United States v. Google Inc.

Last updated

United States v. Google Inc.
US DC NorCal.svg
Court United States District Court for the Northern District of California
Full case name United States v. Google Inc.
DecidedNovember 16, 2012
Docket nos. 3:12-cv-04177
Court membership
Judge sitting Susan Yvonne Illston

United States v. Google Inc., No. 3:12-cv-04177 (N.D. Cal. Nov. 16, 2012), is a case in which the United States District Court for the Northern District of California approved a stipulated order for a permanent injunction and a $22.5 million civil penalty judgment, the largest civil penalty the Federal Trade Commission (FTC) has ever won in history. [1] The FTC and Google Inc. consented to the entry of the stipulated order to resolve the dispute which arose from Google's violation of its privacy policy. In this case, the FTC found Google liable for misrepresenting "privacy assurances to users of Apple's Safari Internet browser". [2] It was reached after the FTC considered that through the placement of advertising tracking cookies in the Safari web browser, and while serving targeted advertisements, Google violated the 2011 FTC's administrative order issued in FTC v. Google Inc. [3]

Contents

2011 FTC administrative order

In February 2011, the Electronic Privacy Information Center (EPIC) filed a complaint before the FTC requesting an investigation against Google Inc. EPIC alleged that during the launching of its Google Buzz social network, Google's business practices violated the privacy interests of its consumers. EPIC specified that its "complaint concerns an attempt by Google, Inc., the provider of a widely used email service, to convert the private, personal information of Gmail subscribers into public information for the company's social network service Google Buzz." [4]

In October 2011, the FTC initiated an administrative proceeding against Google, charging that it had violated the FTC Act. The FTC asserted that Google, while launching its social networking tool, Google Buzz, had designed business practices which unfairly affected "commerce." [5] In the FTC's view, Google violated its privacy promises to its customers since it "misrepresented to users of its Gmail email service that: (1) Google would not use their information for any purpose other than to provide that email service; (2) users would not be automatically enrolled in the Buzz network; and (3) users could control what information would be public on their Buzz profiles." [6]

In the complaint, the FTC considered that Google launched the social network Google Buzz through its Gmail web-based email product. [7] The FTC alleged that the tools to decline or leave the social network were ineffective. Even more, in those cases where users declined to be part of the social network, they were nonetheless "enrolled in certain features of the Google Buzz social network. For those Gmail users who clicked on "Sweet!," the FTC alleged that they were not adequately informed that the identity of the individuals they emailed most frequently would be made public by default. Google also offered a "Turn Off Buzz" option that did not fully remove the user from the social network." [7]

As stated in the complaint, the FTC concluded that "...the setup process for Gmail users who enrolled in Buzz did not adequately communicate that certain previously private information would be shared publicly by default. Further, the controls that would allow the user to change the defaults were confusing and difficult to find" and that "certain personal information of Gmail users was shared without consumers' permission through the Google Buzz social network." [5]

In late 2011, the FTC and Google agreed to a settlement order, wherein Google was to implement a privacy program intended to efficiently protect consumer data. Additionally Google was to subject itself to independent privacy audits for the next 20 years. [8] According to the settlement, Google agreed that it will not, among other things, misrepresent in any manner, expressly or by implication, "the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including but not limited to, misrepresentations related to: (1) the purpose for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information," as well as the extent to which Google participated in any EU–US Safe Harbor. [8]

The consent order was served on Google on October 28, 2011. It is known to be the first decision of its kind, requiring a company to implement a comprehensive privacy program. The order prevented the company "from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next twenty years." [7]

Google–Safari case

On August 8, 2012, the United States filed a complaint ("Safari complaint") against Google Inc., alleging that it had violated the consent order which it had entered into with the FTC, (to settle the above-mentioned Google Buzz case). The government's complaint stems from a page on Google's website that tells Safari browser users "that Safari's default operation is to deny what are called third-party cookies, which can be used to track users. At the time they wrote it, this statement was true, but Apple later changed the behavior of Safari to allow third-party cookies from sites that had previously served cookies to the user." [9]

The Safari complaint stated that Google used "the 'DoubleClick Advertising Cookie' to collect information and serve targeted advertisement services to users who visit Google websites, Google partner websites, and websites that use Google's advertising services." [10] As part of Google's advertising privacy controls, Google offered to its users the possibility of "opting out" from the delivery of targeted advertising. As stated in the Safari complaint, "A user may opt out of targeted advertising either by clicking a button on Google's Ads Preferences webpage ('opt-out button') or by downloading Google's 'advertising cookie opt-out plug in'". [11] This "opt-out cookie" technology (also referred to as the "DoubleClick opt-out cookie") was available to users of only three browsers: Internet Explorer, Firefox, and Google Chrome. Since the opt-out extension was not available for the Safari browser, Google assured Safari's users that they need not take any action "to be opted out of DoubleClick targeted advertisements". According to Google's representation, Safari blocked by default (although allowed in certain exceptional circumstances) third-party cookies, and said blocking was enough to prevent Google from placing tracking cookies or serve targeted advertisements; however even when Safari users had activated the default privacy settings, they received tracking cookies and targeted advertisements. [10]

The government alleged that "despite its representations to Safari users, Google overrode the Safari default browser setting and placed the DoubleClick Advertising Cookie on Safari browsers." Google's conduct overrode Safari software that blocked cookies, by sending code that was invisible to the user to communicate with that user's Safari browser anytime that a Safari user visited a "Google website, Google partner website, or website that used Google's advertising services." [10] This allowed Google to store, collect, and transmit the users information.

In view of Google's conduct, the complaint addressed five relevant causes of action: (i) collecting covered information, (ii) serving targeted advertisements, (iii) misrepresenting Network Advertising Initiative Code compliance, (iv) civil penalties, and (v) prayer for relief. [10] Furthermore, the government alleged that Google's conduct violated the October 2011 (Google Buzz) order.

Court's opinion

The government filed a Proposed Stipulated Order for Permanent Injunction and Civil Penalty Judgment ("Proposed Order") which was approved by the District Court for the Northern District of California on November 16, 2012. [12]

In the Proposed Order, the parties agreed that Google denies any guilt regarding its failure to abide by the FTC v. Google Inc settlement order. However, Google agreed to: (i) pay a civil penalty of $22.5 million; (ii) maintain until February 15, 2014, a system that had to delete cookies from Safari browser users; and (iii) file a report with the FTC within 20 days of February 15, 2014 which would document that Google had complied with the remediation component of the order. [12]

Consumer Watchdog objected to the Proposed Order, calling for a greater civil penalty and an admission of liability from Google. [13] Consumer Watchdog further argued that the injunction will be in effect for too short of a duration, and that the Order gives Google the ability to resume its unauthorized practices after February 15, 2014. The Court held that the Proposed Order was the result of "good faith, arms-length negotiations," that the Proposed Order is presumed to be fair and reasonable, and thus the objecting party has the burden of disproving this presumption. [14] Judge Susan Illston found that Consumer Watchdog's objections were insufficient to satisfy this burden. Specifically, Judge Illston found that a longer injunction was unnecessary as Google was still legally obligated to work under the terms specified in its previous consent order with the FTC (Google Buzz)." [14]

Impact

This case had a great impact on the technology industry as it showed the range of enforceability with regard to FTC consent orders. It was not just the second case against the same company in less than twelve months, but it was also the first case in which the FTC was able to fine a private company. Françoise Gilbert, at Bloomberg, stated that "this Google II action is not just another FTC case under section 5 of the FTC Act. It is unique in many respects. The case is second one against Google in less than 12 months. The FTC does not have the authority to fine a company under Section 5 of the FTC Act, but it can fine a company that violates a consent order with the commission. The FTC took that power into account and built on its prior case against the company (Google I). The arguments are in some respects different than in other similar cases addressing consumer privacy, and the complaint (Google II Complaint) and proposed order provide significant insight into the reasoning of the FTC, which is very valuable information for companies that collect or use personal information and prefer to reduce the risk of government action." [15]

Additionally, the case also highlighted the impact that this case may have caused in the international community: "the FTC action against the world's most popular search engine provides the US government with an opportunity to show the rest of the world, and especially the European Union and the Asia–Pacific Economic Cooperation member economies, that it cares about privacy and is serious about enforcement. In its press release, the FTC announced that this settlement was "part of the FTC's ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers." [15]

Related Research Articles

<span class="mw-page-title-main">Children's Online Privacy Protection Act</span> 2000 American federal cyber law

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law, located at 15 U.S.C. §§ 65016506.

<span class="mw-page-title-main">Gmail</span> Email service provided by Google

Gmail is the email service provided by Google. As of 2019, it had 1.5 billion active users worldwide, making it the largest email service in the world. It also provides a webmail interface, accessible through a web browser, and is also accessible through the official mobile application. Google also supports the use of third-party email clients via the POP and IMAP protocols.

DoubleClick Inc. was an American advertisement company that developed and provided Internet ad serving services from 1995 until its acquisition by Google in March 2008. DoubleClick offered technology products and services that were sold primarily to advertising agencies and mass media, serving businesses like Microsoft, General Motors, Coca-Cola, Motorola, L'Oréal, Palm, Inc., Apple Inc., Visa Inc., Nike, Inc., and Carlsberg Group. The company's main product line was known as DART, which was intended to increase the purchasing efficiency of advertisers and minimize unsold inventory for publishers.

Internet privacy involves the right or mandate of personal privacy concerning the storage, re-purposing, provision to third parties, and display of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing and especially relate to mass surveillance.

The term opt-out refers to several methods by which individuals can avoid receiving unsolicited product or service information. This option is usually associated with direct marketing campaigns such as e-mail marketing or direct mail. A list of those who have opted out is called a Robinson list.

<span class="mw-page-title-main">HTTP cookie</span> Small pieces of data stored by a web browser while on a website

HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.

A local shared object (LSO), commonly called a Flash cookie, is a piece of data that websites that use Adobe Flash may store on a user's computer. Local shared objects have been used by all versions of Flash Player since version 6.

Google Buzz was a social networking, microblogging and messaging tool developed by Google. It replaced Google Wave and was integrated into their web-based email program, Gmail. Users could share links, photos, videos, status messages and comments organized in "conversations" and visible in the user's inbox.

The NAI (Network Advertising Initiative) is an industry trade group founded in 2000 that develops self-regulatory standards for online advertising. Advertising networks created the organization in response to concerns from the Federal Trade Commission and consumer groups that online advertising — particularly targeted or behavioral advertising — harmed user privacy. The NAI seeks to provide self-regulatory guidelines for participating networks and opt-out technologies for consumers in order to maintain the value of online advertising while protecting consumer privacy. Membership in the NAI has fluctuated greatly over time, and both the organization and its self-regulatory system have been criticized for being ineffective in promoting privacy.

<span class="mw-page-title-main">FTC regulation of behavioral advertising</span> US Regulations on Advertising Targeted by Online Activity

The United States Federal Trade Commission (FTC) has been involved in oversight of the behavioral targeting techniques used by online advertisers since the mid-1990s. These techniques, initially called "online profiling", are now referred to as "behavioral targeting"; they are used to target online behavioral advertising (OBA) to consumers based on preferences inferred from their online behavior. During the period from the mid-1990s to the present, the FTC held a series of workshops, published a number of reports, and gave numerous recommendations regarding both industry self-regulation and Federal regulation of OBA. In late 2010, the FTC proposed a legislative framework for U.S. consumer data privacy including a proposal for a "Do Not Track" mechanism. In 2011, a number of bills were introduced into the United States Congress that would regulate OBA.

In the middle of 2009 the Federal Trade Commission filed a complaint against Sears Holdings Management Corporation (SHMC) for unfair or deceptive acts or practices affecting commerce. SHMC operates the sears.com and kmart.com retail websites for Sears Holdings Corporation. As part of a marketing effort, some users of sears.com and kmart.com were invited to download an application developed for SHMC that ran in the background on users' computers collecting information on nearly all internet activity. The tracking aspects of the program were only disclosed in legalese in the middle of the End User License Agreement. The FTC found this was insufficient disclosure given consumers expectations and the detailed information being collected. On September 9, 2009 the FTC approved a consent decree with SHMC requiring full disclosure of its activities and destruction of previously obtained information.

<i>Lane v. Facebook, Inc.</i> US District Court class-action lawsuit

Lane vs. Facebook was a class-action lawsuit in the United States District Court for the Northern District of California regarding internet privacy and social media. In December 2007, Facebook launched Beacon, which resulted in users' private information being posted on Facebook without the users' consent. Facebook ended up terminating the Beacon program and created a $9.5 million fund for privacy and security. There was no monetary compensation awarded to Facebook users affected negatively by the Beacon program.

A zombie cookie is a piece of data usually used for tracking users, which is created by a web server while a user is browsing a website, and placed on the user's computer or other device by the user's web browser, similar to regular HTTP cookies, but with mechanisms in place to prevent the deletion of the data by the user. Zombie cookies could be stored in multiple locations—since failure to remove all copies of the zombie cookie will make the removal reversible, zombie cookies can be difficult to remove. Since they do not entirely rely on normal cookie protocols, the visitor's web browser may continue to recreate deleted cookies even though the user has opted not to receive cookies.

Do Not Track (DNT) is a deprecated non-standard HTTP header field designed to allow internet users to opt out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.

<span class="mw-page-title-main">Google Safe Browsing</span> Service that warns about malicious URLs

Google Safe Browsing is a service from Google that warns users when they attempt to navigate to a dangerous website or download dangerous files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem. This protection works across Google products and is claimed to “power safer browsing experiences across the Internet”. It lists URLs for web resources that contain malware or phishing content. Browsers like Google Chrome, Safari, Firefox, Vivaldi, Brave, and GNOME Web use these lists from Google Safe Browsing to check pages against potential threats. Google also provides a public API for the service.

In the Matter of TRENDnet, Inc., F.T.C. File No. 122-3090, is the first legal action taken by the Federal Trade Commission (FTC) against "the marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the Internet of things." The FTC found that TRENDnet had violated Section 5(a) of the Federal Trade Commission Act by falsely advertising that IP cameras it sold could transmit video on the internet securely. On January 16, 2014 the FTC issued a Decision and Order obliging TRENDnet, among other things, to cease misrepresenting the extent to which its products protect the security of live feeds captured and the personal information that is accessible through those devices.

<span class="mw-page-title-main">Jonathan Mayer</span> American computer scientist and lawyer

Jonathan Mayer is an American computer scientist and lawyer. He is an Associate Professor of Computer Science and Public Affairs at Princeton University affiliated with the Center for Information Technology Policy, and was previously a PhD student in computer science at Stanford University and a fellow at the Center for Internet and Society and the Center for International Security and Cooperation. During his graduate studies he was a consultant at the California Department of Justice.

Google has been involved in multiple lawsuits over issues such as privacy, advertising, intellectual property and various Google services such as Google Books and YouTube. The company's legal department expanded from one to nearly 100 lawyers in the first five years of business, and by 2014 had grown to around 400 lawyers. Google's Chief Legal Officer is Senior Vice President of Corporate Development David Drummond.

Google's changes to its privacy policy on March 16, 2012, enabled the company to share data across a wide variety of services. These embedded services include millions of third-party websites that use AdSense and Analytics. The policy was widely criticized for creating an environment that discourages Internet innovation by making Internet users more fearful and wary of what they do online.

References

  1. Forden, Sara (November 17, 2012). "Google Judge Accepts $22.5 Million FTC Privacy Settlement". Bloomberg. Retrieved March 18, 2014.
  2. Federal Trade Commission-FTC (August 9, 2012). "Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple's Safari Internet Browser" . Retrieved March 2, 2014.
  3. Federal Trade Commission-FTC (November 20, 2012). "Statement by FTC Bureau of Consumer Protection Director David Vladeck Regarding Judges Approval of Google Safari Settlement" . Retrieved March 2, 2014.
  4. Electronic Privacy Information Center-EPIC. "In re Google Buzz, complaint" (PDF). Retrieved March 2, 2014.{{cite web}}: |last= has generic name (help)
  5. 1 2 Google, Inc., In the Matter of (March 30, 2011). "Complaint Google Buzz". Federal Trade Commission-FTC. Retrieved March 2, 2014.{{cite web}}: |last= has generic name (help)CS1 maint: multiple names: authors list (link)
  6. Complaint (August 9, 2012). "United States v. Google, Inc., Case No. 5:12-cv-04177-HRL, FTC Docket No. C-4336 (N.D. Cal. Aug. 8, 2012)". Federal Trade Commission. Retrieved March 2, 2014.
  7. 1 2 3 Federal Trade Commission-FTC (March 30, 2011). "FTC Charges Deceptive Privacy Practices in Googles Rollout of Its Buzz Social Network" . Retrieved March 2, 2014.
  8. 1 2 Federal Trade Commission-FTC. "In the matter of Google, Inc. Decision and Order" (PDF). Retrieved March 2, 2014.
  9. Black, Ed. "Will FTC Online Privacy Settlements Do More Harm Than Good?". Forbes. Retrieved April 6, 2014.
  10. 1 2 3 4 Federal Trade Commission-FTC (August 9, 2012). "United States v. Google Inc. - complaint" . Retrieved March 2, 2014.
  11. United States Federal Trade Commission. Complaint For Civil Penalties and Other Relief, and Exhibits A and B . August 8, 2012. Retrieved November 22, 2012
  12. 1 2 "United States v. Google Inc.-Order Approving Stipulated Order for Permanent Injunction and Civil Penalty Judgment (November 16, 2012)" (PDF). Retrieved March 2, 2014.
  13. David Meyer; originally from ZDNET.COM (November 19, 2012). "Judge Approves $22.5M Google-FTC Settlement, Rebuffs Consumer Group" . Retrieved March 2, 2014.
  14. 1 2 Holzapfel, Casey (December 4, 2012). "Judges Approve Google's $22.5 Million Settlement with FTC for Safari Privacy Violation". Jolt Digest, Harvard Journal of Law & Technology. Retrieved March 2, 2014.
  15. 1 2 Gilbert, Françoise (2012). "THE FTC V. GOOGLE SAGA—EPISODE II: WHAT LESSONS FOR U.S. BUSINESSES?" . Retrieved March 2, 2014.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.