In a blow to Google, a federal judge has refused to dismiss a lawsuit accusing the company of "leaking" personal information about Web users via referrer headers. The decision, issued this week by U.S. District Court Judge Edward Davila in San Jose, Calif., stands in contrast to other recent rulings in similar lawsuits against Facebook, Zynga and LinkedIn.
The decision marks the latest development in a lawsuit brought in 2010 by San Francisco resident Paloma Gaos. The case centers on allegations that Google violated its privacy policy by including search queries in "referrer headers" -- information that is automatically transmitted to sites that users click on when they leave Google. Some queries, like users' vanity searches on their own names, can provide clues to their identities -- although it's not always apparent whether users are searching their own names or the names of others.
Gaos alleged in her lawsuit that she conducted searches for her own name, as well as her family members' names, and clicked on links on the Google search results. Therefore, she argued, Google disclosed her "sensitive personal information" to third parties by transmitting her queries in the referrer headers.
Google argued that the lawsuit should be dismissed because Gaos couldn't show she was injured by the alleged data leakage.
Davila rejected that position and ruled that Gaos could proceed on her claims that Google violated a federal privacy law. "Gaos alleges that her search queries were disclosed without her authorization, provides examples of those queries, and explains how and by whom that disclosure was made," Davila ruled. "The court finds that Gaos has alleged a concrete and particularized injury in fact as a result of the alleged violation of her statutory rights."
Last year, U.S. District Court Judge James Ware in San Jose came to the opposite conclusion in a lawsuit against Facebook and Zynga. Ware dismissed a lawsuit alleging that those companies leaked users' personal information via referrer headers. Likewise, U.S. District Court Judge Lucy Koh in San Jose threw out a similar case against LinkedIn.
Concerns about referrer headers aren't new. Internet pioneer Tim Berners-Lee warned as far back as 1999 that referrer headers could leak information about Web users. But lawsuits about referrer headers didn't reach the courts until 2010, shortly after computer scientists from AT&T and Worcester Polytechnic Institute released the report "On the Leakage of Personally Identifiable Information Via Online Social Networks." They alleged that Facebook and other social-networking sites leak personally identifiable information by including users' unique identifiers in the HTTP header information that is automatically sent to ad networks.
Soon after that report was published, privacy expert Chris Soghoian asserted that Google also leaks users' information to publishers. In a complaint filed with the FTC, Soghoian alleged that Google violates its own privacy policy by transmitting referrer headers that include search queries because those queries often contain users' names.
In the last two years, Facebook, Google and other companies have changed the way they send referrer headers to other sites. Google now encrypts search traffic for signed-in users who click on organic results.