Today’s question is: “should your mom use Google search?” It it is a good thing that Google has directly told us that their motto is “don’t be evil,” as their systems are subtle and difficult to evaluate.
I have two areas of concern.
My first concern is: what is going on with the ads on Google search? Are they safe to click on? Check out this ad (from a Google search page):
Where do you think the link would lead to if you clicked on it? First guess: “www.dmb.com/duns” which is further labeled “Official Site.” This sounds like we would directly link to the venerable company “Dun and Bradstreet.” This is not the case. The text and the green site are apparently part of the ad. Hovering the mouse or capturing the link yields the following huge and hard to decipher URL:
http://www.google.com/aclk?sa=L&ai=CwmvMvAVpSsyeDpvusAO4y5D8D5aTi3qAv83oDPXK5f0CEAEguVQoA1Dw0pOr-_____8BYMn2-IbIo6AZyAEBqgQdT9AhbH2fVXmJHnIy-TNNj_HkY7JsaGV106RyaVw&num=1&sig=AGiWqtwX5zxePZHhDkpqJBojcybMzKkFSw& q=http://track.did-it.com/n%3Flid%3D13619863%26tid%3D3fe34bfe02723%26eng_creative%3D3345771492%26eng_keyword%3Dd-u-n-s%2520number%26eng_placement %3D%26url%3Dhttp://smallbusiness.dnb.com/webapp/wcs/stores/servlet/SmbHome%3FstoreId%3D10001%26cm_mmc%3DGoogle-_-Adword-_-online-_-d-u-n-s%2520number%26LID%3D13619863
Can you anticipate where this goes? You can see the following three URL fragments inside the URL:
Reading from left to right you can be pretty sure the URL goes to a Google server that uses the rest of the URL as an argument. We can then assume that this Google server performs some bookkeeping and redirects to http://track.did-it.com/ . We can then further assume that track.did-it.com performs some more bookkeeping and redirects to http://smallbusiness.dnb.com/. Notice the first non-Google URL does not match the advertised URL. We don’t know what is encoded into each of these pieces and we are only assuming the track.did-it.com server unpacks the URL from the argument; maybe that is a red herring and it redirects us to somewhere else entirely.
Frankly I have no idea if this really happens. I do know from experience that Google did re-direct to track.did-it.com because my anti-spyware traps caught this, blocked the page load and issued a warning. This sort of thing could be a very irritating late night call from Mom- she gets a web-safety warning (anti-phishing, anti-virus, cookie request or something else) from a site she is not on, she is not loading inclusions from (images, scripts, iframes and so on) and she is not knowingly clicking on.
Is there a finite list of partners that Google allows to re-direct? Can anybody do this? Can I produce and place ads with arbitrary redirections?
My second concern is: do you even need to click to leave the Google search page?
Check out what happens with a fresh copy of Mozilla Firefox (no plugins and nothing added to the browser) when you search for “Bing” on Google:
Let’s look at that pop-up a little closer:
Why would http://www.bing.com get a chance to set a cookie? Doesn’t that only happen in response to a request from my copy of Firefox? Did some script on the Google search page or some obscure “web acceleration” option in Firefox pre-fetch the content of the first Google link or first Google Ad (triggering the cookie request)? Let’s not worry too much over cause (Google is the major funding source for Firefox), but look for possible effects. Does the destination site (Bing) see traffic from the Google page even if the user never clicked on the link? Something like that would inflate the already huge stature of Google as a traffic source. How much of my site’s “web traffic” comes from phantom clicks (from abandoned searches)? Finally, how safe is it? How much more than the cookie is being loaded? What if the site linked to has malware- is this a no-click infection route?
Some of these subtle features are necessary to support an ad network. But the implementation does not seem minimal. Allowing hosts to differ from ad content and performing a pre-fetch with every search both expose searchers to additional risk.
EDIT:
Found the prefetch. A Firefox tag that Google knows to set (see What is firefox prefetching?)- and sure enough if I perform Google search using Firefox we see:
<link rel="prefetch" href="http://www.bing.com/">
(and I don’t see this tag when using Safari).
So that is the mechanism- still wondering how much risk this is to users. Also wondering how much this skews traffic statistics into Firefox’s and Google’s favor (I haven’t seen the prefetch tag on Yahoo search or Bing search).
jmount
Data Scientist and trainer at Win Vector LLC. One of the authors of Practical Data Science with R.
So to turn prefetch off in Firefox- do the following: Start Firefox. Type “about:config” into the address bar and press return. Press the “Yes I am sure button.” Type “prefetch” in the new filter bar. Right-click on “network.prefetch-next” and select “toggle” on the menu to change the value from true to false.
By the way, I invented about:config while at Netscape. I don’t know anything about prefetch or other shenanigans. Thank you.
@mlenz Wow, I knew you had some patents on “remote configuration” while at Netscape- was that related to this?
Article about malicious ads placed on popular sites. This is why you don’t want your browser clicking for you:
http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2009/09/23/urnidgns852573C4006938800025763A0081022C.DTL