Serious problem with Google Web History

Google Web History is a service that stores your Google searches and the results you clicked on. This can be helpful if you can’t find a site anymore which you found useful earlier.

What Google Web History is not supposed to do is to continue to log searches from a computer that you haven’t been using in months!

Spying with Google Web History

Here is what happened: About six weeks ago I logged into Web History when I noticed some strange entries. Apparently I had searched for a Siemens mobile phone and an electromagnetic induction stove. For a few minutes I could make neither head nor tail of this, when I suddenly realized that I was looking at my parents searches. Apparently I had logged into Gmail while I was at their place and had forgotten to log out. The problem is, that at that point, three months had already passed since I had last visited my parents!

Obviously, no login should be that persistent and Google realizes that. On Google History there is a note saying:

To help protect your privacy, we’ll sometimes ask you to verify your password even though you’re already signed in. This may happen more frequently for services like Web History which involves your personal information.

Password change = no change

But it got even worse: Since I don’t have direct access to my parents computer (and since I didn’t want to freak them out) I decided to change my password for all Google services. Surely that would put a stop to it, even if I had accidentally told my parents computer to store my password (very unlikely, since I’m very security-conscious, but  not impossible).

However that didn’t make any difference either. Below are my mothers search results from November 27 – that is 4.5 months after I was logged into that computer the last time and six weeks after I changed the password!

My mother's Google Searches - she is planning a trip to Turkey.

My mother’s Google Searches – she is planning a trip to Turkey.

Obviously there is something seriously wrong there. I haven’t tried to replicate the problem, but the fact that my mothers queries are still being logged under my account after I changed the password really floored me.

The privacy implications are of course massive. Consider how much your search history says about you – it’s almost like a stream of your consciousness. Would you want other people to be able to see that? Could I enable web history at a colleague’s computer and spy on him? If this behaviour can be replicated and is not just a fluke, then I most certainly could.

I’m pretty certain that this behaviour would have stopped if my parents had a Google account of their own and would have logged in with that at any time. But that is no excuse.

Update (1 December 2009): I contacted Google’s Matt Cutts through Twitter. Here is our brief exchange of messages. I still think it’s a bug that should be fixed.

@timolue if your parents continue to search often without ever signing out, we probably can’t tell if it’s you vs. them at the keyboard.

@timolue I’d ask them to sign out of Google or clear their cookies; either should work.

@mattcutts Thx. But shouldn’t I be logged out automatically and asked to log in again after a few months? Like with Gmail?

@timolue not sure; it’s a question of convenience vs. forcing re-logging in.

  • interesting! i have been having a similar problem with Facebook and Yahoo's Delicious. about 1.5 years ago, i connected my fb account to my delicious account. then i tried deleting that connection. no luck. i read that the app developers had discontinued working on the app.

    fast forward to today – about 1 year later – my facebook page still links to my delicious account. even when i change my delicious password, the changed password communicates with delicious app, which prevents me from ever severing my ties to this clingy sh___! i've struggled to communicate the problem with fb. they tell me they've fixed it – obviously without looking at my fb profile – for they would see it's not fixed.

    it's infuriating!! they assume i simply don't know how to de-activate my apps. if they would dig into the matter, they would see that there is not the slightest hint in my fb apps panel that i'm connected to delicious in any way.

    conclusively, months after the developers quit, since they didn't clean up their cybermess, i'm stuck with fb "family" be torpedoed w every single delicious save i make. i hate it, i hate, i hate it.