• by Wendy Davis  @wendyndavis, November 30, 2018

Web users whose names may have been “leaked” by Google to outside publishers didn't suffer any concrete harms, and therefore shouldn't be able to sue, the company told the Supreme Court on Friday.

The company's argument marks the latest turn in a legal battle dating to 2010, when Google was sued for allegedly violating users' privacy by including their search queries in "referer headers" -- the information Google automatically transmitted with outbound traffic.

The users who sued said they had typed their own names into Google's search engines. They argued that Google's transmission of their names, combined with other information, could effectively identify them to the companies they visited. (Google no longer transmits search queries when people click on links in the results.)

Google agreed to resolve the allegations by donating $5.3 million to six nonprofits and schools, and more than $2.1 million to the attorneys who brought the lawsuit. Ted Frank, founder of the Center for Class Action Fairness, challenged the deal. He argued that it should have been rejected because it didn't compensate Google's users.

His challenge was heard by the Supreme Court on October 31. At that hearing, several judges questioned whether the people who sued suffered the kind of concrete injury that warrants a lawsuit. Several days later, the court took the rare step of requesting additional written arguments addressing that question.

Google argues in its new court papers that the users should have never been allowed to proceed with the case, contending that it's not plausible for users to be identified by the information transmitted in the referer headers.

“'Vanity searches' consisting solely of a name indicate only that someone is searching for information about that individual -- they do not reveal anything about the individual or about who is conducting the search,” Google writes in its new court papers. “Neither does the inclusion of an individual’s name as one of several terms in a search plausibly support a conclusion that the search terms reveal personal information about the individual.”

The White House, which weighed in on the case, sided with Google on that point. “Plaintiffs do not allege that Google’s disclosure of their search terms would allow anyone to identify them as the users who conducted the searches,” the Solicitor General argues.

But lawyers representing the plaintiffs argue that data leakage in itself causes the kind of injury that justifies a lawsuit.

“For centuries, unauthorized disclosure itself has been sufficient injury to sustain an action in court, without proof of further harm,” they argue.

They add that search queries have previously been used to identify users, as happened in 2006, when AOL released three months of search queries from 650,000 users. AOL took steps to “anonymize” the users, but some people were nevertheless identified based on the patterns in their queries. Most famously, within days of the data release, The New York Times identified AOL user Thelma Arnold.

The new round of papers comes in response to a rare request by the Supreme Court for arguments addressing whether the users should have been able to proceed with a lawsuit.

The court made that request after an October 31 hearing that was expected to focus on a different matter.