The Real Reason Google Turned off Keyword Referrals for Logged in Users?

If you work in the search marketing world, you know the story by now — Google has decided not to pass in keyword data when users are logged into their Google accounts. The last part of that sentence (in bold) is incredibly important, and we’ll get to that in a minute.

Google claims that they’re making this change for privacy reasons — and strangely predictably, nobody believes Google. But I do. And I will tell you why.

But before we go down that path, let’s get a couple things straight: This isn’t about premium analytics packages. This isn’t about other advertising networks using Google’s keyword data for retargeting. This is about how Google grossly compromised user privacy for more than one month for the sake of getting a product to market as quickly as possible.

And now they’re trying to clean it up before anyone notices.

The REAL Privacy Problem

From September 15, 2011 – October 18, 2011, it was possible for any webmaster with a hacker-leaning mindset to do something we never could have imagined before: to tie an individual Google search back to the actual human being who typed it into their search box — if that user was logged into their Google account.

Take a second to think about the impact there. We use Google to find help for private and sensitive things that we don’t want others to know. We put a great deal of trust in Google to keep our searches private. The thought of our privacy being compromised is scary enough on its own — but it’s even scarier when you realize that this wasn’t even a hack.

Google provided all of the tools anyone would need to do this.

They made it possible by launching the Google+ API before it was safe.

How it Worked

As with all social APIs, developers using the Google+ API can access public parts of any user’s profile data.

So for one month, each time your keyword data was passed through in the referrer to a given website and you were signed into your Google account, anyone could write a simple program with the API to tie YOU back to the search that brought you to the site.

By closing keyword referrals for logged in users, Google is cleaning up the gaping privacy hole that left our searches exposed for over a month.

How do you think the FTC would feel about this? What about privacy advocacy groups? The United States Congress?

It’s no wonder that Google has remained uncharacteristically silent on their motivations for making the switch.

Google Hasn’t Gone Far Enough

By blocking keyword referrals for logged in users, Google is taking good steps towards cleaning up this privacy mess — but they need to go all the way.

First, I know my PPC friends won’t like to hear this, but if Google wants to make things right, they need to close off the referring keywords for AdWords customers as well. Sorry, it sucks, but you’ll learn to deal with it.

Second, Google needs to come clean. All of their users have a right to know.  A vague post on their Analytics blog just isn’t going to cut it.

cup of coffee

Did this post help you out? Please consider buying me a cup of coffee (I'm an addict).


  1. tom pitts says

    This might be on point- but to be fair, this was possibly before the G+ APIs.

    Big cookie co-opts out there exist like ones run by big display retargeting companies (Dotomi etc), which can match back cookies to individuals across the web.

    Any site with logins or email marketing can easily start to match back customers to email addresses. A small pool of advanced companies are already doing this for attribution, segmentation and retargeting. Matching back individuals to search terms has nothing to do with G+ in these cases, but is more reason for Google to hide the searches.

    Google has to be more careful around any removing any sort of data from paid search optimization. Most big spenders don’t use Google Conversion Tracking as their primary tool to manage their paid search spend. They can’t afford to hurt Google’s own revenue stream by breaking other tools from tracking and optimizing paid search.

  2. says

    Not to mention, a much bigger, more used, more uprotected, and more robust dataset can be obtained from Facebook. OpenGraph is a treasure trove to be mined. Social networks kill your “privacy” — if you don’t want information to be broadcast, don’t be jacked into the system. It’s that simple. Being a bit of a luddite DOES have its advantages.

    Honestly, internet privacy has always been dead. Maybe working in the industry helped me reach that conclusion. Even before the days of anything, if you had access to say, the top 10 websites in a niche, you could compare all kinds of data on an IP level, giving a relatively accurate picture of a wide swath of users. (Before you talk about dynamic IPs and whatnot — your internet persona and you yourself are two different entities. Cf Youtube comments. That disconnect is still there.) And while having “lolz u leik pr0nz?!?!” as a display ad chasing you is a bit embarrassing, most modern browsers have a few levels of protection with private browsing beyond just history erasing. [Also, that'd be a hilarious waste of ad spend.]

    The fact, though, is that anyone reputable is using very little personally-identifiable information, looking at the aggregate over the specific. Anyone non-reputable could tarnish your online reputation by knowing a few things, but it’d be unlikely that someone would put the effort into connecting the dots unless you really did something. Check out, say, Anonymous chatlogs to see what kind of people they attack and what they use.

    Finally, this concept:

    First, I know my PPC friends won’t like to hear this, but if Google wants to make things right, they need to close off the referring keywords for Adwords customers as well. Sorry, it sucks, but you’ll learn to deal with it.

    The problem is, without any keyword data, how in the blazes could one say, accurately decide keyword-level bidding? On organic, it’s frustrating; in PPC, it’d be the death of the industry. Should I pump an extra dollar into the competition campaign or the specific local-local? Without keyword data, it completely invalidates the question.

    Now, of course, this is only for logged-in users, and for right now, not even that much (neither my personal or work accounts are switching to https, and are therefore passing keyword data through the referrer). But the intent is clear, both on having a large percentage of people logged into Google (whether through mail or G+ or some other service), and for keeping user data out of the hands of those who need it most.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>