Google just about manages to avoid another massive fine

The High Court in the UK has quashed an attempted class-action lawsuit against Google for the illegal collection of iPhone user’s data during 2011-2012.

The case, which was first heard in May, was brought forward by a group called ‘Google You Owe Us’, headed up by Richard Lloyd, a former Executive Director at Which. Lloyd believes in acting illegally, Google should financially compensate the iPhone users who were affected. The number of affected users has been estimated at 4.4 million, meaning Google would have been liable for damages between £1 and £3 billion. As it stands, the class-action suit can no longer proceed as it would be impossible to accurately calculate the number of iPhone users who have been impacted sufficiently.

Google, which has already admitted to wrong-doing, used a practise now known as the ‘Safari Workaround’ to obtain sensitive information without obtaining permission from the user. As a data controller in this instance, Google has breached its responsibilities under the Data Protection Act, though this case is not to punish illegal activity, but to seek compensation for users as a result of the illegal activity.

For those who are familiar with legal jargon, Justice Mark Warby concluded:

“In my judgment the facts alleged in the Particulars of Claim do not support the contention that the Representative Claimant or any of those whom he represents have suffered ‘damage’ within the meaning of DPA s 13. If that was wrong, the Court would inevitably refuse to allow the  claim to continue as a representative action because members of the Class do not have the ‘same interest’ within the meaning of CPR 19.6(1) and/or it is impossible reliably to ascertain the members of the represented Class.”

Section 13 of the Data Protection Act states individuals who suffer ‘damage’ by reason of any contravention by a data controller (in this case, Google) are entitled to compensation. Civil Procedure Rules (CPR) section 19.6(1) states each individual in the class would have to have the same ‘damage’, though as there has been only one case brought forward in the last six years, the damage cannot be logically concluded or attributed.

The case was brought to the courts in 2017. Lloyd claims Google profited from illegally collecting and processing information on iPhone users, which was then used in the ‘DoubleClick’ advertising business to create a hyper-targeted advertising service.

In the simplest of terms, Google managed to find a way of collecting information about users without going through the accepted opt-in route. Google wrote code which bypassed the opt-in on the Safari browser, and placed a third-party cookie onto the iPhones. This practise, known now as the ‘Safari Workaround’, essentially allowed Google to track iPhone users, collecting information without seeking the appropriate opt-in.

Through the collection of sensitive information including race, social class, location data and interests, Google was able to build a detailed profile of individuals and organize the users into categories such as ‘football fans’. This categorization is critical to advertisers, who want to make sure ROI is as high as possible for every pound spent. At the time of the incident, 2011-12, such hyper-targeted would have been a relatively new concept, with Google pushing the boundaries of what would be considered acceptable.

Google has already admitted to wrong-doing, and has been punished by the relevant authorities in the US, paying out multi-million sums. In the UK, such investigations would fall into the jurisdiction of the Information Commissioner’s Office, though it has not taken any action to date. What is worth noting is that this ruling against Lloyd should not restrict any action from the ICO, as it is related to class-action suits against Google compensating victims of the wrong-doing, not the wrong-doing itself. It’s a nuance, but worth noting, as the ICO could in theory take action.

For Google, this ruling will certainly come as a relief. Not only does it save the accountants from having to sign another multi-billion pound cheque, but it sets precedent. In stating it would not be possible for Lloyd to understand and identify the ‘damage’ done to each of the individual users, Justice Warby has made it more difficult for consumer groups to organize class action suits against major organizations.

The ripples of this ruling go further than the technology world. Consumer groups throughout the UK would have been watching this saga with interest; the ruling would have set precedent as to whether class-action suits are a realistic possibility in the UK. Justice Warby has not ruled out class-action suits, though he has simply stated Lloyd was not able to attribute an appropriate amount to the ‘damage’ column. More work on the foundations will be needed on the future for such class-actions suits to progress in the future.

Feel like you’re being watched? Probably Google violating privacy rights

More often than not we’re writing positively about Google, but the ‘do no evil’ company has been caught out tracking smartphone locations even if the user has opted out.

An investigation from by Associated Press, and ratified by researchers at Princeton University, found several Google services on Android and iOS devices have been storing location data of users, even if the individual has set privacy settings to remain invisible. As privacy and the right to access personal data increasingly become hot-topics, Google might have stepped on a bit of a PR and legal landmine.

Generally Google is quite upfront about discussing privacy and location enablement. It has faced various fines over the years for data-dodginess and is even facing an European Commission investigation over its alleged suspect coercion of users into opting-in to various services, though this is potentially either an example of extreme negligence, or illegally misleading the consumer. Neither explanation is something Google execs would want to be associated with.

One of the issues here is the complexity of getting off the grid. Although turning location tracking off stops Google from adding location data to your accounts timeline, leaving ‘Web & App Activity’ on allows Google to collect other location markers.

We mentioned before this is either negligence or illegal activity, but perhaps this is just another example of an internet giant taking advantage of the fact not everyone is a lawyer. The small print is often the best friend of Silicon Valley. Few would know about this little trick from the Googlers which allows them to appear like the data privacy hero, while simply sneaking in through the slight ajar window in your kitchen.

“When Google builds a control into Android and then does not honour it, there is a strong potential for abuse,” said Jesse Victors, Software Security Consultant at Synopsys.

“It is sometimes extremely important to keep one’s location history private; such as visiting a domestic violence shelter, for example. Other times you may simply wish to opt out of data collection. It’s disingenuous and misleading to have a toggle switch that does not completely work. This, and other examples before it, are one of the reasons why my phone runs LineageOS, a Google-free fork of Android.”

On the company support page, Google states users can switch off location services for any of its services at any time, though this would obviously impact the performance of some. The Maps application for example cannot function without it, and does track user movements by the minute once switched on. With such opportunity for abuse, Google introduced pause features for some of its apps, allowing the user to become invisible for a undefined period of time.

The relationship with the user and the concept of trust is critical to Google. Revenues are generated off creating free services and implementing advertising platforms into the services, though to remain relevant Google needs the consumer data to improve applications. Without constant upgrades and fine-tuning, Google could not maintain the dominant position is enjoys today.

Collecting this data requires trust. The user must trust Google is not mishandling the data it acquires, but also respects the users right to privacy. Without this element of trust between the user and Google, it would not be able to acquire the critically important insight. With this revelation, Google has put a dent in its own credibility and damaged the relationship with the user.

The impact on Google overall will of course be limited. There are too many good stories to drown out the negative and ultimately the user needs Google. Such is the importance of Google’s services to the digital economy, or perhaps it should be worded as a lack of effective enough alternatives, we suspect few users will allow this invasion of privacy to impact their daily routines.

This is not supposed to be any form of validation for the contradictory ‘do no evil’ business, but more a sad truth of today.

Should privacy be treated as a right to protect stringently, or a commodity for users to trade for benefits?

Loading ... Loading ...