March 31, 2012
Lawsuit Against Google for Putting Search Queries in Referral URLs Moves Forward – Gaos v. Google
By Venkat Balasubramani with comments from Eric
Gaos v. Google, 5:10-CV 4809 (N.D. Cal.; Mar. 29, 2012)
Gaos sued Google based on the theory that: (1) Google allows website owners (and third parties) to see what search terms a user inputted; and (2) through “reidentification,” search terms could be linked with a user’s identity. Chief Judge Ware granted Google’s motion to dismiss on Article III standing grounds in April 2011. Goas filed an amended complaint, alleging claims under the Stored Communications Act and variety of state law claims. (Here’s a link to the Amended Complaint.) In the interim, the case got reassigned to Judge Davila.
State law claims: As to the state law claims, the court again says that Gaos lacks Article III standing. She alleges only that she searched for her own name and her family names. In contrast to the allegations in Does v. AOL (the “search Valdez” case) where AOL released sensitive information—such as bank account information and social security numbers—in search queries, disclosure of Gaos’s search queries to third parties will not cause her harm. Although the court grants Google’s motion to dismiss, it grants Gaos leave to amend a second time.
Stored Communication Act claims: As to the Stored Communications Act claim, the court says that she does not need to allege any actual injury other than a violation of the statute: “injury required by Article III . . . can exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing.” The court does not reach the merits of whether Gaos’s allegations actually state a claim under the Stored Communications Act, finding that Google’s motion “[did] not place this . . . issue before the court.” (The court cites to Fraley v. Facebook and In re Facebook Privacy Litigation and notes that the fact that Gaos has standing is distinct from whether she has stated a claim.) Instead, the court focuses on whether Gaos corrected the deficiencies identified by Judge Ware in his initial dismissal order, which found Gaos’s initial allegations conclusory in nature. The court says that Gaos corrected these deficiencies by alleging what particular search queries Google improperly disclosed.
Yikes, this is not an optimal result for Google to say the least. A dismissal of the Stored Communications Act claims on Article III grounds would have avoided the question of whether search queries are covered under the SCA, whether Google’s disclosure amounts to a violation, and Google’s possible defenses based on consent. (Contrast this result with Low v. LinkedIn, where the court grants a dismissal on Article III grounds in another referrer header case against LinkedIn.) I’m not even sure whether Google can challenge the SCA claims until summary judgment. Google will try to whittle away at the lawsuit by attacking it at the class certification stage, but plaintiff has to be pretty happy with this ruling.
A big question is how the Supreme Court’s decision in the Privacy Act case will affect the outcome here, and on this score the outlook is bleak for Gaos and other similar plaintiffs, at least as far as damages goes. (See Kash Hill’s post on that case: “Humiliation After A Privacy Invasion Is Not An 'Actual Damage,' Rules Supreme Court.”) It will come down to similarities in statutory language between the two statutes, but I would imagine Google may argue shortly that the Supreme Court’s limitation of “actual damages” to pecuniary or economic harm requires a re-examination of Gaos’s claims for damages. Gaos could still assert claims for injunctive relief, so I’m not sure this will successfully put the brakes on this lawsuit.
I don't share Venkat's "yikes" reaction to this ruling. It seemed fairly straightforward to me. The court dismissed the bulk of Gaos' lawsuit on Article III standing grounds. This is consistent with the broad trend that most privacy "victims" lack sufficient harm to deserve a day in federal court.
The only claim that didn't get wiped out is the SCA claim, and that's only because Gaos alleged a statutory violation. This court is bound by the Ninth Circuit's opinion in the Edwards v. First American case saying (in a real estate case) that plaintiffs satisfy Article III standing when they allege statutory violations. The Edwards case is on appeal to the US Supreme Court, and based solely on the Ninth Circuit's track record in the Supreme Court, I wouldn't be surprised if the Supreme Court reverses--at which point simply alleging an SCA violation without any further harm won't survive an Article III standing challenge.
I'll also add that the SCA's poor drafting means that no one (including the judges) knows exactly what's covered by the statute, so it's not that surprising to see an SCA claim survive a motion to dismiss. As we know, virtually every privacy lawsuit alleges an ECPA/SCA violation because the statute is so murky that it could apply to anything. Obviously privacy defendants would prefer that ECPA/SCA suits get screened on Article III grounds, which is why the Edwards' SCOTUS case is of substantial interest to the Internet community.
Finally, Google has made some technical changes that, in some cases, restrict its passing of search queries through referral URLs. Danny Sullivan's writeup of the issue from last Fall. I doubt the lawsuit will get that far, but if it does, I wonder if this development will take the wind out of the sails of any injunctive relief request. Note that while suppressing search queries in referral URLs might enhance individual searcher privacy, the loss of that information to publishers might ultimately degrade the overall ecosystem by hindering publishers' abilities to optimally respond to searchers' interests.
After reading Eric's comments, I agree that a yikes reaction may not be warranted. Maybe this lawsuit will be swatted away in short order. I'm still curious as to how often the practice (of disclosing search queries in a way that is not sufficiently protective of user identity) occurs and whether Google has done anything to address it on the technical side. It looks like it has. This also raises the issue of whether this was mere inadvertence or something more. Feels like bad timing for bad PR on the privacy front for Google, especially when people may be looking for alternatives.