Some items on our site have recently moved. Visit our News Hub for selected articles, special reports, podcasts and other resources.
Google battles sanctions in US hearing over 'Incognito' privacy evidence
22 April 2022 02:17 by Mike Swift
Back in 2019, more than a year before Google announced it would phase out third-party cookies in its Chrome browser for privacy reasons, the Internet giant faced a critical business question: How much would it cost in lost ad revenue?
A previously secret internal project by Google software engineers to try to answer that question, revealed in sworn testimony today in a US federal courtroom in Silicon Valley, is now at the center of the question whether Google will face sanctions that could include a jury instruction that it deleted key evidence in litigation over its allegedly illegal tracking of people using Chrome’s “Incognito” mode.
The remarkable court hearing amounted to a day-long mini-trial in San Jose, California over Google’s handing of evidence and opened a new window into the workings of the data-collection infrastructure behind Chrome, the world’s most widely used browser.
Through live testimony from a succession of Google engineers, complete with direct testimony and sharp-elbowed cross-examination, a plaintiff team that featured nationally prominent lawyer David Boies and Google lawyers battled over allegations that the search giant concealed key documents and withheld disclosing employees with knowledge about its collection of personal data about people using Chrome's private browsing mode.
Boies told US Magistrate Judge Susan van Keulen that software engineer Chris Liao, who manages Google’s Ads Identity Infrastructure Team, provided inaccurate testimony during a sworn deposition in December, and that Google concealed the existence of two other engineers, Mandy Liu and Bert Leung, who were knowledgeable about software signals built into Chrome that could digitally flag people using Incognito mode.
“They may have given us the tip of the iceberg, but they did not give us the bulk of those documents. And they were required to do that,” Boies told van Keulen in a hearing that drew about 20 lawyers for the two sides, including court-appointed Special Master Douglas Brush, who listened from the jury box. “Those documents were withheld, and we couldn’t ask questions about them because we didn’t have them.”
Finally, Boies said and other plaintiff lawyers said, Google complained about the burden of preserving the volume of data the plaintiffs wanted retained, winning a court ruling that allowed it to destroy data that it knew included relevant evidence. That prejudiced the plaintiffs, he said, because without that evidence they lacked the factual foundation to direct questions about how Google may have continued to harvest identifying data and might have combined it with data it collects about Chrome.
"Monetary sanction here isn't enough," said plaintiff lawyer Alison Anderson. "It isn't going to deter Google. It’s not the remedy the plaintiffs want."
Liao and Leung were two of the three Google software engineers who testified in court today, with both claiming in often highly technical testimony that their purpose was never to identify individual Chrome users in Incognito mode. Rather, their use of software signals built into the browser such as one called “X-Client Data Header” was intended to estimate what phasing out tracking cookies might do to Google’s advertising revenue.
Caitlin Sadowski, who leads Google’s Chrome Data team, testified that Google does not deploy the “X-Client Data Header” signal when users are in Incognito mode for privacy reasons.
“User privacy is important, and we don’t want to have any way to be tracking users between Incognito and non-Incognito mode,” Sadowski testified. “So even though there’s not a lot of information in the X-Client Data Header, we don’t send it for privacy reasons.”
But confronted in cross-examination by plaintiff lawyer John Yanchunis about whether software fingerprints such as the absence of the X-Client Data Header and other digital markers in Chrome could identify everyone using Incognito mode as well as some other unrelated “edge cases,” Liao acknowledged, “That is correct.”
The question of whether Google has the means to exactly determine which individual users are using Chrome’s private browsing mode is central to the plaintiffs’ allegation that the Internet giant violated federal and state wiretapping laws by continuing to harvest personally identifiable data when it tells users on Incognito’s startup screen that “you can browse privately” in that browser mode.
During the grueling seven-hour hearing, which didn’t even break for lunch, Google lawyers argued that the company did not hide the existence of Liu and Leung, and in fact disclosed their names in thousands of documents among the more than 800,000 documents Google produced to the plaintiffs last year.
“Google did not mislead or conceal,” Google lawyer Viola Trebicka told van Keulen, adding that Liao did not mislead the plaintiffs in his deposition. “Had he answered any differently, he would have perjured himself,” she told the judge. “We did not alter evidence. It’s pure fabrication to say so.”
“At worst, what has happened in this case is what happens in discovery in all kinds of complex cases with lots and lots of documents,” Andrew Schapiro, another lawyer for Google, told van Keulen. “It happens in ordinary litigation that sometimes documents aren’t produced right away,” meaning the plaintiffs have to ask follow-up questions to get what they need, he said.
The plaintiffs were not prejudiced by having to go through that process in the Incognito case, Schapiro said. “After dozens of depositions, millions of pages of produced documents, getting gigabytes of data, they have a vast amount of information,” Shapiro said. “The fact is . . . there is no reliable means to identify Incognito traffic.”
While the Incognito case is under the oversight of US District Judge Yvonne Gonzalez Rogers, van Keulen is handling the “scorched earth” battle — as Schapiro described it today — over which evidence might ultimately go before a jury if the case reaches trial in 2023.
Google was first hit with the wiretapping suit in June of 2020. The presence of Boies in the courtroom, who represented US Vice President Al Gore in the recount of the 2000 Presidential election and who led the US Department of Justice's antitrust prosecution of Microsoft in the 1990s, was one measure of the stakes in today’s hearing.
The plaintiffs asked van Keulen in a court filing in February to impose sanctions that would include a jury instruction that the company hid evidence, as well as paying monetary penalties. Much of the day revolved around testimony about whether software flags such as “X-Client-Data-Header” and another called the “Maybe_Chrome_Incognito_bit” were reliable trackers for Incognito users.
“It is not very reliable as an indicator” of whether a person was using Incognito mode, Liao testified of the X-Client-Data-Header, which led to multiple questions from plaintiff lawyers about if that was so, why the Google engineers were using that header to estimate the impact of removing third-party cookies.
At one point, Leung was confronted on cross-examination about a 2020 email he wrote that set out a very specific number of Chrome users in Incognito mode — 3.08 percent — and said that was a “ground truth” about usage of the mode.
Van Keulen did not hint how she might rule, or provide any timetable for a ruling, at the close of the hearing. The judge only asked a handful of questions during the day, but one appeared worrisome for Google.
The judge asked Trebicka if there could be other digital flags like the X-Client-Data-Header that could be used to track Incognito user. “So there could be, in theory, additional fields that have not been identified?” van Keulen said.
“We don’t believe so,” Trebicka answered, but acknowledged it was possible “in theory.”
26 May 2023 14:59 by Sam ClarkWhen the EU’s General Data Protection Regulation came into force five years ago, some said it would usher in a new era of EU supremacy over Silicon Valley's tech giants, reining in their rampant data-driven power.
24 May 2023 15:39 by Mike SwiftSince the General Data Protection Regulation took effect five years ago this week, more than 40 countries have enacted national privacy laws, most of which drew liberally from the canonical text of the EU law.
23 May 2023 23:47 by Mike SwiftThe count of countries with data protection laws more than doubled to 162 over the past dozen years, a total that includes a wide majority of the world’s nations, with new research suggesting data protection rules are approaching ubiquity.