Frank v. Gaos

Whether a settlement is “fair, reasonable, and adequate” in a consumer privacy case where there is no meaningful change in business practices and no monetary relief is given to class members.
  • ANALYSIS: Justice Thomas Charts Path for Consumer Privacy Cases: In his dissenting opinion in Frank v. Gaos, Justice Thomas set out two key guidelines for future consumer privacy litigation. First, Justice Thomas said that consumer privacy cases could go forward when a "private right" is violated, such as when a violation of a federal privacy law is alleged. The Supreme Court adopted a somewhat more narrow standard in the Spokeo v. Robins case. Second, Justice Thomas made clear that class action settlements must provide a "meaningful" benefit to class members, which could include monetary relief or a change in business practices. Justice Thomas opposed the settlement in Gaos, explaining "because the class members here received no settlement fund, no meaningful injunctive relief, and no other benefit whatsoever in exchange for the settlement of their claims...." Justice Thomas did not rule out cy pres remainder settlements for "disposing of unclaimed or undistributable class funds" or cy pres-only settlements that provide some actual benefit to class members. EPIC set out very similar views in an amicus brief for the Supreme Court in the Gaos case, in related amicus briefs on standing and in court filings on class action fairness, as well as an academic article calling for reform of cy pres settlements. (Mar. 21, 2019)
  • Supreme Court Remands Controversial Cy Pres Deal: The Supreme Court today sent Frank v. Gaos back to the lower courts because the Court could not decide if the proposed settlement in a privacy case was "fair, reasonable, and adequate" or if the case was properly before the Court. The case involves Google's disclosure of search histories to third parties without consent, a business practice that could violate several privacy laws. Under the terms of the settlement, there was no benefit to Internet users and Google was not prohibited from continuing the allegedly unlawful practice. In an amicus brief, EPIC stated, "the proposed settlement is bad for consumers and does nothing to change Google's business practices." EPIC and several organizations objected to the original settlement on three separate occasions. EPIC routinely opposes settlements that fail to provide an actual benefit to Internet users. In this case, the Justices ordered the parties to address whether the Spokeo v. Robins decision permits consumer privacy cases to go forward. EPIC filed a brief in Spokeo in support of consumers, and has filed similar briefs siding with consumers in several other cases. (Mar. 20, 2019)
  • EPIC Urges Supreme Court to Protect Internet Users in Controversial Class Action Settlement: EPIC has filed an amicus brief in Frank v. Gaos, concerning a class action settlement that provided no benefit to Internet users and no change in the business practices of defendant Google. EPIC said the settlement was not "fair, reasonable, and adequate." The case involves Google's disclosure of Internet user search histories to third parties without user consent, a business practice that could violate federal and state privacy law. EPIC stated, "The proposed settlement is bad for consumers and does nothing to change Google's business practices." A federal appeals court narrowly approved that settlement, 2-1, with the dissenting judge warning that courts must be on the lookout "not only for explicit collusion, but also for more subtle signs that class counsel have allowed pursuit of their own self-interests." EPIC said that, "cy pres requires vigilant judicial oversight to guard against the risks of collusion and ensure that judges are not rubber-stamping settlements that pay attorneys while failing to benefit class members." EPIC and several consumer privacy organizations objected to the original settlement on three separate occasions. EPIC routinely opposes class action settlements that fail to provide a benefit to Internet users. (Jul. 16, 2018)
  • House Judiciary Considering Antitrust Reform Bills » (Jun. 23, 2021)
    The House Judiciary Committee is today holding a markup session on six bills aimed at disrupting the monopoly power of Big Tech. EPIC has long argued that market consolidation in online platforms threatens privacy. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned the FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook's acquisition of WhatsApp.
  • Records Show FTC Botched Google Antitrust Investigation » (Mar. 16, 2021)
    The Federal Trade Commission's 2013 failure to sue Google for antitrust violations went against the advice of FTC staff and disregarded evidence of Google's growing market dominance, according to records obtained by Politico. FTC antitrust attorneys advised the Commission to bring suit against Google to block future deals with mobile companies making Google an exclusive search provider. But the Commission rejected that recommendation on the view that mobile search was only a small part of the search market, a conclusion that quickly proved outdated. The records published by Politico also reveal that Amazon and Facebook—both of which are now facing their own antitrust proceedings—privately pushed the FTC to take enforcement action against Google. Google's anticompetitive practices in search and targeted advertising are the basis of two antitrust lawsuits brought by the Department of Justice and state attorneys general last year. On Monday, Texas announced that it would broaden its lawsuit to cover Google's planned replacement for third-party cookies—so-called "FLoCs"—which would do little to protect privacy but further consolidate Google's market power. EPIC has long targeted anticompetitive practices by Google, including its acquisition of DoubleClick and bias in YouTube search rankings. EPIC also helped bring about the FTC's 2011 order establishing privacy safeguards for Google users and sued when Google violated that order.
  • Google Closes Fitbit Acquisition While DOJ's Review of Merger Continues » (Jan. 14, 2021)
    Today, Google announced that it "completed its acquisition of Fitbit" in a $2.1 billion deal, even though the Department of Justice has not yet approved the merger. DOJ said that its investigation into the deal remains ongoing, and "[a]lthough the division has not reached a final decision about whether to pursue an enforcement action, the division continues to investigate whether Google's acquisition of Fitbit may harm competition and consumers in the United States." The announcement comes after Google gained EU antitrust approval for its Fitbit bid last month subject to limits on how it will use consumers' data, including pledging to not use Fitbit data for advertising purposes in Europe. EPIC has long opposed Google's acquisition of Fitbit, citing concerns about Google's history of data protection and privacy violations. In November 2019, EPIC told the House Judiciary Committee that the FTC should block the acquisition. EPIC brought the 2012 case against the FTC for the agency's failure to enforce the 2011 consent order against Google after the company consolidated user data across multiple services.
  • Google Faces Two Additional Antitrust Suits » (Dec. 18, 2020)
    Two antitrust lawsuits were filed against Google this week by state Attorneys General. On Wednesday, Texas and eight other states filed a suit alleging anticompetitive conduct, exclusionary practices and deceptive misrepresentations in connection with Google's role in advertising technology. "Google’s entire business model is to collect comprehensive data about every user in the service of brokering targeted ad sales," the suit says. "Google also has violated users’ privacy in other egregious ways when doing so is convenient for Google." On Thursday, a bipartisan group of thirty-eight states led by Colorado Attorney General Phil Weiser filed a lawsuit alleging that Google illegally maintains its monopoly power over general search engines and related search advertising markets through anticompetitive contracts and conduct. "Google recognizes that its continued market dominance would be vulnerable in a more competitive market," the suit says. "For example, new general search challengers could emerge to offer differentiated services, such as greater privacy protection, search without advertising, or simply better search results." More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward.
  • Department of Justice Files Antitrust Suit Against Google » (Oct. 20, 2020)
    The Department of Justice has filed an antitrust case against Google in federal court, alleging violations of anti-monopoly laws in the search and advertising markets. EPIC has long warned regulators about the harmful privacy consequences of market consolidation by Google and other technology firms. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned the FTC that other mergers posed similar risks to consumer privacy and competition. In 2011, EPIC warned the FTC that Google’s dominance in the internet search marketplace was allowing it to preference its own content in search results. Today Google occupies 92% of the search market worldwide.
  • House Judiciary Committee Reports on Competition in Digital Markets » (Oct. 6, 2020)
    The House Judiciary Committee has released its report following a years-long investigation of competition in digital markets. "[O]nline platforms’ dominance carries significant costs. It has diminished consumer choice, eroded innovation and entrepreneurship in the U.S. economy, weakened the vibrancy of the free and diverse press, and undermined Americans’ privacy," the Majority Staff report states. The Committee also found that the Federal Trade Commission had neglected to use the antitrust authorities granted to the agency by Congress. "In its first hundred years, the FTC promulgated only one rule defining an 'unfair method of competition,'" the report notes. EPIC had previously told the Committee that merger review must consider data protection. "The United States stands virtually alone in its unwillingness to address privacy as an increasingly important dimension of competition in the digital marketplace," EPIC said. The Committee report makes numerous recommendations, including "structural separations and prohibitions of certain dominant platforms from operating in adjacent lines of business."
  • EPIC: "Regulators Failed and Google Turned The Internet Into a Surveillance Machine" » (Sep. 15, 2020)
    In advance of a Senate Judiciary Committee hearing on "Stacking the Tech: Has Google harmed competition in online advertising?," EPIC argued in a Medium post that the answer to that question is obviously yes, but Congress shares some of the blame. "There are many problems with today's online advertising systems," EPIC wrote, "[b]ut it didn't have to be this way. More active regulation by the government could have sustained online advertising models that were good for advertisers and businesses and for consumers, journalism, and democracy." In 2000, EPIC opposed DoubleClick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web.
  • Unsealed Documents: Google Employees Knew Location Privacy Settings Were Misleading » (Sep. 1, 2020)
    Documents recently disclosed in Arizona's consumer protection lawsuit against Google show that the company's employees admitted Google's location privacy settings were "confusing" and potentially misleading. The suit, brought by Arizona Attorney General Mark Brnovich, alleges that Google violated the Arizona Consumer Fraud Act by collecting and storing location data on mobile devices—even after users believed they had turned off location tracking. A newly-unsealed version of Arizona's complaint reveals that Google employees knew the interface was "[d]efinitely confusing from a user point of view[.]" One employee wrote that Google's interface "feels like it is designed to make things possible, yet difficult enough that people won't figure it out." In July, twenty-seven members of EPIC's advisory board signed a letter urging the court to reject Google's efforts to delay a decision on unsealing the documents. In 2018, EPIC told the Federal Trade Commission that Google's surreptitious tracking of user location data violated the FTC's 2011 Google consent order. The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations.
  • Senators Again Question White House Google Website Plan » (Apr. 1, 2020)
    Five U.S. Senators have sent a follow-up letter to Google requesting more information about the company's plans to protect user data on the coronavirus screening website. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker had sent a letter to the White House expressing concern about the website two weeks ago. The Senators wrote now to say that personal data should "not be used for any commercial purposes in the future, and Verily should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA)." The Senators asked for responses to several questions by April 6, 2020. Google is under a consent order that gives the FTC authority to oversee the company's privacy practices as a consequence of EPIC's complaints about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent order against Google.
  • Senators Question White House Google Website Plan » (Mar. 19, 2020)
    Five U.S. Senators have sent a letter to the White House expressing concern over the privacy implications of the Administration's plan to allow Google to establish a virus screening website for COVID-19. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker said "If the Administration and the private company responsible for launching and maintaining the website does not establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination." The Senators asked for responses to thirteen questions by March 30, 2020. Google is under a consent order that gives the FTC authority to oversee the company's privacy practices. The FTC consent order followed complaints by EPIC about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent order against Google.
  • Google Announces Limits on Data Transfer in Ad Bids » (Nov. 18, 2019)
    Google has announced that it will no longer describe the type of content on an app or webpage when conducting auctions for ads. Google stated the change was the result of "engagement with data protection authorities" and would help prevent those bidding on ads from linking individual people to sensitive content. The change raised concerns about entrenching Google's dominance over internet advertising and whether the policy change would further diminish advertising revenue for content publishers. Questions also remain as to whether the change is necessary under the GDPR if user IDs are effectively deidentified as Google has claimed. Google's modifications to its Street View data collection failed to halt multiple fines by data protection agencies for legal violations. The company's ad exchange is still under investigation for violations of the EU General Data Protection Regulation. EPIC recently urged lawmakers to unwind bad mergers, including Google's acquisition of YouTube and Nest.
  • EPIC to Oppose Google-Fitbit Deal » (Nov. 4, 2019)
    In a statement released today, Marc Rotenberg said that EPIC would oppose Google's proposed acquisition of the fitness tracking company Fitbit. Mr. Rotenberg said the deal should not be approved. "There is no reason to trust Google's assurances about privacy protection," Mr. Rotenberg said, citing previous matters involving DoubleClick, YouTube, Google Home Mini, and Nest. Noting statements on antitrust enforcement by the FTC Chairman and the Assistant Attorney General, Mr. Rotenberg also said, "The Google-Fitbit deal is a test of their commitment to competition, innovation, and data protection." EPIC brought the 2012 case against the FTC for the agency's failure to enforce the 2011 consent order against Google after the company consolidated user data across multiple services.
  • EPIC to Congress: Consumers Must Be Protected in Merger Reviews » (Oct. 18, 2019)
    In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review should consider data protection. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed DoubleClick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin off WhatsApp and Instagram.
  • EPIC Renews Call for Antitrust Agencies to Unwind Bad Mergers » (Sep. 23, 2019)
    In a second statement to the Senate Judiciary Committee, EPIC urged lawmakers to unwind bad mergers such as Facebook's acquisition of WhatsApp and Google's acquisition of YouTube and Nest. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so.
  • EPIC Urges Antitrust Agencies to Unwind Bad Mergers » (Sep. 16, 2019)
    In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to press the FTC and the Department of Justice on enforcement of the antitrust laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so.
  • Google Seeks to Establish Facial Recognition in Homes » (Sep. 16, 2019)
    With opposition growing to facial recognition, Google has decided instead to build facial recognition into Nest Hub Max, an "always on" device intended for use in the home. Google's "face match" constantly targets the facial images of each person in the household. Any interaction with the Google device is added to the secret user profile Google maintains for ad targeting. In 2014, EPIC filed a complaint with the FTC and said the "Commission clearly failed to address the significant privacy concerns presented in the Google acquisition of Nest," a related device that enabled surveillance in the home. EPIC later asked the Federal Trade Commission to require Google to spin off Nest and to disgorge the data obtained from Nest users. A 2017 complaint to the Consumer Product Safety Commission from EPIC and consumer organizations pointed out that the "touchpad on the Google device is permanently set to 'on' so that it records all conversations without a consumer's knowledge or consent."
  • FTC YouTube Settlement Fails to Safeguard Children's Privacy » (Sep. 4, 2019)
    Following a comprehensive complaint launched by the CCFC and the CDD concerning children's privacy, the Federal Trade Commission announced a settlement today with YouTube and parent company Google. The companies agreed to pay $170 million to settle claims that they violated the Children's Online Privacy Protection Act, but little will change in the companies' business model. Writing in dissent, Commissioner Slaughter said, "YouTube and Google were knowingly profiting off of the unlawful tracking of children." She said the Commission should have required a "technological backstop" to ensure that behavioral advertising of children would not continue. Commissioner Chopra, also dissenting, wrote "the Commission repeats many of the same mistakes from the Facebook settlement." In a statement, Senator Markey said the FTC should have required Google to delete all data it collected from children under 13, prohibited Google from launching kids services without prior review, and required annual public audits. EPIC joined the CCFC and the CDD in the complaint to the FTC. Earlier, after Google acquired YouTube, EPIC sued the FTC to block Google's proposed consolidation of user data. The judge ruled against EPIC, but wrote "EPIC - along with many other individuals and organizations - has advanced serious concerns that may well be legitimate..."
  • Gallup Poll: Americans Divided on Regulation for Big Tech Firms » (Aug. 22, 2019)
    A new Gallup poll found that 48 percent of respondents said the government should boost its regulation of technology companies like Amazon, Facebook and Google, while 40 percent said regulation of these firms shouldn't change. Roughly 60 percent of self-identified liberals, union members, college graduates and Democrats support increased oversight of tech companies. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs.
  • Following EPIC's Advice, Third Circuit Nixes Google Deal » (Aug. 7, 2019)
    A federal appeals court has rejected a proposed class action settlement in a case involving Google's tracking of internet users in violation of the users' privacy settings. The court was particularly "troubled" by the prior relationships between Google, class counsel, and the organizations selected to receive funds in the settlement. The court found that "if challenged by an objector, a district court must review the selected cy pres recipients to determine whether they have a significant prior affiliation with any party, counsel, or the court." EPIC had urged the court to reject the deal in an amicus brief. EPIC said the settlement was "fundamentally flawed" because "Google is allowed to continue its unlawful conduct and the class members receive no monetary relief." EPIC also explained that the selection of organizations awarded in the settlement "raise significant conflicts of interest concerns." EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement.
  • Google Speech Transcription Suspended in Europe » (Aug. 2, 2019)
    Following an investigation by a German data protection agency, Google has suspended Assistant for a three-month period. Johannes Caspar, the head of the Hamburg data protection agency, found Google was recording and transcribing private conversations for examination by Google contractors. Caspar said there are "significant doubts" as to whether Google Assistant complies with EU data-protection law. Caspar previously uncovered the fact that Google Street View vehicles were intercepting and recording private wifi communications, a charge that Google denied until the hard drives in the Google vehicles were examined. In the US, Google settled a "Spy-Fi" case for $7 million with state AGs following the investigation by the German privacy agency. EPIC previously asked the FTC and the Department of Justice to determine whether "always on" devices violate federal wiretap law. Neither agency has made a determination.
  • Proposed Cy-Pres Only Settlement Provides No Benefit to Class Members » (Jul. 22, 2019)
    A proposed settlement with Google concerning the Street View program will provide no actual benefit to class members. With Street View, Google not only captured digital images of streets but also intercepted private wifi communications, including passwords. Beginning in 2007, EPIC and other consumer groups spent several years urging federal and state regulators to act. In 2013, 38 State Attorneys General settled claims against Google. In that settlement, Google agreed to end the collection of network data and launch a public service campaign to help users install secure wireless networks. Six years later, lawyers have just put before a federal judge a settlement that proposes that the company again end the program and launch a public service campaign. Chief Justice Roberts has raised "fundamental concerns" about settlements that provide no benefits to class members and no change in business practices. In a cy pres case earlier this year, Justice Thomas opposed the Gaos settlement, which also involved Google, explaining "because the class members here received no settlement fund, no meaningful injunctive relief, and no other benefit whatsoever in exchange for the settlement of their claims." EPIC seeks to promote class action fairness and has proposed objective criteria that courts should consider to protect the interests of Internet users in class action settlements.
  • EPIC To Congress: Require Algorithmic Transparency For Dominant Internet Firms » (Jul. 17, 2019)
    For a hearing on "Google and Censorship through Search Engines," EPIC sent a statement to the Senate Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But the European Commission found that Google rigged search results to give preference to its own shopping service. The European Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors.
  • Senator Hawley Bill Would Mandate Algorithmic Transparency, Limit 230 Immunity » (Jun. 20, 2019)
    Senator Hawley (R-MO) has introduced the "Ending Support for Internet Censorship Act." The Act would require big tech companies to submit to an external audit that proves that their algorithms and content-removal practices are politically neutral. The bill would remove the immunity big tech companies receive under Section 230 of the Communications Decency Act if the FTC found that the algorithms and content-removal practices were not neutral. In 2007 EPIC explained to the Senate Judiciary Committee that after Google acquired YouTube, Google substituted its own subjective algorithm based on "relevance" for objective criteria, such as number of hits and user ratings. The practical consequence was to elevate the rankings of Google's own web pages and to demote the ranking of other web pages, including EPIC's. EPIC subsequently launched a campaign for algorithmic transparency and urged federal agencies and Congress to mandate algorithmic transparency.
  • New Report on the FTC's Big Tech Revolving Door Problem » (May 23, 2019)
    A new report from the consumer group Public Citizen finds extensive conflicts of interest at the Federal Trade Commission. According to Public Citizen, most top officials at the Federal Trade Commission (FTC) become lawyers and lobbyists for major technology companies after they leave the agency or bring Silicon Valley conflicts with them when they arrive. These conflicts help explain the FTC's chronic reluctance to enforce consumer protection and antitrust laws, said Public Citizen. EPIC previously urged the FTC to block anticompetitive mergers, such as Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp, as well as to enforce the pending consent order against Facebook that EPIC helped establish in 2011. EPIC even sued the FTC when the consumer agency failed to enforce the consent order against Google, following the Buzz consent order. As of today, 423 days have passed since the FTC announced in March 2018 that it would reopen the investigation of Facebook. But still there is no fine, no report, and no update.
  • ANALYSIS: Justice Thomas Charts Path for Consumer Privacy Cases » (Mar. 21, 2019)
    In his dissenting opinion in Frank v. Gaos, Justice Thomas set out two key guidelines for future consumer privacy litigation. First, Justice Thomas said that consumer privacy cases could go forward when a "private right" is violated, such as when a violation of a federal privacy law is alleged. The Supreme Court adopted a somewhat more narrow standard in the Spokeo v. Robbins case. Second, Justice Thomas made clear that class action settlements must provide a "meaningful" benefit to class members, which could include monetary relief or a change in business practices. Justice Thomas opposed the settlement in Gaos, explaining "because the class members here received no settlement fund, no meaningful injunctive relief, and no other benefit whatsoever in exchange for the settlement of their claims...." Justice Thomas did not rule out cy pres remainder settlements for "disposing of unclaimed or undistributable class funds" or cy pres-only settlements that provide some actual benefit to class members. EPIC set out very similar views in an amicus brief for the Supreme Court in the Gaos case, in related amicus briefs on standing and in court filings on class action fairness, as well as an academic article calling for reform of cy pres settlements.
  • Supreme Court Remands Controversial Cy Pres Deal » (Mar. 20, 2019)
    The Supreme Court today sent Frank v. Gaos back to the lower courts because the Court could not decide if the proposed settlement in a privacy case was "fair, reasonable, and adequate" or if the case was properly before the Court. The case involves Google's disclosure of search histories to third parties without consent, a business practice that could violate several privacy laws. Under the terms of the settlement, there was no benefit to Internet users and Google was not prohibited from continuing the allegedly unlawful practice. In an amicus brief, EPIC stated, "the proposed settlement is bad for consumers and does nothing to change Google's business practices." EPIC and several organizations objected to the original settlement on three separate occasions. EPIC routinely opposes settlements that fail to provide an actual benefit to Internet users. In this case, the Justices ordered the parties to address whether the Spokeo v. Robins decision permits consumer privacy cases to go forward. EPIC filed a brief in Spokeo in support of consumers, and has filed similar briefs siding with consumers in several other cases.
  • FTC Announces Task Force on Competition in Tech » (Feb. 26, 2019)
    The FTC announced a new task force dedicated to monitoring U.S. technology markets and investigating anticompetitive conduct. FTC Chairman Joe Simons said "it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition." According to the FTC, the Technology Task Force will examine "prospective merger reviews" and will review "consummated technology mergers." EPIC objected to Facebook's acquisition of WhatsApp in 2014 and Google's acquisition of DoubleClick in 2007. EPIC has called on the FTC to require Google to divest Nest, after reports that the company hid listening devices in the home thermostat, and pressed the Commission to use its equitable authorities, including divestiture, to enforce consent orders.
  • EPIC to FTC: After Home Spying Reports, Google Should Divest Nest » (Feb. 20, 2019)
    Following reports that Google installed secret listening devices in the home security product Nest, EPIC asked the Federal Trade Commission to require Google to spin off Nest and to disgorge the data obtained from Nest users. It is a federal crime to intercept private communications or to plant a listening device in a private residence. In 2014, EPIC filed a complaint with the Commission regarding a related merger review and noted specifically that the "Commission clearly failed to address the significant privacy concerns presented in the Google acquisition of Nest." EPIC also said at the time that the "early termination" approval of the Google/Nest merger was surprising given the Commission's extensive consideration of the Google acquisition of DoubleClick. Both the Senate Commerce Committee and the House Energy and Commerce Committee have expressed interest in merger review in the tech industry.
  • European Court Adviser Says Right to be Forgotten Need Not Be Applied Worldwide » (Jan. 11, 2019)
    The opinion of a key adviser to Europe's top court finds that the "right to be forgotten" need not be applied worldwide. Google v. Commission nationale de l'informatique et des libertés follows a ruling in Google v. Spain that Europeans have a right, in some circumstances, to remove links to their personal data posted online by Google. The advocate general said that while Europeans are entitled to have private information delisted in the EU, search engines do not have to remove links from view in foreign domains even though they make the personal data available in those domains for commercial benefit. EPIC has supported the CNIL's approach instead, contending "the right to privacy is global." The European Court of Justice will now decide whether to adopt the opinion from the Advocate General. EPIC published "The Right to be Forgotten on the Internet: Google v. Spain," an account of the case by former Spanish Privacy Commissioner and EPIC Champion of Freedom Professor Artemi Rallo.
  • Consumer and Privacy Organizations Propose Framework for U.S. Data Protection » (Oct. 9, 2018)
    EPIC joined a group of twelve consumer and privacy organizations that submitted a statement to the Senate Commerce Committee in advance of a consumer privacy hearing. The groups outlined a draft framework for data protection in the U.S., advocating that Congress (1) enact baseline federal data protection legislation; (2) limit government access to personal data; (3) establish algorithmic transparency and end discriminatory profiling; (4) prohibit “take it or leave it” and other unfair terms; (5) ensure robust enforcement; (6) promote privacy innovation; and (7) establish a data protection agency. EPIC also submitted a statement to the Committee that highlighted recent breaches at Google and Facebook and the FTC's failure to enforce its own consent orders.
  • FTC to Explore Competition and Consumer Protection Issues at Hearings this Week » (Sep. 12, 2018)
    The FTC is holding a hearing this week to examine the regulation of consumer data, the consumer welfare standard in antitrust law, and vertical mergers. This is the first in a series of hearings on "Competition and Consumer Protection in the 21st Century" that will examine how changes in the economy affect the FTC's enforcement priorities. EPIC and a coalition of consumer groups submitted extensive comments for the hearings. EPIC and the groups said that privacy protection is critical for competition and innovation. EPIC and the groups told the FTC that it should: 1) unwind the Facebook-WhatsApp deal; 2) require Facebook and Google to spin off their advertising units; 3) block future acquisitions by Facebook and Google that would extend monopoly control over consumer data; 4) impose privacy safeguards for all mergers that implicate data privacy; and 5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct. The FTC reopened the investigation of Facebook in March after EPIC and consumer groups filed a formal complaint, but has still taken no action. The UK Information Commissioner completed its initial investigation, published a report, and issued a substantial fine in July.
  • Top European Court Hears Key "Right to Be Forgotten" Case » (Sep. 11, 2018)
    Today the Court of Justice for the European Union heard arguments in Google v. Commission nationale de l'informatique et des libertés concerning the "Right to Be Forgotten." Google v. CNIL follows a ruling in Google v. Spain that Europeans have a right, in some circumstances, to remove links to their personal data posted online by Google. Google has fought the judgement of the European high court and now is fighting the French agency, continuing to post links to personal data worldwide even after it is found to violate privacy rights in democratic countries. EPIC has supported the CNIL's approach, explaining that "the right to privacy is global." EPIC published "The Right to be Forgotten on the Internet: Google v. Spain," an account of the case by former Spanish Privacy Commissioner Artemi Rallo, an EPIC Champion of Freedom.
  • Following EPIC Complaint, FTC Acknowledges Review of Google Consent Order » (Aug. 22, 2018)
    The FTC confirmed this week that it is investigating Google's compliance with the 2011 consent order. EPIC sent a letter to the FTC last week urging the Commission to determine whether Google violated the consent order following a report that Google tracked user location even when users opt out. EPIC explained that modifying the "privacy policy" after obtaining the location data from users would not comply with the FTC's consent order. In the response to EPIC, the agency said that FTC attorneys monitor compliance with the agency's consumer protection orders and "the Google order is undergoing just such a review." The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups, Google entered into a settlement, and Buzz was shuttered. FTC chairman Jon Leibowitz said at the time, "When companies make privacy pledges, they need to honor them. This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."
  • EPIC to FTC: Google's Location Tracking Violates Consent Order » (Aug. 17, 2018)
    Following a report that Google tracks user location even when users opt out, EPIC wrote to the FTC that Google violated the 2011 consent order. EPIC said "Google's subsequent changes to its policy, after it has already obtained location data on Internet users, fails to comply with the 2011 order." EPIC also told the FTC that "The Commission's inactions have made the Internet less safe and less secure for users and consumers." The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups, Google entered into a settlement, and Buzz was shuttered. FTC chairman Jon Leibowitz said at the time, "When companies make privacy pledges, they need to honor them. This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."
  • EPIC Urges Supreme Court to Protect Internet Users in Controversial Class Action Settlement » (Jul. 16, 2018)
    EPIC has filed an amicus brief in Frank v. Gaos, concerning a class action settlement that provided no benefit to Internet users and no change in the business practices of defendant Google. EPIC said the settlement was not "fair, reasonable, and adequate." The case involves Google's disclosure of Internet user search histories to third parties without user consent, a business practice that could violate federal and state privacy law. EPIC stated, "The proposed settlement is bad for consumers and does nothing to change Google's business practices." A federal appeals court narrowly approved that settlement, 2-1, with the dissenting judge warning that courts must be on the lookout "not only for explicit collusion, but also for more subtle signs that class counsel have allowed pursuit of their own self-interests." EPIC said that, "cy pres requires vigilant judicial oversight to guard against the risks of collusion and ensure that judges are not rubber-stamping settlements that pay attorneys while failing to benefit class members." EPIC and several consumer privacy organizations objected to the original settlement on three separate occasions. EPIC routinely opposes class action settlements that fail to provide a benefit to Internet users.
  • EPIC Renews Call for FTC to Stop Google's Tracking of Consumer Purchases » (May. 7, 2018)
    EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Google's tracking of consumer purchases. EPIC told the FTC that "this tracking of consumer purchases is without precedent and also raises questions as to what else Google does with the consumer data it obtains." EPIC originally filed the Complaint with the FTC on July 31, 2017. The Complaint alleges that Google collects billions of credit and debit card transactions and links that data to the activities of Internet users. Google claims to protect privacy but refuses to provide any details about a secret algorithm it uses, making it impossible for consumers to verify that their privacy is protected. EPIC has filed numerous complaints with the FTC, including the complaints that led to the FTC's 2011 Google Buzz Order and the 2011 Facebook Order. The FTC recently welcomed a new Chairman and three new Commissioners.
  • Supreme Court To Review Fairness of Cy Pres Awards In Class Action Settlements » (Apr. 30, 2018)
    The Supreme Court today granted certiorari to address for the first time whether a class action settlement that awards cy pres but provides no direct relief to class members is "fair, reasonable, and adequate." The case, Frank v. Gaos, involves a settlement arising from Google's tracking of Internet users by circumventing their browsers' privacy settings. The settlement awarded cy pres funds to several organizations but resulted in no change in Google's business practices nor payments to class members. EPIC objected to the proposed settlement on three separate occasions, arguing that, "The proposed settlement is bad for consumers and does nothing to change Google's business practices. The company will simply revise its notice so that it may continue to engage in the privacy-invading practice that class counsel claimed at one time provided the basis for class action certification and monetary relief." EPIC has routinely opposed class action settlements that fail to compensate class members or change business practices. In 2013, Chief Justice John Roberts wrote that the Court would soon need to address "fundamental concerns" surrounding the use of cy pres in class action settlements. EPIC has proposed an objective basis to evaluate cy pres awards.
  • EPIC Urges Congress to Require Algorithmic Transparency For Dominant Internet Firms » (Apr. 25, 2018)
    In advance of a hearing on Filtering Practices of Social Media Companies, EPIC has sent a statement to the House Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But last year, after a seven-year investigation, the European Commission found that Google rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors.
  • EPIC, Consumer Groups Urge FTC To Investigate Facebook » (Mar. 20, 2018)
    In a statement issued today, EPIC and a coalition of consumer groups have called on the Federal Trade Commission to determine whether Facebook violated a 2011 Consent Order when it facilitated the transfer of personal data of 50 million Facebook users to the data mining firm Cambridge Analytica. The groups had repeatedly urged the FTC to enforce its own legal judgements. EPIC even sued the agency in 2012 for its failure to enforce a consent order against Google. "The FTC's failure to act imperils not only privacy but democracy as well," the groups warned. Between 2009 and 2011 EPIC and other consumer groups undertook extensive work to document Facebook's privacy abuses that led to the consent order in 2011.
  • Axios Poll: Public Wants Big Tech Regulated » (Feb. 28, 2018)
    A new Axios-SurveyMonkey poll found that 55% of Americans believe the government should do more to regulate tech companies such as Google and Facebook. The poll showed bipartisan support for increased regulation, with 45% of Republicans, 64% of Democrats, and 57% of Independents saying they are "more concerned" that the government will not go far enough to regulate tech. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs.
  • Group Asks Supreme Court to Weigh In on Fairness of Google Tracking Settlement » (Jan. 8, 2018)
    The Center for Class Action Fairness has asked the U.S. Supreme Court to decide whether a settlement that awards funds to certain organizations and fails to compensate injured class members is fair. The settlement involved Google's tracking of Internet users in violation of users' privacy settings but resulted in no change in business practices or payment to class members. Some of the organizations that received class settlement funds are separately funded by Google. EPIC recently filed an amicus brief opposing a similar settlement in a related class action against Google. EPIC has also opposed settlements against Facebook and Google that failed to compensate class members or change business practices. EPIC President Marc Rotenberg has proposed an objective basis to evaluate settlement proposals. The Supreme Court has yet to address cy pres fairness, but Chief Justice John Roberts, in Marek v. Lane concerning Facebook's Beacon program, echoed the concerns of EPIC when he wrote that the "vast majority of Beacon's victims" got nothing.
  • EPIC Offers 10 Recommendations for the FTC's Five-Year Strategic Plan » (Dec. 5, 2017)
    EPIC has submitted 10 recommendations for the Federal Trade Commission's "Draft Strategic Plan" for 2018-2022. EPIC explained how the FTC can protect consumers, promote competition, and encourage innovation. Among the several proposals, EPIC urged the FTC to enforce consent orders, incorporate public comments into settlements, promote transparency, produce concrete outcomes, and endorse data protection legislation. EPIC and several consumer privacy groups outlined these proposals in a letter to the FTC in February, 2017. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers, and even filed a lawsuit in 2012 to get the FTC to enforce an existing consent order against Google. EPIC has also filed several consumer privacy complaints with the FTC, including a recent complaint about "toys that spy."
  • EPIC Challenges Google Cookie Tracking Settlement as Unfair to Class Members » (Nov. 22, 2017)
    EPIC filed an amicus with a federal appeals court urging the court to reject a proposed class action settlement in a consumer privacy case. The case involved Google tracking internet users in violation of the users' privacy settings. EPIC said the settlement resulted in no change in business practices and wrongly awarded cy pres funds to organizations that Google would otherwise support. The settlement was also opposed by the Attorneys General of thirteen states. EPIC, the Center for Digital Democracy, and US PIRG were the groups that warned the FTC in 2007 that the Google-DoubleClick merger would lead to the internet tracking practices at issue in the settlement. EPIC's 2010 FTC complaint regarding Google Buzz also led to the FTC's Consent Order with Google that enabled the Commission to pursue related charges against Google. EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement.
  • Missouri AG Cites EPIC's FTC Complaint in Announcing its Investigation into Google » (Nov. 13, 2017)
    Missouri Attorney General Josh Hawley has announced an investigation into Google's business practices concerning Internet privacy. The investigation also examines whether Google misappropriated content from competitors' websites and manipulated search results to preference Google sites. The Missouri AG stated, "when a company has access to as much consumer information as Google does, it's my duty to ensure they are using it appropriately." The announcement highlighted EPIC's recent FTC Complaint against Google regarding the company's tracking of in-store purchases as well as the record fine by the European Union for monopolistic search practices. Under the leadership of then Connecticut Attorney General Richard Blumenthal, the state Attorneys General previously investigated Google for the unlawful interception of private communications by means of the Google "Street View" vehicles. The state AGs fined Google $7,000,000 when it was found that the company "casually scooped up passwords, e-mail and other personal information from unsuspecting computer users."
  • EPIC Calls for Greater FTC Enforcement » (Sep. 28, 2017)
    In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders.
  • EPIC Urges Public Comments on FTC Settlement with Uber » (Sep. 6, 2017)
    EPIC is urging the public to comment on the proposed FTC settlement with Uber regarding consumer privacy. (Federal Register Notice). The FTC settlement follows EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. The proposed settlement requires regular privacy audits of Uber by third parties but fails to make substantial changes in the company's business practices or require the company to delete the personal data that was wrongfully obtained. The deadline to file a comment with the FTC is September 15, 2017. The FTC is required to consider public comments before finalizing a proposed settlement. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC also recently filed an FTC complaint to stop Google from tracking in-store purchases.
  • Following EPIC Complaint, Uber Agrees To Stop Tracking Riders » (Aug. 29, 2017)
    Uber has ended the practice of tracking customers before and after they are picked up. In 2015, Uber announced the company would track the location of riders from the time they ordered a ride until after they had reached their destination. EPIC promptly filed a complaint with the FTC and stated that "This collection of user's information far exceeds what customers expect from the transportation service." The end to Uber's tracking of riders comes two weeks after Uber entered into a consent agreement with the FTC following a complaint filed by EPIC that highlighted Uber's history of misusing customer data. But EPIC said the FTC settlement does not go far enough. "The FTC should have imposed stronger sanctions on Uber, required the company to disgorge the personal data it had unlawfully obtained, and required the company to restore the original privacy settings," said EPIC President Marc Rotenberg. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases.
  • Appeals Court OKs Collusive Google Privacy Settlement » (Aug. 23, 2017)
    A divided federal appeals court has upheld a decision that allows Google to continue consumer privacy violations by means of a collusive settlement. Though the case concerns Google's illegal disclosure of personal data from 129 million consumers, the settlement fails to compensate those consumers, does nothing to change Google's business practices, and diverts funds to organizations that don’t protect consumer privacy. The dissenting judge wrote that the settlement "raises a red flag" because "47% of the settlement fund is being donated to the alma maters of class counsel." EPIC twice urged the lower court to reject the settlement, arguing that it did nothing for class members and would allow Google to "continue to engage in the privacy-invading practice." EPIC has long urged courts to reject collusive settlements and has proposed objective criteria for courts to follow in class action cases.
  • After EPIC Privacy Complaint, Uber Settles with FTC » (Aug. 15, 2017)
    After an EPIC complaint about Uber's privacy practices, Uber has entered into a consent agreement with the FTC. The agreement prohibits Uber from misrepresenting how it monitors or secures consumer information. As with most FTC privacy settlements, the agreement also requires Uber to implement a comprehensive privacy program and obtain periodic independent third-party audits. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases.
  • UK Government Releases Statement of Intent Describing New Data Protection Bill » (Aug. 10, 2017)
    The UK has released a statement of intent describing a forthcoming bill that would make major revisions to the country's data protection law. The new rules would follow the EU's General Data Protection Regulation by strengthening rules for obtaining consent, making it easier for consumers to withdraw consent, and improving consumers' ability to access, move, and remove data about themselves. The bill would also expand the definition of "personal data" to include DNA and IP addresses and would make it a crime to re-identify individuals from anonymized data. EPIC supported the GDPR and the right to be forgotten, has explained that IP addresses are personal data, and has warned of the risks of improperly "de-identified" data. EPIC recently filed a complaint asking the FTC to investigate Google's use of a proprietary, secret algorithm Google claims can "de-identify" consumers while tracking their purchases.
  • EPIC Files FTC Complaint to Stop Google from Tracking In-Store Purchases » (Jul. 31, 2017)
    EPIC has filed a complaint with the FTC asking the Commission to investigate Google's tracking of in-store purchases. According to EPIC, Google collects billions of credit and debit card transactions and then links that personal data to the activities of Internet users. Google claims that it protects online privacy but refuses to reveal details of the algorithm that "deidentifies" consumers while tracking their purchases. EPIC's complaint asks the FTC to stop Google's tracking of in-store purchases and determine whether Google adequately protects consumer privacy. EPIC has filed several successful FTC complaints that led to FTC investigations, including complaints about changes to Facebook's privacy preferences and the launch of Google Buzz. EPIC has also focused on the adequacy of privacy techniques, with complaints against AskEraser (search histories that are not deleted) and Snapchat (images that do not "vanish"). EPIC's recent complaint against Google notes that the company is seeking to extend its dominance of online advertising to the physical world.
  • Google Faces Record Fine for Monopolistic Search Practices » (Jun. 27, 2017)
    European antitrust officials have imposed a $2.7 billion fine on Google for favoring its own services over competitors on Google search, which now dominates 90% of the market in Europe. It is the largest antitrust fine in European history. European Commissioner Margrethe Vestager stated "Google has abused its market dominance in search by promoting its own services and demoting its competitors. What Google has done is illegal under EU antitrust rules. It has denied other companies the chance to compete on the merits and to innovate. And most importantly, it has denied European consumers the benefits of competition, genuine choice, and innovation." Google competitors and news organizations, based in the United States, favored the outcome. Over many years, EPIC had urged the US government to take a closer look at Google's anti-competitive practices. In testimony before the Senate Judiciary Committee in 2007, EPIC warned that Google's growing dominance of online advertising would diminish user privacy and market competition. In a statement to the FTC in 2011, EPIC explained that Google altered the search rankings of YouTube after it acquired the company to preference Google's content over that of competitors and NGOs, including EPIC. In 2012, EPIC told the FTC that "Google's business practices raise concerns related to both competition and the implementation of the Commission's consent order." EPIC later sued the FTC for its failure to enforce the consent order.
  • Google to End Email Content Scanning » (Jun. 23, 2017)
    After a decade of controversy, Google announced that it will stop scanning the content of all Gmail. Google stopped scanning e-mails for education in 2014 after a lawsuit charged that it violated wiretap laws. Google faced similar allegations in many other cases in the United States and around the world. EPIC warned about Google's e-mail scanning practices back in 2005 and filed a complaint with the FTC in 2009 over the privacy risks in Google's insecure cloud computing services, including Gmail. In 2014, EPIC led a successful campaign to stop Google from scanning student emails for commercial advertising. Last year, EPIC filed a friend-of-the-court brief in a Massachusetts case, again objecting to Google's Gmail scanning. EPIC explained in 2005 that Google's email service undermined online privacy and prevented the adoption of important security methods, such as end-to-end encryption.
  • News Report: FTC to Act on EPIC's Uber Complaint » (Jun. 15, 2017)
    According to news reports, the FTC is pursuing EPIC's privacy complaint regarding Uber. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC complaints typically lead to settlements following a change in business practices. EPIC has also recommended comprehensive privacy legislation for Uber.
  • Google Settles Wiretapping Suit, Shifts Scanning of Gmail Messages to Servers » (Dec. 15, 2016)
    Google and lawyers for a class of Gmail users have reached a settlement in a case concerning the company's interception of private emails. The 2015 lawsuit accused Google of violating the federal Wiretap Act and California law by surreptitiously scanning Gmail messages for advertising revenue. Google has now agreed "to eliminate any processing of email content" for advertising purposes "prior to the point" when a Gmail user can retrieve email, but scanning of Gmail users (and non-Gmail users) on Google's servers will continue. EPIC recently filed an amicus brief in a related case before the Massachusetts Supreme Court, calling attention to Google's "systematic data mining of millions of private email messages" as a clear violation of the state's Wiretap Act. EPIC has also warned of collusive settlements in consumer privacy cases that enrich lawyers and leave business practices essentially unchanged.
  • Google "Quietly" Changes Privacy Policy, Matches Tracking Data and User ID » (Oct. 25, 2016)
    Ars Technica reported this week that Google "quietly" changed its privacy policy this summer to combine tracking data and user ID - data it had previously promised to keep separated. The revised policy now says that "your activity on other sites and apps may be associated with your personal information" for ad delivery. In 2007, EPIC urged the FTC to block Google's proposed acquisition of Doubleclick, warning that Google would eventually link the Google user profile with the Doubleclick data despite the company's representations. When the FTC approved the merger without conditions, EPIC responded that the FTC "had reason to act and authority to act, and failed to do so." Currently before the FTC is a complaint from EPIC concerning WhatsApp's plan to transfer user data to Facebook, breaking a privacy promise made by the company at the time of the 2014 acquisition to act "independently and autonomously."
  • EPIC Urges Massachusetts High Court to Protect Email Privacy » (Oct. 24, 2016)
    EPIC has filed an amicus brief in the Massachusetts Supreme Judicial Court regarding email privacy. At issue is Google's scanning of the email of non-Gmail users. EPIC argued that this is prohibited by the Massachusetts Wiretap Act. EPIC described Google's complex scanning and analysis of private communications, concluding that it was far more invasive than the interception of a telephone communication, prohibited by state law. A federal court in California recently ruled that non-Gmail users may sue Google for violation of the state wiretap law. EPIC has filed many amicus briefs in federal and state courts and participated in the successful litigation of a cellphone privacy case before the Massachusetts Judicial Court. The EPIC State Policy Project is based in Somerville, Massachusetts.
  • Supreme Court Won't Review Privacy Violations by Facebook, Google » (Oct. 4, 2016)
    The U.S. Supreme Court has declined to review two important consumer privacy cases: K.D. v. Facebook, a suit challenging Facebook’s use of young children’s names and images in advertising without consent, and Gourley v. Google, a suit opposing Google’s covert use of web cookies to track browsing habits. In K.D., consumers urged the Supreme Court to review a Ninth Circuit opinion, which upheld a controversial settlement. EPIC filed an amicus brief in a companion case, Fraley v. Facebook, explaining that a settlement that allows a company to continue to engage in privacy violations is unfair. In Gourley, consumers asked the Court to overrule a Third Circuit decision holding that Google's exploitation of browser privacy loopholes did not violate the Wiretap Act or Stored Communications Act.
  • EPIC FOIA: Google Secretly Attempted to Narrow FCC Privacy Protections, Exclude Customer IP Addresses » (Oct. 4, 2016)
    In response to a Freedom of Information Act request filed by EPIC, the Federal Communications Commission has released communications about the FCC’s broadband privacy rulemaking. One of the key proposals for the privacy rules concerns the scope of consumer data covered by the rule, such as a customer’s IP address. An email exchange between Google’s Vinton Cerf and FCC Chairman Tom Wheeler reveals Google’s backdoor efforts to narrow the scope of the proposed rules to exclude privacy protections for customers’ IP addresses. While EPIC has repeatedly argued that the FCC’s rules can and should go further, the current proposal would safeguard some consumer data, including IP addresses.
  • Senate Examines FTC's Antitrust Enforcement » (Apr. 13, 2016)
    The Senate Judiciary Committee recently examined the scope and application of the FTC's Section 5 antitrust enforcement authority at the hearing "Section 5 and 'Unfair Methods of Competition': Protecting Competition or Increasing Uncertainty?" EPIC Advisory Board member Tim Wu testified in support of the agency's approach, which he called "an important protection for competition." EPIC has urged the FTC to use Section 5 authority to protect consumers, arguing against Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp. EPIC has also recommended a transparent process for evaluation of substantial changes in business practices by companies subject to FTC consent orders.
  • EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order » (Apr. 1, 2016)
    Google's April Fool's joke — a change in the operation of Gmail without user consent — has backfired, spectacularly. Many Gmail users inadvertently enabled the "Mic Drop" button on important emails, allowing Google to insert a GIF into their reply and then irreversibly mute the conversation. Users were outraged and Google reversed the change. EPIC informed the FTC that Google's prank also likely violates the FTC's 2011 consent order with the company following the rollout of Google Buzz. EPIC has repeatedly urged the FTC to enforce this consent order against Google, which requires the company to obtain "express affirmative consent" before changing its business practices.
  • Google Concedes "Right to be Forgotten" Applies Worldwide » (Feb. 11, 2016)
    After waging an unproductive battle against the privacy rights of Internet users, Google will finally remove links to sensitive personal information. Google had challenged the legal authority of the Spanish people to protect their personal information, but lost the case Google v. Spain before the top court in Europe. Google then claimed that the links to personal data should only be removed in the country where the Internet user resided. Privacy experts said Google's position made no sense for the "global Internet." The French data protection agency threatened Google with sanctions. Google again fought back, claiming it did not need to comply with the decision of the Court of Justice of the European Union. Now the company has decided to comply with the law.
  • Senator Franken Presses Google on Student Privacy » (Jan. 16, 2016)
    Senator Al Franken (D-MN) asked Google to explain what the company does with student data, including: what types of data Google collects, to whom Google discloses student information, and whether students and schools “have control over what data is being collected and how the data are being used?” Senator Franken stated, “I believe Americans have a fundamental right to privacy, and that right includes a student or parent’s access to information about what data are being collected about them and how the data are being used.” EPIC has called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework.
  • Federal Appeals Court Revives Google Cookie Tracking Suit » (Nov. 12, 2015)
    A federal appeals court has reinstated a class action alleging that Google and internet advertising companies unlawfully placed tracking cookies on users' web browsers. A reasonable jury could conclude that Google's "deceitful override of the plaintiffs' cookie blockers" constitutes a "serious invasion of privacy" under California law. The appeals court also held that tracked URLs could constitute "content" under the federal Wiretap Act, though it ultimately upheld the dismissal of all federal law claims for other reasons. EPIC filed an amicus brief in a similar case, arguing that Viacom's disclosure of IP addresses and unique device identifiers to Google violated the Video Privacy Protection Act.
  • News Reports: FTC Investigating Google Anti-Competitive Practices » (Sep. 28, 2015)
    According to the New York Times and Bloomberg News, the FTC is investigating whether Google unfairly prioritizes its own products on the Android platform. Google bundles several Google products on the Android platform and requires manufacturers to install them directly onto smartphones. DOJ pursued antitrust violations against Microsoft for this type of "tying" or "bundling" practice. EPIC previously urged the Senate and the FTC to investigate Google's business practices because of the privacy implications. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of former FTC Commissioner Pamela Harbour, who cited the close ties between monopoly practices and privacy violations.
  • Google Ordered to Comply with Ruling of European High Court » (Sep. 21, 2015)
    The French Data Protection Authority, the "CNIL," has ordered Google to comply with the judgement of the Court of Justice of the European Union concerning the "Right to be Forgotten." The CNIL rejected Google's proposal to remove only a few links to the personal information it publicized widely around the world. The President of the CNIL said the decision "simply requests full observance of European legislation by non European players offering their services in Europe." EPIC has previously explained that the right to privacy is global and that the position of Google, as an operator of search engines around the world, does not make sense.
  • After Losing Appeal, Google Moves to Block Scope of European Privacy Right » (Jul. 30, 2015)
    Google has indicated that it does not intend to comply with a judgement of the high court in Europe after earlier losing its appeal in Google v. Spain. Earlier this year, the French Data Protection agency, consistent with the landmark decision of the European Court of Justice, instructed Google to delist certain links in all domains in which the search company operates. A recently leaked version of a Google transparency report found that the vast majority of requests for delisting concern private matters of private individuals. Support for the "right to be forgotten" continues to grow around the world with courts in Japan, Canada, and the United States acknowledging similar claims.
  • Judge Approves Laughably Bad, Collusive Class Action Settlement » (Apr. 3, 2015)
    A federal judge has approved a settlement involving Google after the company routinely disclosed the search histories of Internet users to third parties in violation of federal law. Under the settlement, Google will continue the practice and the attorneys will receive several million in fees. Google will also distribute millions to the schools the lawyers attended. None of the class members will receive any benefit. A coalition of consumer privacy organizations, including EPIC, twice urged the judge to reject the settlement. The groups cited an opinion by Supreme Court Chief Justice John Roberts about a similarly collusive settlement.
  • EPIC Pursues Investigation of FTC's 2012 Investigation of Google » (Mar. 26, 2015)
    EPIC has filed a FOIA request with the Federal Trade Commission, reopening a 2013 FOIA request from EPIC regarding the Commission's Google antitrust investigation. After the agency closed the investigation in 2013, EPIC asked for agency communications with the White House. The FTC denied having any such records. Now, the Wall Street Journal has reported that the Chairman of the FTC attended White House meetings on the same day as Google lobbyists. EPIC also filed a request this week for the FTC staff reports recommending that the agency file an antitrust lawsuit against Google.
  • EPIC Pursues Reports from FTC's 2012 Investigation of Google » (Mar. 24, 2015)
    EPIC has filed a FOIA request with the Federal Trade Commission, seeking the two reports prepared by agency staff during the 2012 Google antitrust investigation. After the agency closed the investigation in 2013, EPIC asked for agency communications with the White House. Now, the Wall Street Journal has obtained a report revealing that the Commission ignored recommendations to reform Google's anticompetitive practices. EPIC warned the FTC in 2011 about Google's search ranking manipulation after the company acquired YouTube.
  • Wall Street Journal Reveals FTC Ignored Google's Anticompetitive Practices » (Mar. 23, 2015)
    According to an internal document obtained by the WSJ, in 2012 the Federal Trade Commission ignored recommendations to reform Google's anticompetitive practices. The FTC staff report concluded that Google's "conduct has resulted-and will result-in real harm to consumers and to innovation in the online search and advertising markets." The internal FTC report said the company illegally took content from rival websites to improve its own rankings and "[w]hen competitors asked Google to stop taking their content, it threatened to remove them from its search engine." The report also found that Google altered search results "to benefit its own services at the expense of rivals." In 2011 EPIC detailed for the FTC Google's manipulation of rankings for a search on the term "privacy" after it acquired YouTube. EPIC pursued a FOIA request for agency communications with the White House after the agency closed the investigation.
  • Most U.S. Voters Want "Right to Be Forgotten" » (Mar. 20, 2015)
    According to a new survey, nine out of ten voters in the United States want the right to delete links to personal information. Those voters say they would support a U.S. law that permits Internet users to ask search companies, such as Google, to remove links to certain personal information. Last May the top court in the European Union established the "right to be forgotten" as a fundamental right, protected by the EU Constitution. EU citizens may require search companies to remove personal information that is inadequate, irrelevant, and inaccurate. The recent US survey bolsters the findings of a previous US survey which found that 61% of Americans supported the right to be forgotten. EPIC has argued that the right should be established in the United States.
  • EPIC Files Comments with FTC on Merger Review and Consumer Privacy » (Mar. 18, 2015)
    EPIC, along with 26 technical experts and legal scholars, has submitted extensive comments for the FTC's review of the merger remedy process. EPIC urged the Commission to consider the privacy risks to consumers that result from the merger of big data firms. The comments detailed EPIC's efforts, over 15 years, to warn the FTC about such mergers as Abacus and DoubleClick, then DoubleClick and Google, AOL and Time Warner, and most recently Facebook and WhatsApp. EPIC urged the FTC to assess both the competitive and privacy impacts of mergers, and to enforce privacy commitments prior to granting merger approval.
  • Consumer Groups Urge FTC Review of Data Consolidation » (Feb. 9, 2015)
    A coalition of consumer groups has asked the Federal Trade Commission to undertake a comprehensive review of the impact on the American public of the growing consolidation of consumer data in the digital marketing industry. The groups asked the FTC to launch an investigation and hold a public workshop on protecting privacy in online transactions. EPIC has repeatedly urged the FTC to undertake a similar review. In 2007, EPIC opposed Google's acquisition of Doubleclick, the Internet advertising firm, citing the risks of growing consolidation of user data. In 2000, EPIC also opposed Doubleclick's acquisition of Abacus, a large catalog database firm. Privacy officials outside the US have begun to scrutinize these deals more closely.
  • Dutch Privacy Officials Find Google Violates National Privacy Law » (Dec. 16, 2014)
    The Dutch Data Protection Authority has found that Google's 2012 privacy policy change violates Dutch data protection law. Google's policy change, which EPIC also opposed, consolidated user data across more than 60 separate services and gave Google the ability to track and profile users in extraordinary detail. The Dutch DPA has ordered Google to: (1) obtain "unambiguous consent of users for the combining of personal data" from different Google services; (2) describe in detail how the personal data are used by each Google service; and (3) clearly explain to consumers that YouTube is a Google service. Google must comply with the Dutch officials' order by February 2015 or face $19 million in fines. In issuing the decision, Jacob Kohnstamm, chairman of the Dutch DPA, stated, "Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested." In 2012, EPIC sued the Federal Trade Commission to block Google's 2012 policy change, which violated a 2011 FTC Consent Order. That Consent Order followed an extensive EPIC FTC Complaint and findings by the FTC concerning Google's business practices. For more information, see EPIC: EPIC v. FTC (Enforcement of the Google Consent Order), EPIC: In re Google Buzz, and EPIC: Federal Trade Commission.
  • Federal Judge - Google Privacy Settlement "Fails Smell Test" » (Sep. 2, 2014)
    A federal judge reviewing a proposed class action settlement in a case concerning Google's disclosure of user data to third parties has said "it doesn't pass the smell test." A coalition of consumer privacy organizations, including EPIC, urged the judge to reject the settlement because it required no substantial change in Google's business practices and provided no benefit to class members. The consumer privacy organizations wrote to the judge when the settlement was first proposed and again last week, before the final fairness hearing. The groups cited the skepticism expressed by Supreme Court Chief Justice John Roberts about a similar privacy settlement. The consumer privacy groups also alerted the FTC Class Action Fairness Project and the California Attorney General about the pending settlement. For more information, see EPIC: Search Engine Privacy.
  • Consumer Privacy Organizations Urge Judge to Reject "Privacy Settlement" » (Aug. 27, 2014)
    EPIC, joined by leading consumer protection organizations, has asked a federal judge to reject a proposed class action settlement in In re Google Referrer Header Litigation. The settlement requires no substantial change in Google's business practices and provides no benefit to class members. EPIC wrote to the same judge last year when the settlement was first proposed, urging him not to approve. The Federal Trade Commission and the California Attorney General have opposed a similar settlement. And the Chief Justice of the US Supreme Court has expressed deep skepticism about settlements that provide no benefits to class members. The judge in the Google case will rule on the settlement August 29. For more information, see EPIC: Search Engine Privacy, and EPIC: FTC.
  • Federal Trade Commission Responds to EPIC Regarding Google Settlement » (Aug. 7, 2014)
    The Federal Trade Commission has responded to EPIC's letter urging the agency to oppose a collusive Google class action settlement. The agency stated that it "systematically monitors compliance" with its consumer protection orders and that it "takes alleged violation[s] of an order seriously," but that it cannot publicly disclose details of its investigations until a formal complaint is issued. In 2010, Google was sued for sharing user web browsing information with advertisers. Under the proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and other privacy organizations urged the Commission to formally object because the proposed agreement "confers no monetary relief to class members, compels no change in Google's behavior, and misallocates the cy pres distribution." The agency has a history of filing objections - it filed a similar objection in Fraley v. Facebook, an unfair class action settlement in the Ninth Circuit. For more information see EPIC: FTC and EPIC: Search Engine Privacy.
  • Privacy Lawsuit Against Google for Policy Change Moves Forward » (Jul. 22, 2014)
    A federal court in California has ruled that a class action privacy lawsuit against Google can continue. The plaintiffs are Android users who sued Google in 2012 after the company consolidated user data across many separate services, including Gmail, Google+, and YouTube. They allege that Google concealed a plan to modify its privacy policies and also that Google violated the privacy policy for Google Play. After dismissing similar claims, the court held that the case may now go forward. In 2012, EPIC objected to the same change in Google's policy and urged the Federal Trade Commission to block the change because of a 2011 consent order in which Google agreed not to combine user data without user consent. After the FTC failed to act, EPIC sued the agency. Members of Congress, state Attorneys General, European Justice Officials, technical experts, and IT managers in government and the private sector also expressed concern about the 2012 Google policy change. For more information, see EPIC: EPIC v. FTC (Google Consent Order) and EPIC: FTC.
  • FTC Releases 2014 Data Security Update, But Enforcement Questions Remain » (Jul. 1, 2014)
    The Federal Trade Commission has released the 2014 Privacy and Data Security Update. The report is "an overview of the FTC's enforcement, policy initiatives, and consumer outreach and business guidance in the areas of privacy and data security." In the report, the FTC explains that "If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations." However, the FTC has consistently failed to enforce consent orders with Google, Facebook, and other companies that have engaged in unfair or deceptive trade practices. The Commission has also failed to modify proposed settlement agreements after seeking public comment. For more information, see EPIC: FTC, EPIC: Facebook Privacy, and EPIC: In re: Google Buzz.
  • Supreme Court Rejects Google's Street View Appeal » (Jun. 30, 2014)
    The U.S. Supreme Court has denied a petition from Google to reverse the decision in the Google Street View case. In Joffe v. Google, Internet users sued Google for intercepting private communications, including passwords, medical records, and financial information, of millions of users across the country. EPIC filed a friend of the court brief in support of Internet users, arguing that Wi-Fi communications are not "readily accessible to the general public," and that companies should not intercept communications of private residential networks. The Ninth Circuit agreed and found that the wiretap exception for access to "radio communications" does not apply to Wi-Fi networks. More than twelve countries have investigated Google for its collection of private Wi-Fi data, and at least nine countries have found that Google violated their national wiretap laws. For more information, see EPIC: Joffe v. Google and EPIC: Investigations of Google Street View.
  • Google Plans Advertising on Appliances, Including Nest Thermostat » (May. 22, 2014)
    In a letter to the Securities and Exchange Commission, Google announced plans to place targeted ads on Google-controlled appliances. Google wrote that "a few years from now, we and other companies could be serving ads and other content on refrigerators, car dashboards, thermostats, glasses, and watches, to name just a few possibilities." The proposal raises significant privacy concerns for the "Internet of Things." Earlier this year, EPIC warned the FTC about Google's acquisition of Nest Labs, makers of a smart thermostat, that "Google regularly collapses the privacy policies of the companies it acquires." Nonetheless, the Commission approved Google's acquisition without further review. For more information, see EPIC: In re: WhatsApp, EPIC: Google/Doubleclick and EPIC: FTC.
  • EPIC Obtains Letter Concerning Justice Department Non-Investigation of Google Street View » (May. 13, 2014)
    Pursuant to the Freedom of Information Act, EPIC has obtained the closing letter from the Department of Justice to Google attorneys in the Street View matter. The letter briefly mentions Google's interception and collection of private Wi-Fi communications across the United States over several years. The disclosure of the activity occurred after a European data protection authority discovered that Google's "Street View" vehicles also captured private Wi-Fi data. More than 12 countries subsequently investigated Google's programs, and at least 9 countries found Google guilty of violating their laws. The letter from the DOJ states that US officials were aware that Google's "equipment collected 'payload' data, including contents of e-mail and Internet addresses typed by users," but the Department "decided not to seek charges" against Google for violating the Wiretap Act. The Ninth Circuit recently affirmed a federal court's decision to allow a class action lawsuit against Google to move forward for wiretap violations stemming from the Street View program. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google.
  • New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air » (May. 12, 2014)
    New e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on sharing "cyber threat information with the private sector." EPIC previously sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously urged Google to routinely encrypt cloud-based services. PBS Frontline begins a two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see EPIC v. NSA: Google/NSA Relationship and EPIC: Cybersecurity.
  • Google Stops Scanning Student Emails, Ends Data Collection for Advertising » (Apr. 30, 2014)
    Google has announced it will stop scanning student emails for advertising purposes. Google has also stated that it will no longer display new advertisements in its Apps for Education. Google's announcement follows the demise of inBloom, a private company that acquired student data from school districts across the country. Amid public backlash, inBloom announced it was shutting down. Google and inBloom gained access to student data pursuant to the Education Department's revised regulations that significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. EPIC had previously sued the Education Department for weakening the privacy law that protects student data. Earlier this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy.
  • Patent to Block Facial Recognition Follows Sale of Google Glass » (Apr. 25, 2014)
    A patent for a technology that shields users from nearby video cameras has emerged. The patent describes a detector that would blur the images of people on portable camera displays, preventing video surveillance. The patent surfaced following Google's release of Google Glass for sale by the general public. Google is seeking a patent for a contact lens style for Glass that would escape public detection. Google is also seeking to trademark the word "glass," which the US Patent and Trademark Office opposes. EPIC previously submitted comments to the Federal Trade Commission recommending the suspension of facial recognition techniques pending the establishment of privacy safeguards. For more information, see EPIC: Google Glass and Privacy, EPIC: Facial Recognition and EPIC: Federal Trade Commission.
  • Judge Approves Controversial Settlement Over Objection of Consumer Privacy Organizations » (Apr. 1, 2014)
    A federal judge in California has approved a settlement agreement in a lawsuit against Google that will allow the company to continue to sell data about users' browsing history to advertisers. EPIC and several other consumer privacy organizations objected to the settlement, stating that it requires no change in Google's business practices and provides no benefit to those on whose behalf the case was brought. EPIC and the groups also recommended that the court adopt an objective basis for distributing cy pres funds, noting that the awards are often made for the benefit of the lawyers settling the case and not the class members. Class action settlements have come under increasing scrutiny in recent years, with courts increasingly concerned about collusion between attorneys and faux settlements that do not reflect the purpose of the initial lawsuit. In a case that reached the Supreme Court, Chief Justice Roberts said that courts will need to look more closely at these settlements to determine whether they are fair, whether organizations designated to receive funds reflect the interests of class members, and also the obligation of judges to carefully review these proposals. For more information, see EPIC: Search Engine Privacy and EPIC: Google Buzz.
  • French Data Protection Authority Fines Google for Data Consolidation » (Jan. 9, 2014)
    The CNIL, the French data protection authority, has fined Google 150,000 Euro (approximately $200,000) for consolidating user data. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed profiles on Internet users. In 2012, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order.
  • States Reach $17 Million Settlement with Google Over Privacy Violations » (Nov. 18, 2013)
    The Maryland Attorney General Douglas Gansler, joined by attorneys general in 36 states and the District of Columbia, has reached a $17 million settlement with Google over privacy violations. Google violated state consumer protection and privacy law by placing advertising tracking cookies on Safari browsers despite telling users that it would honor the default Safari privacy settings, which prevented the placement of such cookies. The Federal Trade Commission fined Google $22.5 million last year over similar practices which violated an earlier settlement that was the result of a complaint filed by EPIC. EPIC previously objected to the Google-DoubleClick merger on privacy grounds and specifically warned that Google’s use of Doubleclick techniques would lead to impermissible tracking of Internet users. Earlier EPIC had urged the Federal Trade Commission and other consumer protection agencies to support advertising models that are not linked to actual user identity. For more information, see EPIC: Google Buzz, EPIC: Google/DoubleClick Merger.
  • Supreme Court Lets Stand Contested Facebook Settlement, But Chief Justice Cautions About Future Cases » (Nov. 4, 2013)
    The Supreme Court has denied a petition for review in Marek v. Lane, a decision upholding the class action settlement of Facebook’s controversial "Beacon" Program. The settlement provided substantial fees to attorneys, no benefits to class members, and established a funding entity, controlled in part by Facebook. "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement, but concerns have been raised about the misuse of cy pres procedures. Chief Justice Roberts, focusing on the "unusual" allocation of funds in the Facebook matter, suggested that the Supreme Court would eventually need to address "fundamental concerns surrounding the use of such remedies in class action litigation" including "how to assess its fairness as a general matter; whether new entities may be established as part of such relief; if not, how existing entities should be selected; what the respective roles of the judge and parties are in shaping a cy pres remedy; [and] how closely the goals of any enlisted organization must correspond to the interests of the class." EPIC and other consumer privacy organizations have routinely raised similar concerns about abuse of the class action process. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: In re: Google Buzz.
  • Google Announces Plan to Post Names and Photos of Users for Advertising Without Consent, May Violate 2011 FTC Consent Order » (Oct. 11, 2013)
    Google announced changes to its Terms of Service that will allow “your Profile name, Profile photo, and actions you take on Google or on third-party applications” to be used in advertisements. The changes will not require Google to seek the affirmative consent of users before putting their personal information to commercial use. Minors, however, will not be subject to the changes. A 2011 Consent Order with the Federal Trade Commission prohibits Google from making misrepresentations and requires the company to obtain user consent before disclosing information to third parties. EPIC recently objected to similar practices by Facebook that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. For more information, see EPIC: Federal Trade Commission and EPIC: In re Google.
  • Court Rules that Gmail Case Can Go Forward, Internet Users Do Not Consent to Routine Inspection of Private Email » (Sep. 26, 2013)
    A federal district court has ruled that Google may have violated the federal Wiretap Act when it routinely intercepted, read, and acquired the contents of email users for advertising purposes. "The court finds that it cannot conclude that any party -- Gmail users or non-Gmail users -- has consented to Google's reading of e-mail for the purposes of creating user profiles or providing targeted advertising," Judge Lucy Koh stated. The court rejected arguments from Google that the activity occurred in the "ordinary course of business." The court said that the interception must be "instrumental" to the provision of an email service and that Google's business interest was not sufficient to meet that test. The court also found that Google had not obtained consent from users for the ad profiling practices. According to the court, "Google has cited no case that stands for the proposition that users who send emails impliedly consent to interceptions and use of their communications by other . . . than the intended recipient of the email." The ruling also applies to Google Apps for Education, through which Google obtains emails from educational organizations of students, faculty, staff, and alumni. For more information, see EPIC - Gmail Privacy FAQ.
  • Federal Appellate Court Upholds Privacy Protection for Wi-Fi Communications » (Sep. 10, 2013)
    The Court of Appeals for the Ninth Circuit has upheld a lower court ruling against Google in a case arising out of the Street View interception of private Wi-Fi communications. The lawsuit alleges that Google's ongoing interception of Wi-Fi payload data through its Street View program violated several laws, including the federal Wiretap Act. The court rejected Google's arguments that the interception was permissible. The court said that Google's interpretation could have the absurd result of rendering private communications, like email, unprotected simply because the recipient fails to encrypt their Wi-Fi network. Furthermore, the court explained that the unencrypted nature of the Wi-Fi networks did not make the data transmitted over them "readily accessible to the general public" because the data was still difficult for an ordinary person to intercept. EPIC filed a "friend of the court" brief in the case urging the court to uphold legal protections for Wi-Fi communications, and discussing both the intent of the federal law and the operation of a typical home Wi-Fi network. For more information, see EPIC: Ben Joffe v. Google and EPIC: Google Street View.
  • EPIC, Privacy Groups, Urge Court to Reject Proposed Google Settlement » (Aug. 22, 2013)
    EPIC, joined by several leading privacy and consumer protection organizations, submitted a letter to the Northern District of California regarding a proposed settlement in a class-action lawsuit against Google. The settlement was proposed by class action lawyers on behalf of Google users in a case concerning the unlawful disclosure of search terms by Google to third parties. Under the terms of the proposed settlement, Google would be allowed to continue to disclose user search terms to third parties. The letter explains that the proposed settlement "provides no benefit to Class members" because it does not require Google to change its business practices. "Furthermore," the letter states, "the proposed cy pres allocation is not aligned with the interests of the purported Class members." "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. Under Ninth Circuit precedent, cy pres funds must be used to advance the interests of the class members. EPIC previously highlighted the dangers of improper cy pres distributions in settlements. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: Search Engine Privacy and EPIC: Google Buzz.
  • European Privacy Authorities Give Google 3 Months to Comply with Law » (Jun. 20, 2013)
    European data protection authorities have ordered Google to comply with data protection law or face fines. The French Data Protection Authority, which led the investigation into Google's consolidation of user data, said that "Google has not implemented any significant compliance measures" and gave the company three months to comply with its requirements. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google’s changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order.
  • Privacy Officials Seek Answers on Google Glass » (Jun. 19, 2013)
    Over thirty privacy officials, including the Privacy Commissioner of Canada and the Chairman of the Article 29 Working Party, have written to Google demanding information on Google Glass. "[W]e would strongly urge Google to engage in a real dialogue with data protection authorities about Glass," they wrote, and listed eight specific questions, including how Glass complies with privacy laws and how Google intends to use the information collected by Glass. Recently, members of the Bi-Partisan Privacy Caucus wrote to Google with similar questions about Glass. Following the letter, Google announced that it would not approve any facial recognition apps for Glass. For more information, see EPIC: Google Glass.
  • Google Bans Facial Recognition Glass Apps » (Jun. 3, 2013)
    Google announced that it will not approve any facial recognition apps for Google Glass, pending the development of privacy safeguards. "[W]e won't add facial recognition features to our products without having strong privacy protections in place," the company said in a blog post. In comments on facial recognition to the Federal Trade Commission last year, EPIC recommended that the Federal Trade Commission enforce Fair Information Practices against commercial actors when collecting, using, or storing facial recognition data. "In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques," EPIC wrote to the FTC in early 2012. For more information, see EPIC: Facial Recognition and EPIC: Federal Trade Commission.
  • FTC Opens Investigation into Google Advertising Dominance » (May. 29, 2013)
    The Federal Trade Commission has reportedly opened a new antitrust investigation into Google’s display advertising business. The Commission is investigating whether Google used its dominant position in the display advertising market, following the acquisition of Doubleclick, to harm competition. EPIC previously opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. Earlier this year, the Commission closed an antitrust investigation into Google’s search practices. For more information, see EPIC: Federal Trade Commission and EPIC: Google/DoubleClick.
  • EU Takes Action Against Google for Privacy Policy Meltdown » (Apr. 2, 2013)
    Data protection agencies in six European countries have announced enforcement actions against Google. The agencies acted after Google ignored recommendations to comply with European data protection law. "It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," the French data protection authority said. The enforcement action follows from Google's March 2012 decision to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's revised privacy policies also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order.
  • Federal Appeals Court Rejects "Neither Confirm Nor Deny" Defense for Government Secrecy » (Mar. 15, 2013)
    The Court of Appeals for the DC Circuit has ruled that the CIA must respond to an ACLU open government request for records pertaining to drone strikes. The CIA had said it could "neither confirm nor deny" that it had responsive documents. The appeals court found that the agency itself had acknowledged it had such documents. In EPIC v. NSA, a similar challenge to the "Glomar" response, the federal appeals court found that the agency had not acknowledged existence of documents responsive to a FOIA request even though there were widespread news reports of a partnership between Google and the NSA. For more information, see EPIC: EPIC v. NSA: Google/NSA Relationship.
  • States Fine Google for Street View Privacy Violations » (Mar. 12, 2013)
    Attorneys general for 38 states and the District of Columbia today reached a "$7 Million Settlement" with Google over consumer protection and privacy claims. The company engaged in the unauthorized collection of data from wireless networks, including private WiFi networks of residential Internet users. A detailed Assurance of Voluntary Compliance, setting out the terms of the settlement, is now available. In 2010, EPIC urged the Federal Communications Commission to investigate the Google Street View program after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. EPIC subsequently pursued FOIA requests regarding the FCC and the Department of Justice investigations. Federal wiretap claims concerning Street View are still pending in federal court. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google.
  • Europe Prepares Action Against Google » (Feb. 19, 2013)
    The French Data Protection Commissioner, acting on behalf of the European Union, announced it will take action against Google after the company failed to reply to questions about its handling of user information. In October 2012, officials representing 24 countries in Europe sent a letter requiring Google to comply with European data protection laws, and give users greater control over their personal information. The action followed an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google. Google’s policy consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order.
  • FTC Closes Investigation into Google Search Bias » (Jan. 3, 2013)
    The Federal Trade Commission announced that it had concluded its investigation into allegedly anticompetitive practices by Google. The Commission reached a settlement with Google that would give competitors access to patents necessary to make smart phones, laptops, and other devices, and Google voluntarily agreed to stop borrowing others' content for use in its own services. On the issue of search bias, however, the Commission decided to close the investigation without taking action. Despite finding some evidence that changes to the company's search algorithm harmed competitors, the Commission said that these changes "could be plausibly justified as innovations that improved Google's product and the experience of its users." In 2011, EPIC wrote to the Commission about Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. EPIC had also opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. For more information, see EPIC: Federal Trade Commission and EPIC: Google/DoubleClick.
  • FTC Releases 2012 Performance Report » (Nov. 20, 2012)
    The Federal Trade Commission has released its performance and accountability report for 2012. The report summarizes the agency’s activities, shows how the agency has managed its resources, and explains how it plans to address future changes. Regarding consumer privacy, the agency cites the release of a new privacy report, the adoption of a consent order with Facebook, and a $22.5 million fine against Google as its primary accomplishments. The Commission reported that it acted on 90.6% of all consumer complaints that it received, though it did not indicate how many of these actions concerned consumer privacy. The agency’s goals for the coming year include “promot[ing] stronger privacy protections through policy initiatives on a range of topics such as data brokers, mobile devices, and comprehensive online data collection.” Earlier this year, EPIC brought suit against the Federal Trade Commission for its failure to enforce a 2011 consent order. EPIC has also routinely urged the FTC to take account of public comments when the agency sets out proposed settlements and asks for public comments. For more information, see EPIC: Federal Trade Commission and EPIC: EPIC v. FTC (Enforcement of Google Consent Order).
  • Google Transparency Report Reveals Risks of Cloud-based Computing » (Nov. 14, 2012)
    According to a recent report from Google, the company received 20,938 requests for user data in the first half of 2012, up from 18,257 requests in the second half of 2011. The United States accounted for 7,969 requests in the 2012 report. And of these requests, Google provided user data to the US government in 90% of the cases. Over the last several years, Google has pursued an aggressive effort to promote computing services that store personal data on Google's servers even as the number of government requests has grown. And earlier this year, Google reduced safeguards for Gmail users, over the objections of many lawmakers and users, when it consolidated privacy policies across its various Internet services. In 2009, EPIC urged the Federal Trade Commission to look more closely at the privacy risks of cloud-based services. For more, see EPIC - "Cloud Computing".
  • European Data Protection Agencies Order Google to Improve Privacy Practices » (Oct. 16, 2012)
    The French Data Protection Commissioner, acting on behalf of the European Union, has ordered (Appendix) Google to endorse key privacy principles, comply with data protection laws, and give users greater control over their personal information. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed and secret profiles on Internet users. The Commissioner determined that the change violated European data protection laws because Google "does not collect unambiguous consent of the user," and listed 12 steps that Google should implement in order to ensure compliance with the law. Earlier this year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, IT managers in the government and private sectors, and consumer organizations in the United States and Europe. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order.
  • EPIC FOIA Uncovers Google’s Privacy Assessment » (Sep. 28, 2012)
    Through a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained Google's initial privacy assessment. The assessment was required by a settlement between Google and the FTC that followed from a 2010 complaint filed by EPIC over Google Buzz. The FTC has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users. EPIC intends to challenge the agency withholdings. For more information, see EPIC: Federal Trade Commission, EPIC: Google Buzz, and EPIC: Open Government.
  • FTC Fines Google $22.5 Million for Privacy Violations » (Aug. 9, 2012)
    The Federal Trade Commission fined Google $22.5 million for violating the terms of a settlement reached with the company last year. Google violated the settlement by placing advertising tracking cookies on Safari browsers despite telling users that it would honor the default Safari privacy settings, which prevented the placement of such cookies. The settlement prohibits Google from misrepresenting the extent to which it maintains the privacy and security of personal information, and requires the company to submit to independent privacy audits for the next 20 years. The settlement follows from a complaint filed by EPIC over Google Buzz, the social network service launched in early 2010. Google recently consolidated user data across its products and services, prompting objections from European data protection authorities, state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order.
  • In UK, Google Admits It Retains Street View Data » (Jul. 27, 2012)
    In a letter to the UK Information Commissioner, Google has admitted it retained payload data improperly collected by Street View vehicles. Google had promised earlier it would delete the data. The UK privacy agency has now demanded that Google turn over the payload data for examination and forensic analysis. EPIC recently filed an amicus brief in a US federal appeals court, arguing that Google Street View violated federal wiretap law. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google.
  • EPIC Urges Privacy Safeguards for Defense Department Cybersecurity Program » (Jul. 11, 2012)
    EPIC has submitted comments to the Department of Defense, urging the agency to protect individual privacy when it obtains detailed information about Internet users from the private sector. Under current Department regulations, companies are encouraged to provide information about Internet users that may relate to "cyber incidents" and cyber "threats." This is similar to a controversial provision in the Cyber Intelligence Information Protection Act ("CISPA"). EPIC recommended that the agency revise the regulations for the "Cyber Security and Information Assurance" program so that: (1) the program remains voluntary, (2) "cyber incident" and "threat" are narrowly defined, (3) liability is imposed on private companies for disclosing excess user information, (4) the Attorney General conducts annual audits, and (5) the agency adheres to federal privacy laws. EPIC also warned the agency to fully comply with the Freedom of Information Act, which has provided the public with important information about network security. For more information, see EPIC: Cybersecurity and EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship).
  • National Association of Attorneys General to Focus on "Privacy in Digital Age" » (Jun. 22, 2012)
    The National Association of Attorneys General has elected Maryland Attorney General Doug Gansler president during its summer meeting. Gansler announced a new initiative for the organization -- "Privacy in the Digital Age" -- that will “bring the energy and legal weight of this organization to investigate, educate and take necessary steps to ensure that the Internet’s major players protect the privacy of online consumers while balancing their legitimate business interest.” Recently AG Gansler met with consumer and privacy advocates at a meeting hosted by the Privacy Coalition. And earlier this year, the organization sent a letter asking Google for a meeting to discuss the company’s plans to consolidate the personal information of users of Google’s products and services. For more information, see EPIC: Google Consent Order and EPIC: Privacy Preemption Watch.
  • Senator Schumer: High Resolution Mapping Must Respect Privacy » (Jun. 20, 2012)
    Senator Charles Schumer (D-NY) has sent a letter to Apple and Google after the companies announced high-definition, 3-D aerial mapping products. Apple’s Flyover displays detailed images of metropolitan areas, while Google will collect 3-D images for its mapping service. Neither company has indicated if aerial drones will be used to collect imagery. Senator Schumer expressed concern about the privacy implications of the new services. He asked the companies to provide advance notification when the aerial surveillance was to occur, allow individuals to opt out of having their property displayed, and ensure blurring of individuals and sensitive infrastructure. The full scope of Apple and Google's aerial surveillance program is not known. In 2010, it was revealed that Google’s "Street View" vehicles were also collecting vast amounts of personal communications from private wi-fi networks. For more information, see EPIC: Investigations of Google Street View and EPIC: Unmanned Aerial Vehicles and Drones.
  • Swiss Court Sets Out Requirements for Google Street View in Switzerland » (Jun. 8, 2012)
    The Swiss Federal Supreme Court has allowed Google to continue operating its Street View service in Switzerland, subject to certain privacy protections. Google must completely obscure faces and license plates near "sensitive facilities" such as schools and prisons, and must not publish pictures of courtyards or lawns not visible to pedestrians unless the company obtains the owners' consent. Google must also honor requests from people who want to anonymize images of themselves. Recently, the unredacted version of an FCC report revealed that Google intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project. EPIC is pursuing FOIA requests with the FCC and the Department of Justice regarding the agencies' investigations into Google Street View. For more information, see EPIC: Investigations of Google Street View and EPIC: FCC Investigation of Google Street View.
  • French Data Protection Authority Sends New Questions to Google » (May. 25, 2012)
    The CNIL, the French data protection authority, has sent Google new questions regarding its privacy practices after finding the company's previous response was “often incomplete or approximate." The French agency is acting on behalf of governments across Europe that have raised questions about recent changes in Google's business practices. "The fact that Google's position on personal data processings is still unclear on many points after an in-depth exchange with the CNIL raises additional concerns about Google's adequate information of its users," the letter says. Google executives met with the CNIL on Wednesday, but the data protection authority said that many of its concerns had still not been addressed. Google’s decision to consolidate user data from over 60 products and services has also been criticized in the US by Members of Congress, state Attorneys General, and IT managers in government and the private sector. EPIC brought an enforcement action to block the March 1, 2012 changes. For more information, see EPIC: Enforcement of Google Consent Order.
  • On Google Spy-Fi, Senator Durbin Calls for Update to Wiretap Law, FCC Chair Agrees Law Should Protect Unencrypted Communications » (May. 11, 2012)
    In a hearing with Federal Communications Commission Chairman Julius Genachowski, Senator Dick Durbin (D-IL) criticized the agency's decision to issue a mere $25,000 fine against Google following the investigation of Street View data collection. (Hearing video beginning at 64:20) Senator Durbin said that Google's interception and collection of private wi-fi communication was a clear violation of privacy. Chairman Genachowski defended the agency's decision but agreed with the committee chairman that "the law should protect people even if they have unencrypted wi-fi." Senator Durbin said that he would consider changes to the law if that is necessary. Senator Durbin also asked the FCC to provide the legal memoranda supporting the FCC's decision not to find Google guilty of violating the Communications Act. EPIC has a similar FOIA request pending with the agency. For more information, see EPIC: FCC Investigation of Google Street View and EPIC: Electronic Communications Privacy Act.
  • Federal Appeals Court Sides with NSA, Rejects EPIC's Arguments that Agency Should Provide Information About Collaboration with Google » (May. 11, 2012)
    The DC Circuit Court of Appeals ruled today the National Security Agency need neither "confirm nor deny" the existence of any records about the agency's relationship with Google, even after such a collaboration was widely reported in the national media. EPIC filed a Freedom of Information Act (FOIA) request with the NSA following a cyber attack in January 2010 that led Google to contact the NSA. The NSA refused to either confirm or deny the existence of responsive records, claiming that such information is exempt from disclosure under the NSA Act. EPIC challenged this "Glomar" response and argued that the agency had a responsibility to locate records that could be disclosed, but a lower court ruled in favor of the NSA and the appellate court affirmed. EPIC has several other pending FOIA matters concerning the NSA, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. For more information, see EPIC v. NSA: Google / NSA Relationship.
  • Following EPIC FOIA Request to FCC, Google Releases "Spy-Fi" Report » (Apr. 30, 2012)
    Shortly after EPIC filed a Freedom of Information Act request with the Federal Communications Commission for the unredacted version of its report on Google Spy-Fi, Google has released a mostly unredacted version of the report. The FCC Report undercuts the company's prior statements that a rogue engineer was responsible for the payload data collection. Instead, it indicates that Google intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project. EPIC will continue to press for more details on the investigation through FOIA requests to the Federal Communications Commission and the Department of Justice. For more information see EPIC: Investigations of Google Street View.
  • EPIC Pursues Justice Dept. Records of Google Street View Investigation » (Apr. 27, 2012)
    EPIC has submitted a FOIA request to the Department of Justice for documents related to the agency's investigation of Google Street View and possible violations of federal wiretap laws. In an April 26, 2012 letter to the FCC in a related matter, Google claimed that the Department of Justice had "conducted and long ago completed its own thorough examination of the facts" related to the Google Street View matter. EPIC had asked the Justice Department to pursue the matter. EPIC also has a pending FOIA request for the FCC's heavily redacted report on the Google Street View investigation. For more information see EPIC: Investigations of Google Street View.
  • Google Terms of Service Grant Company Broad Rights over Data of Google Drive Users » (Apr. 26, 2012)
    Google’s Terms of Service--which govern Google’s cloud-based file storage, Google Drive--give the company the right to “reproduce, modify, create derivative works” using uploaded content, as well as to “publicly perform, [and] publicly display” files. In 2009, EPIC asked the FTC to require privacy safeguards for Google's cloud-based services. EPIC cited previously-discovered privacy and security flaws, including one that disclosed user-generated documents saved on Google Docs to users of the service who lacked permission to view the files, and another that permitted unauthorized individuals to access user-generated Google Docs content. For more information, see EPIC: Cloud Computing and Privacy.
  • EPIC Demands Details of Federal Communications Commission's Google Investigation » (Apr. 19, 2012)
    EPIC has filed a FOIA request for the unredacted version of the FCC's Google Street View report. The Federal Communications Commission announced that it will fine Google $25,000 for obstructing an investigation concerning Google Street View and federal wiretap law. A heavily redacted report released this week revealed that the Commission found that Google impeded the investigation by "delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions." But the redacted report also raised questions about the scope of the FCC's Street View investigation. Surprisingly, the FCC concluded that Google had not violated the federal wiretap act, even though a federal court recently held otherwise. For more information, see EPIC: Investigations of Google Street View.
  • EPIC Urges Justice Department to Investigate Google for Unlawful Wiretapping » (Apr. 17, 2012)
    EPIC wrote a letter to Attorney General Eric Holder asking the Department of Justice to investigate Google’s collection of Wi-Fi data from residential networks by means of "Street View" vehicles. The Federal Communications Commission recently fined Google $25,000 for obstructing an investigation concerning Street View and federal wiretap law. But as EPIC noted "by the agency’s own admission, the investigation conducted was inadequate and did not address the applicability of federal wiretapping law to Google's interception of emails, usernames, passwords, browsing histories, and other personal information." Members of Congress have expressed support for EPIC's recommendation to the Justice Department. Senator Richard Blumenthal said that "Google's interception and collection of private wireless data potentially violates the Wiretap Act or other federal statutes, and I believe the Justice Department and state attorneys general should fully investigate this matter." Congressman Ed Markey said that "[t]his fine is a mere slap on the wrist for Google," and called for a more comprehensive investigation. Many countries have found Google guilty of violating national privacy laws, and a US federal court recently held that unencrypted wireless network communications are not exempt from the protections of the Wiretap Act. For more information, see EPIC: Investigation of Google Street View and EPIC: Ben Joffe v. Google.
  • FCC Fines Google $25,000 for Failure to Cooperate with Street View Investigation » (Apr. 16, 2012)
    The Federal Communications Commission announced that it will fine Google $25,000 for obstructing an investigation concerning Google Street View and federal wiretap law. The Commission found that Google impeded the investigation by "delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions." In May 2010, EPIC wrote to the FCC and urged the agency to undertake an investigation after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. Shortly afterward, the head of the FCC Bureau of Consumer and Governmental Affairs wrote that Google's behavior "clearly infringes on consumer privacy." Many countries around the world have found Google guilty of violating national privacy laws. Surprisingly, the FCC said that Google had not violated the federal wiretap act, even though a federal court recently held otherwise. For more information, see EPIC: Investigations of Google Street View and EPIC: Ben Joffe v. Google.
  • EPIC Urges Court to Affirm Privacy Protections for Home Wi-Fi Networks » (Apr. 2, 2012)
    EPIC has filed an amicus brief in the Ninth Circuit urging the court to affirm legal protections for users of home Wi-Fi networks. In Joffe v. Google, the plaintiffs sued Google for the interception and capture of private communications transferred over residential Wi-Fi networks. Google argued that it should be exempt from liability under the federal Wiretap Act because Wi-Fi communications are "readily accessible to the general public." However, a lower court held that saying "that a network is unencrypted does not render that network readily accessible to the general public and serve to remove the intentional interception of electronic communications from that network from liability under the ECPA." EPIC's brief for the Court of Appeals, which contains a detailed technical discussion of Wi-Fi technology, explains that residential Wi-Fi networks are unlike traditional radio broadcasts and should be protected under the Electronic Communications Privacy Act. EPIC also said that consumers should not bear the burden of securing their networks against sophisticated eavesdroppers when the purpose of the ECPA is to protect communications from such interception. For more information, see EPIC: Investigation of Google Street View, EPIC: Ben Joffe v. Google.
  • EPIC Publishes 2012 FOIA Gallery » (Mar. 12, 2012)
    In celebration of Sunshine Week, EPIC published the EPIC FOIA Gallery: 2012. The gallery highlights key documents obtained by EPIC in the past year, including the Federal Bureau of Investigation's watch list guidelines, records of the Department of Homeland Security's social media monitoring program, Google's first Privacy Compliance Report, records detailing the government's FAST scanning program, records of the FBI's surveillance of Wikileaks supporters, and DHS records detailing the use of body scanners at the U.S. border. EPIC regularly files Freedom of Information Act requests and pursues lawsuits to force disclosure of critical documents that impact privacy. EPIC also publishes the authoritative FOIA litigation manual. For more, see EPIC Open Government and EPIC Bookstore: FOIA.
  • Pew Study: Search Engine Users Anxious About Collection of Personal Information » (Mar. 9, 2012)
    A Pew study found that users of search engines were pleased with the quality of search results but opposed targeted advertising and search results, and were generally anxious about the collection of personal information by search engines. Specifically, 73 percent of those surveyed were opposed to search engines tracking their searches, and 68 percent opposed behavioral advertising. 83 percent of respondents reported using Google to conduct searches. Recently, Google began combining user data gathered from more than sixty Google products and services, including Google search, to create a single, comprehensive profile for each user. For more information, see EPIC: Search Engine Privacy and EPIC: EPIC v. FTC.
  • European Justice Minister Says Google Now in Violation of EU Law » (Mar. 1, 2012)
    European Justice Minister Viviane Reding said today that Google's March 1 changes to its terms of service violate European Union law "in numerous respects." Commissioner Reding pointed to the failure of the company to obtain user consent, the lack of transparency, and the fact that most users do not read privacy policies. European privacy officials recently concluded that the changes do not comply with the European Union Data Protection Directive and asked the company to suspend its planned changes. In the US, EPIC has urged a federal court to require the Federal Trade Commission to determine whether Google's changes violate a 2011 Consent Order. The court denied the motion. The case is now on appeal. For more information, see EPIC v. FTC (Google Consent Order).
  • EU and US Consumer Groups to Google: "This plan is a mistake" » (Feb. 29, 2012)
    The Transatlantic Consumer Dialogue, a coalition of leading consumer organizations in North America and Europe, today urged Google CEO Larry Page to drop the plan to combine user data on March 1. Citing the pending changes to Google's terms of service, the groups said "It is both unfair and unwise for you to 'change the terms of the bargain' as you propose to do." TACD said "consumers have relied on your policies and your terms of service in choosing your products." Late Friday, EPIC filed an emergency appeal with the DC Circuit Court of Appeals in an attempt to force the Federal Trade Commission to take action prior to March 1. For more information, see EPIC: EPIC v. FTC (Google Consent Order).
  • FTC Chairman: Google Users Face a "brutal choice" -- Europeans: "Google's new policy does not meet the requirements of the European Directive on Data Protection." » (Feb. 28, 2012)
    Pressure is building as the March 1 deadline for Google's planned changes in user privacy approaches. In an interview with C-Span, the Chairman of the Federal Trade Commission said that users of Google services face a "brutal choice." The head of the French Data Protection Agency, on behalf of European privacy agencies, has warned that Google's proposed change violates European Union privacy law. She reiterated the recommendation of Europe's Justice Minister that Google suspend the change. In Washington, DC, EPIC has filed an emergency appeal with the DC Circuit Court of Appeals to force the FTC to enforce the 2011 consent order against Google. For more information, see EPIC v. FTC (Google Consent Order).
  • EPIC Appeals Court Ruling in Google Privacy Case » (Feb. 27, 2012)
    Within hours after a federal court in Washington, DC ruled that it could not require the Federal Trade Commission to enforce a consent order against Google, EPIC filed an emergency appeal with the Court of Appeals for the DC Circuit. EPIC has asked the appellate court to overturn the lower court decision before March 1, when Google will change its terms of service and consolidate user data without consent. For more information, see EPIC - EPIC v. FTC (Google Consent Order).
  • Privacy Groups to Rep. Bono-Mack: "Hold *Public* Hearings on Google Privacy Changes" » (Feb. 24, 2012)
    Five privacy organizations, including EPIC, wrote today to Rep. Bono-Mack to urge the Chairwoman of a powerful Congressional committee to hold a public hearing on Google's proposed changes in business practices that will take effect March 1. Rep. Bono-Mack has held closed-door meetings with the Internet giant, but so far has scheduled no public hearings on the plan to consolidate user data, which EPIC alleges violates a 2011 Consent Order with the Federal Trade Commission. The consumer groups also asked the Congresswoman to urge Google to suspend its plan pending an investigation. They said there would be "overwhelming public support for this action" and cited recent statements from Members of Congress, Attorneys General, European Justice Officials, the President, technical experts, and IT managers in government and the private sector. For more information see EPIC: EPIC v. FTC.
  • Judge Rules that Court Lacks Jurisdiction over FTC, Acknowledges "Serious Concerns" with Google Privacy Changes » (Feb. 24, 2012)
    A federal court today dismissed EPIC's lawsuit against the FTC, because the "decision to enforce the Consent Order is committed to agency discretion and is not subject to judicial review." However, the Judge also said "the Court has not reached the question of whether the new policies would violate the consent order or if they would be contrary to any other legal requirements." And she said "the FTC, which has advised the Court that the matter is under review, may ultimately decide to institute an enforcement action." EPIC will appeal the decision on judicial review, asking the DC federal appeals court to rule that courts can require federal agencies to enforce final orders. For more, see EPIC: EPIC v. FTC (Google Consent Order).
  • State Attorneys General Cite Privacy Risks to Android Users, Demand Meeting with Google » (Feb. 22, 2012)
    Attorneys general from 36 states and territories sent a letter to Google raising new questions about the plan to consolidate user data on March 1. "The new policy forces consumers to allow information across all of these products to be shared, without giving them the ability to opt out," the letter says. The state AGs also say "this invasion of privacy is virtually impossible to escape for the nation's Android-powered smartphone users, who comprise nearly 50% of the national smartphone market. For these consumers, avoiding Google's privacy policy change may mean buying an entirely new phone at great personal expense." The AGs point out that Google told Android users "We will not reduce your rights under this Privacy Policy without your explicit consent." Last week, EPIC filed a lawsuit to force the Federal Trade Commission to require Google to honor its previous commitments to Google users. EPIC has alleged that the proposed changes in the company's practices violate a 2011 Consent Order. For more information, see EPIC: EPIC v. FTC (Google Consent Order).
  • EPIC Urges Federal Court To Hold FTC Accountable for Failure to Enforce Google Consent Order » (Feb. 21, 2012)
    In a reply brief filed today in Washington, DC, EPIC said that the Federal Trade Commission's failure to enforce the Consent Order against Google prior to March 1 would cause "irreparable injury." EPIC cited Google's plans to combine user data without consent, and pointed to numerous cases that establish the need for the Court to assess the FTC's failure to act. Dismissing arguments asserted by the government that "FTC enforcement decisions are not subject to judicial review," EPIC said that Congress has clearly told the Federal Trade Commission to enforce its final orders. And in response to a claim that EPIC's request for action by March 1 is "arbitrary," EPIC wrote "If the government is unaware that Google plans to make a substantial change in its business practices on March 1, 2012, it should turn on a computer connected to the Internet." For more information, see EPIC, EPIC v. FTC (Google Consent Order).
  • FTC Files Opposition / Motion to Dismiss in EPIC v FTC » (Feb. 17, 2012)
    The Federal Trade Commission today filed an opposition and a motion to dismiss in response to EPIC's complaint to compel the agency to enforce the October 2011 Consent Order against Google. The government stated that EPIC would "deprive the Commission of the discretion to exercise its enforcement authority." The government also charged that EPIC's lawsuit is "completely baseless." The papers were filed in federal District Court on the same day that the Wall Street Journal reported that Google had subverted the privacy settings of millions of users of the Internet browser software Safari. For more information see: EPIC: EPIC v. FTC (Google Consent Order).
  • "FOIA Matters" - EPIC Obtains Google Privacy Compliance Report » (Feb. 17, 2012)
    As the result of a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained a full copy of Google's first Privacy Compliance Report. Last year, spurred by a complaint pursued by EPIC, the FTC reached a settlement with Google and required the company to file regular reports with the Commission detailing its steps to comply with the Consent order. However, the report obtained by EPIC raises new questions about the company's efforts to safeguard user privacy. EPIC has recently filed a lawsuit against the FTC to compel the agency to enforce the Consent Order. For more information see: EPIC: EPIC v. FTC (Google Consent Order) and EPIC: In re Google Buzz.
  • EPIC to FTC: Enforce the Google Consent Order » (Feb. 17, 2012)
    Today EPIC wrote to the Federal Trade Commission urging it to enforce the consent order with Google in light of a recent Wall Street Journal article based on research from Stanford's Jonathan Mayer that described how Google had been circumventing the privacy settings of Safari users despite Google's promise to respect such settings. EPIC said that Google "took elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the misrepresentations by the commercial value it surreptitiously obtained." EPIC has filed a lawsuit to force the FTC to require Google to comply with the Consent Order to protect the privacy interests of Google users. The FTC's Response to the EPIC motion is due February 17; EPIC's reply is due February 21, 2012. For more information, see EPIC: EPIC v. FTC (Google Consent Order).
  • Google Report Raises New Questions About Compliance with Consent Order » (Feb. 10, 2012)
    The Google privacy compliance report, made public today, raises new questions about the company's failure to comply with an FTC Consent Order. The Order required Google to answer detailed questions about how it protects the personal information of Google users. But Google chose not to answer many of the questions. Most significantly, the company did not explain to the Commission the impact on user privacy of the proposed changes that will take place on March 1. EPIC has filed a lawsuit to force the Federal Trade Commission to require Google to comply with the Consent Order to protect the privacy interests of Google users. For more information, see EPIC v. FTC (Google Consent Order).
  • Federal Court Grants Accelerated Briefing Schedule in EPIC v. FTC » (Feb. 9, 2012)
    In response to EPIC's complaint and motion to compel the Federal Trade Commission to enforce a consent order against Google, a federal district court judge has ordered an accelerated briefing schedule. The FTC's Response to the EPIC briefs is due February 17; EPIC's reply is due February 21, 2012. The Court's deadlines reflect Google's imminent, substantial changes to the company's business practices. Google intends to consolidate the personal data of Google users across 60 services on March 1. EPIC contends that these changes constitute a violation of the consent order with the Federal Trade Commission. For more information, see EPIC v. FTC (Google Consent Order).
  • EPIC Sues Federal Trade Commission to Enforce Google Consent Order » (Feb. 8, 2012)
    EPIC today filed a Complaint and a Motion for Temporary Restraining Order and Preliminary Injunction in Federal District Court in Washington, DC. EPIC is seeking to compel the Federal Trade Commission to act prior to March 1, when Google plans to make changes in its terms of service that will make it possible for the company to combine user data without user consent. EPIC alleges that this change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The consent order arises from a complaint that EPIC brought to the Commission in February, 2010 concerning Google Buzz and a similar attempt by Google to combine user data without user consent. For more information, see EPIC - In re Google Buzz, FTC - "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network."
  • Google Backs Off Privacy Policy Change for Federal Government » (Feb. 3, 2012)
    In response to growing concern about the impact of Google's proposed policy change on user privacy and cloud-computing services, the company said that its planned privacy changes will not apply to US federal agencies. A report from Safegov.org "Google’s New Privacy Policy Is Unacceptable and Jeopardizes Government Information in the Cloud" recommended that "Google immediately suspend the application of its new privacy policy to Google Apps For Government users." Google told POLITICO's Morning Tech "cloud contracts are crafted with 'narrow, specific obligations' on how data can be used and stored. And those data requirements in the cloud contracts trump the company's standard privacy policy."
  • Google Policy Change Triggers EU Privacy Revolt » (Feb. 3, 2012)
    Leading privacy officials in Europe have asked Google "for a pause" in the company's planned consolidation of user data "in the interests of ensuring that there can be no misunderstanding about Google's commitments to the information rights of their users and EU citizens. . ." EU Commissioner Viviane Reding (@VivianeRedingEU) has expressed support, tweeting "Good that Europe's data protection authorities are ensuring @Google's new privacy policy complies with EU law." EPIC has urged the United States to begin the process of ratification of the Council of Europe Privacy Convention, which would establish global standards for privacy protection.
  • EPIC Seeks Public Release of Google's Privacy Report » (Feb. 1, 2012)
    EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information see EPIC: In re Google Buzz.
  • Congress Seeks Answers on Google's Plans for Data Consolidation » (Jan. 27, 2012)
    Eight members of Congress wrote to Google asking the company to explain the "steps [that] are being taken to ensure the protection of consumers' privacy rights." The letter follows Google's announcement that it would begin combining data gathered on consumers of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. The members' letter includes 11 specific questions ranging from the ways in which Google collects information to the specific consequences for Android phone users. In 2010, EPIC, along with other privacy groups, wrote a letter to Google about the company's decision to combine user data among 12 Google services. The groups warned that the practical effect would be to reduce privacy protection for users of Google services. For more information, see EPIC: In re: Google Buzz and EPIC: Google search.
  • Google Changes Privacy Practices, Consolidates User Data » (Jan. 25, 2012)
    Google announced that it would begin combining data gathered on users of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. Previously, users could use one Google service, such as Google+, without having their information combined with that gathered from other services, such as Youtube. Users cannot opt out of having their data combined unless they avoid signing into their user accounts or stop using Google’s services altogether. Google’s changes come after the company began surfacing personal information from Google+ in Google search results, a move that EPIC said raised privacy and antitrust issues. In 2010, EPIC, along with other privacy groups, wrote a letter to Google over the company's decision to combine user data among 12 Google services. Google is subject to a settlement with the Federal Trade Commission that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. For more information, see EPIC: Federal Trade Commission and EPIC: Google Search.
  • FTC Adds Google+ to Antitrust Investigation » (Jan. 13, 2012)
    Bloomberg News has reported that the Federal Trade Commission has expanded its antitrust investigation of Google to include Google's social networking service, Google+. The report comes after Google announced that it would include personal data gathered from Google+ in the results of users' searches, a move that led EPIC to urge the FTC to investigate the company. EPIC said that "Google's business practices raise concerns related to both competition and the implementation of the Commission’s consent order," referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. Google first confirmed the FTC’s antitrust investigation in June 2011. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
  • Google Changes Search Results, Preferences Google+ Results » (Jan. 10, 2012)
    Google is changing the results displayed by its search engine to include data from its social network, such as photos or blog posts made by Google+ users, as well as the public Internet. Although data from a user’s Google+ contacts is not displayed publicly, Google’s changes make the personal data of users more accessible. Users can opt out of seeing personalized search results, but cannot opt out of having their information found through Google search. Also, Google's changes come at a time when the company is facing increased scrutiny over whether it distorts search results by giving preference to its own content. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. Google has also acknowledged that the FTC is investigating whether Google uses its dominance in the search field to inhibit competition in other areas. For more information, see EPIC: Google/DoubleClick.
  • EPIC Urges Appeals Court to Shed Light on Google-NSA Agreement » (Jan. 4, 2012)
    EPIC filed the opening brief in EPIC v. NSA, No. 11-5233, challenging the National Security Agency’s response to EPIC's Freedom of Information Act request. EPIC is seeking information about the widely publicized cybersecurity agreement between the NSA and Google that followed the January 2010 China hack. The NSA claimed it "could neither confirm nor deny" the existence of any information about its relations with Google. After the attack, Google implemented encryption technology for Gmail by default, a privacy safeguard EPIC and technical experts had urged in 2009. For more information, see EPIC v. NSA: Google / NSA Relationship.
  • Senate Opens Investigation Into Google Search » (Dec. 20, 2011)
    Senator Herb Kohl (D-WI) and Mike Lee (R-UT), Chairman and Ranking member of the Judiciary Antitrust Subcommittee, have sent a letter to FTC Chairman Jon Leibowitz, expressing concern about Google's business practices and the company's impact on competition in Internet search and commerce. In September, EPIC wrote to the FTC and described how Google biased YouTube search rankings to give preferential treatment to its own content following the acquisition of the Internet's largest video service provider. The EPIC letter preceded a Senate hearing on "The Power of Google: Serving Consumers or Threatening Competition?" EPIC testified before the Senate Antitrust Subcommittee in 2007 on Google's growing dominance of essential Internet services.
  • Senate Holds Hearing on Google’s Anticompetitive Practices » (Sep. 21, 2011)
    Today's Senate Judiciary Committee hearing "The Power of Google: Serving Consumers or Threatening Competition?" examined Google’s use of its dominance in the search market to suppress competition. The company’s executive chairman, Eric Schmidt, testified on the first panel, while witnesses from Google’s rivals Yelp and Nextag appeared on the second panel. The hearing covered a wide range of issues, including search bias, Google’s proprietary search algorithm, and the downgrading of search rankings. EPIC testified before the same committee in 2009 on Google’s growing dominance of essential Internet services, and recently sent a letter to the Federal Trade Commission regarding Google’s biasing of YouTube search rankings to give preferential treatment to its own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
  • EPIC Urges FTC to Examine YouTube Search Rankings Following Google Acquisition » (Sep. 8, 2011)
    EPIC sent a letter to the FTC urging the Trade Commission to investigate the extent to which Google has used its dominance in the search market to influence the marketplace of online video content. EPIC pointed specifically to the Google acquisition of YouTube and the change in the YouTube search rankings that followed. EPIC said that Google substituted its own subjective, "relevance" ranking in place of objective search criteria, such as "Hits" or "Rankings," to preference Google's own video material over non-Google material. EPIC's letter includes detailed examples using the search term "privacy." Google has acknowledged that the Commission has opened an investigation into the company's business practices for possible antitrust violations. EPIC previously testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
  • EPIC Settles Street View Case with Trade Commission » (Aug. 26, 2011)
    EPIC and the Federal Trade Commission have agreed to settle an open government lawsuit concerning the FTC's decision to close the investigation of Google Street View. EPIC sought documents from the Commission after Members of Congress had urged the agency to pursue an aggressive investigation and many privacy agencies around the world found that Google violated national privacy laws. The agency turned over to EPIC agency records which suggested that the agency believed it lacked enforcement authority. However, the closing letter in the case also indicated that the Commission never undertook an independent investigation to determine whether other violations of law may have occurred. The case is EPIC v. FTC, No. 11-cv-00881 (D.C. Dist. Ct 2011). For more information, see EPIC: Google Street View.
  • Twitter Adopts Privacy Enhancing Technique, Defaults to HTTPS » (Aug. 24, 2011)
    Twitter has joined the ranks of Gmail with a decision to implement HTTPS functionality by default for all users in order to encrypt data and protect privacy. The change stems from several security problems in early 2011, including two incidents where hackers gained administrative control of the popular service and led to a settlement with the Federal Trade Commission requiring Twitter to adopt stronger security measures. Earlier, EPIC had pointed out the importance of HTTPS by default in a complaint to the Commission regarding Google and Cloud Computing Services. For more information, see EPIC: Social Networking Privacy and EPIC: In re Google and Cloud Computing.
  • EPIC v. NSA: Agency Can "Neither Confirm Nor Deny" Google Ties » (Jul. 13, 2011)
    A federal judge has issued an opinion in EPIC v. NSA, and accepted the NSA's claim that it can "neither confirm nor deny" that it had entered into a relationship with Google following the China hacking incident in January 2010. EPIC had sought documents under the FOIA because such an agreement could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The "Glomar response," to neither confirm nor deny, is a controversial legal doctrine that allows agencies to conceal the existence of records that might otherwise be subject to public disclosure. EPIC plans to appeal this decision. EPIC is also litigating to obtain the National Security Presidential Directive that sets out the NSA's cyber security authority. And EPIC is seeking from the NSA information about Internet vulnerability assessments, the Director's classified views on how the NSA's practices impact Internet privacy, and the NSA's "Perfect Citizen" program.
  • FCC Confirms Google Street View Investigation » (Jul. 8, 2011)
    FCC Chairman Julius Genachowski, responding to letters from Congressmen Graves Rogers and Barrow Scalise regarding Google Street View, wrote that "the Bureau's inquiry seeks to determine whether Google's actions were inconsistent with any rule or law within the Commission's jurisdiction." The FCC Chairman declined to provide specifics, though there is growing frustration in Congress about the investigation, which has been pending for more than a year following a complaint filed by EPIC. Recently, in a case in which EPIC filed an amicus brief, a federal judge found that Google's purposeful and secretive collection of wi-fi data as part of its "Street View" activities could constitute illegal wiretapping. For three years in thirty countries, Google's Street View cars collected data, including the content of personal emails, from wireless routers located in private homes and businesses. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. For more information, see EPIC: Google Street View.
  • Judge Rules Google Street View Data Collection May Violate Wiretap Act » (Jul. 1, 2011)
    In a lawsuit filed by several private citizens, a federal judge has found that Google's purposeful and secretive collection of Wi-Fi data as part of its "Street View" activities could constitute illegal wiretapping. EPIC filed an amicus brief in the case, providing a detailed legislative history of the Electronic Communications Privacy Act (ECPA) and arguing that private Wi-Fi communications are entitled to privacy protection under ECPA. EPIC said that Congress established "a presumption in favor of confidentiality except in those circumstances where the user has knowingly chosen to broadcast communications to the general public." For three years in thirty countries, Google's Street View cars collected data, including the content of personal emails, from wireless routers located in private homes and businesses. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, but the Commission has failed to announce a ruling. For more information, see EPIC: Google Street View.
  • Lawmakers Urge Federal Communications Commission to Speed Up Google Street View Investigation » (Jul. 1, 2011)
    The House of Representatives Financial Services Appropriations bill contains an amendment requiring the Federal Communications Commission to report on its Google Street View Wi-Fi investigation within 180 days. The bill was voted out of committee and is headed for a full House vote. The Commission opened an investigation into Google Street View after EPIC filed a complaint, asking the Commission to investigate possible violations of federal wiretap law and the Communications Act. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. For more information, see EPIC: Google Street View.
  • Federal Trade Commission Launches Google Antitrust Investigation » (Jun. 27, 2011)
    Google has acknowledged that the Federal Trade Commission has opened an investigation into the search company's business practices for possible antitrust violations. The investigation likely focuses on whether Google uses its dominance in the search field to inhibit competition in other areas. EPIC had previously opposed Google's acquisition of online advertiser DoubleClick, which was approved by the FTC over the objection of then-Commissioner Pamela Harbour. EPIC later testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
  • Court Awards Funds to EPIC in Google Buzz Case » (Jun. 1, 2011)
    A federal district court overseeing a class action case concerning Google Buzz has revised a proposed settlement agreement to ensure that EPIC receives part of the settlement fund. EPIC's complaint about Buzz to the Federal Trade Commission resulted in sweeping new privacy safeguards for Google users. But EPIC was excluded from a proposed agreement in which a Court had ordered distribution of settlement funds to organizations "who would reasonably benefit the class through established Internet privacy education and policy programs." Judge Ware held that "the Court does not find good cause to exclude EPIC from the list of recipients of the cy pres funds. EPIC has demonstrated that it is a well-established and respected organization within the field of internet privacy and that it has sufficiently outlined how the cy pres funding will be used to further the interests of the class." For more information, see EPIC - In re Google Buzz.
  • Senate Judiciary Committee Holds Mobile Privacy Hearing » (May. 10, 2011)
    The Senate Judiciary Subcommittee on Privacy, Technology, and Law held a hearing on "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy." Lawmakers heard testimony from the Federal Trade Commission, as well as from Apple and Google representatives. Chairman Leahy said that safeguarding privacy "is one of the most important and challenging issues facing the nation," and indicated that he would introduce legislation to update the Electronic Communications Privacy Act. EPIC previously recommended new privacy safeguards for location data. For more information, see EPIC: Locational Privacy and EPIC: In re Google Buzz.
  • EPIC Proposes "Fair Information Practices" for Google » (May. 3, 2011)
    Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices as part of the Privacy Program. EPIC also recommended encryption for Google's cloud-based services, new safeguards for reader privacy, limitations on data collection, and warrant requirements for data disclosures to government officials. EPIC said that similar privacy safeguards should be established for other Internet companies. The FTC investigation and settlement arise from a complaint filed by EPIC with the Commission in February 2010. For more information, see EPIC: In re Google Buzz and FTC - Public Comments on In Re Google.
  • Public Submits Comments on Proposed Google Consent Order » (May. 2, 2011)
    Today marks the end of the public comment period for the Federal Trade Commission's landmark Consent Order with Google regarding Buzz, Gmail, and all Google products and services. As part of the legal order, Google must adopt a "Comprehensive Privacy Plan" to safeguard its users' data and personal information. EPIC launched an online petition and a "Fix Google Privacy" page to promote public participation in the FTC's deliberations. The FTC's action against Google follows a Complaint and an Amended Complaint, filed by EPIC on behalf of Gmail subscribers and other users. For more information, see EPIC: In re Google Buzz.
  • In Court Filing, EPIC Argues Residential Wi-Fi Routers are Not Exempted Under Federal Wiretap Laws » (Apr. 15, 2011)
    EPIC filed an amicus brief in federal court arguing that users of private residential routers are entitled to privacy protection. The EPIC brief is in response to a series of questions asked by a federal judge as to whether private WiFi communications are covered under the Federal Wiretap Act. EPIC explained that a "Wireless Local Area Network (WLAN)" provides functionality for those within the home who take advantage of shared services, such as printers and Internet access. In contrast, WiMAX, WWAN, and WiLD are wireless devices that broadcast over a long distance and are intended for public access. EPIC also pointed out that users of residential WLANs can configure their devices to operate as "Hot Spots," but few choose to do so. EPIC said that Congress established "a presumption in favor of confidentiality except in those circumstances where the user has knowingly chosen to broadcast communications to the general public." For more information, see EPIC: Google Street View.
  • Swiss Court Finds Google Street View Violates Privacy Rights » (Apr. 5, 2011)
    Switzerland's top Court ruled against Google's Street View mapping service, forcing Google to blur faces and license plate numbers before putting images on the Internet. The Swiss Court stated, "the interest of the public in having a visual record and the commercial interests of the defendants in no way outweighs the rights over one's own image." Other countries, including the U.K., France, and Spain, have found that Google broke privacy laws when Street View cars collected wi-fi data from private wireless networks. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint asking the Commission to investigate violations of federal wiretap law and the U.S. Communications Act. For more information, see EPIC: Google Street View.
  • EPIC Launches "Fix Google Privacy" Campaign » (Apr. 5, 2011)
    In response to the recent announcement that Google has agreed to adopt a "Comprehensive Privacy Plan," EPIC has launched "Fix Google Privacy," a campaign to encourage Internet users to offer their suggestions to improve safeguards for Google's products and services. Submissions to EPIC will be forwarded to the Federal Trade Commission and considered by the agency as part of the final Privacy Plan. All comments must be sent before May 2, 2011. For more information, see EPIC - In Re Google Buzz and FTC - Analysis to Aid Public Comments.
  • EPIC, Privacy Groups File Objection to Proposed Google Buzz Settlement » (Apr. 1, 2011)
    EPIC and a coalition of consumer and privacy organizations have filed an objection to the "cy pres" allocation proposed by the attorneys in the Google Buzz matter. "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. In these cases, courts are often concerned about collusion between attorneys that produces quick settlements and does not protect the interests of the class members. EPIC, which filed the successful complaint with the Federal Trade Commission that led to the Google Buzz agreement, and the other groups say that the proposed settlement does not satisfy the "cy pres" requirement. They note that several of the organizations proposed by Google are currently funded by Google. Other parties in the case have also objected to the proposed settlement. The Court has already stated that "the final approval list of cy pres organizations may draw, but need not be drawn, entirely from the submission of nominations by Class Counsel." The Court also said, "The Court reserves the right to designate cy pres recipients who would reasonably benefit the Class through established Internet privacy education and policy programs on its own motion." For more information, see In re Google Buzz.
  • FTC Announces Agreement in EPIC Google Buzz Complaint » (Mar. 30, 2011)
    The Federal Trade Commission has reached an agreement with Google regarding Buzz, the social network service launched in early 2010. The FTC action follows a complaint and an amended complaint filed by EPIC on behalf of Gmail subscribers and other Internet users. The FTC agreement with Google is far-reaching. It is the most significant privacy decision by the Commission to date. For Internet users, it should lead to higher privacy standards and better protection for personal data. EPIC has pursued similar successful complaints at the FTC in the past, including Microsoft Passport and ChoicePoint, the data broker firm. For more information, see EPIC - In re Google Buzz.
  • France Fines Google for Street View Wi-Fi Data Collection » (Mar. 22, 2011)
    France's National Commission for Computing and Civil Liberties fined Google 100,000 euros for violating French privacy rules when Google’s Street View cars collected people's e-mails and passwords without their knowledge. The Commission cited the "established violations and their gravity, as well as the economic advantages Google gained," as reasons for the highest fine it has ever levied. Several other countries, including the U.K., Canada, Germany, and Spain, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, asking the Commission to investigate possible violations of federal wiretap law and the Communications Act. For more information, see EPIC: Google Street View.
  • Senate Antitrust Agenda Includes Google, FTC Oversight » (Mar. 14, 2011)
    Senator Kohl (D-WI) has announced the agenda for the Senate Subcommittee on Antitrust, Competition Policy, and Consumer Rights. Among other issues, the Subcommittee will focus on competition in online markets and internet search, as well as oversight of the Justice Department and the Federal Trade Commission. EPIC had opposed Google's acquisition of online advertiser DoubleClick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbour. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
  • EPIC v. NSA FOIA Lawsuit: NSA Will Neither Confirm Nor Deny Communications with Google » (Feb. 18, 2011)
    In a Freedom of Information Act lawsuit filed by EPIC against the National Security Agency for information about the NSA's relationship with Google, the NSA has replied that "confirming or denying the existence of any such records would reveal information relating to its core functions and activities . . ." EPIC sought the information, including a widely discussed cooperative research agreement between NSA and Google, because the agency's practices would impact the privacy interests of millions of Internet users both in the United States and around the world. The case is EPIC v. NSA, Civ. Action No. 10-1533 (RJL). EPIC has a related release against the NSA concerning the agency's cybersecurity authority. For more information, see EPIC - EPIC v. NSA.
  • EPIC Pursues Investigation of FTC's Spy-Fi Noninvestigation » (Feb. 11, 2011)
    EPIC has filed an administrative appeal with the Federal Trade Commission, challenging the agency's failure to disclose information about the FTC's decision to end the Google Spy-Fi investigation. EPIC is specifically seeking a slide presentation that the FTC provided to Congress about the matter. The agency has claimed that the presentation to Congress is exempt from disclosure under the Freedom of Information Act. Privacy agencies around the world found that Google intercepted private communications traffic. Yet documents obtained earlier by EPIC under the FOIA suggest that the FTC did not even examine the data Google gathered from private residential wifi routers in the US. For more information, see Google: Street View.
  • NIST Seeks Comments on Guidelines for Cloud Computing » (Feb. 3, 2011)
    The National Institute of Standards and Technology (NIST) has announced that it is accepting comments on two draft documents on cloud computing: the NIST Definition of Cloud Computing and the Guidelines on Security and Privacy in Public Cloud Computing. The documents were prepared after the Federal Chief Information Officer asked NIST to develop standards and guidelines to assist the federal government’s secure adoption of cloud computing. EPIC has warned of the ongoing privacy risks associated with cloud computing since its expansion into the public sphere in 2008. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Comments on both NIST documents are due no later than February 28, 2011. For more information, see EPIC: Cloud Computing and EPIC: In re Google and Cloud Computing.
  • FTC: Investigating Google Street View is a "waste of summer" » (Jan. 20, 2011)
    In documents obtained by EPIC through a Freedom of Information Act request, a senior attorney with the Federal Trade Commission describes the Google WiFi investigation as a "wasted summer" and hopes that a Hill briefing on Google WiFi "won't be too much of a time suck." EPIC sought these documents after the FTC dropped its investigation of Google Streetview. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, asking the Commission to investigate violations of US wiretap law and the Communications Act. For more information, see EPIC: Google Street View.
  • Google Violated New Zealand Privacy Law » (Dec. 15, 2010)
    The New Zealand Privacy Commissioner found that Google violated New Zealand privacy law when its Street View vehicles collected data, including the content of personal emails, from wireless routers located in private homes and businesses. The Privacy Commissioner said that Google "breached our privacy law when it collected the content of people's communications." Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, asking the Commission to investigate possible violations of federal wiretap law and the Communications Act. For more information, see EPIC: Google Street View.
  • Connecticut Attorney General Demands Google Street View Data » (Dec. 10, 2010)
    Connecticut Attorney General, and Senator-elect, Richard Blumenthal issued a "civil investigative demand," similar to a subpoena, for access to the data Google's Street View cars collected from homes and businesses in Connecticut. "Google's story changed," Blumenthal said, "first claiming only fragments were collected, then acknowledging entire emails." Google's purposeful and secretive collection of wifi data occurred in thirty countries over a three-year period, and several countries are investigating. The data sought by the Connecticut AG could provide evidence of illegal activity in the United States. The Federal Communications Commission has also opened an investigation after EPIC filed a complaint, asking the Commission to investigate Google's possible violations of federal wiretap law and the U.S. Communications Act. For more information, see EPIC: Google Street View.
  • European Union Opens Anti-Trust Investigation of Google » (Dec. 1, 2010)
    The European Commission announced it is investigating Google for potential anti-trust violations. The Commission decided to initiate formal proceedings against Google after complaints from search-service providers "about unfavorable treatment of their services in Google's unpaid and sponsored search results coupled with an alleged preferential placement of Google's own services." EPIC previously filed a complaint with the Federal Trade Commission regarding Google’s proposed merger with the advertising company DoubleClick and its implications for consumer privacy. EPIC Executive Director Marc Rotenberg also testified in Congress during the review of this merger, urging the Federal Trade Commission to establish privacy safeguards as a condition of the merger. When the Agency approved the merger without any conditions, EPIC charged that the Agency had "reason to act, and authority to act, but failed to do so." For more information, see EPIC: Google DoubleClick.
  • Google Seeks to Patent Scheme to Use Street View Data to Identify Internet Users » (Nov. 29, 2010)
    In a pending patent application, Google describes its plans for using wireless data, some captured by its Street View vehicles, to identify and link users to their geographical location. In the application, Google explains how it would verify a user's identity by sending the user a "challenge" based on the user's geographic location. Wi-Fi data collection is critical for this patent application. Google had previously denied that it would link Wi-Fi data to particular users, and omitted any mention of user identification from its statement regarding its Street View Wi-Fi data collection. For more information, see Google: Street View.
  • Wall Street Journal Confirms FCC Investigation of Google Street View Following EPIC Complaint » (Nov. 10, 2010)
    The Wall Street Journal reported today that the Federal Communications Commission has opened an investigation into Google's secretive interception and collection of wifi data. This occurred in thirty countries over a three-year period and is linked to Google "Street View" vehicles, which many thought simply captured digital images. In May, EPIC filed a complaint with the Commission, asking it to investigate Google's possible violations of federal wiretap law and the U.S. Communications Act. Investigations in other countries have revealed that Google secretly collected passwords, email, and sensitive medical data from millions of Internet users, and also built an extensive database of personal information associated with private residential wifi routers. The Federal Trade Commission recently ended its inquiry into Google Street View, even though members of Congress had urged a comprehensive investigation. For more information, see EPIC - Investigation of Google Street View.
  • Information Commissioner Finds Google Violated UK Privacy Laws » (Nov. 3, 2010)
    British officials announced that Google violated UK data protection laws when the company's Street View cars collected wifi data from private wireless networks. In lieu of a fine, Google UK will undergo an audit and must sign a commitment to ensure that data protection breaches do not happen again. The UK Information Commissioner stated that "the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act." EPIC is requesting documents from the US Federal Trade Commission under the Freedom of Information Act to determine why the agency ended the US inquiry into Google Street View, even after members of Congress urged a comprehensive investigation. For more information, see EPIC: Street View.
  • Federal Trade Commission Closes Noninvestigation of Google Street View » (Oct. 27, 2010)
    The Federal Trade Commission has sent a letter to Google, ending an investigation that never began. In May, the Federal Trade Commission was asked by members of Congress to investigate Google's secretive collection of wifi data as part of Street View, a mapping program characterized by the collection of digital imagery. In a letter to the Federal Communications Commission, EPIC further explained that Google's conduct likely violated federal wiretap law. Subsequent investigations in other countries revealed that Google secretly collected passwords, email, and sensitive medical data from millions of Internet users, and also built an extensive database of personal information associated with private residential wifi routers. However, the Federal Trade Commission never pursued an independent investigation of Street View, examined the data collected by Google in the United States, or even acknowledged the findings of other agencies. Investigations are still pending in several countries and 37 states in the U.S. For more information, see EPIC: Google Street View.
  • Google Ends Secret Wifi Data Gathering » (Oct. 22, 2010)
    Following numerous protests around the world, Google has ended its illegal collection of wifi data transmissions. The company, which originally claimed it was not even collecting wifi data, was forced to admit that the practice has been ongoing for three years in more than thirty countries, following an independent investigation initiated by European privacy officials. Investigations are still underway to determine the extent of Google's liability. EPIC wrote to the FCC earlier this year, pointing out that the practice violated US wiretap laws. For more information, see EPIC: Streetview.
  • Canada: Google Street View Violates Privacy Laws » (Oct. 20, 2010)
    Canada's Privacy Commissioner has determined that Google violated Canadian privacy law when the company's Street View cars collected user information from wireless networks. The personal information Google captured included e-mails and the names, addresses, and home phone numbers of people suffering from a certain medical condition. The Commissioner called on Google to strengthen its controls and designate an individual to be responsible for privacy issues. In May, EPIC urged the Federal Communications Commission to open an investigation into Street View, as Google's practices appear to violate U.S. federal wiretap laws as well as the U.S. Communications Act. For more information, see EPIC: Google Street View.
  • Investigation of Google Street View Moves Forward in Spain » (Oct. 19, 2010)
    The Spanish Data Protection Agency has filed suit against Google Street View for five violations of Spanish law. The Agency found that Google collected and stored personal data transmitted through open Wi-Fi networks, as well as SSIDs and MAC addresses that contained subscribers' real names. Many countries and several US states are currently investigating Google Street View. In May, EPIC urged the Federal Communications Commission to open an investigation into Street View, as Google's practices appear to violate U.S. federal wiretap laws as well as the U.S. Communications Act. For more information, see EPIC: Google Street View.
  • Privacy Groups Object to Google's "Simplified" Privacy Policy » (Oct. 6, 2010)
    EPIC and 14 other privacy and consumer protection groups sent a letter to Google CEO Eric Schmidt about Google's revised privacy policy. Under this new policy, twelve specific Google privacy policies will be replaced by a single policy that will enable greater data sharing within the corporation. EPIC previously raised similar concerns about Google Buzz in a complaint to the Federal Trade Commission. In the complaint, EPIC argued that Google's Gmail-specific privacy policy was more protective of users than their general privacy policy. For more information, see EPIC: In re Google Buzz.
  • Google Adds Two-Factor Authentication to Google Apps » (Sep. 24, 2010)
    Google announced today that it is adding two-factor verification for Google Applications. This will allow users to set up a one-time code delivered to a mobile phone, in addition to a regular password. Currently this option is only available for paid Google apps, although it will be available to all users in the coming months. If an administrator of a paid Google Apps account enables two-factor verification, then all users will be required to submit their mobile phone number. Google Apps operate by using cloud computing. In March 2009, EPIC filed a complaint with the Federal Trade Commission over Google's lack of adequate safeguards for its Cloud Computing Services. For more information, see EPIC: Cloud Computing.
  • Google Street View Blocked Again » (Sep. 14, 2010)
    The Czech Office for Personal Data Protection turned down Google's application to collect personal data for its Street View service. Street View is a controversial mapping tool that has allowed Google to capture Wi-Fi signals in addition to street level imagery in thirty countries over a three-year period. Google obtained Wi-Fi data, including email passwords and content, from receivers that were concealed in the Street View vehicles. Many countries and several US states are currently investigating Google Street View. In May, EPIC urged the Federal Communications Commission to open an investigation into Street View, as Google’s practices appear to violate U.S. federal wiretap laws as well as the U.S. Communications Act. For more information, see EPIC: Google Street View.
  • EPIC Files Suit For Documents Regarding Google/NSA Partnership » (Sep. 13, 2010)
    Today, EPIC filed a Freedom of Information Act lawsuit against the National Security Agency in the United States District Court in the District of Columbia. The agency failed to respond to EPIC's FOIA request for documents about an "Information Assurance" partnership with Google. EPIC previously appealed to the agency to comply with its legal duty to produce the documents, but the agency failed to respond. EPIC is also seeking the Presidential Directive that grants the NSA authority to conduct electronic surveillance in the United States. For more information, see EPIC: Open Government.
  • Google Settles Buzz Lawsuit, Allocates Funds for Internet Privacy Groups » (Sep. 7, 2010)
    Google has entered into a settlement agreement in a class action suit concerning the social network service Buzz. With Buzz, Google made private email contacts of Gmail subscribers publicly available without consent. Gmail users filed a class action lawsuit. The plaintiffs alleged violations of federal privacy and consumer fraud laws. As part of the settlement agreement, Google will establish an $8.5 million settlement fund to pay the attorneys, compensate the lead plaintiffs, and establish a cy pres fund for "existing organizations focused on Internet privacy policy or privacy education." Earlier this year, EPIC raised similar concerns about Google Buzz in a formal complaint to the Federal Trade Commission. EPIC has also objected to a settlement in the Facebook Beacon case on the grounds that the settlement would allow Facebook, the defendant, to control the private foundation established by the settlement. The Google settlement would not establish a similar entity. For more information, see EPIC: In re Google Buzz.
  • State Attorneys General Press Google on Street View Scandal » (Jul. 22, 2010)
    Connecticut Attorney General Richard Blumenthal announced in a press release that 38 states and the District of Columbia are seeking additional information about Google's collection of Wi-Fi data from private, residential computer networks. Blumenthal also sent a letter to Google, asking for information about Google's packet-sniffing software, the testing and review procedures, and the internal investigation of the code that "accidentally" recorded unencrypted Wi-Fi traffic in 30 countries over a three-year period. In May, EPIC wrote to the Federal Communications Commission and recommended an investigation, noting that the collection of Wi-Fi data likely violates several federal privacy laws. Google has since suspended its Wi-Fi data collection activities. For more information, see EPIC: Street View Investigations.
  • Several States Launch Investigations of Google Street View, Connecticut Attorney General Calls Activity "Pernicious Invasion of Privacy" » (Jun. 18, 2010)
    Several state attorneys general have opened investigations of Google, following disclosures that the company captured and stored Wi-Fi data in addition to digital images. These states include Connecticut, Illinois, Massachusetts, Michigan, and Missouri. Maryland and New York are also reported to be pursuing investigations. Connecticut AG Richard Blumenthal described the "driveby data sweeps" of WiFi networks as "deeply disturbing, a potentially impermissible, pernicious invasion of privacy." In a subsequent statement, the Connecticut Attorney General said he will determine the legality of Google's WiFi collection practices. Earlier, EPIC sent a letter to the Federal Communications Commission urging the FCC to determine whether Google may have violated the Wiretap Act and the Communications Act. Google has since grounded its entire Street View fleet and ceased all WiFi data collection. For more information, see EPIC - Investigations of Google Street View.
  • French Privacy Officials Find that Google Captured Email Passwords, Private Email Content » (Jun. 18, 2010)
    The French National Commission on Computing and Liberty (CNIL) has released preliminary results (French) (English) of the Google Street View investigation in France. According to the CNIL, Google "saved passwords for access to mailboxes" and obtained content of electronic messages. The CNIL is pursuing the investigation to determine whether Google engaged in "unfair and unlawful collection of data" as well as "invasion of privacy and individual liberties." Investigations are now underway in at least 18 countries and five states in the US. EPIC has prepared a preliminary survey of Investigations of Google Street View.
  • FCC Consumer Bureau Chief Says Google Street View "Clearly Infringes on Consumer Privacy," Charges Company with "Cyber Snooping" » (Jun. 14, 2010)
    The Chief of the Consumer and Governmental Affairs Bureau for the Federal Communications Commission warned consumers that Google's "behavior" raises important privacy concerns and said that the collection of Wi-Fi data, "whether intentional or not . . . clearly infringes on consumer privacy." Mr. Gurin further stated that the FCC Public Safety and Homeland Security Bureau is "now addressing cyber security as a high priority." EPIC recently wrote to FCC Chairman Julius Genachowski and urged the Commission to open an investigation of Google Street View. EPIC said, "The Commission plays a critical role in safeguarding the integrity of communications networks and the privacy of American consumers."
  • Investigation of Google "Spy-Fi" Expands, Congress to Hold Hearings » (Jun. 14, 2010)
    In the expanding probe of the "Spy-Fi" matter, Google admitted in a letter to the House Energy and Commerce Committee that Street View cars were purposefully downloading and capturing Wi-Fi data. Google claimed that the practice was legal, though it also said it "would stop Street View cars from collecting WiFi data entirely." The response comes two weeks after House members Henry Waxman (D-CA), Joe Barton (R-TX), and Edward Markey (D-MA) wrote to CEO Eric Schmidt demanding answers about Google's Street View vehicles. Google's responses to lawmakers have raised new questions, most notably why didn't Google reveal the full scope of its Street View activities? Representative Barton said, "this matter warrants a hearing, at minimum" and commented that Google's conduct is "ironic in view of the fact that Google is lobbying the government to regulate Internet service providers, but not Google." Representative Markey said, "We will continue to actively and aggressively monitor developments in this area."
  • Privacy International Charges Google with Criminal Intent in "Spy-Fi" Matter » (Jun. 11, 2010)
    International privacy watchdog Privacy International asserts that an audit of Google's Street View data collection shows that Google separated out and systematically stored network content obtained from private Wi-Fi devices. According to PI, this establishes that Google's Wi-Fi data collection was intentional, despite Google's assurances to the contrary. The audit follows an investigation which revealed that Google Street View vehicles were secretly capturing and recording private Wi-Fi data in addition to photographic images. Street View vehicles operated in 30 countries over a three-year period until Google was forced to suspend the program. In the US, EPIC has sent a letter to the Federal Communications Commission, urging the FCC to open an investigation to determine whether Google violated US wiretap laws.
  • Congress Pursues Investigation of Google and Facebook's Business Practices » (Jun. 1, 2010)
    Following similar letters from other Congressional leaders, the head of the House Judiciary Committee has asked Google Inc. and Facebook to cooperate with government inquiries into privacy practices at both companies. Rep. Conyers (D-MI) noted that Google's collection of user data "may be the subject of federal and state investigations" and asked Google to retain the data until "such time as review of this matter is complete." Rep. Conyers also asked Facebook to provide a detailed explanation regarding its collection and sharing of user information. The House Judiciary Committee is expected to hold hearings on electronic privacy later this year. For more information, see EPIC: Facebook Privacy, EPIC: In re Facebook II, and EPIC: Search Engine Privacy.
  • Congressional Leaders Write to Google's Schmidt About "Spy-Fi" » (May. 26, 2010)
    Congressmen Henry Waxman (D-CA), Joe Barton (R-TX), and Ed Markey (D-MA) have sent a detailed letter to Google CEO Eric Schmidt about the reports that Google Street View vehicles scarfed up Wi-Fi data in thirty countries, including the United States. The letter follows a complaint that EPIC has sent to Julius Genachowski, chairman of the Federal Communications Commission, suggesting that Google may have violated federal wiretap laws. For more information, see Congress Urges FTC to Investigate Google.
  • EPIC Urges Federal Communications Commission to Open Investigation Into Google Street View » (May. 21, 2010)
    EPIC wrote today to FCC Chairman Julius Genachowski to recommend that the Commission open an investigation into the consumer data collected from wi-fi hotspots by Google Street View.  In its letter, EPIC stated that Google routinely and secretly intercepted and stored user communications data and routinely and secretly intercepted and stored private communications hotspots. EPIC said that this conduct appears to violate federal wiretap laws as well as the Communications Act and asked the Commission to begin an investigation. EPIC noted that "The Commission plays a critical role in safeguarding the integrity of communications networks and the privacy of American consumers." For more information, see Congress Urges FTC to Investigate Google.
  • Congress Urges FTC to Investigate Google Following Revelation that "Street View" Scarfed Wi-Fi Data » (May. 19, 2010)
    Congressmen Joe Barton (R-TX) and Edward Markey (D-MA) wrote to FTC Chairman Leibowitz about Google's collection of consumers' private Wi-Fi transmissions. The House members asked the FTC Chairman to investigate whether Google's actions violate federal privacy laws or consumer protection laws. Google has admitted to collecting email and internet surfing data, but has not clarified the extent or nature of the data collection. The letter from Congress follows an investigation in Europe which revealed that Google's "Street View" vehicles in 30 countries collected not only digital images, but also data transmitted on private wireless networks. EPIC has several privacy complaints pending at the FTC, including one on Cloud Computing.
  • Lawmakers Urge FTC to Investigate Google Buzz » (Mar. 29, 2010)
    Ten House Members have asked the Federal Trade Commission to pursue an investigation into the Google social networking service Buzz, given "Google's practice of automatically using consumers' e-mail address books to create contact lists for Buzz and then publicly disclosing the names of those private contacts" online. The lawmakers also asked the Commission to consider the privacy implications of Google's proposed acquisition of AdMob, the mobile phone advertising company. EPIC has filed a complaint with the FTC, asking the Commission to investigate Google Buzz. Previously, EPIC recommended that the FTC block Google's acquisition of Doubleclick, the banner advertising firm, because of the privacy implications. For more information, see EPIC: In re Google Buzz.
  • FCC Releases National Broadband Plan, Privacy Strategy Unclear » (Mar. 17, 2010)
    The Federal Communications Commission (FCC) released its National Broadband Plan today. The FCC notes that "many users are increasingly concerned about their lack of control over sensitive personal data" and warns that "Innovation will suffer if a lack of trust exists between users and entities with which they interact over the internet." The FCC makes several recommendations, but there is no clear plan to address growing concerns about cloud computing, smart grids and unfair and deceptive trade practices. Last year, EPIC urged the FCC to develop a comprehensive strategy for online privacy as part of the national broadband strategy.
  • EPIC Recommends Effective Consumer Privacy Standards, Calls Notice and Choice a "Failed Experiment" » (Mar. 17, 2010)
    At the third FTC Privacy Roundtable, EPIC senior counsel John Verdi will recommend that the Commission push forward with effective and meaningful privacy safeguards for American consumers. Mr. Verdi will say that the "notice and choice" approach has failed, and will recommend that the FTC enforce Fair Information Practices, such as the OECD Privacy Guidelines. The discussion can be viewed via webcast. Additional information on the FTC roundtable event can be found here. For more information, see EPIC In re Google Buzz, EPIC In re Facebook, and EPIC In re Google and Cloud Computing.
  • EPIC Google Buzz Complaint Raises “A Number of Privacy Concerns” for the FTC » (Mar. 8, 2010)
    The FTC has sent a letter to EPIC regarding the February 2010 EPIC complaint about Google’s recently launched social networking tool, Google Buzz. In the letter, the Bureau of Consumer Protection Director states that the complaint “raises interesting issues that relate to consumer expectations about the collection and use of their data.” Further, the FTC Director highlights the importance of having consumers “understand how their data will be used” and allowing consumers the “opportunity to exercise meaningful control over such uses.” EPIC has since filed an amended complaint with the FTC that describes how Google Buzz violated Google’s own privacy policy for Gmail. For more information, see EPIC: In re Google Buzz.
  • White House Publishes Outline of Cyber Security Policies » (Mar. 2, 2010)
    The White House announced today that it has made a description of the Comprehensive National Cybersecurity Initiative (CNCI) available online for public viewing. The 12 CNCI initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains secret. EPIC has been involved in ongoing litigation regarding a Freedom of Information Act request for the text of the critical cybersecurity document NSPD 54 that President Bush signed in 2008. For more information, see EPIC: EPIC Sues NSA to Force Disclosure of Cyber Security Authority and EPIC: EPIC Seeks Records on Google-NSA Relationship.
  • EPIC Files Amended Complaint on Google Buzz » (Mar. 2, 2010)
    EPIC has filed a supplement to its earlier complaint with the Federal Trade Commission, urging the FTC to investigate Google Buzz.  EPIC's original complaint cited clear harms to service subscribers, and alleges that the change in business practices "violated user expectations, diminished user privacy, contradicted Google's privacy policy, and may have violated federal wiretap laws." EPIC's supplemental complaint elaborates on the specific ways in which Google Buzz constituted a violation of Google's stated Privacy Policy for Gmail. For more information, see EPIC: In re Google Buzz.
  • Study Ranks Top 20 Companies for Privacy in 2010, Facebook Drops Off List » (Feb. 26, 2010)
    Ponemon Institute released its annual study identifying the top twenty companies that are most trusted for privacy. American Express was ranked first, earning the Most Trusted for Privacy distinction for the fifth year in a row. Facebook suffered several privacy missteps over the last year, including a recent change in privacy settings at the end of 2009, and as a result, failed to make the 2010 list. Google, however, returned to the Top 20, ranked at 13. The survey also produced significant findings regarding consumer attitudes towards privacy, including the finding that consumers feel they are losing control over their personal information. Further, the responses revealed that consumers’ fear of identity theft is the main factor for brand trust diminishment, while a company’s implementation of privacy features contributes to brand trust. Other significant positive factors were limits on the collection of personal information and online anonymity.
  • EPIC Urges Federal Trade Commission to Investigate Google Buzz » (Feb. 16, 2010)
    EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Google Buzz. Last week, Google tried to transform its popular email service into an untested social networking service. As a consequence, Google displayed social networking lists based on a user's most frequent address book contacts. The change was widely criticized. EPIC's complaint cites clear harms to service subscribers, and alleges that the change in business practices "violated user expectations, diminished user privacy, contradicted Google's privacy policy, and may have violated federal wiretap laws." EPIC also noted that the FTC has failed to take action in another matter involving Google and Cloud Computing services. For more information, see EPIC: In re Google Buzz and EPIC: Google Buzz Press Release.
  • EPIC to Defend Readers' Privacy at Google Books Hearing » (Feb. 9, 2010)
    On February 18, 2010, EPIC President Marc Rotenberg will appear in federal court in New York to represent readers' privacy and right to read anonymously. EPIC will urge Judge Chin to reject Google's deal with publishers, which requires readers to provide sensitive personal information to view digital books offered by Google, but fails to protect their privacy. EPIC previously moved to intervene in the case, observing that readers' interests are not represented, and warning that the settlement "threatens well-established standards that safeguard intellectual freedom," "imperils longstanding Constitutional rights," and "threatens to eviscerate state library privacy laws that safeguard library patrons in the United States." For more, see EPIC: Google Books and Privacy, EPIC: Google Books Litigation, and EPIC: Google Books: Policy Without Privacy.
  • EPIC Statement to Congress on Google, NSA, and Cybersecurity » (Feb. 9, 2010)
    EPIC has submitted a statement for the record for a House Foreign Affairs Committee hearing on Google and U.S. Cyberspace Policy. EPIC's statement recommends investigation into the newly-announced partnership between Google and the National Security Agency and the public release of the secret document that grants the NSA broad surveillance authority in cyberspace. The EPIC statement also urges the Congressional Committee to support US ratification of the Council of Europe privacy convention. For more information, see EPIC Critical Infrastructure Protection, Experts' Letter to Secretary Clinton on the Council of Europe Convention.
  • Revised Google Books Settlement Fails to Fix Key Problems » (Feb. 5, 2010)
    Even after revisions, the Google Books Settlement still fails to address antitrust, privacy, and copyright concerns, according to the US Justice Department, privacy advocates, and academic authors. On February 4, the Justice Department filed a brief and issued a statement opposing the revised settlement. The Department said the revisions still ran afoul of authors' copyrights and did not fix antitrust problems. EPIC also continues to object to the settlement because it does not contain adequate privacy protections for readers. On February 4, EPIC informed the court of its intent to appear at the February 18 Fairness Hearing on behalf of users' privacy interests. For more information, see EPIC: Google Books and Privacy, EPIC: Google Books Litigation, and EPIC: Google Books: Policy Without Privacy.
  • EPIC Seeks Records on Google-NSA Relationship » (Feb. 4, 2010)
    Today EPIC filed a Freedom of Information Act request with the National Security Agency, seeking records regarding the relationship between Google and the NSA. The press reported that Google and the NSA have entered into a partnership following a recent hacker attack on Google originating from China. The EPIC FOIA request also seeks NSA communications with Google regarding Google's failure to encrypt Gmail and cloud computing services. In March 2009, EPIC filed a complaint with the Federal Trade Commission urging it to investigate the adequacy of Google's cloud computing privacy and security safeguards. Today EPIC also filed a lawsuit against the National Security Agency and the National Security Council, seeking a key document governing national cybersecurity policy. For more information, see EPIC FOIA Litigation and EPIC Cloud Computing.
  • EPIC Urges FTC to Protect Users' Privacy On Cloud Computing and Social Networking Services » (Jan. 28, 2010)
    EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers. For more information, see EPIC: Cloud Computing and EPIC: Social Networking Privacy.
  • Google Expands Control of Internet Architecture » (Dec. 8, 2009)
    Google has announced Google Public DNS, which will route all requests for internet addresses, a core Internet function, through Google's servers. These requests would normally only pass through the servers of the users' internet service providers. Google's DNS service does not use the new authentication standard DNSSEC, but instead uses a proprietary security method. By tradition, DNS is a distributed function, subject to an open standard-setting process. For more information, see EPIC DNSSEC.
  • Revised Google Books Settlement Announced, Privacy Problems Remain » (Nov. 17, 2009)
    The parties in the Google Books Settlement have filed an amended settlement. The Department of Justice, authors, EPIC and other privacy advocates criticized the original settlement. The revised settlement attempts to address price fixing and concerns about orphan works. However, the revised settlement does little to address privacy. Professor Pamela Samuelson stated “There are dozens of provisions in the settlement agreement that call for monitoring of what users do with books and essentially no privacy protections built into the settlement agreement.” For more information, see EPIC Google Books Settlement and Privacy, EPIC Google Books Litigation, and EPIC Google Books: Policy Without Privacy.
  • Expert Group Asks Google to Improve Cloud Computing Privacy » (Jun. 16, 2009)
    A letter signed by 38 researchers and academics in the fields of computer science, information security and privacy law was sent to Google's CEO. The letter asks Google to uphold privacy promises made to users of Google Cloud Computing services. In March, EPIC filed a complaint with the FTC urging an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." The EPIC complaint specifically recommended the adoption of encryption to help safeguard privacy and security. Addressing concerns about data vulnerability and interception, the expert group has asked Google to enable HTTPS (web-based encryption) by default in several Google apps, including Gmail. See also EPIC's page on Cloud Computing and EPIC's Page on In re Google and Cloud Computing.
  • EPIC Petitions FTC to Investigate Google, Cloud Computing Services » (Mar. 17, 2009)
    EPIC has formally asked the Federal Trade Commission to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The petition follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines.
  • Report: Google Latitude Poses Significant Privacy Risks » (Feb. 5, 2009)
    Privacy International has identified a major security flaw in Google's new phone locational tracking service. According to the London-based organization, the tracking feature in Google Latitude can be easily enabled by anyone with access to the phone. Moreover, there is no simple way for a user to determine the tracking status of their phone. Questions have also been raised about Google's plan to use cell phone data location records for advertising purposes. For more information, see EPIC's page on Personal Surveillance.

Summary

The Supreme Court has agreed to review an important case concerning fairness in class action settlements in consumer privacy cases. The case raises the question of whether a settlement involving a monetary award distributed to non-profits, without any meaningful change in business practices, is “fair, reasonable, and adequate” as required under Federal Rule of Civil Procedure 23. The lower court approved the proposed settlement, finding that the distribution of funds to groups (via cy pres) in the settlement was appropriate because it was not feasible to distribute funds to the (potentially more than 100 million) class members and because the cy pres recipients had a substantial nexus to the interests of class members. The Ninth Circuit, in a closely divided decision, found that the district court did not abuse its discretion in granting the settlement.

Background

This case arises from class members’ claim that Google violated users’ privacy by disclosing their internet search terms to owners of third-party websites. The Google search engine processes more than a billion user-generated search requests every day. Users' search queries, which often contain highly sensitive and personally identifiable information (“PII”), are routinely transferred to marketers and data brokers, and sold and resold to countless other third parties. The information transferred can include real names, street addresses, phone numbers, credit card numbers, social security numbers, financial account numbers and more. Search queries can also include more sensitive information such as confidential medical information, racial or ethnic origins, political or religious beliefs or sexuality.

Procedural History

U.S. District Court for the Northern District of California

The plaintiffs - three individuals, Paloma Gaos, Anthony Italiano, and Gabriel Priyev - alleged that Google’s actions violated the Stored Communications Act and constituted a breach of contract, breach of the covenant of good faith and fair dealing, breach of implied contract, and unjust enrichment.

The parties went into mediation and reached a settlement that provided that Google would pay a total of $8.5 million and provide notice on its website disclosing how users’ search terms were disseminated to third parties. In return, all claims would be released by the approximately 129 million people who used Google Search within the U.S. during a specified period of 8 years. Of the total payout, $3.2 million would be set aside for attorneys’ fees, administration costs, and incentive payments to the named plaintiffs. The remaining $5.3 million would be distributed between six cy pres recipients, including: AARP, Inc.; The Berkman Center for Internet and Society at Harvard University; Carnegie Mellon University; The Illinois Institute of Technology Chicago-Kent College of Law Center for Information, Society and Policy; The Stanford Center for Internet and Society; and the World Privacy Forum.

The district court certified the class action for settlement purposes and preliminarily approved the settlement. The court heard oral argument from both parties and objectors to the settlement and ultimately found that (1) a cy pres-only settlement was appropriate because the settlement fund was non-distributable; (2) the disposition of the settlement as cy pres-only has no bearing on whether Rule 23(b)(3)’s superiority requirement for class action certification is met; (3) the cy pres recipients had a substantial nexus to the interests of class members; and (4) the fees granted to attorneys were reasonable.

Objectors appealed to the Ninth Circuit.

U.S. Court of Appeals for the Ninth Circuit

The Ninth Circuit reviewed the district court’s approval of the class action settlement and held: (1) the cy pres-only settlement was appropriate; (2) the recipients receiving the cy pres funds were appropriate; and (3) the district court did not abuse its discretion in awarding $2.125 million in attorney fees.

The Court emphasized that cy pres-only settlements are the “exception, not the rule.” But these settlements are appropriate when the fund is non-distributable. Citing Ninth Circuit precedent Lane v. Facebook, the court found that dividing the funds between class members would result in roughly 4 cents per person and that the fund was therefore non-distributable.

Turning to the cy pres recipients, the Court determined that the awards met the “nexus” requirement that satisfied the objectives of the underlying statute (Stored Communications Act) and promotes the interests of the silent class members. Objectors took issue, however, with the fact that Google had in the past donated to some of these cy pres recipients, three of which previously received settlement funds and another three serving as class counsel’s alma maters. The Court, however, found that there was transparency in the process and Google considered the interest of the class members in choosing the recipients. To impugn the settlement, the Court found that there would need to be something more, such as fraud or collusion.

Judge Wallace disagreed with the Court and wrote separately, expressing concern that 47% of the settlement fund was being donated to the alma maters of class counsel. He believed the district court should have conducted a more serious inquiry upon discovering this information. Because the settlement was cy pres-only, was reached prior to class certification, and almost half of the settlement funds are going to the alma maters of class counsel, Judge Wallace found that the settlement raised a red flag. This should be enough to shift the burden to proponents of the settlement to show that the settlement is fair.

Supreme Court of the United States

Objectors to the class action settlement filed a petition for a writ of certiorari on February 7, 2018. Objectors argued that the settlement was not “fair, reasonable, and adequate.” Objectors further emphasized that there was a deep Circuit split on the issue. The Supreme Court granted the petition on April 30, 2018. On November 7, 2018, the Court ordered the parties to brief the issue of whether class plaintiffs have standing to sue in federal court.

EPIC's Objections to the Settlement

EPIC twice sent letters to Judge Davila in the District Court opposing the proposed class action settlement. EPIC first urged the Judge to reject the settlement because it (1) “fails to require Google to make any substantive changes to its business practices,” (2) “it provides no monetary relief to the class,” and (3) “the proposed cy pres allocations do not meet the Ninth Circuit’s requirements for alignment with the interests of class members.”

As to the first deficiency, EPIC emphasized that it was “absurd to argue that a benefit is provided to the Class where the company makes no material change in its business practices and is allowed to continue the practice that provides the basis for the putative class action.” The only change brought by the settlement is a modification of Google’s privacy policy to allow the company to continue the disputed practice. EPIC emphasized, however, that privacy notices “have been widely recognized as ineffective,” in that “users do not read privacy policies.”

As to the second deficiency, EPIC highlighted that plaintiffs brought suit under several statutes, including the Stored Communications Act, which provides for a minimum of $1,000 per violation. EPIC asserted that “[g]iven the potential statutory damages at stake, the omission of any monetary relief to class members is a glaring deficiency.”

As to the third deficiency, EPIC argued that the proposed cy pres allocations do not meet clear Ninth Circuit standards for distribution. In Nachshin v. AOL, LLC, the Ninth Circuit determined that (1) the objectives of the underlying statute and (2) the interests of the class members must be taken into consideration when selecting cy pres recipients. With regard to the first prong, EPIC found that “furthering the objectives of the privacy statutes requires, at a minimum, that the proposed cy pres recipients be organizations that seek to protect privacy.” EPIC, however, found that only one of the seven recipients - the World Privacy Forum - maintained the protection of privacy as its mission. As to the second prong, EPIC found that the proposed settlement is not the “next best” to promote the interest of class members, noting “a disturbing amount of overlap between the proposed cy pres recipients and the alma maters of the counsel in this matter…”

Legal Background

Under Federal Rule of Civil Procedure 23(e)(2), a proposed settlement may be approved “only after a hearing and on finding that it is fair, reasonable, and adequate.”

The Supreme Court has recently expressed an interest in the fairness of class settlements. In Marek v. Lane, Chief Justice Roberts expressed "fundamental concerns" over a settlement that allowed Facebook to continue its "Beacon" program and provided no monetary relief to the class:

“In the end, the vast majority of Beacon's victims got neither remedy. The named plaintiffs reached a settlement agreement with the defendants before class certification. Although Facebook promised to discontinue the "Beacon" program itself, plaintiffs' counsel conceded at the fairness hearing in the District Court that nothing in the settlement would preclude Facebook from reinstituting the same program with a new name.”

EPIC's Interest

EPIC is dedicated to class action fairness in privacy cases and has objected to many similar settlements that failed to provide actual benefits to internet users. EPIC has also proposed objective criteria for courts to follow in class action cases. EPIC has routinely advised courts in consumer privacy class actions to ensure that settlements are aligned with the purpose of the litigation and that the cy pres allocations advance the interests of the class members.

In Campbell v. Facebook, EPIC urged the court to reject a proposed class action settlement over Facebook’s practice of scanning private messages. EPIC challenged the settlement because it did not require Facebook to stop scanning private messages. In fact, the company can continue scanning messages by simply burying a notice on its website. Also, there was no compensation to internet users for the prior violation of federal and state laws. In an amicus brief, EPIC stated:

“A class action settlement should result in substantial change in business practice. A class action settlement should not permit the continuation of the business practice that provided that basis for the lawsuit. A class action settlement should provide monetary relief to class members. If it is not possible to provide monetary relief to class members, then a cy pres award may be appropriate if the award advances the aims of the underlying investigation and is provided to organizations aligned with the interest of the class members.”

In In Re Google Cookie Placement Litigation, EPIC urged the Third Circuit to reject a settlement that allowed Google to continue tracking Internet users across the web and failed to provide any monetary relief to the class members. The only relief in the settlement was cy pres funds dedicated to organizations to which Google already contributed. The case involved practices by Google which EPIC had challenged in the past. EPIC, the Center for Digital Democracy, and US PIRG were the groups that warned the FTC in 2007 that the Google-DoubleClick merger would lead to the internet tracking practices at issue in the settlement. EPIC's 2010 FTC complaint regarding Google Buzz also led to the FTC's Consent Order with Google that enabled the Commission to pursue related charges against Google.

In In Re Google Referrer Header Privacy Litigation, EPIC twice urged the lower court to reject the settlement, arguing that it did nothing for class members and would allow Google to “continue to engage in the privacy-invading practice.” A divided federal appeals court ultimately upheld a decision that allows Google to continue consumer privacy violations by means of the collusive settlement. The case concerned Google’s illegal disclosure of personal data from 129 million consumers; however, the settlement failed to compensate those consumers, did nothing to change Google’s business practices, and diverted funds to organizations that do not protect consumer privacy. The dissenting judge wrote that the settlement “raises a red flag” because “47% of the settlement fund is being donated to the alma maters of class counsel.”

In Fraley v. Facebook, EPIC opposed a settlement allowing Facebook to continue its practice of scanning private messages. The settlement also did not compensate internet users for the prior violation of federal and state laws and it misallocated cy pres funds to organizations that were not aligned with the interests of class members.

EPIC has taken a particular interest in the use of cy pres as a remedy in class action settlements. “Cy pres” is the Latin term for “as near as.” In the legal context, it refers to settlement funds that are distributed to organizations in lieu of direct payments to the class members. Although EPIC has been the beneficiary of cy pres funds in consumer privacy class actions, EPIC has raised serious concerns regarding its use. In particular, EPIC opposed settlements in In re Google Referrer Header and Lane v. Facebook because the cy pres funds would not be awarded to organizations whose main focus was protecting consumer privacy. Chief Justice John Roberts echoed the concerns of EPIC in Marek v. Lane; although the Court declined to review the Lane v. Facebook settlement, Roberts opined that the Supreme Court would eventually need to address “fundamental concerns surrounding the use of such remedies in class action litigation.” EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement.

Legal Documents

United States Supreme Court, No. 16-402

Merits Stage

Petition Stage

U.S. Court of Appeals for the Ninth Circuit, No. 15-15858

U.S. District Court for the Northern District of California, No. 10-4809

  • In re Google Referrer Header Privacy Litigation, 87 F.Supp.3d 1122 (N.D. Cal. Mar. 31, 2015)
