The lawyer’s view:  Why Google should be taken to task on secret snooping

As many readers will be aware, and will likely have seen from the considerable press coverage, three UK users of Apple’s Safari browser are awaiting the outcome of a High Court hearing on Monday and Tuesday ( 16-17 December) as the court decides whether it will allow Google to evade UK privacy laws in respect of its secret tracking of Safari users.

The case has attracted a lot of attention for one simple reason.  The protection of our privacy online, and ensuring that online giants treat our personal data responsibly, is something that affects all of us.

So, while many of us are happy to provide personal information for certain things – signing up for an email account or social media profile for example – it is important that internet companies such as Google know the limits of that consent and aren’t allowed to act as if they are above the law.

 

The Safari case

The case in the High Court in London this week was brought by three ordinary UK consumers – Judith Vidal-Hall, Robert Hann and Marc Bradshaw – in respect of Google’s use of so-called ‘third-party cookies’ to track the browsing preferences of internet users in order to serve them with targeted advertising. Google claims that, despite its tracking affecting potentially millions of UK internet users, the issue isn’t serious, and it doesn’t need to comply with British laws as it is based in California.

Advertising is seriously big business for Google – last year it reported global revenues of over $50 billion (about £30 billion), of which about 96% is estimated to come from its online advertising services.

As a result, Google doesn’t generally make much of a secret of the fact that it tracks users in order to make more money. It simply says that if users don’t like it they need to set their internet browser to reject the third-party cookies that allow it to track what users are looking at online, or manually opt-out of Google’s snooping via its ‘Ads preferences’ page.

Apple’s Safari browser, which comes pre-installed on all Macs, iPhones and iPads, is unique in that it is set by default to block these cookies in order to protect the privacy of its users.  Google therefore said on its website that this “effectively accomplishes the same thing” as manually opting out – in other words, Safari users didn’t need to worry that they were being spied on.

However, this wasn’t true.  In February 2012 a Stanford PhD researcher, Jonathan Mayer, discovered that Google had found a way around this protection using a loop-hole in the Safari code.  His findings, published on his blog and in the Wall Street Journal, revealed that between Summer 2011 and Spring 2012 Google was able to use this workaround to spy on millions of users of the Safari browser around the world, both on desktop computers and mobiles, without informing them or seeking their consent.

This meant that millions of users who thought they had done what they needed to protect their privacy online (by choosing a browser that stringently blocked this activity) were in fact being tracked by Google, which was using the data to sell its DoubleClick advertising services.  It also led to many users having details of their private browsing history being revealed to other users of their device from the nature of the adverts that were being displayed. In some cases the revelations were both personal and distressing.

 

Google’s bad behaviour

When details of Google’s secret tracking were revealed, it responded to say that it had done so by mistake and that it “didn’t anticipate that this would happen.” However, one need only look at some of Google’s other recent privacy violations to realise that the company has form when it comes to invading users’ privacy.

In 2010, it came to light that Google had been collecting details of internet usage from users’ own homes over unsecured WiFi network when it was collecting data for its Street View service. Regulators found that this included, amongst other things, “log-in credentials, medical listings and legal infractions, information in relation to online dating and visits to pornographic sites.” Google again claimed that this was a mistake – yet despite being ordered to delete the data in December 2010 it then revealed in July 2012 that it still hadn’t done so.

Then, in March 2011, Google agreed to settle charges brought by the FTC in the US after it found itself in hot water relating to its launch of Google Buzz, when it used personal information of Gmail users to automatically sign them up to the new service without their consent.

This incident led to Google promising to take better care of users’ personal data in future and put appropriate steps in place – however only a year later, details of its Safari workaround came to light. In response, it agreed to pay US $22.5 million in fines the FTC for breaking its promises.  It also ended up paying a further US $17 million to Attorneys General in 38 US states in a further settlement related to the Safari breach.

Despite all of these incidents, it still hasn’t changed its ways. It is currently being investigated by six European privacy regulators in respect of a new privacy policy that it unveiled in March 2012, under which it has sought to combine user data collected from over 60 products and services in one place.

 

Google in the UK

At least in the States, Google has had to put its hand in its pocket to pay fines relating to these breaches.  While it earned the $39.5 million that it has paid so far in fines in a matter of hours, US regulators have at least made it clear that Google can’t continue to flout privacy laws.

However, British consumers have been left out in the cold. For as long as the UK regulator fails to impose any effective sanctions, it will continue to do as it pleases with our data.

Google made 11% of its revenue (about £3.4 billion) here last year, and has four offices in the UK. Yet as far as it is concerned, when it comes to paying tax or abiding by UK laws, these don’t apply as it is based in California.

The case in the High Court is therefore important not only for the three individuals bringing the claim, but for all British internet users who think that Google should be made accountable for its actions and made to comply with our laws.

If individuals like Judith, Robert and Marc don’t stand up and challenge Google’s snooping, it will keep getting away with it.

 

Jack Gilbert, Olswang LLP
19 December 2013

Jack Gilbert is an Associate at Olswang LLP and is one of the lawyers representing the claimants in this case.