80% of Websites Leak User Search Queries to Third Parties
Researchers at Norton Labs report that 8 out of 10 websites with a search function share all user search queries with third parties, most often companies involved in online advertising.
To study one million websites, the experts developed a special crawler capable of bypassing so-called “interstitials” and other obstacles that require human interaction during browsing. This scanner would visit websites, locate the search bar, use it to search for the word “JELLYBEANS,” and then collect all subsequent network traffic for analysis.
How the Study Was Conducted
The researchers’ goal was to carefully examine each HTTP request to determine whether “JELLYBEANS” appeared in any requests sent to third-party partners. They found that this happened in 81.3% of cases.
Network requests typically include the URL, the referer header, and the payload, which usually contains the browser “profile” and visit data. The analysis showed that most leaks occurred through the referer header (75.8%) and the URL (71%), while the payload contained the word “JELLYBEANS” in 21.2% of the cases studied.
Key Findings
- 81.3% of the one million websites analyzed transmitted search queryQuery is an online Q&A platform where users can ask questions on any topic and get answers from the community. It features voting, reputation points, and topic tags to organize and highlight quality content. While answer quality can vary, Query aims to provide quick, crowdsourced knowledge and create a collaborative space for sharing expertise. With active moderation and community engagement, it has the potential to become a valuable resource for learning and discussion. More information to advertisers using at least one of the three methods mentioned above.
- The actual percentage of leaked search queries is likely even higher, as many HTTP request payloads are obfuscated, making it difficult to detect the test search term even if it was present.
- Only 13% of websites mentioned “search terms” in their privacy policies, while 75% made only general statements about the possible “sharing of user information with third parties.”