
The solution is to use these plugins ..
Adblock, Cookie Autodelete, Noscript, Remove Google Redirect
Between October 25, 2006, and September 30, 2013, Google allegedly revealed searchers' personal information to third parties in violation of privacy promises. Now, those who used Google Search and clicked on a search result link during that period can recoup a small portion of the cash the search ad biz collected. Doing so …
None of those will help. The Referer header is inserted directly by browsers into the HTTP request, nothing to do with cookies, JavaScript or third-party embeds.
To be honest, I'm struggling to understand what exactly Google is supposed to have done wrong here. Having the search terms being part of the results page URL is an artefact of how web pages generally work, historically at least, and it allows you to bookmark and/or share a search. Or programmatically construct a search URL.
I get that Google never bothered to offer an opt out from this behaviour (the Referer header) in its browser, but the article talks mostly about Google search, not Chrome. Which makes no sense: Google.com doesn't insert the Referer header, the user's browser does.
I used to configure Opera not to do this back in the pre-Blink days. It doesn't seem to be an option in current Vivaldi or Firefox; does any current browser offer this?
-A.
It was Google who decided to make the search expression part of the results' page's URL. Which is how the information leaks.
They didn't have to do that, but it was a simple technical fix to what I imagine was quite a complex problem and they went with it. That was very much their decision.
None of those will help. The Referer header is inserted directly by browsers into the HTTP request, nothing to do with cookies, JavaScript or third-party embeds.
Correct. However, in Firefox you can disable that function:
- URL about:config and acknowledge that you can safely be left alone with scissors;
- search for "network.http.sendRefererHeader";
- set the value to "0".
hmmmm, I don't think that's going to help. I've assembled a rather lengthy host file with everything Google set to 127.0.0.1 when I find it. I do have web pages with large blank holes, but it's better than flashing ads for dick pills and ancient Japanese remedies for better prostate health.
Not sure how it's going to work... Since this is searches from any OS / browser over a 7-year period, it's impossible to identify all of the potential claimants, nor will it be possible to prove that one is a valid claimant (even though in practice "did a Google search and clicked on a link while in the US over a 7-year period" is probably 95-99% of US adults, at least 200 million I would say). What will probably happen is that most people will (a) never even hear about it (b) most will not bother to jump through all the hoops for $7 (c) a bunch of applicants will be rejected by the administrators because paperwork and bureaucracy and, most of all (d) the administrators / lawyers will be taking their cut, as is usual with class actions.
So end result is probably $20 million divvied up between the lawyers and $4-5-ish dollars each to a million-ish people
I am thinking of a movie in which Steve Martin's character had to write individual checks for $7.01 to millions of people, and you see him going..
"Pay to the order of... Jim Smith. SEVEN DOLLARS AND ONE CENT!!!"
"Pay to the order of... Harriet Jones. SEVEN DOLLARS AND ONE CENT!!!"
If the full URL of the website that the address came from is passed through to the linked-to website, query_string and all, that is purely a BROWSER issue, not a website issue.
Sure, websites can mitigate it by redirecting to a POST url on their page before presenting the result, but this itself is a bit of a hack.
Basically, if I search the register for "I love trump", the returned page is:
https://search.theregister.com/?q=i+love+trump
If there happens to be any external link on that page (e.g. an advert), they will get that full information in the Referer header (as determined by the browser). Should The Register be sued because the browser revealed my secret?
Does the register now need to replace all search results with POST instead of GET?
The difference is your example is a single site search. The search string is already known by the server where the links take it. Also, your example is a URL, which differs from a referrer string.
In the case of a Google search, the destination site when following a link is not (usually) google.com, but a site which matched the search. That site only gets the search string if provided by the referrer string.
There are two points where the referrer string is controlled. First, the referring server generates the string. Second, the browser can modify the string before presenting it to the destination server.
Google is now frequently representing both the search server and the browser. Most people just accept the defaults which will result in the search terms being in the referrer string.
Now, for the $32 million dollar question. My top of the head math tells me the estimated individual share is optimistic by maybe an order of magnitude. Seventy or so cents seems more like it unless there are far fewer Google users than I am thinking.
Sorry, you're wrong.
A "single site search" is irrelevant.
If you are on a web page, and you click on some link, the full URL of the current page, query and all, are passed in the referrer header to the link you click on. The browser sets that. That's the point. That's how it's always worked. And exactly my point, if there is an issue, THERE is the issue - with the browser.
The only real way around it is to change what browsers do.
The only way a server can guarantee it is to purposely cause the URL of the current page to be changed - this is a conscious effort to subvert the normal method of operations.
You could do this either by making the whole request a POST rather than a GET operation (which may not be suitable), or you fudge some extra page reload - an extra hop inbetween the results page and the clicked-on link - this could either be done by some sort of automatic browser redirect, or via an "exit page" (i.e. a "you are about to leave this site, do you want to continue" page)
More recently, a "referrerpolicy" / http header have been added to the spec, and I suppose you could argue google is remiss if they haven't included those (I don't know whether they have or not), but again, that only works if the browser understands and decides to honour those headers.
TL;DR - This is a spec / browser issue. Google aren't intentionally leaking the query string - they may not have been actively kludging ways to filter it out, but they were never actively setting it.
You should read this: https://www.rfc-editor.org/rfc/rfc9110.html#name-referer
A "single site search" is relevant in that the query information is already known to be associated with the particular client. It is only known to a different site in a search for third party sites when the client follows the provided links and it is included in the referrer.
I am viewing the process from a step before the form being filled and returned to the server. I am viewing it from the blank form being presented to the browser. A search provider for third party sites concerned with privacy should really not set up the browser to fail.
The browser does not decide to use a GET method for the search form. The server provides the form with the GET method. The server is where it is known that third party links will be provided. So, yes a POST method search form is what the server needs to provide to the browser. GET and POST are not seamlessly interchangeable so the browser cannot just simply use POST instead, the server has to be prepared for a POST and the best way is to present a POST method at the time of form delivery to the client.
The browser can alter the referrer prior to making the request to the third party server.
Google search is using the GET method knowing full well that most links provided to the query will be third party and will result in a referrer with the query embedded. Leaving it up to the browser entirely to prevent the query from being seen by the link destination server.
The second part is the browser does have a role. It is permitted to change the referrer. There are rules it is supposed to follow and ones it should. Implementing those rules pertaining to sensitivity of information is challenging for the browser. The only way to be sure is to always strip the query portion from the referrer if the link is going to a different server or domain.
As far as I know, Google is still the search leader and now the browser leader.
Google is not the only search provider guilty of setting up the search result to include the query so a referrer with the query will be presented to a third party. Nor is Google the only browser provider guilty of sending the search query off to a third party by design.
Times have changed and it has been realised that more information is sensitive than previously thought. Google would prefer that we keep doing things the old way as long as possible.
Well, even on a "single site search", any search results page that you get back will leak to a third party site not only if you click, but if there are banner ads etc.
In my example earlier of "https://search.theregister.com/?q=i+love+trump", the server that provides any ads on that results page will get that query string as a consequence of the fact that the request to the ad server will contain that full URL as the referrer, whether I click it or not.
But I get what you're saying - on a google search, *ALL* links by design are off-site.
I do understand your overall point.
I guess I'm thinking of it from a "This is how it's always worked, it's a consequence of the protocol - Google haven't gone out of their way to leak things"
whilst you're thinking of it more as "The web isn't the safe place it once was. Google knows this referral leak happens. They should have proactively mitigated the problem"
Cheers!
P.S. Not my downvote!
"Seventy or so cents seems more like it unless there are far fewer Google users than I am thinking."
What I usually see in class-action payouts is the tell-tale term "as much as" in front of the amount or as a footnote which will also state the amount will vary depending on the number of claimants. $7.70 is likely the max as ordered and it just goes down from there. You might spend more money in petrol taking that check to the bank. You'd certainly not want to hand them your banking information for direct deposit.
At least this is money. Given the decades of free credit monitoring I have at this point, to be offered more as a settlement would be silly. I know that in this case that wouldn't be as appropriate. I do think that when it comes to these sorts of judgements, they need to really hurt the company rather than just waggling a finger and giving them a stern look.
@hayzoos "There are two points where the referrer string is controlled."
No, it is just the user agent, that would be the browser. When you click on a link the browser creates the referrer string from the URL of that page.
If you follow this link google.com your browser will create the referrer string “https://forums.theregister.com/forum/all/2023/06/17/google_searchers_from_years_past/” because that is the url of this page.
A search engine (Google, Bing, duckduckgo) page is no different. Follow this link Duckduckgo.com then follow a link on that page; your browser will generate a referrer string from that page's URL "https://duckduckgo.com/?va=v&t=ha&q=david+bowie&ia=web/", a URL that has the search items in it. But just like the Register example above, it is because that is the URL of the page the link was on.
In both examples the browser controls the referrer string not the site with the link.
I upvoted you, and made a similar point myself in reply to the first post at the top of this page, but in fact there *is* a mechanism for the web server to ask the user agent to modify the usual Referer header, and it is briefly alluded to near the end of the article: the Referrer-Policy response header. It's a relatively recent addition to the HTTP spec, though, so wouldn't have applied in the time frame of the alleged offences.
-A.
Today you can see if you inspect their source (<meta content="origin" name="referrer">) Google and the other search engines use that mechanism. But in 2013 the link provided in the article shows most browsers would not have supported that and would have populated the referrer string with the full URL.
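An added example (not code from any poster in this thread, and not Google's or any browser's code) that models the W3C Referrer Policy algorithm: given the URL of the page a link sits on, the URL it points to, and a policy name, it returns what the browser would put in the Referer header. The policy names are the real spec values; `no-referrer-when-downgrade` is the behaviour browsers had by default in the 2006-2013 period (full URL, query string included, unless leaving https for http), `origin` is what `<meta name="referrer" content="origin">` asks for, and `strict-origin-when-cross-origin` is the default current Chrome and Firefox ship. The results-page URL, the search term and the destination hosts are constructed for the example.

```javascript
'use strict';
// Added example, not code from the forum thread or from Google: a model of
// the W3C Referrer Policy algorithm, i.e. what a browser puts in the Referer
// header when a link on `pageUrl` is followed to `targetUrl`.
// Policy names are the real spec values; every URL fed in below is constructed.

// Whatever the policy, a referrer never carries credentials or the fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u;
}

// Returns the Referer value as a string, or null when none would be sent.
function computeReferer(pageUrl, targetUrl, policy = 'strict-origin-when-cross-origin') {
  const page = stripForReferrer(pageUrl);
  const target = new URL(targetUrl);
  const full = page.href;            // path and query string included
  const origin = page.origin + '/';  // scheme + host (+ port) only
  const sameOrigin = page.origin === target.origin;
  // "Downgrade": leaving an https page for a plain-http destination.
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';

  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return full;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;  // historic default
    case 'origin':                     return origin;
    case 'strict-origin':              return downgrade ? null : origin;
    case 'same-origin':                return sameOrigin ? full : null;
    case 'origin-when-cross-origin':   return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':                              // current default
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// What the destination site could read out of the Referer: the search engine's
// query parameter, or null if the policy stripped it (or no Referer is sent).
function leakedSearchTerms(pageUrl, targetUrl, policy, param = 'q') {
  const referer = computeReferer(pageUrl, targetUrl, policy);
  if (referer === null) return null;
  return new URL(referer).searchParams.get(param);
}

const POLICIES = [
  'no-referrer', 'unsafe-url', 'no-referrer-when-downgrade', 'origin',
  'strict-origin', 'same-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
];

// One entry per policy: what the third-party site sees for this search.
function leakTable(pageUrl, targetUrl) {
  return Object.fromEntries(POLICIES.map(p => [p, computeReferer(pageUrl, targetUrl, p)]));
}

// Constructed results-page URL and constructed third-party destinations.
const resultsPage = 'https://www.google.com/search?q=abortion+clinics+indianapolis';
console.table(leakTable(resultsPage, 'https://clinic.example/'));  // cross-origin, same scheme
console.table(leakTable(resultsPage, 'http://clinic.example/'));   // cross-origin, downgrade
```

Run it with `node` and compare the two tables: under the historic default every https destination receives the full query, while under the current default only `https://www.google.com/` crosses the origin boundary, and an http destination gets nothing at all. Note that this models the policy only; a browser setting such as Firefox's `network.http.sendRefererHeader = 0` overrides all of it on the client side, which is the point several posters make about where control really sits.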
Yep!!
Though I think it's a bit of a kludge - as you know, it's asking the browser not to send the referrer string in the normal way, but if that was something I really wanted to happen with my website, I'd feel uneasy relying on such a thing to work - even when we get to the stage that most browsers honour it, it's still "asking the browser a favour" - if it was that important to me, I'd mitigate it server-side.
So, it still comes back to the fact that this is all a function of the protocol, and not Google intentionally doing something dodgy!
Yeah. I mentioned that in my subsequent reply, but should have mentioned it in the post you are replying to.
But as you say, it's a relatively new addition, and even then it's *asking* the browser not to send the string. My main overall point was that Google wasn't proactively leaking information in the way the suit implies.
Cheers
You search for that, you get a page with those search results.
What you do not do is then click an external link to outside of El Reg's ecosystem that also passes your search term to an unknown third party.
An example used is the search term "Abortion clinics Indianapolis". Let's make this current and change that search term to "Abortion clinics Texas".
If you were to search that today and click what looks to be a legitimate link to an actual clinic but is actually a Conservative anti-abortion group's site, they now have your IP address and your search term and can do *whatever they like* with this information as they can collect it without any interaction with a privacy policy or whatever. You're in a shithole US state so there's no GDPR covering your pregnant ass.
There are ways to protect yourself through a VPN or TOR but most people don't use those services.
"You search for that, you get a page with those search results. What you do not do is then click an external link to outside of El Reg's ecosystem that also passes your search term to an unknown third party."
I get the point that with a search engine like google, you are by design going to click an external link, but my point was about how the referrer system worked - and the same thing would happen *IF* you clicked on an external link off The Register's search page.
But there's one thing you are forgetting - the referrer is also sent to all objects the webpage loads, so even if you don't click on an external link, that referrer info is sent to the ad brokers who serve the advert images on the site, and any third party javascript providers (in the case of https://search.theregister.com/?q=i+love+trump, that would be 2 requests to doubleclick, and 1 to googletagmanager).
P.S. Not my downvote!
"this meant third-parties received not only personal information people submitted in search queries, like names, credit card numbers, and social security numbers, but also other information that might later be used to deanonymize an individual and build an identifying profile"
How many people search for their own credit card, SS number, etc? How many websites are likely to contain that information on an indexed page?
Back in the days when I used to run websites, I kept an eye on the search terms that were bringing people to my sites, and I don't recall ever seeing any that included a name, cc or ss number, or anything remotely like it. They were all terms related to the page content, and it was really useful to see which terms were bringing traffic.
Note that I didn't know and didn't care who the visitors were. All I cared about was whether my SEO was working for the terms I was targeting, and whether there were other terms that I should be targeting.
If people were really finding their way to a site by searching for their cc or ss number, perhaps they should have been more concerned about why that site had a page containing that information in the first place. It follows that any site that contains that information already knows it, and probably a good deal more, and therefore doesn't need to extract it from headers.
Of course, any improvement to privacy is a good thing. But I can't help thinking that (in general, there are no doubt limited specific instances of serious breaches) this is all a bit overblown - person enters private information into search engine, arrives at page containing that information, is horrified that site receives copy of the information it already has. Maybe don't input private information into search engines? Just a thought.
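The poster above describes watching which search terms brought visitors to a site; this added example (not code from anyone in the thread) shows the destination-side mechanics of that: parsing Apache/nginx "combined" access-log lines, picking out the Referer field, and extracting the search engine's query parameter when the referrer is a results page. The log lines, IP addresses (documentation ranges) and paths are constructed; the mapping of engine hostnames to query parameter names (`q` for Google, Bing and DuckDuckGo, `p` for Yahoo) is an assumption about URL layouts that has held in practice but is not guaranteed. The example also goes one step past the post: the third sample line carries an origin-only referrer of the kind current browsers send, so it shows why such sites stopped seeing terms.

```javascript
'use strict';
// Added example, not code from the forum thread: what a destination site could
// read out of the Referer header in its own access log. The log lines below are
// constructed (Apache/nginx "combined" format) and use documentation IP ranges.

// Known search engines and the query-string parameter that carries the search.
// These parameter names are an assumption about each engine's URL layout.
const SEARCH_ENGINES = [
  { name: 'google',     host: /(^|\.)google\./,         param: 'q' },
  { name: 'bing',       host: /(^|\.)bing\.com$/,       param: 'q' },
  { name: 'duckduckgo', host: /(^|\.)duckduckgo\.com$/, param: 'q' },
  { name: 'yahoo',      host: /(^|\.)yahoo\.com$/,      param: 'p' },
];

// "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Parse one log line; returns null for lines that do not match the format.
function parseCombined(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    request: m[3],
    status: Number(m[4]),
    referer: m[6] === '-' ? null : m[6],  // "-" means no Referer header was sent
    userAgent: m[7],
  };
}

// If the referrer is a known search engine, return { engine, terms }.
// `terms` is null when the query string was absent (e.g. an origin-only referrer).
function searchTermsFromReferer(referer) {
  if (!referer) return null;
  let u;
  try { u = new URL(referer); } catch (e) { return null; }
  const engine = SEARCH_ENGINES.find(e => e.host.test(u.hostname));
  if (!engine) return null;
  return { engine: engine.name, terms: u.searchParams.get(engine.param) };
}

// Walk a whole log and collect every visit that arrived with search terms attached.
function leakedSearches(logText) {
  const out = [];
  for (const raw of logText.split('\n')) {
    const entry = parseCombined(raw.trim());
    if (!entry) continue;
    const hit = searchTermsFromReferer(entry.referer);
    if (hit && hit.terms !== null) {
      out.push({ ip: entry.ip, engine: hit.engine, terms: hit.terms, path: entry.request.split(' ')[1] });
    }
  }
  return out;
}

// Constructed sample log: two 2013-style full-URL referrers, one direct visit,
// and one 2023-style origin-only referrer that carries no query string.
const SAMPLE_LOG = `
203.0.113.7 - - [12/Jun/2013:14:02:11 +0000] "GET /clinic HTTP/1.1" 200 5120 "https://www.google.com/search?q=abortion+clinics+indianapolis" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2013:14:02:19 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jun/2023:09:10:00 +0000] "GET /clinic HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [17/Jun/2023:09:12:41 +0000] "GET /faq HTTP/1.1" 200 1024 "https://duckduckgo.com/?va=v&t=ha&q=david+bowie&ia=web" "Mozilla/5.0"
`;

console.table(leakedSearches(SAMPLE_LOG));
```

The point the code makes concrete is the one the thread argues over: nothing here requires the destination site to do anything clever or to know who the visitor is. The terms arrive as a by-product of ordinary logging, tied to a source IP and timestamp, and a site that wanted to keep them simply keeps its logs.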
Doing so requires providing personal information to the company administering the legal settlement that resolves the decade-old lawsuit challenging Google's behavior.
Step 1: You send your personal info to the award-administrating company, which they will store, unencrypted, on their computers.
Step 2: Award-administrating company sells the info you sent them.
Step 3: Award-administrating company profits.
Step 4: Award-administrating company says, "We wuz haxord! Your deets is escaped. Durr-hurr-hurr-hurr!"
-- or --
Step 1: You send your personal info to a fake award-administrating company, which they will store, unencrypted, on their computers.
Step 2: Fake award-administrating company sells the info you sent them.
Step 3: Fake award-administrating company profits.
Step 4: Fake award-administrating company says, "We wuz haxord! Your deets is escaped. Durr-hurr-hurr-hurr!"
So somebody, somewhere, has decided that just under 3,000,000 applicable searches occurred between October 25, 2006, and September 30, 2013? (23 million divided by 7.7).
One wonders how, exactly, they came up with that number. Can they justify it? Will they show all their work?
Not that it matters. Nobody in their right mind is going to waste the several hours of jumping through hoops that alphagoo will require for a mere $7.70 payout.
And yet by this time next year, that loot will have somehow managed to find a new home. One wonders if anyone with authority will bother doing a follow-up to ensure there has been no graft involved.
> Nobody in their right mind is going to waste the several hours of jumping through hoops
Coming to a YouTube channel soon: "I show YOU how to get $$$$$ from Google (Step #7 will ASTOUND you!)"
Notes:
Only 5 dollars 'cos he's encouraged more people to take up The Google Challenge (like a dozen other YT or TT Challenges, but more useful to society)
Step #7 was his actually managing to wait on the 'phone for 317 minutes before reaching the automated service, without sobbing that he never wanted to hear about the Girl From Ipanema again (sequences shown may be shortened; your call is important to us)
They probably calculated the expected value based on some incorrect assumption on how many people will bother filling out the forms. I wonder whether any class action places are smart and sneaky enough to make the forms even more complex than usual or actively broken so they can split that payment among some friends who coincidentally are the only people to actually have registered themselves in a database.
"So somebody, somewhere, has decided that just under 3,000,000 applicable searches occurred between October 25, 2006, and September 30, 2013? (23 million divided by 7.7)."
The attorneys are going to skim pallets of money off the top plus their expenses which will include attending seminars on maximizing income through class action lawsuits held on sunny tropical islands.
Optigrab anybody?
One wonders how, exactly, they came up with that number. Can they justify it? Will they show all their work?
It's a settlement, not a ruling. Which means that Google was willing to pay that much to make the lawsuit go away, and the class action lawyers were not optimistic that they could get more. That's it, essentially.
That said, I assume the logic went on the lines of what's the tiny percentage of queries that contained private information, how often did the destination website get that information, what's the actual damage considering the users were willing to send an unencrypted query to Google...
I'd sign up for the money but I stopped using Google search before then. Not so much for privacy reasons (at the time), but simply because signing in means you're likely to see the same sites/pages for other searches - which is annoying when you've already read them and know they're not relevant to what you're looking for.