A wave of bad publicity ensued, as did some Federal Trade Commission investigations. Eventually some of the Web companies accused of leaking data revised their practices and curtailed the information that's included in the referrer headers -- the URLs that Facebook, Zynga and other companies send to advertisers when directing traffic their way. The headers themselves previously included information that could reveal users' identities, as well as the specific pages people were reading at the time they clicked on an ad.
filed class-action lawsuits against the alleged leakers. Those suits had varying degrees of success in court. A case against Google settled -- though the judge hasn't signed off on the agreement yet.
search queries in referrer headers. Some queries, like users' vanity searches on their own names, can provide clues to their identities.
But the lawsuits against Facebook and Zynga were dismissed at a preliminary stage, on the ground that the consumers weren't harmed by any alleged disclosures. Late last week, a panel of the 9th Circuit Court of Appeals heard arguments about whether to revive those lawsuits.
The judges on the panel had plenty of questions for the attorneys for all sides, but seemed especially interested in whether referrer headers should be considered content or metadata. If the former, passing them along potentially violates the federal Stored Communications Act. But if the referrer headers are only metadata, sending them arguably doesn't violate federal privacy laws.
Judge Richard Tallman pointed out that one reason the question defies easy answers is that the federal privacy laws date to the 1980s -- long before the Web took shape.
But another judge on the panel suggested that referrer headers are akin to telephone numbers -- which aren't considered content, even though they can be quite revealing. She pointed out a call to 1-800-Mattress could indicate that the caller was shopping for a new bed, but that wouldn't make the number content.
That same question took center stage in another recent privacy lawsuit -- a case alleging that Google (and other companies) violated users' privacy by circumventing Safari's default settings in order to place cookies on people's computers. U.S. District Court Judge Sue Ann Robinson in Delaware dismissed that case, ruling that Google didn't violate federal privacy law because any information gleaned from cookies -- including URLs of Web sites that people visited -- wasn't “content.”
“While URLs may provide a description of the contents of a document, e.g., www.helpfordrunks.com, a URL is a location identifier and does not 'concern the substance, purport, or meaning' of an electronic communication,” she wrote. Consumers recently appealed that ruling to the 3rd Circuit Court of Appeals.