Google in the United States

The Google Gmail Case

A class action in San Jose challenges Google’s scanning of email content to gather personally identifiable information. Google says its policies are clear, and users should just get over it.

Not only does the case (see below) have profound implications for online privacy, but if successful it could trigger a payout of $10.5 trillion in damages. The suit alleges that Google – in pursuit of its commercial interests and without any help from the government – is violating federal wiretap laws and state privacy statutes by mining the contents of untold email messages. Needless to say, Google is not taking this legal challenge lightly.

The Google Gmail Litigation

By Thomas Peele. He is an investigative reporter for the Bay Area News Group and the co-chair of the Freedom of Information Committee for the Society of Professional Journalists’ Northern California Chapter.

A class action in San Jose challenges Google’s scanning of email content to gather personally identifiable information. Google says its policies are clear, and users should just get over it.

Dunbar approached a Texarkana lawyer, Sean F. Rommel at Wyly-Rommel, who specializes in complex federal litigation. Together they took the jump, filing a complaint that alleged Google violated the Wiretap Act as amended by the Electronic Communications Privacy Act (18 U.S.C. §§ 2510-2522) and its own terms of service by intercepting and using email sent from non-Gmail addresses to Gmail account holders. (Dunbar v. Google, No. 10-CV-00194 (E.D. Tex. filed Nov. 17, 2010).)

Around the country, other plaintiffs lawyers were having similar discussions with potential clients about Google’s data extraction practices. In Illinois, a woman identified in court filings as “A.K.” noticed lots of ads for hockey equipment popping up in her son’s Gmail. “I remember my first thought was … ‘Oh great, he’s going to try to purchase something,” she testified. “[But] it could have been something personal that I sent to someone, and they’re scanning it and viewing it,” A.K. stated. “It just feels like an invasion of privacy that anyone would go into anyone’s email and be able to read their emails.”

The core allegation in each of these cases is Google’s unauthorized reading of email messages to and from Gmail users to extract “personally identifiable information” – a legal concept that includes an individual’s name, Social Security number, date and place of birth, as well as linked medical, educational, financial, and employment information. Google, however, maintains that its terms of service and eight-page privacy policy – available to Gmail users online – makes its business practices transparent and legal.

In Dunbar, the company moved to dismiss the first amended complaint in March 2011, arguing that one of the parties to the email – the Gmail user – had consented to the alleged interception by agreeing to Google’s terms of service. A federal judge in Texas denied the motion, and the parties began discovery.

It was during this process that Google’s counsel, in response to a request, notified Rommel that Google could produce Dunbar’s own email in-box from his account with his local Internet service provider, Cable One. As it turns out, Cable One delivered email through a Google Apps Partner program that allowed Google to scan account holders’ messages – which Google “treated the same as” email received by Gmail users. Dunbar contends that this revelation was news to him.

And he didn’t have much choice about the situation. “You have to be able to email,” Dunbar said in the 2011 deposition. “My choices in Texarkana are limited. … I can’t sign pleadings in federal court if I don’t have an email account to receive the electronic communications.”

But Charles L. “Chip” Babcock, a partner in Jackson Walker’s Houston office who was conducting the deposition for Google, had his own take on Dunbar’s complaint: “If Google stops [scanning email content], they might have to stop free emails,” he commented. “They would have to go to a different business model.”

The threat of potential consequences increased as plaintiffs lawyers around the country filed six other class actions involving similar allegations against Google.

In June 2012 the Gmail litigation was transferred to the Northern District of California, where the Mountain View company is headquartered. The consolidated complaint – including cases filed in California, Illinois, Pennsylvania, Maryland, and Florida – alleged violations of the Wiretap Act and various state privacy statutes. Dunbar was named lead plaintiff, and Rommel selected as lead counsel. (In re Google Gmail Litig., No. 13-MD-02430 (N.D. Cal. order filed May 16, 2013).)

Google moved to dismiss the consolidated complaint last year. But in late September, U.S. District Judge Lucy H. Koh denied the motion on most claims, and permitted plaintiffs to amend the complaint regarding certain others she dismissed. “[T]he court finds that it cannot conclude that any party – Gmail users or non-Gmail users – has consented to Google’s reading of e-mail for the purposes of creating user profiles or providing targeted advertising,” the judge stated.

Koh’s unexpected Google ruling soon shook the server farms of every Internet business that collects, extracts, and sells personally identifiable information. Google lawyer Kathleen M. Sullivan of Quinn Emanuel Urquhart & Sullivan asked Koh to certify an order for interlocutory appeal to the Ninth Circuit, arguing that the case and others like it “are going to determine the course of business in the Valley.”

Other attorneys apparently felt the same way: Within weeks of Koh’s ruling, plaintiffs lawyers filed six lawsuits (since winnowed to four) against Yahoo Inc., alleging that the company’s interception of email sent by non-Yahoo Mail users violated federal and state wiretap laws. In late December, Lieff Cabraser Heimann & Bernstein in San Francisco filed suit alleging similar violations against Facebook Inc., which, according to the complaint, earned $2.7 billion from targeted advertising sales in 2011. (Campbell v. Facebook, Inc., No. 13-CV-05996 (N.D. Cal. filed Dec. 30, 2013).)

Lawyers on both sides of In re Google Gmail Litigation declined to be interviewed, citing the protective order Judge Koh granted Google. Indeed, tremendous amounts of documentation and exhibits in the case are under seal, presumably to guard trade secrets, and many of the pleadings are highly redacted. But the size of the putative classes – and of plaintiffs’ potential awards – emerged in early depositions.

“[I]t’s not just to me,” Dunbar testified, “it’s everybody who ever sent [email] to a Gmail account holder.”
Babcock, however, predicted that certifying a class of that magnitude is “going to be a nightmare to figure out.” He estimated as many as 100 million people could be involved.

Awards could be a nightmare, too. “The best road map to this was through statutory damages,” Dunbar told Babcock, adding that he’s seeking $100 per violation of the Wiretap Act.

“Is it your contention that every time you send an e-mail to somebody that has got a Gmail account, a violation has occurred?” Babcock asked.

“Yes,” Dunbar answered.

As the two lawyers sparred, Babcock mentioned in an aside that such a finding would mean potential damages could exceed the collective imagination of Google itself: $10.5 trillion dollars.

Google began to dawn over the culture in the late 1990s, rising like the sun on a cloudless morning. Its founders’ stated goal – “to organize a seemingly infinite amount of information on the Web” – seemed both benevolent and daunting.

As the search-engine company’s fortunes soared, it entered the Silicon Valley tradition of April Fools’ hoaxes. On April 1, 2000, it announced the launch of “MentalPlex,” a Web page featuring a spinning, red-and-blue sphere. Stare into it, Google directed, think about the search you want to perform, and the results would appear on your computer screen. The company claimed it had invented technology that could read its users’ minds.

Now, that little gag doesn’t seem so far-fetched, given everything that has happened in big data since. “Google actually diverts email messages to separate devices to extract the meaning from the message,” Rommel wrote in court pleadings. “Google designed these devices to capture the author’s actual thoughts for Google’s secret use.”

According to plaintiffs, Google does not disclose its data mining to anyone – which runs contrary to its expressed agreements. “This company reads on a daily basis every email that is submitted through it. And when I say, ‘read,’ I mean the literal definition of looking at the written text to determine the meaning,” Rommel told Judge Koh at a September hearing.

Google has admitted privacy violations before. Last November it agreed to pay $17 million to 37 states and the District of Columbia for making an end run around the privacy protections of Apple Inc.’s Safari Web browser to track users’ online activities and create personally tailored advertisements. In 2012 the Federal Trade Commission hit Google with a $22.5 million fine – the largest in FTC history – over the same Safari issue.

“Consumers should be able to know whether there are other eyes surfing the web with them,” said New York Attorney General Eric T. Schneiderman, whose office led the investigation that resulted in the multistate settlement. “By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust.”
By now, however, few people reasonably expect to enjoy much privacy on the Internet. Google, which grossed $14 billion in a single quarter last year, has proved that vast sums can be generated by the collection of consumer data.

And privacy laws lag badly behind advances in digital technology – in part because of industry lobbying, according to Nicole A. Ozer, director of technology civil liberties policy for the ACLU of Northern California. “We continue to see a lot of opposition to providing transparency,” she says.

For example, California’s Shine the Light law (Cal. Civ. Code § 1798.83), was in the vanguard of privacy protections when the Legislature passed it in 2003, Ozer says. The statute requires companies to inform California residents, upon request, what personal data they share with third parties, and to identify those parties. But in 2003 Facebook and Twitter weren’t yet live, and Google hadn’t introduced Gmail. “It’s very, very outdated,” Ozer says.

Last year, efforts to recast the law stalled in the Legislature. One measure, the Right to Know Act – introduced by Assemblymember Bonnie Lowenthal (D-Long Beach) – was delayed in committee because of opposition. That proposal, AB 1291, would allow people to safeguard information about their location, their online habits, and even, if they choose, their sexual orientation. The ACLU promises to push the measure forward again this year.

The organization’s research shows that “when people know what’s happening to their information, they make different choices,” Ozer says. “Gmail isn’t free. People are paying a very high price for it, and it’s in their private information.” The more people know about what is done with their personal data, she contends, the more they will do to protect it.

But limiting the gathering and sale of personally identifiable information would frustrate the de facto business model used by most providers of consumer email and Web browsing. Unless, of course, the business model were radically changed to protect the privacy rights of Internet users. Last summer, a former state legislator and a retired trial lawyer proposed just such a move.

Radical change is what Steve Peace had in mind when he launched an initiative campaign to enact the California Personal Privacy Protection Act. The former San Diego assemblyman and state senator, who briefly served as finance director for Democratic Gov. Gray Davis, is probably best known for championing an electricity deregulation bill widely blamed for the state energy crisis of 2000-01. (He also co-produced the cult film classic Attack of the Killer Tomatoes and its three sequels.) Toward the end of his tenure as a state senator, Peace dabbled in consumer privacy issues. He wrote and secured passage of SB 129, which in 2000 established the Office of Privacy Protection in the state Department of Consumer Affairs. More than a decade later, he decided to extend that work.

In August, Peace and attorney Michael T. Thorsnes sought to gather signatures to qualify their privacy measure for this year’s statewide ballot. The initiative would amend the state Constitution to define personally identifiable information as any information “which can be used to distinguish or trace a natural person’s identity … [or] which is linked or linkable to a specific natural person.” Most important, it would create a presumption that such information is confidential, and establish a presumption of harm for sharing it without the person’s express consent.

Judging by the reaction their proposal drew, Peace and Thorsnes had grabbed the third rail of Internet commerce. “Is Steve Peace Leading California to Disaster … Again?” asked the headline on Los Angeles attorney Bennett Kelley’s Huffington Post column. Peace’s idea, Kelley argued, “rewrites the economic equation of free Internet sites … by imposing a rigid opt-in regime in place of the prevailing opt-out approach to Internet privacy.” If voters approved such a measure, Kelley predicted, it “could have an immediate impact of stifling growth in the vibrant Silicon Beach and Silicon Valley corridors … or even worse, precipitating an exodus of Internet businesses from California.”

In another scathing critique. Jim Halpert, a partner at the Washington, D.C., office of DLA Piper, wrote in a client alert that the initiative “would establish a presumption of ‘harm’ for any disclosure by a commercial or governmental entity that does not meet these narrow criteria. This would mean that the plaintiffs bar could sue violators.” Halpert called the proposal “potentially revolutionary.”

Two months after the launch, Peace announced he was dropping the campaign. He cited a report issued by the Legislative Analyst’s Office warning that his proposal could spur “unknown but potentially significant costs to state and local governments from additional or more costly lawsuits, increased court workload, [the need for] data security improvements, and changes to information-sharing practices.”

But Peace remains unabashed in his belief that fundamental change is needed in the way personally identifiable information is collected. “We are letting pieces of ourselves be used, controlled, owned,” he contends in an interview, adding, “Google is the Enron of the technology business” – a reference to the energy giant’s role in defrauding utility consumers in the wake of the deregulation debacle.

Peace quickly added that he’s not alleging Google is engaged in fraud. But he says the company is one of “the gods of the industry, and they have a very radical view about privacy and the ability to chop up [consumers’] data. They are going to lead us over a cliff.”

Tanya L. Forsheit, a partner at InfoLawGroup in Manhattan Beach who frequently represents Internet companies, disagrees with that assessment. Google is “not Big Brother,” she says. “Google is in the business of providing people with innovative products, not trying to get into their heads. When you get a free service, you give something up. It’s nothing new.”

Forsheit admits that former NSA contractor Edward Snowden’s revelations of widespread government surveillance “have obviously colored a lot” of the debate, fostering popular anxiety about dragnet data collection. “But it’s all about the government,” she contends. “People conflate what’s going on. It’s true, there are laws that allow the government to have access to data. But the companies required to provide it want to be as transparent as possible. We don’t want paranoia.”

The ACLU’s Ozer, too, says that Internet companies should be open and transparent about what they do with consumers’ information. “Google is an advertising company,” she says. “Gmail isn’t free. People are paying a very high price for it, and its [cost is] in their private information.”

At its heart, Butch Dunbar’s class action challenges Google’s underlying business model. And of course, the Internet giant is in business to do more than organize all of the world’s information in one convenient place.

In 2004 Google began offering a free email service it dubbed Gmail, which featured local hard-disk storage and transmission speeds far superior to its competitors’ – by June 2012, the number of active users topped 425 million. Gmail had also evolved into a commercial venture, with customized versions offered to public educational systems such as UC Berkeley, the California State University system, and the University of Hawaii.

All it takes to open a Gmail account is Internet access and a few minutes to provide basic information, including name, gender, birth date, a cell phone number (optional), and another email address for recovery purposes. Then the only thing left is clicking to accept Google’s terms of service – a hyperlinked document that is at the center of the company’s Dunbar defense.

Google argues that its privacy policy alerts account users of its data collection practices. “We collect information in two ways: Information you give us, and information we get from your use of our services,” it states. It warns users, “We also use cookies and anonymous identifiers when you interact with services we offer to our partners, such as advertising.”

But at a September 2013 hearing on Google’s motion to dismiss, chief plaintiffs counsel Rommel told Judge Koh, “This issue of advertising is the greatest smokescreen in our modern era. Advertising has nothing to do with the data that is being amassed by this company about the thoughts and ideas and concepts from people’s private communication.”

Whitty Somvichian, Google’s counsel and a partner at Cooley LLP in San Francisco, responded that Gmail users shouldn’t expect their communications to be private. “It is inconceivable that somebody who’s using the Gmail service would not view this information in their Gmail account to be information that they have made available to Google simply by the fact that Google maintains the email account,” he said.

Somvichian added that Google’s reading of any emails falls within the “ordinary course of business” exception to Wiretap Act violations.

Judge Koh was immediately skeptical. “Is anything that enhances Google’s ad revenue ‘ordinary course of business?’ ” she asked. “That seems awfully broad.”

“The display of ads is very clearly an integrated part of the Gmail service provided in the ordinary course of doing business,” Somvichian replied.

Koh wasn’t satisfied, asking if the ordinary course of business was “the actual transmittal of the email communications, the management of that flow? The targeted advertising is separate and supplemental.” Users who receive Gmail service through Google Apps for Education don’t receive its advertising, she pointed out – yet Google also extracts data from their emails.

The judge said she’d looked through two versions of Google’s terms of service for Gmail and four privacy policies. “I just don’t see in there any explicit language that the content of emails is going to be reviewed to create targeted advertising or to create user profiles.”

Koh wasn’t offering Somvichian any encouragement.

A short while later, he stated that Google believes it has a “worldwide license” to the emails that pass through its systems.

Rommel reacted with surprise. “That’s the scariest interpretation I’ve ever heard,” he said. “Google has just said that a Gmail account gives Google a license to that email and its contents. So if that’s what Google really means … Google itself can be a party to all kinds of activities that the user has no control over.”

Later that month Koh issued an unambiguous order, denying the motion to dismiss the class action. “The court finds that the ordinary course of business exception is narrow,” she wrote. “Specifically, the exception would apply here only if the alleged interceptions were an instrumental part of the transmission of email.” In fact, she found, “Google’s alleged interception of email content is primarily used to create user profiles and to provide targeted advertising.” These alleged interceptions, Koh concluded, are both “physically and purposely unrelated to Google’s provision of email services.”

The order also affirmed the plaintiffs’ standing. Citing Ninth Circuit precedent on the issue, Koh ruled that “the injury required by Article III may exist by virtue of ‘statutes creating legal rights, the invasion of which creates standing.’ ” (In re Google Gmail Litig., No. 13-MD-02430 order filed Sept. 26, 2013.)

Despite Judge Koh’s favorable ruling, Dunbar and Rommel have a long way to go before they pop the tops off some Lone Star longnecks in celebration.

In its motion for interlocutory appeal, Google called Koh’s ruling “a novel interpretation of wiretapping statutes enacted and amended by Congress long before the rise of the Internet and never since updated to reflect the new technological commercial realities of the Internet age.”

Then in December, Magistrate Judge Paul S. Grewal – whose San Jose courtroom is in the same building as Koh’s – issued a ruling that took the opposite view of the ordinary course of business exception. In an unrelated case against Google, Grewal rejected the plaintiffs’ claim of Wiretap Act violations, granting in part Google’s motion to dismiss certain claims. (In re Google, Inc. Privacy Policy Litig., No. 12-CV-01382 (N.D. Cal. Dec. 3, 2013).)

Plaintiffs in that class action had challenged Google’s new unified privacy policy permitting the company to commingle users’ data across different Google products. They also challenged Google’s disclosure of this data to third parties – including application developers and advertising partners.

Grewal’s order acknowledged he was “mindful” that only recently, in In re Google, Inc. Gmail Litigation, his colleague on the same court had interpreted the Wiretap Act exception narrowly. But he took an expansive view of Google’s business model, which he noted had grown from a simple search engine to encompass many other products, including Gmail, Google Documents, Chrome, and YouTube. “With little or no revenue from its users,” Grewal wrote, “Google still manages to turn a healthy profit by selling advertisements within its products that rely in substantial part on users’ personal identification information. As some before have observed, in this model, the users are the real product.”

Grewal cautioned, however, that to proceed a plaintiff “must allege how the defendant’s use of the information deprived the plaintiff of the information’s economic value. Put another way, a plaintiff must do more than point to the dollars in a defendant’s pocket; he must sufficiently allege that in the process he lost dollars of his own.”
Rejecting some of the plaintiffs’ theories of harm, Grewal nevertheless found that they had suffered certain statutory and economic injuries – including consumption of battery and bandwidth on their cell phones, and overpayment for certain devices – sufficient to support standing for each of their stated claims. Although Grewal dismissed the suit, he granted plaintiffs leave to file a third amended complaint.

Two federal judges in the same courthouse have now issued conflicting rulings on whether the Wiretap Act’s ordinary course of business exception applies to Google’s email operations. Eric Goldman, a professor at Santa Clara University School of Law and director of its High Tech Law Institute, says that exception “gets very much to the core of the entire email industry.” Goldman, who joked recently to a reporter that Koh and Grewal should just go to Starbucks and hash out their differences, says it’s likely the Ninth Circuit will have to settle the matter.

“Google isn’t in the data business,” Goldman says. “It’s in the matchmaking business,” linking its users’ interests to advertisers and products based on “the best possible data set,” culled from users’ email and Web searches.
He adds, “Much is at stake, and no one knows what’s going to happen.” If Judge Koh’s order is upheld on appeal, “that’s a problem for the entire email industry.”

Where does that leave Butch Dunbar and the other plaintiffs challenging the data-mining practices of Google, Yahoo, and Facebook? Like Steve Peace, they’re reaching for that third rail of the Internet economy – the control of personally identifiable information. Someone is bound to feel a jolt soon: It’s just a question of whom.