Google allowing Android app vendors to illegally collect user data, lawsuit alleges

Complaint, filed recently in California, is amended version of an earlier lawsuit against the company

Several users of devices running Google's Android operating system have filed an amended version of an earlier lawsuit accusing the company of illegally collecting, and allowing others to collect, extensive amounts of mobile user data without proper notice or consent.

The lawsuit, filed last week in the US District Court for the Northern District of California, is an updated version of a consolidated lawsuit from January 2012. It alleged that Google's actions had harmed the privacy, security and financial interests of the six named plaintiffs in the case.

US District Court Judge Jeffrey White, who reviewed the original complaint from last year, had rejected it this March.

In his ruling, the judge noted that the plaintiffs had failed to clearly state how Google's actions had caused injury to them as defined under the federal Computer Fraud and Abuse Act, the California Unfair Competition Law and a handful of other state statutes. Judge White had offered the plaintiffs an opportunity to file an amended complaint if they chose to do so.

Last week's second complaint addresses the shortcoming identified by the judge the first time around said William Audet, interim class counsel for the plaintiffs in the case.

"Pursuant to the Court's order, the plaintiffs have added additional facts on a number of issues," Audet said.

"The second amended complaint also provides additional facts regarding recent disclosures of continued alleged privacy violations by Google, including the sharing of data without the full consent or knowledge of the consumer," he said. "We believe that the complaint now addresses all the issues raised by the court and we are now focused on two violations -- one federal and one state -- committed by Google."

According to Audet, the ultimate goal in filing the lawsuit is to get Google to provide full disclosure of its own data collection practices and that of Android application developers who are approved to distribute their products through Google's application store. "We are alleging that the company is participating in the collection of private data in exchange for the use of applications by the consumer."

The 36-page complaint filed last week accuses Google of putting hooks in its Android operating system that allow third-party application developers to collect a extensive of range of data about mobile users and their devices. The complaint accuses Google of allowing third-party application developers to collect geo-location data, user age and gender, zip codes, user activity, device IDs and other personally identifying information from Android-powered mobile devices.

"People don't know how much data they are giving up when they download these applications for free," Audet said. He added that it is Google's responsibility to ensure that applications made available through its mobile application store are not illegally collecting and sharing user data.

Google's own privacy policies do not inform users of the extensive data collection practices of Android mobile application providers, he said. Often, users download these applications based on Google's representations in its privacy polices and its terms of service agreements, he said. Many users are unlikely to download third party applications if they were more fully informed about the true nature and the extent of the data being collected, he said.

The complaint also accuses Google of using its analytics tools and other services to collect extensive user information for targeted advertising purposes and for selling to third parties.

In addition, it accused Google of taking "affirmative steps" to limit the ability of users to block such data gathering and tracking. As an example, the complaint pointed to Google's alleged removal of an ad-blocking tool called AdBlock Plus, from its Google Play application store.

Such complaints are not unusual for Google or others like Facebook and Apple. All three companies have been fairly regular targets of consumer complaints alleging all sorts of privacy violations.

In the present instance, it remains unclear how far the lawsuit will go. Even Audet concedes the battle will be very tough. There's a level of detail and specificity involved in these privacy cases that can sometimes be hard to achieve, he said. Proving that the alleged data collection hurts consumers financially, or has injured them in a specific manner, can also be challenging, he said. "This is a hard case," he said.

A Google spokeswoman said on Wednesday that the company had no comment on the pending litigation.

News of the amended complaint was first reported by Courthouse News Service.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Googlesecuritymobile appsprivacy

More about AppleApple.FacebookGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts