While Gabe's most recent post was a well-worded statement of his position, my guess is that Google's response was based on the billboard, which says "Google tracks you. We don't." On the website the billboard points to, Google employees are portrayed wearing ski masks and trying to spy on you. That does strike me as trying to encourage a bit of fear?
This is a browser issue that's not specific to Google or even to search engines, but Google is the only company mentioned on donttrack.us until you get to the "more tools" section at the very bottom. Meanwhile, Google is the first (and only) large search engine to offer https to the best of my knowledge. It's a one-character addition to http://www.google.com for anyone that feels strongly about this topic.
One is basically checking in with Google every time he visits any site that uses Analytics, embeds a YouTube video or a font from a Font Directory, or a Google-hosted Javascript snippet. Not to mention GMail. Don't know about other people but this bothers the hell out of me. So while I don't think DDG should've focused on the Referer issue, they got the core issue absolutely right. Google does in fact track everyone.
You don't win customers/users by saying "Our competitor is rubbish and here's why". You win them by saying "Our product is awesome and here's why".
Excuse me? You forgot the unwanted automatic opt-in for Google Buzz? Or doing a u-turn on net-neutrality in cahoots with Verizon? Or "accidentally" collecting wifi data?
This particular issue may not fall into that category, but the days of "don't be evil" are behind us. Like most major corporations, Google puts profit before ethics.
Google does have a tremendous amount of data on the connected part of the online population and it is a point in DDG's favor that they do not track their visitors.
Search leakage really is an issue, even if the majority of the people do not care they probably should and google could easily fix this, so is it going to or not?
Stop trying to spin this as "something that needs fixing".
The part in particular that is relevant is "All search engines and websites use referrer terms as part of the architecture of the web, but we recognize our responsibility to protect the data that users entrust to us and we give them meaningful choices to protect their privacy."
It is not a choice that you need to give a user -- you can just do it for them as it should not affect search results. The bottom line of the post is that Google can easily control this particular leaking of personal information, so why not do it? I cannot seem to get a straight answer to that question from you or anyone.
It's probably a complicated web of business relationships and strategies that is the answer for why Google would be reluctant to make such a change. It would cause a lot of upheaval and potentially ill will from companies affected by the change.
It would be an extremely bold move by Google to make to prevent search leakage by default. Does Google believe that encrypted.google.com appeases the users who are concerned? Does Google believe that it is only a minority of users that are concerned?
* Disable javascript
* Do a search
* Click on an https result
Your search terms are sent to the website as referrer. Referer https://duckduckgo.com/html?q=https
If you're going to claim to be whiter than white, you better cover all bases. I'll stick with the search engine that has a legion of brilliant programmers working hard to bring me great search results.
Dude, not cool. This is Hacker News. Please refrain from ad hominem attacks and stick to making intelligent comments that contribute to the conversation, please.
Referrers aren't needed for targeting. On that Gout example, Google knows you researched gout so they can target you with gout ads on sites that run AdSense or DoubleClick (which is a lot of ads). If you visited another site about gout that ran ads from a different network, then they too could target you. The referrer has nothing to do with it, it's what you're requesting.
If you don't want targeted advertisements, it's far more effective to use adblock or modify your /etc/hosts file than it is to use DDG.
http://www.w3schools.com/jsref/prop_doc_referrer.asp
Edit: AdSense at least does:
var ua=document
"&ref=",P(ua.referrer.substring(0,512))
Can't advertising networks insert code to pick up referrers in the same way?
I was ready to try duckduckgo if it could give me the results I wanted (Despite the hugely irritating UI and infinite scroll).
But the constant attacking Google seems bad business to me. It IS FUD. Google doesn't track you. Your browser sends a referer header, which it has done since the dawn of time. Who cares?
flagged.
I think you're going to lose a lot of goodwill Gabriel.
I truly believe this is an unnecessary leaking of personal information. And I address the browser argument directly in the post, as well as the argument that no one cares.
can you confirm quickly that you are proposing that search engines sanitize/anonymize referrer data, and not that they somehow change the referrer behavior?
that's missing the forest for the trees, i think. while it's true that the browser is what sends the referrer, Google has some say in 1) what the referrer is (ie, what url is sent as the referrer) 2) and what Google itself does with that information once they (Google) have received it.
Google could have a stated policy of discarding or anonymizing referrer data. to my knowledge, they do not (i will gladly be corrected on this). they could also structure their results pages urls in such a way that the search terms are not sent as part of the referrer.
for the record, i think that Gabriel has seriously messed up here. i think he's approached this issue in entirely the wrong way, that he is going to lose a lot of good will over it. however, that Gabriel has done something foolish does not detract from the technical merits of either his search engine, or his argument with regards to search leakage. either they're sound, or they're not.
i don't use duckduckgo (yet?). but his argument with regards to search leakage seems to be sound, even if his ad campaign is not.
I'm having a hard time coming up with a reasonable context in which this statement is true.
I think you're going to lose a lot of goodwill Gabriel.
FWIW, I switched my default search in Firefox to DDG last week, partially as a result of the recent "FUD". It's working well and I've already used it for queries that I would prefer Google didn't associate with my IP address. (I'm not logged in to any Google accounts in Firefox, but I am in Chrome, and I'd expect Google to be able to correlate them).
Let me put it this way: they don't target those ads so precisely by not having any information on you. On the contrary, they have lots of info. How safe and how anonymous that info is, that's up for debate.
It really is impressive that you're on their radar enough to warrant a reaction like that.
In his example, if the user actually clicked directly from Google to Wikipedia, Google would be the only one who knew about the user's interest in gout. Google isn't in the business of sharing this information (believe me, I wish they were ;).
In most cases that people might assume to be related to this, you search for Timbuk2 bags, click through to their site, then are bombarded with ads all over the internet for Timbuk2 bags. This has nothing to do with search leakage, this is retargeting. Timbuk2 drops advertiser pixels on their site so they can later target those users with advertising.
Most advertisers are stupid. They don't have the fancy tech to handle and parse search terms, target users, and display ads. They're probably using RMX or DoubleClick, where you only have the ability to retarget users that have seen certain pixels. They may be using AdSense or AdWords to target queries, but those are using Google's own data, which has nothing to do with search leakage.
I think DuckDuckGo rocks, but as someone working in the online advertising industry today, this issue seems manufactured for publicity. This information is useful in theory (and I'm sure a small number of companies are using it) but there are much bigger issues that are getting exploited by everyone.
If you are willing to click the link and go to the site, the site will most likely have some idea of why you are there, and what you are interested in, regardless of the referrer headers (because, you know, the site is hosting the content that you are reading).
It seems that if I am willing to visit the site at all, I should also be willing to disclose trivial information like this. So I'm not sure why I should care.
Saying that this is not disclosed also seems a little disingenuous. Referrer headers are pretty standard. If you have a problem with Google doing this, you also have a problem with pretty much every other site that uses hyper-links. It seems that there is a lot of useful semantic information that could be gathered by being able to identify which documents reference your document. Eliminating referrer headers seems like it would be a net loss (pun not intended).
the issue is not whether the destination site receives the search terms (and indeed, Gabriel suggests that they should continue to do so, either through the GWT, or some other method).
the issue is that currently, any advertising networks in use by the destination site also receive the search terms, via the same mechanism: the referrer. that's the crux of the issue.
while the destination site can't follow your traffic once you leave it, the ad networks, because of their large user base, frequently can. they can begin to build a much more thorough profile of who you are and what you are searching for than any single destination site could. whether that's an invasion of privacy is your call, but to many people it is. currently, they're simply unaware that it's happening.
Through this same mechanism wouldn't the advertising networks be privy to the content of the sites that I am visiting? It seems that even if we eliminate this, we still have issues with advertisers being able to track and create a profile based on the content of the websites you are visiting.
The headers do seem to create a direct link between a given search and a set of visited sites, but can't things like cookies and tracking pixels be used to the same effect? Possibly then using NLP to figure out the most important words on the page? Or the SEO terms that the website uses to get picked up by the search engine?
If you are going to let an advertiser post content on your site, it seems to me that it would be very difficult to keep said advertiser from tracking your users.
If the user uses Adblocking software or otherwise blocks the advertisers' sub-domains, does the advertiser still receive the referral headers?
I agree that the amount of information a well-tagged website can collect on users is frightening, but I don't think that stripping search keyword data from the referrer is the solution. I think Gabriel is going after the wrong thing.
Here's why: A good Search Engine will never send a user to a page that isn't textually relevant to the search they entered. In 99.9% of cases, the text they entered is ON the page they hit. So if a user searches for: [SOMETHING CREEPY] they will be hitting a page that already has [SOMETHING CREEPY] published.
To put it another way: "Your Keyword data is never going to give a website something it didn't already have. It's just going to reveal what pieces of its content are of interest to you."
On the other hand, I think the gout example was google ads, not an ad network on wikipedia, so hiding referrer info wouldn't have helped.
In most cases the "leakage" is pretty minor from search engine to page, the big leak is from page to ad network.
If you are concerned about Ad Networks having so much data on you, clear your cookies and block cookies from them. Then they will never be able to string together more than one piece of data.
I struggle to see how this could work in a way that's a fraction as useful to webmasters as the current system. Sites that sell things like to tie keywords to conversions. They can learn, for example, that keyword X drives sales, but keyword Y doesn't, and assign resources accordingly. Online businesses become more efficient, and searchers get more of what they want. I think it's largely a good thing all round.
My respect goes to DuckDuckGo for coming up with a clever way to differentiate themselves from their competition. However, if the problem is that sites are inadvertently sharing keywords with third-party ad networks, then point the finger at those ad networks, not at Google. Blaming Google makes about as much sense as blaming Firefox, Safari, Internet Explorer and the web in general for sending referrers in the first place.
I also don't think that the keywords are shared with 3rd party networks explicitly. I think what's happening instead is that you search for something, you land on a page relevant to that something, and the ad network code is reading the content on the page and assigning a keyword target or theme to your search. For example, you might search for a Ford F-150 and you get to Edmunds and the ads are sold on a "by make/model" basis using ad segmentation so the ad network now can assign your cookie a "Pickup trucks" behavioral tag but it never had to read the referrer header, it was implied.
There is absolutely no reason that Google should break the web to pacify this guy.
It also seems worth noting that if for some reason you wish to continue using Google instead of DDG, and if you are concerned about the potential privacy issues, you can already change your browser not to send the referer header:
http://kb.mozillazine.org/Network.http.sendRefererHeader
https://chrome.google.com/extensions/detail/dkpkjedlegmelkog...
Sorry about the sloppiness with HTTP_REFERER vs Referer. You are correct --- I tend to think of it from the CGI point of view rather than browser. Browser sends Referer as an HTTP header, which web servers commonly set in the environment as HTTP_REFERER. Thus the question should be "Why not have browsers default to not sending the HTTP Referer header?"
Equally likely is that this concerned user clicked on a different health-related site with an ad network that classified him according to that site's content or stated category -- there's simply no evidence that the aggregation of search terms happened.
Note: I'm not saying the story couldn't be true, just pointing out that no technical evidence has been presented to rule out the other possibilities.
SSL pages prevent referer headers from being sent.
Easy.
The country specific pages don't have equivalents, so no encrypted.google.co.uk, but you can get the same effect using the gl parameter in the URL, so the url for a UK search would be:
https://encrypted.google.com/search?gl=uk&q=foo
Get your list of valid country codes here: http://www.google.com/cse/docs/resultsxml.html#countryCodes
But one could excuse the billboard potentially to a person trying to highlight that this is a big issue. But again, this seems quite different from an incumbent that is trying to cast doubt via obfuscation, which has usually been the case in FUD...
Chinese walls should take care of that.
And if those are not in place then google has bigger problems.
It also blocks referers being sent from localhost/local URLs. I would be interested in trying out an option that only allows referers to be sent to the same domain or its subdomains. The interesting part is seeing how many things that option would break.
EDIT: Forgot the link.
https://addons.mozilla.org/en-US/firefox/addon/no-referrer-m...
The web as we know it has been built on the assumption that search engines pass along keywords in referrer data. Changing this would have a significant negative impact on a lot of businesses. Considering that most users don't really seem to care about privacy, at least if you judge by actions and not what they say, I don't see why a company like Google would ever stop sending along keyword data to webmasters. They'll piss off webmasters who buy ads from them, and it won't help them increase their share of the search market.
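As an added illustration of the mechanism debated in this thread (not code from any commenter, Google or DuckDuckGo), the Python sketch below models the classic browser rule from RFC 2616 section 15.1.3, under which a page loaded over HTTPS sends no Referer to a plain-HTTP destination, and shows which search terms a destination could read from the header. The function names, the example.org destinations and the `q=gout` URL are constructed for the example; the other two source URLs are the ones quoted in the comments above.

```python
from urllib.parse import urlsplit, parse_qs


def referer_sent(source_url, dest_url):
    """Return the Referer value sent when following a link from source_url
    to dest_url under the RFC 2616 rule, or None if the header is withheld."""
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    # A securely loaded page does not reveal its URL to a non-secure request.
    if src.scheme == "https" and dst.scheme != "https":
        return None
    # The fragment part of a URL is never included in Referer.
    return src._replace(fragment="").geturl()


def leaked_terms(referer, param="q"):
    """Search terms the destination (and scripts on it) can read, if any."""
    if referer is None:
        return None
    values = parse_qs(urlsplit(referer).query).get(param)
    return values[0] if values else None


def origin_only(referer):
    """Sanitized form: keep scheme and host, drop path and query."""
    if referer is None:
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}/"


# Constructed click-throughs: (results page URL, destination URL).
CLICKS = [
    ("http://www.google.com/search?q=gout", "http://example.org/gout"),
    ("https://encrypted.google.com/search?gl=uk&q=foo", "http://example.org/"),
    ("https://duckduckgo.com/html?q=https", "https://example.org/"),
]

if __name__ == "__main__":
    for source, dest in CLICKS:
        ref = referer_sent(source, dest)
        print(dest, "| Referer:", ref, "| terms:", leaked_terms(ref),
              "| sanitized:", origin_only(ref))
```

The third case is the one raised in the thread: an HTTPS results page linking to an HTTPS destination still passes the query string unless the results page itself keeps the terms out of its URL or redirects through a neutral one.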