In a blow to Google, a federal judge has refused to dismiss a lawsuit accusing the company of "leaking" personal information about Web users via referrer headers. The decision, issued this week by U.S. District Court Judge Edward Davila in San Jose, Calif., stands in contrast to other recent rulings in similar lawsuits against Facebook, Zynga and LinkedIn.
Gaos alleged in her lawsuit that she conducted searches for her own name, as well as her family members' names, and clicked on links on the Google search results. Therefore, she argued, Google disclosed her "sensitive personal information" to third parties by transmitting her queries in the referrer headers.
Google argued that the lawsuit should be dismissed because Gaos couldn't show she was injured by the alleged data leakage.
Davila rejected that position and ruled that Gaos could proceed on her claims that Google violated a federal privacy law. "Gaos alleges that her search queries were disclosed without her authorization, provides examples of those queries, and explains how and by whom that disclosure was made," Davila ruled. "The court finds that Gaos has alleged a concrete and particularized injury in fact as a result of the alleged violation of her statutory rights."
Last year, U.S. District Court Judge James Ware in San Jose came to the opposite conclusion in a lawsuit against Facebook and Zynga. Ware dismissed a lawsuit alleging that those companies leaked users' personal information via referrer headers. Likewise, U.S. District Court Judge Lucy Koh in San Jose threw out a similar case against LinkedIn.
Concerns about referrer headers aren't new.
Internet pioneer Tim Berners-Lee warned as far back as 1999 that referrer headers could leak information about Web users. But lawsuits about referrer headers didn't reach the courts until 2010, shortly after computer scientists from AT&T and Worcester Polytechnic Institute released the report "On the Leakage of Personally Identifiable Information Via Online Social Networks." They alleged that Facebook and other social-networking sites leak personally identifiable information by including users' unique identifiers in the HTTP header information that is automatically sent to ad networks.
In the last two years, Facebook, Google and other companies have changed the way they send referrer headers to other sites. Google now encrypts search traffic for signed-in users who click on organic results.