A flaw in Google Toolbar that allows the search engine to track some web browsing has been identified by a privacy researcher.
Ben Edelman, an assistant professor at Harvard Business School, shows in a report that under certain circumstances the Google Toolbar (versions 6.3 and above) tracks the browsing habits of Internet Explorer 8 users who have activated the toolbar's "enhanced features", even when the toolbar is turned off or disabled.
This is problematic since the Google Toolbar is not supposed to transmit your browsing information back to Google when the browser add-on is disabled.
Google confirmed the bug and said that only a tiny number of toolbar users are impacted.
A spokesperson for the company said a fix for the toolbar would be pushed out Tuesday and the software would automatically update.
Google declined to say how many toolbar users use IE8 and would only estimate the number of all its toolbar users as "hundreds of millions".
The Google Toolbar version 6.3 was introduced in September 2009, according to Google.
IE8 users who enable Google Toolbar's enhanced features Sidewiki and PageRank are affected by the bug, according to Edelman.
Google confirmed the information. PageRank allows you to see how Google ranks the importance of particular web pages.
The pages with a higher rank are more likely to appear at the top of Google's search results.
Sidewiki is a comment system that lets Google Toolbar users discuss any web page using a browser sidebar.
Edelman began his tests by disabling the Google Toolbar (with enhanced features enabled) using the red 'X' found on the left hand side of the browser window.
This action triggers a pop-up asking you if you would like to 'Disable the Google Toolbar only for this window' (the default choice) or if you would like to disable the toolbar permanently.
If you choose to 'Disable Google Toolbar only for this window', Edelman discovered, using an HTTP packet sniffer, that the toolbar continues to send parts of your browsing history to Google.
If you choose to disable the toolbar by selecting the 'permanently' option within the 'Disabling the Google Toolbar' dialogue box, the software performs as expected.
"A fix that doesn't require a browser restart will be available in an automatic update to Google Toolbar that we are pushing tomorrow," a Google spokesperson said.
Disabling the advanced features (Sidewiki and PageRank) via Microsoft's IE8 browser software also does not stop information on your movements from being sent to Google, Edelman found.
If you select Manage Add-Ons (Tools, then Manage Add-Ons) in IE8 and choose to disable the 'Google Toolbar Helper' and 'Google Side Bar', your web surfing habits will still be reported back to Google, Edelman said.
However, once the browser has been closed and re-opened, the disable request does block future toolbar communication with Google.
Google added that the fix available Tuesday would address this issue as well as eliminate the need for a browser restart.
The fact that Toolbar continues to transmit any of your browsing history to Google after you've disabled the add-on contradicts the search giant's own statements about its Toolbar.
By agreeing to use Sidewiki and PageRank, you agree to send information about your browsing habits to Google.
If you are using PageRank, for example, Toolbar sends Google browsing information such as domain names, directories, filenames, URL parameters, and search terms, according to Edelman.
Google clearly states on a help page for Toolbar's enhanced features that if you disable PageRank and Google Sidewiki these features "no longer send URL information back to Google".
Google says it will make a download update for its toolbar available by the time you read this. Another option is to restart your IE8 browser after making any configuration changes so that the changes stick.
Edelman says Google should delete any browsing information from its servers that has been collected as a result of what Edelman calls "nonconsensual data collection".
When asked, a Google spokesperson declined to comment on Edelman's request that nonconsensual data be deleted.