Christopher T. Sheean is a partner in the Chicago office of Swanson, Martin & Bell, LLP, and the chair of the firm's Class Action Practice Group, as well as co-chair of its Commercial Litigation Group. He is an active member of the Defense Research Institute's Commercial Litigation Section. Chris writes us about the latest class action against Google:
On October 25, 2010, Google was sued in federal court in San Jose, California for allegedly violating the privacy rights of Google users by transmitting the users' search queries to its customers. (Gaos v. Google, No. 10-04809 (N.D. Cal.)). Although the practice of transmitting a search query in a URL has been a common practice on the internet for some time, recent attention from commentators has raised the question of whether it rises to the level of a privacy violation. That issue was recently brought to the attention of the FTC by privacy advocate and former FTC technologist Chris Soghoian. Two class action plaintiffs' firms quickly seized an opportunity to cash in by putting together the Gaos complaint. However, a closer scrutiny of the complaint suggests that only a very small handful of users may have suffered privacy violations, and in those instances, the underlying facts would vary so greatly that the class action format would not be a proper vehicle for resolution of their claims.
Google has become a primary target in the class action arena, particularly for claims relating to privacy. In February 2010, Google was sued in federal court in San Jose, California over allegations that its "Google Buzz" social networking site violated the Computer Fraud and Abuse Act because if a Gmail account holder opened a Google Buzz account, all of that user's contacts became visible to the public. Google ultimately settled that litigation with no admission of fault, in exchange for an $8.5 million donation to a privacy education fund - and a healthy fee to the class plaintiffs' attorneys. Individual class members received nothing in the settlement. On November 3, 2010, another class action suit was filed against Google in San Jose, Weber v. Google, (Case No. 10-05035), this one alleging that Google violated the privacy rights of users of the Google Toolbar, by collecting data regarding the users' internet activity and transmitting that data back to Google without the users' knowledge or authorization. From this recent raft of litigation it appears that class action plaintiffs' lawyers may be starting a modern day gold rush to the doors of the federal courthouse in Northern California, if they can be the first to file a newly fashioned complaint and assert novel theories of privacy violations.
In the Gaos suit, Google is alleged to have violated the privacy rights of those who use Google's search platform. The suit alleges that Google profits by providing its customers (companies seeking to improve their overall ranking and visibility in Google search results) with the search queries that are used to locate and click on a link to that customer's website. When a Google user enters a search query, activates a search, and then clicks on a result in the search, the web address of that site will have a "Referrer Header," a string of characters that contains the user's search query. For example, if a user typed in a search for "hardware store in Toledo, Ohio" the Referrer Header would look like "http://www.google.com/search?q+hardware+store +in+Toledo+Ohio". The Gaos suit alleges that by transmitting the search queries, Google has disclosed to third parties its users' private information in violation federal and California law, as well as in violation of Google's own privacy statement.
In apparent recognition that it would be near to impossible to identify a Google user solely by analyzing a single search query, the Gaos complaint theorizes that third parties are able to "deanonymize" Google users through a process called "accretion," where some ne'er-do-wells are able to link together the personal information of individuals, such as email addresses, with information about those individuals, such as shopping and searching habits gleaned from studying search queries. The complaint speculates that through accretion, these nefarious third parties will link up the information submitted with the query itself to the user's identity, and thereby learn all sorts of private and personal information about the user. The examples the complaint gives include those individuals who perform "vanity searches," where an individual enters his or her own name to discover where on the internet their name might appear. The complaint goes on to speculate that a Google user could be searching for medical information relating to personal medical issues, and the release of such information would constitute a significant privacy violation. While it's true that the release of an individual's medical records and related information would be a potential violation of that person's rights to privacy, the complaint fails to give any actual instance of such an occurrence, let alone a plausible explanation of how such a gaffe would occur.
There are at least 2 fundamental problems with the claims asserted in the Gaos suit: first, it asks the court to make huge leaps in facts and engage in rank speculation to find any privacy violations; and second, the facts of any actual privacy violations and the alleged harms that would result are so intertwined with individualized facts as to make the case wholly inappropriate for class action treatment.
The complaint speculates that through "deanonymization," a savvy third party can match the Google user's identity with that user's internet protocol address for the computer used in the search. The complaint fails, however, to offer any speculation as to the frequency or likelihood that such quantum leaps are being made by third parties. The complaint cites a New York Times article discussing an incident in 2006 where AOL disclosed 20 million searches performed by 658,000 AOL users over a three month period. However, in that incident, AOL identified each of the AOL users by number, and identified the searches performed by that user over the 3 month period. The New York Times reporters were able to identify one of the users by analyzing all of her searches performed over a 3 month period. The Gaos plaintiffs point to that incident as proof that disclosure of a search query will disclose private information about an individual. However, there is a critical distinction between the AOL users' data disclosed in 2006 and the search queries disclosed by Google. In the AOL incident, AOL disclosed by user number the author of each query. In the case of Google's disclosure of the Referrer Header, the identity of the user is not tied to a string of search queries by either a user name or an IP address. The complaint provides no plausible explanation for how a third party such as Rapleaf would be able to take a single URL containing a search query, and from that, determine the identity of the Google user.
The Gaos complaint attempts to vilify Google by citing to a declaration Google proffered in opposition to a 2006 subpoena issued by the Department of Justice. The Government sought thousands of search queries, and Google objected to the request, claiming that confidential information could be disclosed in the text of the search queries. The Gaos complaint argues that this declaration demonstrates Google's understanding that search queries are clearly private information that should never be shared with third parties. One critical distinction exists between the example of Google's opposition to the Government's subpoena and the allegations in the complaint. The Gaos complaint alleges that Google is sharing the Referrer Header to a single company, the company the Google user selected from the results of the search. That company is not gaining access to thousands of emails, but rather to the individual query that led the user to select its company website. Certainly the owner of a hardware store in Toledo is not receiving private information if she receives the search query that lead a Google user to select her store's website from the Google results. In the example of a vanity search, if Google user queries his name in the search, any website he later selects either already knows of the individual selecting the website with information about the user, or the information on that webpage relates to another individual with the same name. Otherwise, the website would not appear in the Google results. In either case, little if any "private information" has been disclosed.
Even if the suit had set forth a clear instance where the named plaintiff's privacy had been violated, there is little likelihood that a class could be certified based on the plaintiff's claims. The fundamental requirement for a court to certify a class under FRCP 23 is that common claims amongst the class predominate, and far outweigh any issues of individual fact. Here, the converse is true. There is no common set of facts that could give rise to a common claim involving violations of the millions of Google users' privacy rights. For each Google user allegedly impacted, the Court would need to analyze: the searches the user conducted; the results of that user's searches; the websites that user subsequently visited from the Google website; whether the owners of any of those visited websites actually received the Referrer Header from that search; whether, as a result, any of that user's private, personal information was improperly disclosed; and under some of the claims alleged, whether the user was actually damaged as a result of the disclosure. Each of these separate facts is highly individualized and will vary from class member to class member. These variations make class action an inappropriate means of resolving the claims against Google.
The Gaos complaint raises some interesting theories about possible privacy violations that could arise from Google's practice of forwarding URLs to customers that contain users' search queries. However, the complaint fails to establish even a remote likelihood that such a privacy violation has occurred. Moreover, the allegations of the complaint make it clear that the claims do not fall within the scope of a proper class action lawsuit. The Gaos and Weber filings demonstrate that, rather than seeking to prevent Google from violating internet users' privacy rights, the class action plaintiffs' bar is actively seeking an opportunity to get to the San Jose courthouse first with a novel claim, in hopes of striking it rich, not unlike the original Forty-Niners who traveled to California in search of gold.