

Use a VPN or Your Google Searches Are Public - rasengan
https://www.privateinternetaccess.com/blog/2013/03/use-a-vpn-or-your-google-searches-are-public/

======
rohanpai
Used my ninja skills and found it. Here is an example:
<http://extremetracking.com/open?login=46union> [NSFW links on site] I just
found a random example

It appears to be incoming search terms for a website that has the
ExtremeTracking service installed. So it's not really that it's public, it's
more that the incoming search terms are just saved along with personal
identifying information (ISP/IP) etc.

Website states: "Adding the tracker to your site is not complicated. If you
are familiar with HTML-editing just copy and paste the tracker code into the
source of your pages and you are ready. The tracker code can also be handled
fine with WYSIWYG editors and content management systems, scripts and blogs.
You can use one and the same code for all your pages or the more advanced code
to report groups of pages, it is all possible. We will be happy to help you
through. At your My Account you find all your tracker details and setup
instructions clearly explained as well as your personal code-checker to check
if you have copied your code correctly."

~~~
emersonrsantos
[https://www.google.com/search?hl=en&newwindow=1&safe...](https://www.google.com/search?hl=en&newwindow=1&safe=off&biw=1280&bih=691&output=search&sclient=psy-ab&q=inurl%3Ahttp%3A%2F%2Fextremetracking.com%2Fopen%3Flogin%3D&btnK=)
shows hundreds of this.

Edit: <http://extremetracking.com/open?login=rarlab2> is actually winrar main
website.

------
lubujackson
Just to be clear, this has been happening since Google started when sites
would just leave their incoming traffic logs available for indexing. Referrer
spam exists specifically to glean value from this. What is interesting is that
the whole "big data" thing is really about connecting pre-existing dots like
this into valuable information. The privacy reactions (like in this article)
are to lock all the doors and bar the windows. But a lot of this data is
already out there and it's only going to spread further.

I just got an email from LinkedIn that someone I used to know looked at my
profile. Does that mean this person wanted me to know that? Certainly not, but
it's possible to track and beneficial for LinkedIn, so now I know.

I worry for the openness of the web (via over-reaction) just as much as these
emergent privacy issues. There are no easy answers here.

~~~
Vivtek
Ah. Thank you for finally letting me realize the point of referrer spam (I've
never left logs lying around in Net-accessible places and it boggles the mind
that anybody would - bandwidth consumption if no other reason...)

------
TomAnthony
In late 2011 Google started stripping the search term from the HTTP referrer
[1] that is passed on to the site for some searches (depending on where you
are and whether you are logged in).

Since then the number of searches affected by this has steadily increased [2],
so this sort of tracking is going to become less and less of a concern.

[1] <http://googleblog.blogspot.co.uk/2011/10/making-search-more-secure.html>

[2] <http://www.notprovidedcount.com/>

------
rcfox
Is there a more authoritative source? This article comes off very heavily as
"Here's some FUD. Oh by the way, our product just so happens to alleviate the
problem that we just pointed out."

~~~
bochoh
There would be a more authoritative source if the "source" had linked to the
website. Until that I am inclined to agree with you.

------
gjulianm
It doesn't seem to me like an issue at all.

Referral data has been available since the beginning of Google. You get the
referrer, extract the search terms of the URL and link it to the visiting IP.

This doesn't show up if you're using HTTPS search. The URL is encrypted and
the terms can't be extracted IIRC.

So, the only problem is a tracker (which I never heard of) giving out that
referral data. And it's publicized by a site who ends up promoting its VPN
(and not mentioning the HTTPS solution).

~~~
MichaelGG
HTTPS doesn't pass the referrer to non-HTTP sites, but will to HTTPS sites.
What Google does on top of that, I don't know. They could easily bounce you
through an HTTP redirect that does pass the search terms.
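
The referrer logging discussed in this thread, seen from the site operator's side, as an added example that is not part of any comment here: a Python sketch that scrubs access-log lines before they are stored or published, reducing each referrer to its origin and truncating the client IP. The log lines, addresses and function names are constructed for illustration, and Combined Log Format is an assumption about the log layout.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<mid>\S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+) '
    r'"(?P<ref>[^"]*)" (?P<ua>"[^"]*")$'
)

# Constructed sample lines (documentation IP range, made-up requests).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:12:00:00 +0000] "GET /page.html HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?hl=en&q=constructed+search+terms" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2013:12:00:05 +0000] "GET / HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


def referrer_origin(ref):
    """Reduce a Referer value to scheme://host/, dropping path, query and fragment."""
    try:
        parts = urlsplit(ref)
    except ValueError:
        return "-"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "-"
    return f"{parts.scheme}://{parts.hostname}/"


def scrub_line(line):
    """Return the line with referrer reduced to its origin and IP truncated, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # unparseable lines are dropped rather than kept unsanitised
    ip = m["ip"]
    # IPv4: zero the last octet; anything else (e.g. IPv6) is replaced entirely.
    ip = ip.rsplit(".", 1)[0] + ".0" if re.fullmatch(r"\d+(\.\d+){3}", ip) else "-"
    return f'{ip} {m["mid"]} "{referrer_origin(m["ref"])}" {m["ua"]}'


if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(scrub_line(raw))
```
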

------
nostromo
Only if you're not signed in to Google. If you are, Google no longer sends
your search terms to the website when you click.

Ironically, people in incognito mode do not want to be tracked, but via this
method, are much easier to track in terms of matching IP addresses to search
terms.

------
trg2
When Google first came out and said they would default to secure search, the
SEO industry got pretty heated. They initially said it would affect queries
"in the single digits". This number has grown much higher, with most people
reporting 20-60% of traffic showing up in their analytics as "not provided".

While most SEOs said this was monopolistic behavior by Google, attempting to
take more market share from other ad networks (when you can't extract the
keyword from the referring URL, it's harder to provide relevant ads), this is
an example of secure search actually being quite useful.

That said, it makes us all the more reliant on Google for more and more.
There's definitely no easy answer here.

------
mike-cardwell
I've been using a Firefox addon called RefControl for a long time now. It
forges the referer header to be the root of the website that you're on. I've
never noticed a problem caused by this.

We could turn off HTTP referers tomorrow, and the number of sites it would
break would be tiny, whilst the benefits to the general public regarding
privacy would be _humongous_.

This won't happen, because the major browser vendors make money from
advertising and tracking. You think Google would do this for Chrome? Microsoft
for IE?

It makes no sense that your browser should by default tell websites that you
visit where you came from. If referers didn't already exist, and Google came
along and added them today to Chrome or Microsoft added them to IE, the level
of protest would be epic.

------
gesman
Extremetracking == the same as Google analytics + IP addresses tracking + more
detailed info per visitor's IP

Extremetracking offers free tracking - which offers free .js tracking widget
for site. The problem with "free" tracking is that it exposes all your
visitors + all their search terms + all their referrers to the whole world -
which is what this article found out.

I bought Pro for 1 month to see if I can squeeze any more business out of that
compared to Google analytics. Unfortunately it does not offer visitor
cross-reference data (what other sites a given visitor visited).

"Pro" plan keeps your log data confidential.

~~~
rsync
By "business" you mean ... ?

Actual productive pursuits, or parasitic bullshit like SEO ?

~~~
gesman
Nothing to do with SEO. I can see that extreme's tracking screen is much more
convenient than Google analytics and allows to quickly dive into specific
visitor's history.

The bottom line to discover - does this tool allow to deliver more business
to customer

------
mpclark
Websites don't get to see your search terms at all if you're logged in to
Google.

I guess that makes it safer on one hand, and much more dangerous on the other.

------
ronaldx
subheading, "Young Person Discovers Internet Existed Before They Were Born"

Surely extremetracking is on almost every website made 1999-2002?

------
arkitaip
Not if you google encrypted.

------
gertef
Mostly false. HTTP_REFERER sharing is a browser feature, not a network
feature. You can tell your browser not to set it.

<http://www.whibb.com/hide-referrer-headers-in-firefox.html>

------
mbailey
OH WOW HTTP_REFERRER? This is adspam, company is selling VPNs.

Did you know your IP is showing?!

~~~
charlesism
Agreed. The "flaw" they claim they have "discovered" is a browser feature, and
an old one at that. I have problems with plenty of _other_ Google features,
but it's outrageous to blame Google for something one's browser does every
time one clicks a link on any website anywhere.

------
shoopy
Not an issue for HTTPS searching.

------
fencepost
I like PIA and have an account for public hotspots, but this comes off as FUD.

------
matznerd
How long until someone posts the link?

~~~
pseudometa
20 minutes.

------
recoiledsnake
If I am not mistaken, only the website you click on after searching will know
the search term, so how does using a VPN protect you from this? For example,
if I search for Yahoo and click on the Yahoo.com result, this rogue
website (assuming Yahoo is not it) won't be able to access that search keyword
from my IP.

~~~
Encosia
Your true public IP address won't be disclosed if you're using a VPN as an
intermediary. Sort of like private domain registrations; sure, there's an
address to associate, but it's meaningless.

Of course, using an SSL connection to Google would be sufficient in this case,
since that prevents the referrer from being included when you visit a search
result.

~~~
potkor
Most people's "true public IP address" is just as pseudonymous though.

~~~
Encosia
With always-on routers usually being the DHCP lease recipient for residential
broadband, even dynamic IP addresses are typically a lot more "sticky" than
most people expect. Couple that with the location-specific info available via
reverse DNS on residential IPs, and it doesn't take a vivid imagination to see
how easily even a loosely correlated search history could be used against you
when applying online for jobs, healthcare, credit, etc.

I would honestly be shocked if there aren't risk assessment departments (or
entire companies) already specializing in applying techniques like that to
filter resumes, bias interest rates, and raise premiums accordingly.

