Judith Vidal-Hall: Taking on the giant


On 27 March 2015, a group of claimants in the United Kingdom, including myself, won what is being called a “landmark victory” against Google Inc. It handles three billion searches a day globally, exercises a virtual monopoly and is valued at around £250 billion. It is also among the world’s biggest advertising agencies with revenue in 2013 of some £49 billion.

After fighting the claim for over two years, Google has been ordered to appear in court in the UK to answer the charges of invasion of privacy by the tracking and collation of browser generated information (BGI) via Apple’s Safari browser. In other words, “hacking” computer searches by getting behind the protections built into Safari on Apple devices – iPhone, iPad and Mac computers – in order to track the user’s browsing preferences. Google is thereby able to determine private information such as age, health issues, gender, sexual interests and preferences, and to sell this information to advertisers who can target the users. This is no different from what is commonly called “stalking”, only on a global scale.

But let’s begin at the beginning. In 2012, Simon Davies, one of the UK’s leading voices on the virtues of privacy, contacted me about the possibility of suing the internet search giant for the invasion of privacy. Three years later, after much to-ing and fro-ing in the British courts, what began as a speculative long-shot has taken wing in the legal imagination, becoming an important test case for the boundaries of privacy law in the UK and, by extension, the EU. This concerns not only the nature of privacy as understood in the context of Article 8 of the European Convention on Human Rights, but the definition of the term “damages’ in the context of the Data Protection Act (DPA) of 1988. For many in the legal profession, the chief significance of the case is in the possibility it opens up of suing non-resident companies and individuals in English courts on privacy-related grounds. This is a game changer and could set a precedent in UK law.

“You have a Mac, don’t you?” said Simon. “Yes, and an iPhone,” I replied. “Have you done much searching on Safari recently?” “More than usual as it happens. My car insurance, driving license and road tax were all up for renewal in November. And I’ve been shopping online, not something I usually do, but with grandchildren’s very specific Christmas demands only available there, I’ve been more active than usual in territory I don’t normally venture into.” All this in addition to my standard use of the internet in pursuit of facts, figures and data-checking familiar to any journalist or editor.

He went on to ask if I’d had been receiving an unusual amount of targeted advertising. Indeed I had! Given that Apple boasts of the superior security of its Safari browser, this was not only unusual, it was alarming. What had been going on? It seemed that Google had circumvented Safari’s default setting whereby cookies – small chunks of text with unique information such as the time of a user’s visit to a site – are accepted only if they come directly from the sites that users are browsing.

According to The Guardian, “Google wanted to use its DoubleClick and other ad systems to track where people go online, so that it can serve ‘relevant’ ads. It also wanted to be able to integrate its Google+ data into that information.” As the US-based Electronic Frontier Foundation (EFF) noted: “That had the side effect of completely undoing all of Safari’s protections against doubleclick.net.” It was, it added, “Like a balloon popped with a pinprick, all of Safari’s protections against DoubleClick were gone.”

Playing catch-up

The thought of making a claim, any claim, against Google was laughable. This was several years before Edward Snowden’s revelations of the NSA and GCHQ snooping activities in June 2013 raised privacy issues to a new level and put them squarely on the public agenda. It also preceded Google’s subsequent settlement with the US Federal Trade Commission (FTC) for the same offence. But it coincided with the revelation of News International’s massive phone hacking of celebrities, politicians, the Royal Family and, above all, of the murdered schoolgirl Millie Dowler. It was this that excited the public imagination and raised the matter of privacy to a new level. Suddenly it mattered in a different way; more personal, more threatening to the ordinary person in the street. The Leveson Inquiry kept the issue on the front pages through much of 2011 and 2012.

What is at stake here? How should we understand privacy in the different contexts in which we live and interact online? What powers should consumers have over their data? How can the power of corporations and advertisers be reined in? We are urgently in need of new definitions and concepts; those that served us even a decade ago are no longer adequate given the exponential advance of digital technology. What does “territoriality” or “residence” mean when Google can stretch out its hand from California and rifle through our data as we sit at our computers thousands of miles away? How can “jurisdiction” be confined to a geographical entity in the age of cyber crime and the global reach of search engines and browsers? What do we mean by “privacy” online when people are giving it away freely, not to say promiscuously, on social networking sites such as Facebook, Instagram and YouTube? And finally, though the case was not brought with this in mind, can “damages” be limited to pecuniary loss alone as apparently determined by the DPA?

The case against Google is not only about holding Google to account, but about beginning to clarify and modernise rules and definitions. Most important, it is about creating the laws needed to hold Google et. al. to account. As Guy Aitchison wrote in Open Democracy: “We are to a great extent playing catch-up. The rapidity of technological change has vastly outpaced the development of our laws, institutions and regulatory systems, along with the articulation of the ethical categories and principles with which to understand and evaluate them.”

Or, as Tim Berners Lee, inventor of the World Wide Web, put it: we need an “online Magna Carta” to protect the web. His “Web We Want” campaign was launched on UN Human Rights Day last year and calls on “ordinary people” to take control of the web and challenge “those who seek to control [it] for their own purposes”. It is within that context that we decided to pursue the present case.

A landmark judgment

It was not until June 2013 that we were allowed to serve our claim on Google to appear in a UK court to answer our accusations. Google was quick to point out that since it was not domiciled in the UK and did not pay taxes here, the courts had no authority to try the case and it would not answer our summons. We were, it said dismissively, entirely welcome to confront them on its home ground in California and set about getting this decision reversed. It did not deny the charges; on the contrary, Google admitted in February 2012 in the US that it had done precisely what we claimed. For this it had been fined by the FTC a record 22.5 million dollars for breaching the privacy of US users. In 2013, it paid a further 17m dollars to 37 US states plus the District of Columbia for the same offence. Following these judgements, Google promised not to repeat the activity and said it was taking all necessary measures to put right the damage it had caused.

In August 2013, Google was granted permission to challenge the decision and in January 2014 appeared before London’s High Court. Mr Justice Tugendhat rejected all Google’s arguments, namely that:

1. the cause of action was not a “tort” (see below);
2. there was no serious issue to be tried in relation to the claim in misuse of private information/breach of confidence;
3. there was no serious issue to be tried in relation to the claim for breach of the Data Protection Act 1998;
4. the claimants had not shown that England was clearly the most appropriate forum for the trial of the claims;
5. “damage’ means significant physical or economic harm and no such damage was alleged by the claimants.

Under the UK’s complex legal system, Google was able up the stakes and go one higher in its effort to evade UK justice. In the hope that it would reverse Tugendhat’s ruling, it went to the Court of Appeal.

And, for almost a year we waited; the courts of England are second only to the “mills of God” in the speed of their actions. Finally, in December 2014, we returned to court, but the single day allowed for the hearing proved inadequate and again we waited. It was not until March 2015 that the Appeal hearing was concluded over a further two days. Listening to the legal jargon, the citation of innumerable precedents and the complexities of the technical issues involved was mind-numbing: a six-hour-long address by the counsel for Google on the definition of the word “tort” came close to watching the proverbial paint dry. On later investigation, this word so crucial to the case turned out to mean a civil wrong causing damage to the persons involved and demanding redress in court. Because the invasion of privacy had previously never been considered a tort, Google argued that it could not be tried as a civil offence in a UK court.

Once again, the judge dismissed all Google’s claims, leaving us open to pursue the case. Announced on 27 March, it was a famous victory or, in the words of the lawyers involved, “a landmark judgment”. The Master of the Rolls, the Right Honourable Lord Dyson concluded in brief that:

On the face of it, these claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months. The case relates to the anxiety and distress this intrusion upon autonomy has caused.

In addition to determining the matter of “serving out” on non-residents, it clarifies some important issues – the nature of privacy and its definition in law, the definition of damages – and prepares the ground for the determination of future law in this area, a change that reflects the changing nature of “privacy” in the world of global information technology.

What next?

Yet the so-called “landmark judgment” aroused little excitement in the UK media. Could it be that everyone is simply waiting for the next chapter? Or do the suspicions in some quarters that even the media is running scared of Google have some traction?

Much depends on what Google does next. Will it choose to up the ante once more by going to the Supreme Court? Or will it acknowledge the error of its ways and face trial? In the event that the Supreme Court refuses an appeal, will it settle out of court to avoid a potentially damaging judgement?

We shall see. Meanwhile, it’s only fair to acknowledge that Google is not entirely the monster this case presents it as. Not only does it provide a service without which most of us would be ineptly fumbling our way around the web, it is an employer of 50,000. Their terms and condition of employment are such as to foster the envy of their peers. But the utopian dystopia of Dave Eggers 2013 novel The Circle, whose inhabitants lead an isolated cult-like existence reminiscent of some of the more bizarre sects in the US might be nearer the mark.

And it can acknowledge fault, even though it has defended its record on privacy by claiming that much of its illicit information gathering was “by mistake”. As Google’s head of “people operations”, aka human resources, Lazlo Bock admitted in an interview in The Guardian: “There’s a lot of responsibility that comes with having a global brand and the kind of footprint we have and the kind of impact we have and we need to live up to that.”

Corporate responsibility is one thing, however, and abiding by the law another. The days when Google was free to roam the unregulated territories of the internet are slowly, but surely, coming to an end.

A full account of the appeal judgement in Vidal-Hall et al. v Google, including technical and legal terms and definitions, plus details of the claim are available at: www.bailii.org/ew/cases/EWCA/Civ/2015/311.html

Editor’s Note: Google is a funder of Index on Censorship

This article was originally posted at Eurozine

African convention on cybercrimes could silence free speech online

Amid concerns that the proposed African Union Convention on Cybersecurity (AUCC) will limit free speech online the drafters of the AUC have agreed to receive input from outside organisations.

The Web We Want, a campaign aimed at promoting an internet where everyone can participate in the free flow of knowledge, ideas, collaboration and creativity, put forward a proposal after criticism that the convention should not be passed until changes have been made to it.

The convention, which will be signed in January 2014, proposes the prevention of cybercrime in 15 African states “through the organisation of electronic transactions, protection of personal data, promotion of cyber security, e-governance and combating cybercrime”. According to the Norton Cybercrime Report 2012, South Africa ranks 3rd globally for the number of cybercrime victims, behind Russia and China.

However it has been suggested that the convention should not be passed in its current form as it “dangerously imposes broad limitations on freedom of expression by permitting the interception of content data and traffic data on unfounded grounds, such as ‘where the imperatives of the information so dictate’”.

According to the Kenyan-based Strathmore University’s Centre for Intellectual Property and Information Technology (CIPIT) the convention could abuse Africans’ right to privacy, harm freedom of expression and place too much power in the hands of judges who, in the “public interest”, will have the authority to intercept individuals’ electronic communications without their permission.

Taking this into account this week will see an online discussion on the proposed changes to the AUCC by Kenyan and Ugandan stakeholders. Sponsored by KICTAnet, the Kenya ICT Action Network, and in partnership with Web We Want the five day digital event will call for a discussion of articles from the convention in need of further clarification and recommendations. The Web We Want has called upon international NGOs to put forward their concerns regarding the AUCC and internet freedom to be deliberated over the coming week.

This article was posted on 26 Nov 2013 at indexoncensorship.org