In a blow to Google, a federal judge has refused to dismiss a lawsuit accusing the company of "leaking" personal information about Web users via referrer headers. The decision, issued this week by U.S. District Court Judge Edward Davila in San Jose, Calif., stands in contrast to other recent rulings in similar lawsuits against Facebook, Zynga and LinkedIn.
The decision marks the latest development in a lawsuit brought in 2010 by San Francisco resident Paloma Gaos. The case centers on allegations that Google violated its privacy policy by including search queries in "referrer headers" -- information that is automatically transmitted to sites that users click on when they leave Google. Some queries, like users' vanity searches on their own names, can provide clues to their identities -- although it's not always apparent whether users are searching their own names or the names of others.
Gaos alleged in her lawsuit that she conducted searches for her own name, as well as her family members' names, and clicked on links on the Google search results. Therefore, she argued, Google disclosed her "sensitive personal information" to third parties by transmitting her queries in the referrer headers.
Google argued that the lawsuit should be dismissed because Gaos couldn't show she was injured by the alleged data leakage.
Davila rejected that position and ruled that Gaos could proceed on her claims that Google violated a federal privacy law. "Gaos alleges that her search queries were disclosed without her authorization, provides examples of those queries, and explains how and by whom that disclosure was made," Davila ruled. "The court finds that Gaos has alleged a concrete and particularized injury in fact as a result of the alleged violation of her statutory rights."
Last year, U.S. District Court Judge James Ware in San Jose came to the opposite conclusion in a lawsuit against Facebook and Zynga. Ware dismissed a lawsuit alleging that those companies leaked users' personal information via referrer headers. Likewise, U.S. District Court Judge Lucy Koh in San Jose threw out a similar case against LinkedIn.
Concerns about referrer headers aren't new.
Internet pioneer Tim Berners-Lee warned as far back as 1999 that referrer headers could leak information about Web users. But lawsuits about referrer headers didn't reach the courts until 2010, shortly after computer scientists from AT&T and Worcester Polytechnic Institute released the report "On the Leakage of Personally Identifiable Information Via Online Social Networks." They alleged that Facebook and other social-networking sites leak personally identifiable information by including users' unique identifiers in the HTTP header information that is automatically sent to ad networks.
Soon after that report was published, privacy expert Chris Soghoian asserted that Google also leaks users' information to publishers. In a complaint filed with the FTC, Soghoian alleged that Google violates its own privacy policy by transmitting referrer headers that include search queries because those queries often contain users' names.
In the last two years, Facebook, Google and other companies have changed the way they send referrer headers to other sites. Google now encrypts search traffic for signed-in users who click on organic results.