Google does make money from ads, but that is not their primary business. Yes they have AdWords and they bought DoubleClick around 2007. They also have YouTube that took them forever to figure out how to monetize. They bought Urchin (Google Analytics) specifically to monetize AdWords.
Google’s primary business is search. They monetize search in a couple different ways. The primary revenue model for search is micro auctions to determine ranking of product placement on search results.
I don’t have numbers but I suspect Google ads get far more eyeballs than do their search results. The distinction though is margin not quantity. Ads aren’t worth very much. Google ads generate a higher margin than Facebook ads but still tiny, like maybe fractions of a penny. When I was at Travelocity a million years ago I remember hotels bidding up to $18 per click for placement on searches related to Las Vegas. Not only is that click-through worth a fortune it is also relevant and thus far more likely to be clicked.
EDIT
Death by a thousand paper cuts.
Somebody provided a source below, they clearly did not read, which explains all of this:
> Search is Google’s most lucrative unit. In 2020, the company generated $104 billion in “search and other” revenues, making up 71% of Google’s ad revenue and 57% of Alphabet’s total revenue.
This section of the article further details how the auctions differ from online advertisement products.
I don't have the source but Google's chief economist has been very clear about how the micro auctions work and generate revenue separately from display ads.
> Google’s primary business is search. They monetize search in a couple different ways. The primary revenue model for search is micro auctions to determine ranking of product placement on search results.
You're going to have to explain how product placement in search isn't ads.
I worked at Yahoo! Travel in the before times, so hello from a fellow Travel industry person, I've got a Travelocity gnome in my stuff from work area. :) We had lots of advertising on our pages too, but it was always clearly marked (for some value of clearly); Yahoo! had done some pay for search ranking deals long before I joined, but they were clearly frowned upon by the time I was there; organic results had to be organic, although certainly if an advertiser is pushing a hotel that's going to get traffic which could boost rankings (I don't think Y! Travel included traffic in hotel rankings, but we didn't have a super thorough data pipeline)
> Search is Google’s most lucrative unit. In 2020, the company generated $104 billion in “search and other” revenues, making up 71% of Google’s ad revenue and 57% of Alphabet’s total revenue.
From your second source. I guess you were conflating ad revenue to online advertisements. Its all ad revenue, but its not all online advertisements.
Your point is completely unclear. The vast majority of Google's money is coming from selling advertising. The have multiple ways of selling advertising - advertising on Google Search itself, advertising on other people's pages, advertising in YouTube videos etc. But it's ultimately all money from advertising.
They don't have to do paid placement. They know which sites are running their ads and can prioritize them to maximize impressions based on their pervasive tracking.
Google monetizes search but not with Google ads. This is the primary distinguisher. Its an auction selling space on page for a supplier to provide their own textual content. Google's online advertisement businesses don't sell space on Google pages, but online ad products for other peoples' pages.
Google considers all of this as ad revenue, but distinguishes search from their advertisement products in their revenue filings.
I don't understand what you are getting at. In both your comments, it sounds like you find the most convoluted way to describe "Ads", and then claim that because you didn't use the word "Ad" in your comment, we should pretend that what you described is something completely different (but totally not ads?)
> Ads aren’t worth very much. Google ads generate [...] maybe fractions of a penny.
Suppose someone types "hotel Paris" into a search engine. Then the ads auction is the search engine turning around and saying "here's someone that's (probably) about to spend a thousand euros on _some_ website. How much if I send them to yours?" You can't buy that kind of intent-to-buy for only pennies -- that's 2-3 orders of magnitude off.
There's definitely ads that are sold by the kilo-impressions, but search ads generally do not fall in that category.
> In 2022, the average Google AdWords cost per click is about $1 to $2 on the Google Search network. Some newer niches may still see lower costs, while more established businesses, might see higher cost-per-click averages.
> Children in every demographic group have been affected, but Black and Hispanic children, as well as those from low-income families, those with disabilities and those who are not fluent in English, have fallen the furthest behind.
The pandemic affected everybody almost equally by political jurisdiction so demographic stratification suggests there is more to blame in addition to the pandemic. Looking at young children in my area my first blame is convenient access to touchscreens.
There has been a massive surge in homeschooling since the pandemic as well, but it is mostly among those affluent enough to afford to have 1 parent not work so they can take the time to school their children at home.
I would imagine the same basic things are playing out here in these stats as well - the ability to have good reliable internet, a dedicated computer or tablet to work on, a proper physical space or desk space to do the work, etc. All of these things tend to be a given with higher income levels, but are not at all a forgone conclusion with lower income levels.
> I also constantly remind myself that "perfect is the enemy of shipped".
That is easy to say as marketing first personality with access to money. In this case shipping anything is critical and you can fix it later.
As a bootstrapped technologist product quality is all you’ve got. If the product isn’t revolutionary then nobody cares and you won’t change their opinion. So, in this case you need to get it mostly right, because you won’t get a second chance at a first impression.
It’s more subtle and monumental than that. Before this JS was already executing at the same speed as Java except for in arithmetic. At this rate of improvement eventually JS will execute much faster than Java in all areas except arithmetic where it will achieve near parity.
I am not seeing any other programming language continuously improve their execution speed this much.
Look at DOM performance. Chrome has a ceiling of about 45m ops/s where FF max speed is dependent upon your ram and bus speed reaching beyond 4-5b ops/s. In both though querySelectors perform at about the same speeds as slow as 25000 ops/s.
I have written an OS GUI that executes in the browser. It loads, including full state restoration in about 120ms. I was recently interviewing with a search engine company, one of the big ones, where I could demonstrate that JavaScript tool can execute file system search much faster than the OS and produce better results. They seemed really impressed.
Despite all of this my biggest learning about performance is that mentioning performance during job interviews shows that you are incompatible with other JavaScript developers and will not be hired.
> Despite all of this my biggest learning about performance is that mentioning performance during job interviews shows that you are incompatible with other JavaScript developers and will not be hired.
As someone who done plenty of JS, cares about performance and also has handled hiring for JS positions in the past, I can tell you that this is generally not true. Caring about performance is not a reason to not get hired.
But it is possible to be "technically superior" in every conceivable way, but still not be a good hire. Why? Because the candidate might be missing vital soft skills or even not be very good at describing their thoughts, something that can slow down an entire team.
"Learning the wrong lesson" when things go wrong would also be something I'd consider high up for reasons to reject a candidate.
I have been doing web work for over 20 years. Everybody claims to care about performance, training, security, and so forth. The only thing that really matters in practice is comfort. Until developers are willing to abandon certain areas of comfort things like performance are only given lip service. In doesn’t matter what they want if they are actively working in opposition. This is performance is a massive incompatibility to hiring.
> In doesn’t matter what they want if they are actively working in opposition. This is performance is a massive incompatibility to hiring.
No one is working towards degrading performance on purpose, and caring about performance is not "a massive incompatibility to hiring". But the fact that you keep stating this makes it clear that there seems to be plenty of other reasons organizations are not hiring you.
> No one is working towards degrading performance on purpose
You are not participating in the same interviews that I am then. Most developers know querySelectors, for example, are super slow. They will fight to death to retain them and anybody who suggests any alternative is not compatible for hiring. If they know its slow and deliberately choose to avoid faster alternatives how is that not degrading performance on purpose? How is that not common?
> "I was recently interviewing with a search engine company, one of the big ones, where I could demonstrate that JavaScript tool can execute file system search much faster than the OS and produce better results. They seemed really impressed."
How is this possible? OS should be using direct syscalls, any additional code you write should be pure overhead in theory, right?
No, its a common misunderstanding of search and tree models. The OS is faster, by a tiny bit, at traversing the file system than my JavaScript application. It is only search that is slower, and dramatically so. I don't have visibility of the OS code so I cannot be certain why that is. I speculate its because the OS is doing too much.
With the DOM querySelectors are dramatically slower than using static methods with arbitrary strings as arguments. This is likely because a query string must be parsed against each child node to determine if the child node is a match to the supplied query. Likewise, modern OSs use ancient conventions to search the file system, such as wildcards, along with more modern advanced search syntax. These are rules that must be parsed against each child artifact from a tree segment. My application deliberately doesn't do that.
To compound matters Windows, don't know about OSX, caches search results so that subsequent searches are a little less slow, which incurs a greater performance penalty on first search. My application doesn't do that either. Each search triggers tree traversal, so its always as fast reading from the file system.
Mentioning any of this during a job interview makes for intriguing conversation with the interviewer. I do detect genuine interest and curiosity from the interviewer. At the same time they know their team will fight to the death at many mention of alternatives to querySelectors and/or JSX, so you have just effectively terminated the interview. Anything there after is purely for the interviewer's personal interests.
No app I've ever written needs querySelector to be fast. I'm not saying I can't imagine such an app. But, I would never reach for some optimized but very uncommon solution unless the app really needed it.
A micro service to a localhost node application. There is a file system API in the browser now but it isn’t mature and is highly restricted compared to the terminal.
Why would you suspect that? Are you a JavaScript developer? If so have you seen the terrifying horror on people’s faces when you mention alternatives to querySelectors or that you can write/execute code faster by not using vDOM? Mentioning performance is the fastest way to exit a job interview.
Isn’t this comment behaving in a sensitive way? Your bio says sensitive people make you sad. Unfortunately quoting an [out of touch] billionaire, though that’s not the point :p.
I suspect cheating is not the primary problem. I suspect, like so many other decisions in software, the primary problem is unrealistic and unfounded expectations. This behavior typically comes from unmeasured assumptions that may work well in one narrow circumstance applied into an unrelated circumstance and then blaming the result instead of the decision. This is bias.
Unless there is a solution that directly addresses hiring bias this company will fail like all the others before it for exactly the same reason: their clientele will apply bias (the actual cause of the problem), be unhappy with the result, and then blame the service provider. In sales the client is never wrong, which means the service provider is always wrong. This is why software overspends on recruiters and then invents fantasies like React developers with a year of experience are rare.
Total control by whom? Most financial transactions occur between numerous financial institutions and wiring intermediaries in between. The finance network is far more decentralized than the web even after consideration for things like SWIFT.
Your financial transactions are already tracked by numerous parties. This is neither secret nor suspect. Without visibility over the transfers, distribution, and behaviors therein how would governments and financial institutions account for ethical violations?
There are legal reasons why that does not work. For example consider military separation. A candidate is under no obligation to disclose their military/veteran status. If that candidate then becomes mobilized the federal obligation trumps the commercial obligation. Employee leaves and not only are they separated from the work without any repercussion the employer is required to retain that employee in an unpaid status for at least 5 years unless a rare legal exclusion is met.
There is also pregnancy. An employer cannot terminal an employee for taking time to give birth and taking some more time off immediately after.
These are the two most obvious reasons though I am sure there are many more that they cannot enforce.
Certificates, certificate chains, certificate installation. In theory the concepts sound easy and there are numerous guides and instructions online. Once you try to become your own CA the challenge becomes real. Trying to write an automated solution cross-OS feels like running a marathon on your hands.
I’ve always been confused about this too. It seems to me like asymmetric encryption is all there is to it… shouldn’t it just be a bit of data encrypted with a private key? I don’t understand why it’s so complex.
The basic idea is simple: A certificate is just a signed document. The document has been encrypted with a private key so that anyone can decrypt it with the public key and know which private key was used to encrypt it.
The complexity comes from the many layers of detail that get added.
First, we don't encrypt the document directly, because public key operations on arbitrarily sized data can be slow, require padding, etc. So we hash the document, and encrypt the hash: Hashes are fast, they produce fixed sized output (mostly), etc.
Second, the document itself isn't an arbitrary document, it contains very specific, structured pieces of information. The two most important things are a) the public key being certified and b) the identity of the owner of that key.
We need "b", the identity, so that when we decrypt a signature using "a", the certified public key, we can have some assurance as to who the holder/owner of the private key was.
Identity gets complicated: A person? A machine? An email address? Etc. The original X.509 spec had directory names (think LDAP names) only; later revisions added email addresses, machine identifiers, etc.
Third, why should we trust a certificate? And what for?
Above, I wrote that the important things were "a", the certified public key, and "b", the owner's/holder's identity. Well, we also need "c", the certifier's identity.
The original X.509, e.g., basically had a, b, and c, and some date information (during what period is/was the certified key, a, considered valid); we date-limit keys for security assurance, because we cannot guarantee that key pairs generated today won't be cracked tomorrow or next year or next decade. The bigger we make the keys, the more resistant they are, but the slower is the crypto, so we strike a balance and go for more frequently generated and certified smaller keys, unless we really need long-term, in which case we use bigger keys. But hash algorithms get cracked too, so, again, a tradeoff.
So I've got a certifier's identity. Great. How do I verify the certificate they issued? For that, I need THEIR public key. Now we start getting into chains.
Somehow, I have to have a trustworthy copy of the public key of the certifier, the so-called certification authority (CA). The CA's certificate looks like mine and yours, a document containing a (key), b (identity), and c (CA), and some date info, etc.
I use that trustworthy copy of the CA's public key to verify a certificate, and that lets me know that I can rely on a, the key in that certificate, for some purpose.
But what purpose? In the original X.509, it was "fill your boots", whatever purpose you like.
Does that mean I can verify with that key? Encrypt with it? Use it for email, ssh, TLS, or even acting as a CA myself?
Later versions of X.509 addressed these questions by adding various markers that a CA includes to say to relying parties "I say this certificate is good only for these purposes". You are free to use it for other purposes, but if you get burned, you cannot go back to the CA, because those markers basically told you the certificate wasn't to be relied on for that.
Three of the most common restrictions are 1) is/isNot a CA (that is, does the CA recognize the certificate subject, the b, as a CA themselves? mostly the answer is no, this is an end-user or end-device; while there is nothing we can do to stop them from issuing certificates on their own, we DO NOT recognize them - the chain ends here); 2) encrypt/verify, used in two-pair cryptosystems, e.g.: the CA is saying that THIS key is good for verification, but don't encrypt with it, while THAT one is good for encryption, don't verify with it (there can be policy and security and operational reasons for all of those); and 3) purpose, e.g., this certificate is good for email only, that certificate is good for TLS only, this certificate represents a person, that certificate represents a machine, etc.
Fourth, what about that trusted copy of the CA's public key? Where does that come from? That requires a specific action OUTSIDE the overall infrastructure, outside the chain of trust. In many cases, it is a certificate import: We specifically say to our system "trust this specific certificate". How it gets used, the purposes for which it gets used, depend upon where it was imported (into a root certificate store, an intermediate store, a machine store, a user store) and upon the certificate properties previously discussed.
Fifth, and probably last, what if something goes wrong along the way? What if, despite my best precautions, a private key is compromised during the valid lifetime of the certificate?
How do I let people know? That's where revocation lists and online status checkers come in. I cannot remember who said it, but they described revocation lists as wandering anti-matter for certificates.
The basic idea of an RL is that it is a signed list of zero or more certificate identifiers - turns out certificates also include serial numbers which are intended to be unique within the set of all certificates issued by a specific CA. If the certificate is compromised, the CA writes the certificate's serial number on an RL.
Part of verifying a certificate is verifying that it isn't on an RL. Like certificates, RLs have validity periods, so one has to verify that the RL is also valid.
And that's pretty much what the original X.509 said about RLs. The expectation was that they would be in the directory (the whole point of X.500), in the CA's entry (the CA's certificate contains their directory name as their "b"; cf "a" and "b" way above). Original X.509 did make one distinction, between an RL for end-users, a CRL, and one for authorities, an ARL, but that distinction wasn't well described.
What if I am not using a directory? What if I want to have multiple RLs, maybe for different purposes? What if they get very large? How do I segment them? How do I tell people where to look for the RL that would apply to a given certificate?
And how do I know I have the right RL? If I am using a directory, what if an attacker replaces the RL I am expecting with another valid one? E.g., puts the ARL where I expect to find the CRL? Absent other information, the ARL will validate and of course the enduser certificate I am validating won't appear on it (it's on the CRL, the one the attacker hid), so it will appear valid.
Finally, what if the reason for revocation doesn't affect my purpose? The simplest example would be revoking certificates because of a change in business purpose. Maybe the business went out of business in July, so anything signed by them after July is invalid, but anything signed before then might still be.
Later versions of X.509 addressed all of these questions by including reason markers, revocation time markers, and a few other things.
Most importantly, these later versions of X.509 included the distribution point concept, the most important applications of which are 1) segmenting RLs so that instead of having a single monolithic CRL, a CA can maintain many smaller, perhaps more frequently issued RLs, and 2) tying a certificate to a specific RL BEFORE it is compromised.
In other words, the certificate contains a marker that says "if ever I am compromised, the CA will list me on an RL in this place", wherever that is. It goes one step further (since we trust signatures, not places): RLs themselves contain issuing distribution points that identify where they are from or are/were expected to be: The IDP on an IRL should/must watch the RL distribution point identified in the certificate itself.
That way you can know for sure that this is the right RL: If this certificate is NOT listed on this specific RL, then the CA has NOT revoked it.
This gets around attacks on the storage place, e.g., the directory, etc.
And that's just the management side of PKI, Public Key Infrastructure, and doesn't touch the crypto side, which is as complex.
So, yeah, it's a complex ball of wax.
(I worked for a PKI company for many years in the 1990s, did some PKI work before then, some X.500 work before that, and an awful lot of PKI, security, compliance, audit, and directory consulting in the first two decades of this millennium, but right now I mostly write code, either for high assurance network security devices or for an integrated risk and compliance management software product; this quarter is mostly the hardware product....)
I am a JavaScript developer so my opinions are limited to that slice of software.
Senior used to mean someone experienced enough to become an advanced problem solver. Those days are long over.
Now senior is equivalent to expert beginner. They are really fast and confident at using tools. This advanced and rapid tool usage means they can solve some problems quickly, but they cannot imagine any solutions aside from their favorite tools. The most important limitation there is that most senior developers cannot write original software. It’s a world of a few commonly known problems with commonly applied repeated solutions and everything else is discarded with excuses that equally lack originality.
If, as a JavaScript developer, you are able to write original software without popular tools you are commonly viewed as something like a dark wizard, equal bits of magic and evil. People view this as mysterious and incompatible with reality (you won’t be hired).
Google’s primary business is search. They monetize search in a couple different ways. The primary revenue model for search is micro auctions to determine ranking of product placement on search results.
I don’t have numbers but I suspect Google ads get far more eyeballs than do their search results. The distinction though is margin not quantity. Ads aren’t worth very much. Google ads generate a higher margin than Facebook ads but still tiny, like maybe fractions of a penny. When I was at Travelocity a million years ago I remember hotels bidding up to $18 per click for placement on searches related to Las Vegas. Not only is that click-through worth a fortune it is also relevant and thus far more likely to be clicked.
EDIT
Death by a thousand paper cuts.
Somebody provided a source below, they clearly did not read, which explains all of this:
https://www.cnbc.com/2021/05/18/how-does-google-make-money-a...
> Search is Google’s most lucrative unit. In 2020, the company generated $104 billion in “search and other” revenues, making up 71% of Google’s ad revenue and 57% of Alphabet’s total revenue.
This section of the article further details how the auctions differ from online advertisement products.
I don't have the source but Google's chief economist has been very clear about how the micro auctions work and generate revenue separately from display ads.