Two recent lawsuits allege that internet service providers violated users’ privacy by sharing “referrer data” containing potentially identifying information. 

A former technologist with the Federal Trade Commission filed a privacy complaint (link via WSJ) against Google with his ex-employer.   The complaint alleges that Google does not allow users to easily prevent transmission of information that allows website operators to determine the search terms used to access their sites.  It claims that this constitutes a deceptive business practice by Google because “if consumers knew that their search queries are being widely shared with third parties, they would be less likely to use Google.”  

According to the complaint, Google search URLs contain the user’s search terms, and when users click on a search result the webmaster of that site can see the terms used to access it.   The complaint alleges that this conflicts with Google’s Privacy Policy and cites to Google’s court admissions that search queries may reveal “personally identifying information” and that consumers trust Google to keep their information private.  

Google has allegedly tested products that deleted search terms from the referrer data visible to webmasters but discontinued them after receiving complaints and posted reassurances that search terms would remain visible.  Apparently Google now offers an SSL encrypted search engine at https://www.google.com which protects search terms from being intercepted, but the complaint notes that this is not the default setting and it is not linked from the regular Google site.  It also notes that Google provides search term protection to Gmail users searching their inboxes. 

The merits of the complaint may hinge on whether search terms should be considered “personal information.”  The complaint notes that the New York Times was able to indentify supposedly anonymous AOL searchers in 2006 when AOL leaked a dataset of search queries. 

The second suit alleges that, from February through May, Facebook transmitted referrer information to advertisers about users who clicked on their ads.  It alleges violations of the federal Electronic Communications Privacy Act and Stored Communications Act as well as California computer privacy and unfair competition laws and common law claims of breach of contract and unjust enrichment.  The suit claims that “Facebook has caused users’ browsers to send Referrer Header transmissions that report the user ID or username of the user who clicked an ad, as well as the page the user was viewing just prior to clicking the ad . . . For example, if one Facebook user viewed another user’s profile, the resulting Referrer Headers would report both the username or user ID of the person whose profile was viewed, and the username or user ID of the person viewing that profile.”

 As in the Google complaint discussed above, the plaintiffs allege that Facebooks actions violate its privacy policy (which allegedly states “we never share your personal information with our advertisers”) and other representations to users as well as state and federal privacy laws.   The amended complaint may be stronger than the suit against Google because referring Facebook pages, unlike Google searches, are often highly personalized and contain the Facebook user’s name.  Facebook allegedly stopped embedding referrer data in May after media accounts exposed the practice.  

Although some tech executives have been quick to sound the death knell for online privacy, consumers – even those who are products of the Internet generation – continue to disagree.   A recent poll shows that 85 percent of teens believe social media sites should obtain their permission before using their information for marketing purposes. 

Excerpted from FVLD’s blog, http://www.postorperish.com, which regularly discusses these and other issues facing online publishers.