Thursday 26 September 2013

How Google could have made the Web secure and failed -- again

Google confirmed this week it has made a change to better protect the privacy of how people search. However, it left loopholes in that protection and once again failed to seize an opportunity to encourage all sites.
You probably didn't notice, but this week, your searching activity on Google got a little safer from prying eyes. When you go to Google, it likely will transfer you automatically to its "encrypted" service, one designed to prevent potential "eavesdropping" on your searches. What's not to like with that? Chiefly, a loophole Google has left in for its advertisers and a lost opportunity to get all sites to go secure.
Blocking "eavesdropping" of search activity
Encrypted search -- officially, Google SSL Search -- protects you from "eavesdroppers" in the same way you're protected through an encrypted connection when you do online banking. Only you and the site you're talking with can "hear" your conversation. So with encrypted search, what you're searching for can't be heard by third parties. Assuming, of course, that no one like the National Security Agency or hackers has cracked the "keys" to that encryption.
Google made a big push to increase the use of encrypted searches two years ago. Anyone who had logged into Google, such as to check Gmail, would be sent to Google SSL Search if they wanted to search for something.
This week, Google confirmed it is forwarding users to Google SSL Search even if they aren't signed in. From the statement Google gave to me when I wrote about this on my Search Engine Land site:
"We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We're now working to bring this extra protection to more users who are not signed in."
In short, everyone is -- or will soon be -- protected from eavesdropping, even if they don't remember to sign in. Google's got your back! Or so it seems on the surface. As it turns out, search data remains exposed in several ways.
The loophole for advertisers
Perhaps the most glaring loophole is that if you do a search and click on an ad, what you searched for isn't protected at all. Google is continuing, with a deliberate decision it made two years ago, to transmit search terms "in the clear" to its advertisers.
That's something I've always found disturbing. There's only one reason for Google to leave in this loophole: to make its advertisers happy. If search data is private, as Google clearly believes it to be with these encryption moves, then why allow advertisers to still see it?
This hypocrisy is so embarrassing that Google doesn't even acknowledge it on its help page about Google SSL Search. Google notes that Web sites might know the search terms people use to reach them, but it doesn't give the exact reason why this might happen: because Google makes an exception for its advertisers.
