Since Google launched Chrome yesterday, much has been said in the blogosphere about its privacy implications. The issue is that Google can log your search keystrokes as you type, even before you hit the Enter key to submit the search. But since Google Suggest is now enabled by default, this behavior is actually no different from typing a search into Google.com directly, using any browser.
And this behavior is not confined to Google.com either: many third-party websites directly or indirectly use Google Suggest, even if they don’t use the Google Search widget. It gets worse (see later). But how does it work from non-Google websites?
Basically, the website traps your keystrokes using an “onkeyup” event handler, then issues an AJAX call to the Suggest API (suggestqueries.google.com). The API can be invoked with a simple HTTP GET. Here’s an example when you search for “sarah p” today:
Google then returns a suggestion list:
window.google.ac.h(["sarah p",[["sarah palin","357,000 results","1"], ["sarah polley","1,110,000 results","2"],["sarah paulson","487,000 results","3"] ...etc...
Notice this is a JSONP result.
What most people don’t know is that if you use Firefox, the top-right Google search box (the default for most people) has been using this functionality all along!! So Firefox has the same privacy issue. The Firefox search handler calls the suggestion API with an added parameter (output=firefox&qu=sarah%20p) and gets a simpler return list:
["sarah p",["sarah palin","sarah polley","sarah paulson", ...
So what’s new with Chrome? The difference is Chrome combines the URL bar and the Search bar together. When you type in “http://www.slashdot”, for example, Chrome sends out the following HTTP request prior to you completing your action. Here’s what the packet sniffer logs:
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=http%3A%2F%2Fwww.slashdot HTTP/1.1\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13\r\n
Accept-Language: en-US,en\r\n
Accept-Charset: ISO-8859-1,*,utf-8\r\n
Accept-Encoding: gzip,deflate,bzip2\r\n
Host: clients1.google.ca\r\n
Connection: Keep-Alive\r\n
This means that with Chrome, Google now knows not only what you’re searching for, but also which websites you go to directly.
You can turn off this functionality by going to Options > Default Search > Manage and unchecking the “Use a suggestion service” box. At the very least, Google should let users turn off URL auto-suggestions (off by default) while still enabling search completion.
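To check how much typed input leaves a network this way, here is an added example (not part of the original post): a Python audit of proxy-log request lines that finds suggest-API calls like the one captured above, decodes the typed text, collapses per-keystroke prefixes into one entry, and labels each as a search or a typed URL. The sample lines are constructed, and the path used for the Firefox request and the URL-detection regex are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log request lines modelled on the capture above (not real traffic).
# The Firefox line reuses the /complete/search path, which is an assumption.
SAMPLE_REQUESTS = [
    "GET /complete/search?client=chrome&output=chrome&hl=en-US&q=http%3A%2F%2Fwww.sl HTTP/1.1",
    "GET /complete/search?client=chrome&output=chrome&hl=en-US&q=http%3A%2F%2Fwww.slashdot HTTP/1.1",
    "GET /complete/search?output=firefox&qu=sarah%20p HTTP/1.1",
    "GET /index.html?q=unrelated HTTP/1.1",
]

# Heuristic (assumption): a scheme, a leading "www.", or a dotted hostname means a typed URL.
URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.)|^[\w-]+(?:\.[\w-]+)+(?:/|$)", re.I)

def typed_text(request_line):
    """Return (client, text) for a suggest request, or None for anything else."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != "/complete/search":
        return None
    params = parse_qs(url.query)  # also percent-decodes the values
    text = (params.get("q") or params.get("qu") or [None])[0]
    if text is None:
        return None
    client = (params.get("output") or params.get("client") or ["unknown"])[0]
    return client, text

def audit(request_lines):
    """Collapse per-keystroke prefixes and label each final string."""
    findings = []
    for line in request_lines:
        hit = typed_text(line)
        if hit is None:
            continue
        client, text = hit
        kind = "navigation" if URL_LIKE.search(text) else "search"
        # A request that extends the previous string belongs to the same typing run.
        if findings and findings[-1][0] == client and text.startswith(findings[-1][1]):
            findings[-1] = (client, text, kind)
        else:
            findings.append((client, text, kind))
    return findings

if __name__ == "__main__":
    for client, text, kind in audit(SAMPLE_REQUESTS):
        print(f"{client:8} {kind:10} {text!r}")
```

Entries labelled "navigation" are the new exposure described above: addresses typed into the combined bar rather than search terms.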