Google has begun rolling out SSL to its search engine, much like its Gmail service. A win for privacy... sort of.
Google has decided that the trade-off of higher latency for increased security when running searches is worth it. While there has been an SSL-enabled search for more than a year now, it was never the default. Google announced on its official blog that it would be phasing the SSL feature in as the default setting for users who are signed in to a Google account over the next few weeks.
Attempts to access http://www.google.com will be redirected to https://www.google.com. Note that other localized Google search engines, such as Google UK and Google AU, do not yet appear to have working SSL implementations. However, it is quite common for features to be rolled out to these at a much later date.
Google says that it wants to protect personalized search results from snooping eyes connected to unsecured Wi-Fi hotspots. For this reason the new SSL-based search is optionally accessible to users who are logged out or who don't even have a Google account. Of course that's merely a side benefit compared to the real reason that this is being rolled out.
Upon clicking a search result using a a standard, insecure connection, the search query is passed to the website being accessed. Sometimes this is used to highlight the keywords on the page with gaudy colors that make it difficult to read. More importantly, the search term is collected by page scripts – particularly Google Analytics – and used by the website owners to determine what search terms they are primarily being found under and what content is generating the most traffic.
SSL changes everything.
No longer will Google Analytics data let website owners know what search terms were used to bring a person to their websites - at least not for logged-in Google account users. What it will provide is the number of users who came to the site via an SSL-enabled search. After conducting some research using a site whose Analytics data I have access to, I found that, rather than displaying the keyword information, these visits will simply appear in the dashboard's Keywords section as "(not provided)". This mirrors the findings some others as well. So while you won't see a sudden and unexpected collapse in your traffic, the data that you receive in Google Analytics will have been stripped of any context or meaning, other than that it came from Google.
Fortunately, Google's benevolence prevails and the search engine giant will still provide basic aggregate information about the top search terms that provided traffic to the site from the previous 30 days via its Webmaster Tools.
From an end user perspective, is this a win for privacy? Partially, yes. However, there is a small detail in the official blog post that may easily be overlooked. Google will still be passing on the search query for AdWords (paid search results). Those who are willing to pay for your search terms are still going to get them regardless of how much encryption Google throws at its users. Whether this is an attempt at causing dodgy SEOs more pain than being hit by a giant Panda or a way of pushing more people to AdWords is anyone's guess. Regardless of the motive, it will cause headaches for website owners, especially if it is eventually rolled out as the default for users who are not logged in.