Will the lawyers shut down the Web over privacy?

Who is Paloma Gaos? She runs Liaisons Interpreters, a translation service with an address on Bush Street in San Francisco’s Lower Pacific Heights. Her business has an estimated revenue of $140,000 a year and employs two people. And one more thing: Gaos is the complainant in a class-action suit against Google, alleging that Google has violated her privacy by passing along search queries embedded in referral links. If she wins, business on the Web will never be the same.

Ironically, I located her in about two minutes by searching with Google, looking at her LinkedIn profile, then checking a business directory. With one phone call (the number was on the Web), I found out a few more details, which I won’t reveal. The point, of course, is that while her lawsuit targets a fairly unlikely chain of events that would identify a user, she herself has left a trail that anyone could follow.

[ Get the spin on key tech news that you’ll find nowhere else at InfoWorld’s Tech Watch blog. | For a humorous take on the tech industry’s shenanigans, subscribe to Robert X. Cringely’s Notes from the Underground newsletter. ]

“Someone voluntarily posting information about her business is very different than having deeply personal information passed along by Google,” her co-attorney, Kassra P. Nassiri, told me.

He’s right of course. But I’m beginning to think it doesn’t matter. Some years ago, Sun co-founder Scott McNealy, when asked about privacy and the Web, said, “You already have zero privacy. Get over it.” I really, really, hate to think it, but maybe he was right too.

The selling or sharing of users’ personal data is so pervasive and so deeply intertwined with the business model of the Internet that separating them might be a solution akin to King Solomon’s suggestion that the mothers cut the baby in two. (Google has declined, for now, to comment on the suit.)

Google in the cross-hairs The suit against Google was filed earlier this week in federal court in San Jose. It claims that Google violates the privacy of users when it passes along URLs containing the text of search strings to the publisher of the website the user clicks on.

There’s no argument about some of that. Google, along with Bing and other search engines, does pass that information on. It has to, because it allows Web publishers (including InfoWorld.com) to see which sites are sending them traffic and which search terms are generating most of that traffic.

Here’s the nub of the argument made in the filing:

The user search queries disclosed to third parties can contain, without limitation, users’ real names, street addresses, phone numbers, credit card numbers, Social Security numbers, financial account numbers, and more, all of which increases the risk of identity theft. User search queries can also contain highly-personal and sensitive issues, such as confidential medical information, racial or ethnic origins, political or religious beliefs or sexuality, which are often tied to the user’s personal information.

As you may know, the information is actually passed on by the user’s browser via “referrer” data that tells a website the page that someone came from. (There’s a great discussion of this whole matter on the Search Engine Land website, replete with deep explanatory material.)

How damaging is that information? It depends on what the search query was about and how likely it is that the query can be linked to a specific individual. By and large, the data is anonymous — but not necessarily.

Four years ago, AOL released a huge trove of search date: the text of 20 million search queries for 650,000 users. It did so to help researchers, but reporters at the New York Times dug into it and were able to link a few searches to the people who made them. It was a huge embarrassment for AOL and a shock to the people who were, well, outed.

Yes, the reporters went to a good deal of trouble to make those links, something few advertisers or other parties would have the resources or even the motivation to do. But it wasn’t as hard as you might expect, argues Paul Ohm, an associate professor University of Colorado Law School. In a paper published last year, Ohm says that removing the most obvious forms of personally identifying information (PII) doesn’t guarantee anonymity [PDF]. He writes:

How many other people in the United States share your specific combination of ZIP code, birth date, and sex? According to a landmark study, for 87 percent of the American population, the answer is zero; these three pieces of information uniquely identify each of them.

How many users of the Netflix movie rental service can be uniquely identified by when and how they rated any three of the movies they have rented? According to another important study, a person with this knowledge can identify more than 80 percent of Netflix users. Prior to these studies, nobody would have classified ZIP code, birth date, sex, or movie ratings as PII.

Can Web business and privacy co-exist? I don’t why Gaos launched the suit; she hasn’t returned my calls. As is common in class actions, the suit does not yet ask for specific damages. That amount will come as the suit progresses. For now, the class is a class of one, though attorney Nassiri says he is looking for others to join.

Maybe he’s the equivalent of an ambulance chaser, or maybe he and his client are really fighting for the right of privacy. We’ll see. But for me, the issue is the business model of the Web and how that is making it increasingly difficult to maintain privacy.

Last week, I wrote about the necessity of Facebook to at least condone (if not abet) privacy leaks via applications on its site. Because hundreds of millions of dollars in revenue are on the table, expecting Facebook to really crack down seems naïve. It’s in business to make money, and sharing data with advertisers and app developers helps bring in the green.

What Facebook and Google do, so does everybody else on the Web, though usually on a much smaller scale. Advertisers were originally very skeptical of the use of Web-based advertising. They figured, rightly at first, that there was no way to know who actually looked at their ads, let alone who took the next step and bought goods.

Those questions have largely been answered, and Web advertising is overshadowing advertising in all other media. The knowledge of what moves users to and from particular sites is now a fundamental part of business on the Web.

Ohm makes several suggestions to minimize the damage, including a limit on how much search (and other) data may be stored and for how long. I haven’t examined his ideas in detail, but will do so in a future post.

For now, I’m struggling to see how our need for privacy can be reconciled with the business of the Web, a business most of us are happy to participate in, as customers or entrepreneurs. Let me know what you think, and for now, don’t beat on Gaos. She’s raising issues of great importance.

I welcome your comments, tips, and suggestions. Post them here so that all our readers can share them, or reach me at bill.snyder@sbcglobal.net. Follow me on Twitter at BSnyderSF.

This article, “Will the lawyers shut down the Web over privacy?,” was originally published by InfoWorld.com. Read more of Bill Snyder’s Tech’s Bottom Line blog and follow the latest technology business developments at InfoWorld.com.