Online marketing thought-leader Tye DeGrange interviewed me in his podcast Always Be Testing. Our broad focus was affiliate marketing abuse — why enforcement is hard, how incentives shape outcomes, what advertisers can do.
Listen via Spotify, Apple Pod, YouTube. Tye’s notes.
I represented Chaim Zeev Rozen in a portion of his formal DOT complaint against Virgin Atlantic. Mr. Rozen had transferred points from a credit card to Virgin’s frequent flyer program in order to redeem travel for relatives who shared his last name. Inexplicably, Virgin cancelled the tickets — without telling him or the passengers.
I filed a Reply on Mr. Rozen’s behalf. I pointed out that, contrary to Virgin’s repeated claim and even its Answer, nothing about his conduct was “fraudulent.” I criticized Virgin’s “fraud detection tools” which supposedly “flagged the booking”. I pointed out that Virgin’s Answer was oddly silent on whether any human even attempted to check whether those tools were correct. I argued that Virgin did not act reasonably in the penalty it imposed and its handling of Mr. Rozen’s complaint and correspondence alleging error. I identified a DOT regulation and Virgin contract provision that were implicated.
The parties subsequently filed a Notice of Withdrawal of Complaint and Joint Motion to Dismiss, indicating that they reached an amicable resolution of the matter. A footnote in that filing explains specific improvements Virgin made: new tools to better identify actual fraud, a new process for customer complaints and appeals, and new communications to passengers indicating that bookings have been canceled. Kudos to Mr. Rozen for his role in bringing about these benefits for the traveling public.
Today I announced joining the security startup VPT Digital as Chief Scientist. VPT operates in a space I feel I pioneered: Automated testing to find misconduct in affiliate marketing. As early as summer 2004 (not a typo!), I was catching affiliates using adware to claim commission they hadn’t earned. I later built automation to scale up my efforts.
Think affiliate fraud is no big deal? I was proud to recover large amounts for my clients. For one large client, I once proved that nine of its top ten biggest affiliates were breaking its rules – which might sound like a disaster, and in some sense it was, but ejecting the rule-breakers yielded ample funds to pay more to those who genuinely drove incremental value. Affiliate marketing experts may also remember Shawn Hogan and Brian Dunning, who faced both criminal and civil litigation for affiliate fraud – allegations that the FBI said stemmed from reports from me. Litigation reported that defendants collected more than $20 million in 18 months. “No big deal,” indeed.
The web is a lot messier than when I started down this path, and tricksters use a remarkable range of methods. Reviewing VPT’s automation, I’ve been suitably impressed. They test a range of adware, but also cookie-stuffing, typosquatting, and more. Of course they test Windows adware and browser plug-ins, but they and have Mac and mobile capabilities too. They test from multiple geographies, at all times of day. Their testing is fully automated, yielding spiffy reports in a modern dashboard – plus email alerts and API integration. It’s all the features I used to dream of building, and then some.
I’ll be working with VPT part-time in the coming months and years to continue to hone their offerings, including making their reports even more accessible to those who don’t want to be experts at affiliate fraud. I’ll also blog about highlights from their findings.
This post is part of Revisiting Litigation Alleging Google Discovery Violations.
In re: Google Digital Advertising Antitrust Litigation. 1:21-md-03010-PKC. (S.D.NY.)
MDL docket originated August 12, 2021. First filing as to spoliation May 30, 2025.
May 30, 2025 letter presents MDL Plaintiffs’ request to file motions seeking an adverse inference against Google based on its spoliation — grounded in its scheme to encourage employees to use Google Chat set to automatically delete messages for employees subject to litigation hold; its failure to ensure that employees complied with litigation holds; and its policy to mislabel sensitive information as “privileged and confidential” to attempt to avoid discovery.
Explains the evidence of Google’s intent to spoliate evidence, including employees discussing what information they should discuss where and how.
Summarizes critical remarks from other courts that examined Google’s spoliation. Donato: “a permissive adverse inference instruction is a reasonable and proportionate remedy to Google’s intentional failure to preserve relevant evidence.” Mehta: “Google’s failure to preserve chat messages might” “warrant” sanctions. Brinkema: “systematic disregard of the evidentiary rules regarding spoliation of evidence … may well be sanctionable.”
Criticizes’s Google’s “systematic abuse of privilege” including by CEO Sundar Pichai personally, noting his admission that he “marked e-mails privileged, not because [he was] seeking legal advice, but just to indicate that they were confidential.” Notes criticism from other courts: Donato: “frankly astonishing abuse of the attorney-client privilege designation to suppress discovery.” Mehta: “the court is taken aback by the lengths to which Google goes to avoid creating a paper trail for regulators and litigants.” Brinkema: “misuse of the attorney-client privilege may well be sanctionable.” Notes that other courts only withheld an adverse instruction because it would have been superfluous given the liability findings already made.
Aviation enthusiast Mike Borsetti last month alerted the US Department of Transportation to Qatar Airways adding bogus fees contrary to prior representations: Their online check-in allowed him to select a seat free of charge, but at the airport, both check-in staff and a manager said he’d have to pay to keep that seat. In response, Qatar tried to trivialize Borsetti’s problem — as if this overcharge doesn’t matter or isn’t important enough for DOT to investigate. In a public comment filed today, I explained why Borsetti is absolutely right:
First, having already complained to both line staff and a manager at the airport, Borsetti had put Qatar amply on notice of the dispute. Qatar says he should have complained again, after travel, so they could refund him then. But two unsuccessful discussions with airline staff is more than enough to justify Borsetti’s decision to bring this matter to a regulator.
Second, by all indications the problem stretches well beyond Borsetti alone, and is bigger than Qatar admits. Online comments already revealed four other customers with substantially the same problem — online check-in seating dishonored unless customers pay more at the airport. Of customers affected, only a tiny fraction would both realize they were overcharged and then happen to see the one blog discussing Borsetti’s complaint. So the problem must be substantial. And that’s as you’d expect: If there’s a defect in Qatar’s software or process, such as airport systems mistakenly saying a seat fee is due even though online check-in already authorized a seat without charge, that problem would occur for a broad swath of passengers since software ordinarily operates predictably and consistently.
On some level Borsetti’s complaint is unusually simple. He was overcharged, he wants a refund, and he wants Qatar Airways to stop charging passengers for seats it had said would be free. Will DOT act to make sure all the other affected passengers — who didn’t realize they were overcharged, or didn’t take the time to complain — are also fully refunded? And will DOT act to make sure that Qatar Airways finally fixes its systems so this problem doesn’t recur?
Congratulations to Mirel Baumgarten, who in 2020 used my formal DOT complaint template to report Turkish Airlines delivering bags 31 hours late and arbitrarily withholding compensation in violation of US law and international treaty. DOT today cited Mirel in a Consent Order with Turkish, which had to admit its wrongful acts and pay a total of $1.3m (both for delaying refunds after COVID-19 schedule changes and cancellations, and for arbitrarily limiting mishandled bag reimbursements).
DOT summarizes the violation: Turkish Airlines “arbitrarily limited reimbursement for delayed or lost baggage to a maximum amount of $50 USD payment per day for a maximum of six days regardless of the content consumers submitted in their claims.” But, DOT explains, under the Montreal Convention, an airline may not limit its liability for expenses related to delayed baggage to any amount lower than 1,288 SDRs (currently about $1,670). See Consent Order page 5.
If you enjoy this sort of thing, Mirel’s complaint shows the kind of nonsense airlines all too often inflict on passengers. Mirel reported bags delivered 31 hours late (complaint page 12) and provides proof with timestamps, yet Turkish oddly categorized the baggage delay as less than 24 hours (not that that would eliminate or even reduce reimbursement under governing treaty and law). Mirel was traveling for a wedding, had to buy expensive replacement clothes to attend, and had receipts documenting the expenditure. (See complaint page 11.) Turkish refused to consider Mirel’s evidence, saying the only relevant factor was “the framework of the rules” which purportedly say the Turkish rep “cannot re-evaluate your case” (page 10). When Mirel cited the specific treaty that required reimbursement of all reasonable expenses subject to the treaty’s cap, disallowing the limitation Turkish proposed, the Turkish rep remarked that no further discussion was possible, “we do not have phone service”, and the specified amount was “our final offer.” Most consumers would give up. Kudos to Mirel for sticking with it, telling the DOT, and thereby causing DOT to include this matter in its broader investigation of Turkish.
The DOT’s $1.3m settlement with Turkish is substantial, but that entire amount goes to the US Treasury. Not a penny flows to the passengers who received arbitrarily reduced reimbursements from Turkish. Both DOT and Turkish know the names and contact information of affected passengers. I’d like to see Turkish affirmatively provide every affected passenger with the full amount shown in receipts previously submitted, plus interest.
Other affected Turkish customers should be emboldened by this consent order to demand their full documented loss, no matter any prior protestation by Turkish that its policies called for paying less. I don’t know if Turkish customer service representatives are trained to honor and pay those claims. If not, Turkish customers could contact the attorneys who represented Turkish in this matter, David Endersbee and Barbara Marrin of KMA Zuckert, who should be in a position to press Turkish staff to pay claims consistent with the consent order.
On December 21, YouTuber MegaLag dropped a 23 minute video eviscerating Honey. Calling Honey a “scam”, he made two core allegations.
Honey takes payments that would otherwise go to influencers who recommended products users buy. (video at 2:50) MegaLag shows Honey claiming payments in four scenarios: i) if a user activates a function to search for coupons (even if none are found), ii) if a user activates a function to claim Honey Gold (no matter how meager the rebate), iii) if the user gets the message “We searched for you but didn’t find any deals” and merely presses the button “Got it”, and iv) If Honey shows the message “Get Rewarded with PayPal” “Shop eligible items to earn cash off future purchases” and the user presses “checkout”.
16 million views and growing, MegaLag’s video has prompted a class action lawsuit and millions of users uninstalling Honey.
I’m a big fan of MegaLag. I watched most of his other videos, and they’re both informative and useful—for example, testing Apple AirTags by intentionally leaving items to be taken; exploring false claims by DHL about both package status and their supposed investigations. Meanwhile, nothing in MegaLag’s online profile indicates prior experience in affiliate marketing. But for a first investigation on this subject, he gets most things right, and he uses many appropriate methods including browser dev tools and screen-capture video. Based on its size and its practice, Honey absolutely deserves the scrutiny it’s now getting. Kudos to MegaLag.
Nonetheless there’s a lot MegaLag doesn’t say. Most notably, he doesn’t mention contracts—the legal infrastructure that both authorizes Honey to get paid and sets constraints on when and how it may operate. Furthermore, he doesn’t even consider whether merchants get good value for the fees they pay Honey. In this piece, I explore where I see Honey most vulnerable—both under contract and for merchants looking to spend their marketing funds optimally.
Affiliate marketing comprises a web of contracts. Most affiliate merchants hire a network to track which affiliate sent which traffic, to provide reports to both merchant and publishers, and to handle payments. For a single affiliate-merchant relationship, an affiliate ends up subject to at least two separate contracts: the network’s standard rules, and any merchant-specific rules. Of course there are tens of thousands of affiliate merchants, and multiple big networks. So it’s impossible to make a blanket statement about how all contracts treat Honey’s conduct. Nonetheless, we can look at some big ones. Numbering added for subsequent reference.
Commission Junction Publisher Service Agreement
C1 “You must promote Advertisers such that You do not mislead the Visitor”
C2 “the Links deliver bona fide Transactions by the Visitor to Advertiser from the Link”
C3 “You must accurately, clearly and completely describe all promotional methods by selecting the appropriate descriptions and providing additional information when necessary.”
C4 “You agree to: (i) use ethical and legal business practices”
C5 “Software-based activity must honor the CJ Affiliate Software Publishers Policy requirements (as such requirements may be modified from time to time), including but not limited to: (i) installation requirements, (ii) enduser agreement requirements, (iii) afsrc=1 requirements, (iv) requirements prohibiting usurpation of a Transaction that might otherwise result in a Payout to another Publisher (e.g. by purposefully detecting and forcing a subsequent click-through on a link of the same Advertiser) and (v) non-interference with competing advertiser/ publisher referrals.”
Rakuten Advertising Downloadable Software Applications (DSAs) Overview, Testing Process, Policies
R1 “Your DSA should become inactive on the sites of any advertisers who opt-out or stand down on those that do not want you to redirect their traffic. Publishers who fail to comply with this rule will jeopardize their relationship with advertisers as well as with Rakuten Advertising.”
R2 “[W]e expect your DSA to: Stand down when it recognizes any publisher links”
R3 “[A]ll software must recognize Supplier domains and the linksynergy tracking links. When a Supplier domain or the linksynergy code is detected, the software may not operate or redirect the consumer to the advertiser site using the Software Publisher tracking ID (also known as Supplier Affiliate ID or Encrypted ID). We do not allow any DSA software that interferes with or deters from any Publisher or Advertiser website.”
R4 “The DSA must stand-down and not display any forms of sliders or pop-ups to prompt activation if another publisher has already referred an end user.”
R5 “The DSA must not force clicks or “cookie stuff”. The DSA must not insert a cookie onto the user’s computer without the user knowingly taking an action that results in the cookie being placed.”
R6 “The end user must click through the offer that is presented. Placing the mouse over an offer, only viewing it or viewing all offers is not a click through.”
R7 “The DSA must not automatically drop a cookie when the end user is only viewing offers. The cookie should only be dropped once the end user clicks on a specific offer.”
Awin including ShareASale – Code of Conduct, Awin US Publisher Terms, SAS US Publisher Agreement
A1 “’Click’ means the intentional and voluntary following of a Link by a Visitor as part of marketing services as reported by the Tracking Code only;”
A2 “Publishers only initiate tracking via a tracking link used for click tracking if the user voluntarily and intentionally interacted with the Ad Media or Tracking link.”
A3 Publishers only initiate tracking for a specific advertiser if the consumer interacted directly with ad media for this advertiser.”
A4 ”do not mislead consumers”
A5 “transparency about traffic sources and the environment that ads are displayed in”
In addition, all networks indicate that publishers must disclose their practices to both networks and merchants. Awin Code of Conduct is representative: “Publishers proactively disclose all promotional activities and obtain advertiser approval for their activities.” Rakuten’s Testing Process is even more prescriptive, requiring an affiliate both to submit a first version and to notify Rakuten about any changes so it can retest; plus requiring publishers to answer 16 questions about their software including technical details such as DOM ID and Xpath of key functions.
MegaLag’s video show violations of these network policies. I see three clusters of violations.
(1) Honey invokes its affiliate links although users did not fairly request any such thing. Consider “We searched for you but didn’t find any deals” with button labeled “Got it” (MegaLag scenario iii above). “Got it” doesn’t indicate that the user wants, expects, or agrees that Honey will invoke its affiliate link. That’s certainly misleading (contrary to rule C1). Nor can Honey claim that a user who clicks “Got it” is “knowingly taking an action that results in the cookie being placed” (R5) because clicking “Got it” isn’t the kind of action that rule contemplates. Rakuten rules R6 and R7 are equally on point, disallowing invoking an affiliate link based on an activity that doesn’t indicate intent (such as a mouseover), and requiring that an affiliate link only be invoked “once the end user clicks on a specific offer.” “Got it” isn’t an offer, so under R7, that’s not grounds for invoking a Rakuten link. So too for Awin, where A1 defines “click” to include only links that are “part of marketing services” (but “Got it” is not marketing service). See also A2 and A3 (allowing links only as part of “ad media”, but “Got it” is not ad media); and of course A4 (“do not mislead consumers”).
Honey’s invocation of affiliate links upon a “Get rewarded with PayPal” message (MegaLag scenario iv above) is on similarly shaky ground. For example, responding to a PayPal offer is not “knowingly taking an action that results in the cookie being placed” (R5) – the user knows only that he’s closing the message, not that he’s requesting an affiliate referral back to the merchant. Similarly, a PayPal offer is not “marketing services” or “ad media” for an Awin merchant (rules A1-A3).
The rule to invoke affiliate links only when a user so requests is no mere technicality. In affiliate marketing, an affiliate may be paid if 1) the user sees a link, 2) the user clicks the link, and 3) the user buys from the specified merchant. Skipping step 2 sharply increases the circumstances in which a merchant has to pay commission—not a term a merchant would agree to. When an affiliate skips step 2, it’s cookie-stuffing. Publishers have gone to jail for this (and had to pay back commissions received). Honey didn’t quite stuff cookies as that term is usually used—the user did click something. But when nothing on the button (not its label, not the surrounding message, not any principle of logic or engineering) indicates or even suggests the button will activate an affiliate link—that’s terrible value for the merchant.
(2) Honey presents its affiliate links although a user recently clicked through another publisher’s offer. (MegaLag at 2:50) But networks’ rules require Honey to stand down if another publisher has made a referral. See rule C5.v (“non-interference with competing advertiser/ publisher referrals”) and R2 (“Stand down when it recognizes any publisher links”). Rakuten even makes explicit that the stand-down obligation applies not just to automatic clicks (which, uh, aren’t permitted in any event) but also to sliders and popups: “The DSA must stand-down and not display any forms of sliders or pop-ups to prompt activation if another publisher has already referred an end user.” (R4)
Here too, this is no technical violation. Other publishers need “stand down” rules so they have a fair chance to earn commission for their work promoting a given merchant. Standing down from another affiliate’s click is the most fundamental affiliate network rule for downloadable software and browser plug-ins.
(3) Honey falls short of disclosure obligations. “You must accurately, clearly and completely describe all promotional methods by selecting the appropriate descriptions and providing additional information when necessary” (C3). Publishers must provide “transparency about traffic sources and the environment that ads are displayed in” (A5). I’m open to being convinced that Honey told networks and merchants it would invoke affiliate links with buttons as weakly labeled as “Got it.” I don’t buy it. Merchants have a clear contractual basis to expect complete and forthright disclosures—it is literally their money being paid out. And merchants authorized networks to collect and evaluate these disclosures for them. No shortcuts.
One might object that networks can waive rules or create exceptions for key partners. Not so fast! Merchants and publishers rely on networks to enforce their published rules exactly as promised. In fact, in 2007, both merchants and publishers sued ValueClick to allege that it had been less than diligent in enforcing its rules. ValueClick’s Motion to Dismiss argued that it could do what it wanted, that it had disclaimed all warranties, and that it made no promises that merchants or publishers were entitled to rely on. But the court denied ValueClick’s motion, eventually yielding a settlement requiring both improved efforts to detect affiliate fraud as well as certain refunds to merchants and payments to publishers. There’s room to disagree about how much benefit the settlement delivered. (Maybe the settlement promised changes that ValueClick was going to do anyway. Maybe the monetary payments were a small fraction of the amount lost by merchants and publishers.) But the fundamental principle was clear: Networks must follow their contractual representations including policies about prohibited behaviors. And while networks may try to disavow quality responsibilities, for example via disclaimers in contracts, courts are skeptical of the unfettered discretion these provisions purport to create. A network that promises to track affiliate transactions ultimately ought to do so accurately, and should neither grant arbitrary waivers nor look the other way about serious misconduct.
Honey’s one-sentence response to MegaLag was “Honey follows industry rules and practices, including last-click attribution.” It’s no surprise that Honey claims compliance. But I was surprised to see affiliate thought-leaders agree. For example, long-time affiliate expert Brook Schaaf remarked “Honey appears to be in compliance with network standards.” Awin CEO Adam Ross says MegaLag’s video “portray[s] performance marketing attribution as a form of theft or scam”—suggesting that he too thinks Honey did nothing wrong.
I’ll update this piece with when others dig into the contracts and compare Honey’s practices with the governing requirements. But after more than 20 years working on affiliate fraud—my first piece on this subject was, wow, 2004—let me offer four observations.
One, it’s easy to get complacent. Much of what Honey does is distressingly normal among browser extensions. Test the Rakuten Cashback app and you’ll find much the same thing. Above, I linked to litigation against Honey, but there’s also now similar litigation against Capital One, alleging that its Capital One Shopping browser extension is out of line the same way as Honey. Brook and Adam are right that Honey’s tactics aren’t a surprise to anyone who’s been in the industry for decades. Many people have come to accept behaviors that don’t follow the literal meaning of stated policies. Some would say the policy is out of date. I’d say, instead, that key decision-makers have been asleep at the switch.
Two, networks’ incentives are mixed. On one hand, networks want affiliate marketing to be seen as trusted and trustworthy, which requires eliminating practices widely seen as unfair. At the same time, affiliate networks typically charge a commission on every dollar of commission paid. As a result, networks directly benefit from anything that increases the number of dollars of commission paid—such as allowing browser plug-ins to change non-commissionable traffic into commissionable traffic. Merchants should be skeptical of networks too quickly declaring traffic compliant when networks literally get paid for that finding. With Rakuten operating both a cashback service (with browser plugin) and an affiliate network, their incentives are particularly muddy: If Rakuten Advertising declares a given browser plugin tactic to be permitted, Rakuten Cashback can then use that tactic, increasing both Cashback fees (the Cashback margin on each dollar of rebate) and Advertising fees (the network margin on each dollar of affiliate activity). I like and respect Rakuten and its leaders, but their complicated incentives mean serious people should give their pronouncements a second look.
Three, most people read the governing contracts hastily if at all. I’m proud to have pulled out the 17 rules above, and I encourage readers to follow my links to see these and other rules in the larger policy documents. Fact is, there’s lots of material to digest. I’ve found that networks’ compliance teams often build rules of thumb that diverge from what the rules actually say, and ignore rules that are in some way seen as inconvenient or overly restrictive. That’s a mistake. The rules may not be holy, but they have the force of contract, and there’s real money at issue. Importantly, networks are spending other people’s money—making sure normal publishers get every dollar they fairly earned; and making sure merchants pay the correct amount, but not a penny more. This calls for a high level of care. We’re two weeks into the response to MegaLag. How many people posted video-responses, blogs, or other remarks without finding, reading, and applying the governing policies?
Four, personalities and work styles invite even merchant staff to accept what Honey is doing. Representative short-hand: “Go along to get along.” Most marketers chose this line of work to make connections, not to play policeman. Attend an affiliate marketing conference and you’re a lot more likely to see DJs and beer (party!) than network sniffers and virtual machines (forensic tools). Meanwhile, it’s awfully easy for an affiliate manager to tell a boss “we’re working with Honey, the billion-dollar product from PayPal”—then head to the Honey gala at an industry conference. Conversely, consider the affiliate manager who has to explain “we wasted $50k on Honey last month.” People have been fired for less. Ultimately, online marketing plays a procurement function—trying to spend an employer or client’s money as skillfully as possible, to get as much benefit as possible for as little expense as possible. That’s hard work, and I don’t fault those who want an easier path. I also don’t fault those who prefer the networking and gala side of marketing over the software forensics. Nonetheless, collective focus on the fun stuff goes a long way towards explaining how problems can linger (and grow).
For a merchant evaluating Honey, the fundamental question is pretty simple: Does Honey bring the merchant incremental sales and positive ROI? Clearly Honey’s browser extension positions it to claim credit on purchases users were already going to make, but incremental sales are what matter to merchants—purchases made only thanks to Honey.
My hypothesis is that Honey is ROI negative for most merchants. If a user goes to (say) dell.com, the user is already interested in Dell. Why should Dell let Honey’s browser plug-in jump in and claim a commission on that user’s purchase? Maybe Honey will increase the user’s conversion rate from 5% to 5.1% (by proclaiming what a good deal the user has found, or by touting a Honey Gold sweetener). But with payment to Honey, Dell’s margin will drop from (say) 7% to 5%. Would Dell prefer 7% profit on 500 sales, or 5% profit on 510? That math is pretty easy.
Of course the numbers in the preceding paragraph are just hypotheticals. If users sufficiently trust Honey (whether correctly or otherwise), their conversion rate might increase enough to justify Honey’s fees to merchants. If Honey could somehow persuade users to spend more—“add one more item to your cart, and you can get this $10 coupon”—that could increase value to merchants too (though I’ve never seen Honey deliver such a message). Some merchant advisors think this is plausible. I have my doubts.
Alarmingly, many merchants decide to work with Honey (and other “loyalty” software) without rigorously measuring incrementality (or even trying). Most merchants take some steps to measure the ROI of search and display ads. For years, affiliate ROI has been more challenging. But I recently devised a rigorous method that’s doable for most merchants. I’d enjoy discussing with anyone interested. When I have findings from a few merchants, with their permission I’ll share aggregate results.
It’s easy to watch MegaLag’s piece and come out sour on affiliate marketing. (“What a mess!”) For that matter, the affiliate marketing section of my site has 28 articles over 20+ years, almost all about some violation or abuse.
Yet I am fundamentally a fan of affiliate marketing. Incentives aren’t perfectly aligned between affiliate, network, and merchant, but they’re a whole lot closer than in other kinds of online advertising. One twist in affiliate is that when a rogue affiliate finds a loophole, they can often exploit it at scale—by some indications, even more so than in other kinds of online advertising. Hence the special importance of networks and merchants both providing fairness and being perceived as providing fairness. MegaLag’s critique of Honey shows there’s no shortage of work to do.
This post is part of Revisiting Litigation Alleging Google Discovery Violations.
The State of Texas, et. al., v. Google – docket. 4:20-cv-00957-SDJ (E.D. Tex.)
Filed December 16, 2020. First filing as to discovery violations: April 26, 2024.
Case disposition: Google Motion for Summary Judgment pending.
Plaintiff States’ Motion to Compel Written Discovery Regarding Destruction of Google Chats (July 3, 2024). Alleges “rampant destruction of relevant communications was no accident; it was Google’s policy and design.” Seeks discovery to reveal the extent of Google’s destruction of relevant chats.
Plaintiff States’ Motion for Spoliation Sanctions (January 6, 2025).
As to intent: “Google instructed its employees to use “history off” chats for work-related communications because they would not be preserved for future litigation.” Notes that in the 2008 Walker Memo, Google both remarked on “significant legal and regulatory matters” and announced that it would set Chat history to “off the record” — indicating that the former motivated the latter, which the motion claims is improper. Remarks on Google training to employees: “Google taught employees that sending an ‘off the record’ Chat is ‘[b]etter than sending [an] email’ because ‘off the record’ Chats ‘are not retained by Google as emails are.’”
As to Google’s approach to preservation: Google put “the onus … on each individual employee under a litigation hold to determine in real time whether a particular part of a particular Chat might be relevant to any actual or reasonably anticipated litigation,” and says Google failed to provide suitable guidance to those employees. Google did not instruct employees to turn history on for discussions related to a litigation hold until October 2021. Google did not audit whether employees complied with litigation holds.
As to untimeliness of Google’s preservation: Notes that Google claimed privilege over documents relating to ad tech as early as 2006, and specifically anticipated litigation in this area by 2013. Notes Texas’s first Civil Investigative Demand to Google in September 2019. Yet 61 of 202 custodians in this case were not placed on a litigation hold until 2022, more than 3 years after that CID was issued and more than 2 years after Google told plaintiffs that it had implemented appropriate litigation holds. (Table of delays in hold dates.)
As to specific individuals who failed to preserve: Reports that Google CEO Sundar Pichai never switched on Chat history, not a single time, to preserve even a single communication. Reports that Google failed to preserve 96% of Pichai’s chats from a two-month period for which partial data is available.
As to the volume of Chat messages at issue: Claims the relevant Google employee-custodians sent and received about 20,000 Chat messages per employee per year, totaling between 2.8 and 4 million Chat messages per year across all employees at issue in this litigation.
As to remedy: Asks the Court to “(1) instruct the jury that (i) Google had an obligation to preserve Chats, (ii) Google intentionally deleted millions of Chats, and (iii) the jury must presume the deleted Chats contained information unfavorable to Google, (2) find that Chats likely would have provided further evidence against Google’s motions for summary judgment; (3) award Plaintiffs’ fees and costs associated with this motion.”
42 attachments to the motion including:
January 31, 2025 supplemental expert report of Jacob Hoschstetler as to the scope of Chat messages lost due to Google’s failure to preserve (87% of messages lost, at least 18,566/21,269). Hoschstetler also reports that not a single custodian in the Log Dataset produced by Google personally switched the history to “on” for any of the conversations during the period of that log, although Google said it instructed employees to do so if discussing a topic within the scope of their litigation hold. 94.5% of chat conversations had chat history turned off for at least some of the time period covered by the Log Dataset. For Google CEO Sundar Pichai, more than 96% of Chat messages were not preserved, and in a single conversation, more than 300 messages were not preserved.
Uber this week emailed San Francisco users of Uber Teen (a service that transports kids ages 13-17) both to announce that it is suspending that service in California, and to blame new California Public Utilities Commission rules for that closure. Uber claims CPUC made “new and onerous changes” which left the company “no choice” except to suspend service. I emphatically disagree. The problem, such as it is, is of Uber’s own creation — and Uber had and has a viable path forward.
Narrowly: Nothing forces Uber to suspend service. Uber could comply with the CPUC’s requirement and continue service by implementing reasonable driver registration precautions, in fact the same precautions that competitor HopSkipDrive has used for years. The words “no choice” have literal meaning, and that’s just not the situation here. The real issue is that Uber disagrees with CPUC’s requirement that it check driver fingerprints, arguing that its background checks suffice. But that disagreement does not compel Uber to discontinue service. Many people and companies disagree with many laws and regulations. The normal process is to submit comments in a legislative or rulemaking process, to sue if you think the rule is so broken that (say) it’s unconstitutional, to invoke political remedies such as replacing whoever imposed the rule, and ultimately to honor the democratic process by complying. Win some, lose some, and hope to win more than you lose. In contrast, Uber’s approach is a threat: Either the regulation goes Uber’s way, or Uber will cease service.
Broadly: Uber suggests that CPUC’s regulation is ill-advised. To evaluate, start with the rationale according to CPUC:
When an adult is being tasked to provide a service to a minor, the adult is placed in a position of trust, responsibility, and control over California’s most vulnerable citizenry—children. Not conducting a fingerprint-based background check to identify adults with disqualifying arrests or criminal records would place the unaccompanied minor in a potentially dangerous, if not life-threatening situation. That is why California Assembly Bill 506 … requir[es] that administrators, employees, or regular volunteers of youth service organizations undergo a background check that includes fingerprinting.
In response, Uber claims that its background checks work well and are sufficient. Who’s right? Consider the broader context. Uber’s background checks rightly deny accounts to drivers with bad driving records, prior ejections from Uber’s platform, or no documentation establishing right to work. But if a driver can’t pass those checks, the standard strategy is to “borrow” an account from someone who can. Many people tolerate a certain amount of this for ordinary adult rides. As the CPUC explains above, the stakes are higher when transporting minors unaccompanied. In that special context, higher standards are no surprise.
If fingerprinting drivers were massively costly, it might nonetheless be an unwise investment — a cost exceeding plausible benefits. For all its protestations to CPUC and to users, Uber never quite explains why it’s (supposedly) so difficult to do what CPUC specifies. If I had to implement CPUC’s requirement, I’d collect driver fingerprints through smartphones or at the inspection centers that check drivers’ vehicles. This sounds like software plus business operations — some work, but proportional to the business opportunity of the Uber Teen service. It feels particularly reasonable because fingerprint security is increasingly common. While an employee at Microsoft, I had to present my fingerprint to my phone’s Authenticator app to activate two-factor authentication to access company resources. CPUC similarly seeks fingerprint security for drivers transporting unaccompanied minors. Why should a minor’s safety get less protection than a company’s secrets?
In a filing before the CPUC, Uber argued that higher registration requirements for Uber Teen drivers would reduce the number of drivers, hence increasing prices to passengers. But if Uber Teen rides pay drivers materially more than regular rides, drivers have corresponding incentive to get registered. The only sustainable price gap is the result of the time or difficulty of registration, but by all indications that’s minimal. If a driver’s registration burden is small, as it should be, the price gap should also be small. Supply and demand.
The most charitable reading of Uber’s message to users is that Uber would like to comply with CPUC’s requirements, but had too little time. Yet here too, Uber’s position is in tension with the facts. Uber had long known CPUC took a dim view of its service to teens, including correspondence with CPUC staff as early as January 5, 2024. On March 14, 2024, Uber filed a motion seeking approval of its service for teens. CPUC’s rulemaking was published on October 30, 2024, giving Uber a further 30 days to come into compliance. And Uber says it intends to continue service for teens until December 23, 2024. That marks 353 days since Uber was on notice of the disagreement, and 54 days between CPUC’s rulemaking and Uber’s scheduled withdrawal of service. If Uber had used those 54 days effectively, not to mention those 353, there’s every indication it could have met CPUC’s requirements. If Uber needed additional time, it could have explained how long and why. Nothing about CPUC’s approach or timetable compelled Uber to withdraw its service for teens.
Any Uber complaint about too little time to comply is further undermined by CPUC’s 2016 guidance and Uber’s reply. In particular, CPUC specifically put Uber on notice that it would need an additional approval to launch service for minors, and Uber promised to discuss with CPUC before launching any such service. So any new urgency is of Uber’s creation.
Nothing could be more fundamental to the Democratic process than informed constituents making their views heard. And the CPUC did solicit comments, though for whatever reason none were received.
But what Uber envisions now is something quite different than informed public comments. Instead, Uber provides its users with, at most, a portion of the information they would need to evaluate the disagreement. Consider: Uber’s email to users claims “new rules requiring significant changes to Teen accounts” but doesn’t say a word about what those rules are or what changes would be required. (In fact by all indications the changes are only to driver verifications, not to user accounts.) While CPUC posted a detailed rulemaking with discussion of rationale and alternatives, Uber doesn’t mention any such document available — not a link, not even the title of the proceeding. Uber’s email asks users to “let the CPUC know” “if teen rides are important to your family”, but the question before CPUC isn’t whether teen rides are important, but rather what verifications are appropriate to provide sufficient safety for those rides.
When Uber delivers user comments to CPUC, will it deliver them all? Or just those that support its position? There’s reason to suspect shenanigans: In 2015, Uber delivered 8 boxes of supposed user petitions to regulators in St. Louis, but the boxes turned out to contain only water bottles.
Uber’s attempt to turn users against CPUC is reminiscent of the company’s infamous 2015 “De Blasio mode” which mobilized users against proposed New York regulations. There, as here, Uber treated users like pawns in an astroturf operation — giving users incomplete information designed to prompt an immediate forceful response. Uber plainly hopes to flood CPUC with complaints about regulation supposedly causing suspension of Uber Teen. But users might have second thoughts if they knew the full picture. Users surely value the low prices Uber emphasizes, but for transporting unaccompanied minors, safety is bound to be a priority too. Ultimately Uber gave users no way to judge whether its protections are sufficient or whether CPUC’s requirements would actually be useful. With the limited context Uber provides, what can a user usefully tell CPUC? At a minimum, Uber should have linked to the CPUC rules at issue, should have summarized what it saw as most objectionable, and should have offered a specific alternative. A better approach, to give users a full sense of the debate, would have summarized the rationale CPUC offered for its approach, fairly and evenhandedly, so users would be closer to deciding for themselves. Predictably, Uber did none of this.
These days, Uber seeks to portray itself as kinder and gentler, supposedly reformed from its scandalous peak of 2015-2017. Uber now sponsors NPR. Chief Legal Officer Tony West is Kamala Harris’s brother-in-law and campaign advisor. But has the leopard really changed its stripes? Tellingly, Uber’s terms of service still require users with disputes to file arbitrations (not lawsuits) before an arbiter Uber chooses, and ban users from filing class actions so a single set of lawyers can efficiently pursue the claim for everyone affected. Suppose Uber gets its way and returns to transporting unaccompanied minors without the fingerprints CPUC requires. If something terrible happens — a kidnapping, assault, or worse — Uber’s terms says passengers cannot even sue. This episode smacks of the Uber of a decade ago. I’ve added it to Uberscandals.org in lobbying, regulators, and safety.
Deep-dives with extended quotes
United States v. Google (ad tech)
Texas et al. v. Google (ad tech)
United States v. Google (search)
Epic Games v. Google / In Re Google Play Store Antitrust Litigation
Google Discovery Violations in In re Google Digital Advertising Antitrust Litigation
Google has been in the news not just for multiple litigation losses on the merits of antitrust cases, but also for repeated failures to preserve and produce relevant documents. Let me offer five themes from the discovery proceedings.
First, Kent Walker’s 2008 memo warned employees against putting their frank ideas into documents that might be “used against” Google in litigation. In the same memo, Walker also announced a reduction in retention for certain chats, all but instructing employees to move sensitive discussions to off-the-record chats. The United States called the Walker memo “an early hallmark of Google’s intent to deprive litigants of evidence.” Indeed, with Walker counseling employees on what to retain, litigants must wonder whether surviving documents truly reflect genuine business discussions, versus a strategically-incomplete record created in anticipation of litigation. Examining Google’s documents in the search case, Judge Mehta remarked:
[T]he court is taken aback by the lengths to which Google goes to avoid creating a paper trail for regulators and litigants. It is no wonder then that this case has lacked the kind of nakedly anticompetitive communications seen in Microsoft and other Section 2 cases. … Google clearly took to heart the lessons from these cases. It trained its employees, rather effectively, not to create ‘bad’ evidence.
Second, Google employees moved communications out of email and into “chat” where, as Walker indicated, Google did not preserve documents by default. In any 1:1 chat, even among employees whose business responsibilities made them subject to document preservation obligations, Google’s internal chat tool defaulted to not saving materials—thereby causing them to be deleted and not provided in litigation. So too for group chats where an employee set history to off. Of course employees knew this and often discussed the need to move to an off-the-record environment exactly to avoid document retention. Employees’ use of these methods wasn’t some rogue tactic, nor any surprise; quite the contrary, Google’s training encouraged exactly this, calling chat “better than email” because it is “not retained by Google as emails are.” Even current Google CEO Sundar Pichai participated in the ruse, remarking “also can we change the setting of this group to history off.” Like others, Pichai knew exactly what he was doing: In a special hearing in the search case as Judge Mehta investigated Google’s discovery violations, Pichai testified that he “was aware” that default chat settings and history-off chats deleted messages after just 24 hours even if a litigation hold required their retention.
Third, Google employees practiced “fake privilege”—adding an attorney to an email thread not genuinely to seek legal advice, but to create a veneer of privilege. For years, Google withheld such emails from its litigation adversaries, and only under pressure from litigants did Google recently begin to reclassify documents. Even when Google ultimately de-privileged some documents, this caused substantial delay to litigation and, as the Department of Justice remarked in the ads case, created “administrative chaos” including Google retroactively “downgrading” the privilege of more than 40,000 documents. Here too, the problem goes all the way up to Google CEO Sundar Pichai, who admitted adding lawyers when he was “seeking confidentiality for the document” and not “really seeking legal advice.”
Fourth, Google’s most senior executives showed a lack of candor in both their memories and their document preservation practices. This problem first arose in Viacom v. Google copyright litigation. For example, Google co-founder Larry Page was strikingly evasive when deposed in that case, stating 132 times “I don’t recall,” including on subjects that were widely discussed internal to Google, at Google’s board, and even in public. Meanwhile, then-CEO Eric Schmidt unapologetically reported that “it was my practice to delete or otherwise cause the e-mails that I read to go away as quickly as possible,” despite participating in discussions on subjects where litigation was foreseeable, actually foreseen, or for that matter underway. Viacom summarized the problem:
This Court can decide whether these key executives and witnesses behaved with the level of candor and respect for the legal process that this Court has a right to expect from senior executives of important public companies.
In comparison, Sundar Pichai’s recent approach is, in these respects, an improvement. Yes, Pichai improperly used chat to avoid creating an unfavorable record. And yes, he added lawyers to a thread to try to increase confidentiality (not actually seeking legal advice). But when called to testify under oath, at least Pichai told the truth about what he did and why. At least sometimes. In Epic Games, Plaintiffs presented evidence of Pichai not just asking for history to be turned off, but trying to delete history himself—an action which Pichai said he “d[id]n’t recall.”
Ultimately there’s no escaping the role of senior executives in these discovery violations. Above I remarked on discovery disputes implicating CEO Pichai, co-founder Page, and former CEO Schmidt. Also at issue: Susan Wojcicki, then-CEO of YouTube, who proposed that Robert Kyncl (then Chief Business Officer of YouTube) “send via Hangouts” because that is “off the record,” or if not, she “can change to off the record.” And Kent Walker, whose guidance and policy change set this mess in motion, was and remains Google’s General Counsel. I do not even attempt to list the countless senior vice presidents and vice presidents who appear in the discovery violation proceedings. Of Google’s many participating executives, only Walker currently faces even the possibility of a personal sanction—a request from American Economic Liberties Project and others that the California State Bar investigate and penalize according to its rules.
Fifth, Google’s discovery violations have been unfolding in slow-motion for years, with no real penalty to date. Below, I trace Google’s discovery tactics back to Viacom v. Google—where discovery questions were only partially briefed, and never decided, but nonetheless show the beginnings of this problem more than a decade ago. This year, the DOJ’s two antitrust cases against Google revealed many new details about Google’s discovery tactics. Yet Google Play Store Antitrust Litigation in 2022 uncovered the basic problem—Google training employees to use chat rather than email, and not retaining those chats. Two years later, courts are still grappling with the problem and exploring what, if anything, to do about it.
***
Many excellent articles summarize courts’ decisions about Google document preservation. But these articles largely focus on what judges wrote, without the color that comes from detailed briefing by plaintiffs, not to mention extended quotes from the underlying documents. In the pages linked below, I organize (what I hope to be) most relevant exhibits, briefing, and decisions in the cases at issue. Realistically, I don’t have it all—but with the deep links I offer (to detailed filings with detailed quotes) and with the free online tools I invoke (where full dockets are organized and, mostly, full-text searchable), diligent readers are positioned to find even more. Send suggestions for addition.
For those who have followed Google spoliation proceedings, the newest three cases are familiar—though I’ve found documents and quotes not elsewhere called out. Meanwhile, the 2010 Viacom v. Google proceedings are also worth a read because, more than a decade earlier, that case raised much the same questions—whether Google honored its discovery obligations, and if not, what to do about it.
United States v. Google (ad tech)
United States v. Google (search)
Epic Games v. Google / In Re Google Play Store Antitrust Litigation
Google Discovery Violations in In re Google Digital Advertising Antitrust Litigation