed or not, it’s feasible that if webmasters make their sites more secure via SSL, they will get to see referrer query data from signed in secure search users.
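To make the mechanics concrete, here is an added example (not from the article or from Google) of the default browser rule described above, paired with what a landing site's analytics can recover from the header it receives. The hostnames, URLs, function names and the `SEARCH_HOSTS` allow-list are constructed assumptions.

```javascript
// Added example (not from the article). Hostnames, URLs and function
// names are constructed for illustration.

// Referer value a browser sends when a link on fromUrl leads to toUrl,
// under the default rule: omit the header on a secure -> non-secure hop.
function refererSent(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  from.username = '';   // credentials never travel in a Referer
  from.password = '';
  from.hash = '';       // neither does the fragment
  return from.href;
}

// What the landing site's analytics can recover from the header.
// SEARCH_HOSTS is an assumed allow-list of search-engine hostnames.
const SEARCH_HOSTS = new Set(['search.example']);

function classifyVisit(referer) {
  let ref;
  try {
    ref = new URL(referer);   // null or malformed input throws here
  } catch {
    return { source: 'unknown', medium: 'none', keyword: null };
  }
  if (!SEARCH_HOSTS.has(ref.hostname)) {
    return { source: ref.hostname, medium: 'referral', keyword: null };
  }
  const q = (ref.searchParams.get('q') || '').trim();
  // Search engine identified, but no query string: the "not provided" case.
  return { source: ref.hostname, medium: 'organic', keyword: q || 'not provided' };
}

// Constructed results page and landing pages.
const SERP = 'https://search.example/search?q=discount+coffee+tables#top';
const toPlainSite = classifyVisit(refererSent(SERP, 'http://shop.example/tables'));
const toSecureSite = classifyVisit(refererSent(SERP, 'https://shop.example/tables'));
const queryWithheld = classifyVisit('https://search.example/url?id=1');
console.log({ toPlainSite, toSecureSite, queryWithheld });
```

Only the HTTPS landing page sees the keyword; the HTTP one receives no referrer at all, and a referrer that names the search engine but carries no query lands in the “not provided” bucket.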
How Many Searches Will it Affect?
Matt Cutts told Danny Sullivan that secure search for signed in users is “estimated even at full roll-out… would still be in the single-digit percentages of all Google searchers on Google.com”.
The estimated number floating around in online rumors is “7% of people searching Google.com”, which is about 69 million people worldwide according to Eli Goodman from comScore. However, he noted that this number may also be overstated as the data loss only affects clicks, not actual searches performed. Nonetheless, if you use products like Gmail or Google+ on your mobile, you may have noticed recently that searches on your mobile device are logged into Google when you search. As most mobile users are not in the habit of deleting cookies or logging out of services, this change will likely affect a greater percentage of mobile device searches.
Sullivan’s report concluded, “the future is clear. Referrer data is going away from search engines, and likely from other web sites, too” adding that “It’s somewhat amazing that we’ve had it last this long, and it will be painful to see that specific, valuable data disappear.”
There is undoubtedly a sense sweeping around the community that the subtext of Google’s position is a message to SEOs that referrer headers are Google’s data and they can do whatever they like with it. However, one could equally argue that making our data crawlable in the first place gives us a right to know how our sites are found. Should we be shaking fists for losing it or shaking hands for having it in the first place?
Despite the possible double standard over this change affecting some searches and not others, practically speaking, Google simply could not kill off all search referrers as privacy advocate Chris Soghoian suggested, because that would be met with massive protest.
The SEO community has already mounted vehement responses calling the privacy claim a smokescreen for Google to quietly kill off third party ad networks and retargeting companies. Joost De Valk, freelance SEO consultant and WordPress developer, said that greater privacy for search users is a ‘mere pretext’ for anti-competitive behavior aimed at search retargeting networks such as Chitika and Chango. Ian Lurie, Chief Marketing Curmudgeon and President at Portent, said Google has “done this for one reason, and one reason only: To shut out competing ad networks.”
Overall, there is a lot of confusion over what the impact of stripped out referrer headers really means. Internal speculation among our own SEW Experts reached no particular consensus.
Bill Hunt, who, amongst other things, specializes in advanced keyword modeling, said:
“I personally think this is a ploy to downplay the value of SEO. If you can’t track performance at the keyword level do they really think that is enough to push people into paid? So why not block this for paid too – is it because we paid for the click? That to me is the “controversy” why are those clicks any less private? Why are they now all concerned about ‘privacy’ and why are they not leading a charge for others to do this? I think this will piss a lot of people off and create a PR mess that far exceeds the idea that a searcher actually cares that a site knows what keyword you used to find their site.”
Many of the community reactions I have heard reflect a growing sense of distrust and apathy towards Google, and there is a sense in which the announcement was badly handled.
Hunt went on to say that, “I wonder what that ‘premium data’ cost will be sold for down the road? Wonder if it will be free in the Enterprise Analytics solution?” The sentiment that the lost data will later surface in Google Analytics Premium was echoed as a concern internally and in comments across the web.
Sarah Carling, Co-founder at Obsidian Edge, said:
“If the group that this affects were to become large enough, it could have a serious impact on the conversions for any business not running AdWords, it should also be stressed that the AdWords data may be of little use due to differences in conversion between AdWords and organic traffic. However, it’s also key to avoid any knee jerk reactions, there isn’t going to be a large impact felt from this for some time, so instead of being something to worry about, it should simply provide further motivation to broaden data collection points.”
Regular SEW contributor Alex Cohen said:
“At the end of the day, I believe in more transparency, not less. I think it’s important for marketers to have a choice of more data, not less. If the concern is privacy, similar to retargeting and behavioral targeting, let’s give users a choice. If they want to cloak this information, make it a setting in their Google profile instead of a system-wide change forced by Google.”
And in reaching out to the wider community I found that the move has been met with disapproval and is perceived to be an attack on SEO and data quality.
Scott Smigler, President of Exclusive Concepts and co-chair of SEMPO Boston Working Group, said:
“This change in policy is bad news for website owners who want to use analytics to improve onsite experience for their visitors. For example, if we know that 90 percent of shoppers who land on a particular landing page after searching for ‘discount coffee tables’ bounce from the site before browsing, we would try to figure out how to offer a better site experience for those shoppers who are clearly not finding what they are looking for. By restricting referral data from clicks on organic search results to users who are not logged in, we will be working with a much smaller data set.”
Attack on Ad Networks?
The question of whether Google intends to kill off certain search retargeting ad networks in this move has been raised by many parties. Sister publication ClickZ noted that Google’s decision is a buzzkill. As Zach Rodgers investigated, the question of search data being used to retarget display ads is a thorny issue for Google, especially in light of regulatory interest in the company. Given their own sensitivity, and the fact that they do not sell the product themselves, it may have only been a matter of time until Google made moves to cut off the air supply to companies that were selling retargeted ads based on their search data.
Indeed, Josh Shatkin Margolis of search retargeting company Magnetic confirmed with Search Engine Watch that, hypothetically speaking, unscrupulous companies could take the referrer data from search and retarget a user’s cookies with ads related to that search – or sell that data to another ad network. Therefore it could be argued that if Google search represents the glue that binds an ecosystem of sites together, then this latest strategy is no different to Twitter or Facebook vetting their own ecosystem of apps. After all, anyone can build a business on the fact that Google typically passes the search referrer header.
However, strategically speaking, encrypting referrers does not only affect retargeting. It also affects the ability of landing page optimization companies to customize websites to the search term, and the less referrer data is passed, the harder it is to create intention-based architecture. While Google may personalize search results, webmasters are put in the arguably unfair situation of not being able to personalize their own websites in return.
With that in mind, one has to wonder whether Facebook’s Instant Personalization feature is also a target – but that is pure speculation on my part.
In Conclusion, What Can We Do?
To echo much of the sentiment above, we have to keep things in perspective and realize that:
- Initially this change won’t affect many search queries.
- Google is committed to HTTPS Everywhere and the one rule for advertisers and another for organic search traffic may simply be a technical consideration around how SSL works in general.
- Regardless of their commitment to HTTPS Everywhere, Google must maintain search query data for its paid product, because that is fundamental to how their product works.
- The data of actual search terms is available in aggregate form elsewhere, via Google Webmaster Central.
- In most cases, analytics is performed at a custom segment level, rather than at the absolute granular level of individual keyword analysis.
- One could create a custom segment in Google Analytics to at least monitor the overall performance of conversion of visitors arriving on the “not provided” token within Organic Search Traffic Keyword reporting.
But, equally we must caveat our perspective with the recognition that:
- In the grand scheme of things, the growth of mobile search may mean that the market share of encrypted searches is likely to increase in tandem.
- Google has a tendency to make announcements in tandem, so we may fairly speculate that Google may be on their way to release a search retargeting product which plays off the data of USP around data security.
- Ultimately, by encrypting data, Google is saying that they own all the referrer header information they send to other websites and that we can expect them to do whatever they like with it in future.
- When Google uses its weight to try to leverage new quality factors on the web, we probably have to listen, and a push for HTTPS is no different to announcements around Page Speed and new image and video formats like WebM. It is probably time to put HTTPS on the agenda.
- Google likes to reward companies who work to make the web less of a ‘cesspool’ – their commitment to HTTPS in personalized search may ultimately be rewarded via Google+ apps, in which Facebook Instant Personalization style features will be granted to companies who look to do a deeper integration with Google+. That your site is served via SSL will most likely be the lowest bar to entry into such a program.