Warning: Firefox is About to Start Stealing Our Data

Back in October of 2011 (that long ago?) on the “Official Google Blog” it was announced that search was going to become more secure. Awesome. But, wait there’s a catch (Official Google Blog, October 18, 2011):

As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we’re enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra “s”) when you’re signed in to your Google Account. This change encrypts your search queries and Google’s results page. This is especially important when you’re using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe. You can also navigate to https://www.google.com directly if you’re signed out or if you don’t have a Google Account.

What does this mean for sites that receive clicks from Google search results? When you search from https://www.google.com, websites you visit from our organic search listings will still know that you came from Google, but won’t receive information about each individual query. They can also receive an aggregated list of the top 1,000 search queries that drove traffic to their site for each of the past 30 days through Google Webmaster Tools. This information helps webmasters keep more accurate statistics about their user traffic. If you choose to click on an ad appearing on our search results page, your browser will continue to send the relevant query over the network to enable advertisers to measure the effectiveness of their campaigns and to improve the ads and offers they present to you.

In the internet marketing world this meant that extremely useful, highly relevant keyword data would appear as “(not provided)” if someone was logged into their Google account, performed a search and was brought to the site through an organic listing. At first, in November, it looked like this was affecting approximately 8.875% of web traffic. Then, reports started rolling in with people claiming numbers as high as 30%.

Yesterday, things got worse for internet marketers spending any time hoarding over Google Analytics data. In his blog, Christopher Soghoian, a security and privacy researcher, announced that Firefox was jumping into the game of Google encrypted search:

Recommended for YouWebcast: 5 Growth Hacking Techniques to Increase Your Revenue in 30 Days or Less

A few days ago, Mozilla’s developers quietly enabled Google’s HTTPS encrypted search as the default search service for the “nightly” developer trunk of the Firefox browser (it will actually use the SPDY protocol). This change should reach regular users at some point in the next few months.

This is a big deal for the 25% or so of Internet users who use Firefox to browse the web, bringing major improvements in privacy and security.

I’m in no way a mathematician, but if we *guess* that 10% of data was “(not provided)” before Firefox jumped on board, and that Firefox user account for 25% of Internet users, we can back into what we can expect to see.

10% encrypted already (of this 25% were already using Firefox), so 7.5% plus 25% (32.5%) of all Internet users; ergo a *rough estimate* of what our “(not provided)” data will look like in the coming months:

Site Visitors: 10,000 per month via organic search

Pre-encryption: You saw 10,000 visible search queries per month in Analytics

Google logged in account encryption (November 2011): about 9,000 visible search queries per month – 1,000 encrypted queries

Firefox and Google logged in combo (the very near future): about 6,750 visible search queries per month – 3,250 encrypted queries

And for those that like data visualization:

(axis starting point intentionally increased from zero for dramatic effect)

Again, take it for what it’s worth based on estimates from my own experience and those published on the web, but OUCH – Thanks a lot Firefox…

  Discuss This Article

Comments: 3

  • Vicdot says:

    If they don’t steal my password or credit cards number and just want to know what website I visited or something like this.Actually I don’t mind. There are so many news about privacy these days.I ever got do not track installed in all my chrome firefox and Avant browser and IE, but who knows these add-on is as safe as they claimed? I have delete these add-ons from my browser. Whatever,I just keep my own way.

  • lily says:

    I using firefox and avant .don’t like chrome .firefox is steal my data? Really? How can I protect my data?

  • Wow, what an incendiary headline! Someone who reads just that headline and doesn’t dive into your article will not see that the “our” in “steals our data” represents internet marketers and not normal users.

    While Mozilla recognizes the importance of commerce on the internet, the security and privacy of individual users is more important. That’s how features like Do Not Track come along (though, iirc, that one even started at Microsoft). Using https by default for google helps in the security and privacy of Firefox users (and *prevents* “our data from being stolen”).

    “Firefox is about to start hiding the search you ran from internet marketers” is a lot less exciting a headline.

    (I work for Mozilla, but not in an area that touches this particular part of Firefox)

Add a New Comment

Thank you for adding to the conversation!

Our comments are moderated. Your comment may not appear immediately.