This article is more than 1 year old
Google searchers from years past can get paid for pilfered privacy
$23 million set aside to compensate for leaking queries to websites
Between October 25, 2006, and September 30, 2013, Google allegedly revealed searchers' personal information to third parties in violation of privacy promises.
Now, those who used Google Search and clicked on a search result link during that period can recoup a small portion of the cash the search ad biz collected. Doing so requires providing personal information to the company administering the legal settlement that resolves the decade-old lawsuit challenging Google's behavior.
Under the terms of the settlement agreement, hammered out last August and published on a website earlier this month, Google is admitting no wrongdoing. However, having done nothing wrong, the company still intends to pay $23 million to resolve the privacy lawsuit, known as In re Google Referrer Header Privacy Litigation, Case No. 5:10-cv-4809-EJD.
Google users during this period have until Monday, July 31, 2023, to register and file a claim to be paid, to file for exclusion from the settlement, or to file an objection prior to the October 12, 2023 Final Approval Hearing.
For their trouble, valid claimants can expect an estimated $7.70, which may vary depending on how many people end up submitting claims.
Google – it's alleged – violated its privacy commitments by appending search terms to the HTTP Referer header, a text string passed by a web user's browser when a link is clicked that tells the destination page the address of the page with the link.
For anyone clicking on a Google search result, the Referer header would be google.com – and, during the time period at issue, it may have included the search query that created the Google search results list page.
"Since the service’s launch, and continuing to this day, Google’s search engine has included its users’ search terms in the URL of the search results page," the 2013 complaint [PDF] explains. "Thus, for example, a search for 'abortion clinics in Indianapolis' would return a page with a URL similar to http://www.google.com/search?q=abortion+clinics+in+Indianapolis
."
- Privacy Sandbox, Google's answer to third-party cookies, promised within months
- Guess who is collecting and sharing abortion-related data?
- Google Go language goes with opt-in telemetry
- Google sued over 'interception' of abortion data on Planned Parenthood website
"Because the search terms are included in the search results URL, when a Google user clicks on a link from Google’s search results page, the owner of the website that the user clicks on will receive from Google the user's search terms in the Referrer (sic) Header."
The complaint – which spells Referrer properly, contrary to now accepted typo in the specification – observes that this meant third-parties received not only personal information people submitted in search queries, like names, credit card numbers, and social security numbers, but also other information that might later be used to deanonymize an individual and build an identifying profile – a popular activity among marketing firms at the time.
It wasn't supposed to be that way. RFC 1945 HTTP/1.0 from 1996 includes a warning that this presents a privacy risk.
"Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent," the spec suggests.
"For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information."
The superseding spec, RFC 2616 HTTP/1.1, echoes these concerns.
Chrome never bothered to build in any form of user-oriented Referer control. But Microsoft principal software engineer Eric Lawrence told The Register that other browser makers have contemplated (Internet Explorer) or briefly implemented (Opera 12.17) the idea. He added that giving users control over Referer information comes with its own set of issues.
Some browser extensions provide this option. Website publishers, however, can now set a Referrer-Policy (spelled with two "r"s) that limits information passed through the Referer header. And the Brave browser goes a bit further.
Around 2009, Google began working on ways to limit search result data exposure and it implemented some changes in 2010 and 2011. Now, more than a decade later, the bill has come due. ®