Google Addresses WiFi Privacy Snafu with Encrypted Search

By Clint Boulton  |  Posted 2010-05-23

Google May 21 began adding SSL (Secure Sockets Layer) encryption for its search engine, a direct response to the company's accidental collection of users' personal information in countries all over the world.

The search engine May 16 admitted that its Street View cars that patrol city streets to record images had unknowingly collected users' payload data from unsecured WiFi networks. This included e-mail, passwords and browsing information.

This resulted in the collection of more than 600 gigabytes of users' data over the last three years. This invasion of privacy is not being countenanced by the European Union or individual countries where Street View collected citizens' data, including the United States, Germany, Italy, Spain, France and the Czech Republic.

Google promised to offer SSL encryption, a sturdy security protocol used by banking and e-commerce sites, for users who want to protect information shuttled between their computers and Internet services. SSL offers a "significant privacy advantage over systems that only encrypt log-in pages and credit card information," noted Google Software Engineer Evan Roseman.

When users search from the URL, the SSL creates an encrypted connection between the user's browser and Google to better shield users' search terms and search results pages from being intercepted by a third party, including an errant drive-by from Street View cars roving their neighborhood to capture pictures for Google Maps.

The service features this modified logo to show users that they are searching using SSL. Roseman noted that SSL for Google search is rolling out to beta because it only covers the core search engine.

Indeed, a quick query on the Google SSL search domain displayed none of the usual topic tabs at the top, such as Google Maps, Image Search and shopping, which don't support SSL. Should users click on any of the Web results for unsupported services linked to Google Images, they will likely be taken out of SSL mode, Roseman said.

Moreover, he said there might be a lag time for search results because SSL connections require additional time to set up the encryption between the browser and the remote Web server. 

Google has long offered SSL for Gmail, Google Docs and other services, but most users aren't Web- or security-savvy enough to know about them or why they might want to elect to turn them on to better protect their data.

Privacy advocates have been calling for Google to SSL-enable its search for years; the WiFi privacy gaffe accelerated Google's plans to offer SSL for search.

SSL for search may be a small consideration for countries affected by Google's WiFi debacle, known in the media by privacy watchdogs as WiSpy. But it's not a long enough olive branch that will silence the complaints.

Governments overseas are hammering Google hard for this misstep, which will lend muscle to arguments that Google should be regulated. U.S. regulators have yet to formally complain, but it's quite possible the FTC or Justice Department may scrutinize the issue.

This isn't the first time Google has turned to SSL as a default security setting as a reaction to a security and privacy breach.

The company turned on HTTPS as the primary setting for Gmail one day after revealing that the Gmail accounts of users had been accessed in a Chinese cyber-attack.

Rocket Fuel