The London Appeal Court says users can sue Google over alleged “secret and blanket” tracking of their web activity. Google and other tech firms who have supported users in evading Government surveillance now need to “eat their own dog food”, says cyber-expert.
UK users of the Apple Safari browser have been given the green light by the Court of Appeal to sue Google for invading their privacy.
In the so-called ‘Cookiegate' scandal dating back to 2011 and 2012, Google is accused of bypassing Safari users' security settings to install secret cookies that tracked their web activity to serve them with targeted ads.
And in a landmark ruling last Friday, the Court of Appeal in England and Wales upheld an earlier court ruling that the Safari users can sue Google in this country.
The three users concerned, who all live in England, are Robert Hann, business development director at encryption services supplier Trustis, and privacy campaigners Marc Bradshaw and Judith Vidal-Hall.
Their case is that Google exploited a loophole in their browser privacy settings to install cookies that monitored which websites they visited, and gathered personal data about them. Safari is the standard browser used by millions of iPad, IPhone and other Apple devices in the UK.
The Appeal Court verdict, delivered by Master of the Rolls Lord Justice McFarlane and Lady Justice Sharp, said: “These claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature and the subsequent use of that information for about nine months.
“The claimants allege that their personal dignity, autonomy and integrity were damaged, and claim damages for anxiety and distress. Compensatory damages may be relatively modest, but the issues of principle are large.”
The court action has been supported by a group dubbed “Safari Users Against Google's Secret Tracking”, which said in a statement that the ruling, “opens the doors to anyone who used the Safari browser between autumn 2011 and spring 2012 to take legal action against Google.”
The group is now inviting other affected users to join them.
“Individual users can't afford to sue Google on their own,” it said. “Our Google Action Group aims to bring together consumers into a group that can attract litigation funding. We are almost ready to go with this and anyone wanting to join the action can do so.”
The group is currently setting up a website to manage this at http://www.googleactiongroup.com/.
Google issued only a terse response, saying: “We're disappointed with the Court's decision, and are considering our options.”
But the case – which referred to other privacy claims including Hollywood couple Michael Douglas and Catherine Zeta Jones suing Hello! magazine for publishing their New York wedding photos – also attracted the interest of the UK privacy watchdog, the Information Commissioner's Office, which effectively supported the Safari users in their action.
An ICO spokesperson told SCMagazineUK.com it got involved because it wanted to clarify that browser-generated data, including IP addresses, does count as ‘personal data' and that damages can be awarded for non-financial loss.
“The court agreed with both our submissions and we welcome the decision,” the ICO official said.
The case concerns the operation of Google's 'Safari workaround' which it used to collect users' browser-generated data without their knowledge or consent. Google then aggregated the data and offered it as part of its 'doubleclick' service, helping advertisers to display adverts targeted or tailored to users' interests on their computer screens.
Robert Hann told SCMagazineUK.com via email why he got involved in the case: “Aside from the personal distress caused, my reasons are also that an organisation like Google should not flout the laws, or avoid its social responsibilities, in any country it operates in and makes (significant) profits from.”
Marc Bradshaw told BBC News the case is, “about the attitude towards privacy. Google seems to see users as a commercial object and we need to address that. If a user decides to opt out of something for their own personal privacy, they should have the right to do so and that needs to be respected. And that clearly is not Google's attitude at the moment.
“The same with other companies – they need to respect users' privacy and their wishes.”
Cyber-experts agree the case raises major issues over the way US high-tech companies continue to ignore user privacy in their quest to ‘monetise' the personal data they gather on customers and users.
Professor Alan Woodward of Surrey University, a Europol adviser, pointed out that, post-Snowden, US high-tech firms have introduced encryption and other privacy measures to defend users against mass spying by agencies such as the NSA and GCHQ – but have now been caught similarly monitoring their customers and users without their knowledge.
He told SCMagazineUK.com: “It's a betrayal of trust. One of the things the whole Snowden debate has done is it's talked about our privacy in terms of government surveillance.
“What these organisations after Snowden have been saying is ‘Mr and Mrs Customer, do trust us we will look after you and your data, we won't allow big governments to view it'. But actually they've got to eat their own dog food – they've got to be seen to be living and breathing that and that comes down to how they deal with their customers.”
Woodward said that while Cookiegate dates back to 2011, “this is a live issue. Google may not be doing that particular thing now but the direction of travel is still to monitor – and I'm talking about Facebook, Google, all the big companies.
“I think people are starting to wake up to the fact that on the internet, if you are not a paying customer you are the product. These guys make a lot of money and the way they do that is by selling you as a product or by marketing at you - and to do that they need to collect data about you.
“The Court of Appeal has signalled that people's privacy is a serious matter. If you are covertly tracking them for commercial purposes then you're going to fall foul of the law.
“Companies need to be absolutely upfront with people and they need to be allowed to opt-in not just have to opt-out. This will be a wake-up call to large American companies that you can't just play fast and loose like this.”
European cyber-expert Brian Honan of BH Consulting agreed the Google case is only one of a number of privacy challenges.
He told SCMagazineUK.com: ““We have seen a number of issues where large companies have undermined the privacy of their customers – for example, Lenovo recently with the SuperFish adware, whereby even HTTPS traffic was being intercepted and ads being served based on what people were looking at.
“It's happening out there – there are companies trying to use what are called super-cookies or persistent cookies to track their users, their movements and what they're doing.
“What large companies have to consider is that in the rush to monetise people's data they can't trample on people's privacy rights.
“At the same time individuals need to be more aware of what their privacy rights are, how companies can use - in some cases maybe misuse - their private information and be aware of their own privacy settings and tools they can use to protect themselves.”
Google has already fallen foul of US legislators over the case. In August 2012, it paid US$ 22.5 million (£15 million) to settle charges brought by the US Federal Trade Commission (FTC) that it misrepresented to Safari users that it would not place tracking cookies or serve targeted ads to them.
In November 2013, Google paid a further US$ 17 million (£11.5 million) to settle consumer-based claims against it by lawyers representing 37 US states and the District of Colombia.