Google Sued for Invading the Privacy of Millions in UK

Written by

Google is being sued on behalf of millions in the UK over privacy violations, after it allegedly secretly accessed their browsing data on iPhones.

The former director of consumer group Which?, Richard Lloyd, is seeking compensation for up to 5.4m Britons in the equivalent of a class-action lawsuit. He alleges that Google circumvented the default privacy settings for Safari on iPhones and iPads between the summer of 2011 and spring of 2012, in a clandestine effort to surreptitiously collect browsing histories of individuals and serve targeted advertising.

The issue was first brought up back in 2013, but Google argued at the time that it did not have to answer to the English courts and that UK privacy laws don’t apply to it, as an American company. But in 2015, Britain’s Court of Appeal ruled that UK consumers do actually have the right to sue Google over the issue, after which the internet behemoth agreed to an undisclosed settlement in a subsequent lawsuit. Lloyd is now bringing a much larger “representative action”—which will pay out £300 to each plaintiff. People who owned an iPhone or iPad during the effective time period will be automatically included in the claim.

The claim is that Google manipulated a feature in Apple’s Safari web browser in order to place the DoubleClick ID Cookie on Apple devices. Allegedly, Google used the ‘Form Submission Rule’ exception within Safari (which allows users to click on Like buttons and similar interactions) to then trick the browser into thinking the user had visited the first-party domain that the DoubleClick cookie is sent from—thus allowing Google to set the ID Cookie and update it as a third-party cookie via other web sites. With that, it became able to trace a user’s browsing history.

“I believe that what Google did was quite simply against the law,” said Lloyd. “Their actions have affected millions, and we’ll be asking the courts to remedy this major breach of trust. Through this action, we will send a strong message to Google and other tech giants in Silicon Valley that we’re not afraid to fight back if our laws are broken.”

Lee Munson, security researcher at said that while the incoming General Data Protection Regulation (GDPR) will do little to change the illegality of collecting personal information without people’s consent, it will up the ante in terms of the financial penalties that could be handed to any company that engages in any such activity.

"Given how Google has previously been fined heavily for monitoring browsing histories, it is not that surprising to learn about its alleged historic collection of data from iPhone users,” he said, via email. “Also, considering how that data was reportedly collected, despite Apple having privacy settings in place to prevent it, it would not be surprising at all to find out that this is not an isolated case.”

He added, “Hopefully, therefore, this will be the last time we hear of any alleged surreptitious data collection from unknowing victims who may have believed they had taken the necessary steps to prevent it occurring."

What’s hot on Infosecurity Magazine?