Google has tentatively agreed to pay $8.5 million to settle a three-year-old class action lawsuit that claimed the Internet search company violated users’ privacy by leaking their search queries – which may include names or other identifying information – to operators of websites that the users may visit.
Under the proposed settlement, the $8.5 million will go into a fund that – after subtracting the plaintiffs’ attorney fees – would be divided among seven nonprofit groups that promise to use the money on public education campaigns about technology and privacy. The groups include the Stanford Center for Internet and Society, the World Privacy Forum, the MacArthur Foundation and AARP.
This kind of settlement has been used before in privacy lawsuits against Internet companies, where it’s difficult to award actual damage payments to potentially vast numbers of people who may be potentially affected, but who probably suffered relatively minor harm as individuals. (In at least some cases, critics have complained these settlements are mostly good for the lawyers and the nonprofit groups, while creating potential conflicts of interest since companies might steer payments to more sympathetic parties.)
Attorneys say the proposed settlement in this case, which will be up for court approval next month, is roughly comparable to similar funds created in settling lawsuits over alleged privacy violations from Google’s short-lived Buzz service ($8.5 million), from Facebook’s ill-fated Beacon program ($9.5 million) and another recent case involving Netflix ($9 million). And it’s a relatively small sum for Google, which reported more than $50 billion in revenue last year.
In the lawsuit, which draws on research by privacy advocate Christopher Soghoian, the plaintiffs complained that the company was routinely leaking private information through so-called “referrer headers” – or coding that lets a website operator know which page an Internet user was visiting immediately before coming to the operator’s site.
The problem was that Google’s search engine routinely incorporated words from users’ search queries into the URL of the results page. If a user then clicked on the link to a website listed on the results page, the operator of that website would see the URL of the referring page – which in this case would be a URL that includes the user’s search terms. This theoretically could include personal or identifying information if the user had included that information in their search terms.
Since the suit was filed in San Jose’s federal courthouse, Google subsequently began encrypting search queries and doesn’t share the terms with web-site operators if the searcher is signed into a Google account, according to the blog Search Engine Land. But this only affects a portion of all searches and doesn’t apply when a user clicks on an advertising link.
Google says referrer information is valuable for showing website operators how traffic comes to their sites. In a statement Monday, the company said:
“Referrers have long been an important part of the web, helping website owners understand how a visitor found their site. We’re pleased to have reached a settlement, avoiding the burden of further litigation and bringing users clarity around how referrers work.”
Under the settlement, Google didn’t admit to any privacy violations and it isn’t required to change what information it shares. But the company is agreeing to amend its privacy disclosures to explain how their search terms may be revealed to a website operator, and under which types of circumstances.