
Referer FUD

Gabriel Weinberg:

For those of you who have no idea what I’m talking about: when you click on a link on the Internet, where you clicked from gets automatically sent to the site you clicked on (most of the time).

For example, if you’re on yahoo.com and you click to a story at the New York Times, your browser will send to newyorktimes.com some information that you came from yahoo.com — namely, the Web address of the page you were just on. This info is called the Referrer.

At issue here is that sometimes the Referrer contains personal information. In particular, when you use most search engines, your search terms are included in the Referrer. That is, when you search on Google/Bing/etc., and you click on a link, your search terms are sent to the site you clicked on. This search leakage doesn’t happen at DuckDuckGo.

I don’t see why this should not be called FUD. The post does not actually explain how any personally identifiable information (PII) leaks to third parties when you search for something with a search engine. Search terms by themselves do not constitute PII, although a query can of course contain some, which is the case addressed below. Duck Duck Go uses a clever trick to get the browser to send a Referer header without the search terms, but other tricks are possible.

At the core, the problem is not the Referer header. By choice or by poor design, some sites put PII into the URIs of pages that link to third parties, and that is the real problem. It is not something for Google or Bing to fix: every site that cares about its users’ privacy should make sure it does not leak PII through URIs.
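To make the mechanism concrete, here is a small simulation of how a browser derives the Referer header from the page a link was clicked on. It is an added example written for this note, not code from the original post, from DuckDuckGo, or from any browser. The policy names and semantics are those of the W3C Referrer Policy specification (which postdates the post quoted above; at the time, browsers behaved like the `no-referrer-when-downgrade` case); the URLs and the helper names `computeReferer`, `stripForReferrer` and `leaksQuery` are made up for illustration. It shows three things the paragraph only states: the query string travels with the Referer unless a policy trims it, the fragment never does, and a site can therefore fix the leak on its own by choosing a policy or by keeping sensitive values out of the query.

```javascript
// Added example (not from the original post): simulate the Referer a browser
// would send when a user clicks from sourceUrl to targetUrl under a given
// Referrer Policy. URLs below are constructed for the demonstration.

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// Browsers never put the fragment or userinfo into Referer, regardless of policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// Returns the Referer header value, or null when no header would be sent.
// Default policy is the one current browsers apply when a page sets none.
function computeReferer(sourceUrl, targetUrl, policy = 'strict-origin-when-cross-origin') {
  if (!POLICIES.includes(policy)) throw new Error('unknown policy: ' + policy);
  const src = new URL(sourceUrl);
  const dst = new URL(targetUrl);
  const full = stripForReferrer(sourceUrl);     // scheme://host/path?query
  const originOnly = src.origin + '/';          // scheme://host/ (how browsers serialize it)
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol === 'http:';

  switch (policy) {
    case 'no-referrer':                 return null;
    case 'no-referrer-when-downgrade':  return downgrade ? null : full;
    case 'origin':                      return originOnly;
    case 'origin-when-cross-origin':    return sameOrigin ? full : originOnly;
    case 'same-origin':                 return sameOrigin ? full : null;
    case 'strict-origin':               return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case 'unsafe-url':                  return full;
  }
}

// True when the Referer that would be sent still carries the named query parameter.
function leaksQuery(referer, param) {
  if (!referer) return false;
  return new URL(referer).searchParams.has(param);
}

// Demonstration: a results page that keeps the search terms in the query string
// versus one that keeps them in the fragment, linking to a third-party story.
const resultsWithQuery = 'https://search.example/results?q=my+medical+condition';
const resultsWithFragment = 'https://search.example/#q=my+medical+condition';
const story = 'https://news.example/story';

for (const policy of POLICIES) {
  console.log(policy.padEnd(32),
    'query-in-URL leaks:', leaksQuery(computeReferer(resultsWithQuery, story, policy), 'q'),
    'fragment leaks:',     leaksQuery(computeReferer(resultsWithFragment, story, policy), 'q'));
}
```

In a real page the same outcome is obtained with a `Referrer-Policy` response header, a `<meta name="referrer">` element, `rel="noreferrer"` on individual links, or, independent of any policy, by not placing the sensitive value in the path or query in the first place; the fragment and the request body (POST) are never part of Referer.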


  1. I agree that search terms are not PII as long as they are collected anonymously. But that is rarely the case these days with always logged in features of sites. For example, if I navigate to Facebook from Google search results, Facebook will know who exactly is the person performing search and what keywords.

    • No. facebook.com will get the Referer header with the keywords only if facebook.com is one of the search results. Essentially, Facebook needs to be linked from Google for the Referer header to make it to Facebook. Mere navigation with the user typing in facebook.com in the browser’s location bar does not send the Referer header.
