Computers, Privacy & the Constitution

Exposing the tip of the iceberg – Google begins tracking government data requests

Fresh from its very public fistfight with the Chinese Communist Party, Google deserves praise for its unveiling of a new online tool that helps to shed light on the number of user data and content removal requests that it receives each year from government agencies around the world. The information, which can be found at www.google.com/governmentrequests, logs the total number of data and removal requests that the company received between July 1, 2009 and December 31, 2009.

‘User data requests’ refers to requests from (unnamed) government law enforcement agencies that are made in the context of criminal investigations. According to Google, these requests “do not follow a standard format or necessarily seek the same kinds of information”, and cover a range of data including “basic subscriber information or contents of emails”. A single request may relate to multiple users and/or categories of information.

The league table appearing on Google’s page grants Brazil the dubious honor of taking out first place, with a total of 3,663 data requests (Google says it was not able to include China’s statistics on the basis that such information is treated as a state secret by the Chinese government). The U.S. comes in a close second with 3,580 – more than double the number of requests by the U.K. (1,166), which rounds out the top three.

Assuming that the figures for the first half of 2009 reflect a similar pattern, the data suggests that the U.S. government can be expected to make something in the order of 7,000 to 8,000 user data requests to Google each year (though Google says on its site that the totals for each country have been increasing annually). Whilst this represents a far smaller number compared to what appear to be the millions of real time location requests that law enforcement agencies have been logging with American cell phone network providers, the data requests made of Google potentially have a far greater scope, not only in terms of the type and quantity of personal information that is being sought, but also the ways in which such information can be used.

Google says that it aims to eventually provide a more detailed breakdown of the specific categories of information being sought in the user data requests. This would be a crucial step forward in terms of introducing some minimal degree of transparency to what is a highly insidious form of government activity. We already know from Google’s site that some user data requests are directed at the contents of email, but what about the remainder of Google’s growing panoply of online products and services? Users have an interest in knowing whether their governments are seeking to learn about their YouTube? viewing habits, online map searches, electronic book viewing, or, perhaps most crucially, the records of their use of the principal Google search bar. People who use these products on the assumption that such information could never be routinely obtained and used against them might behave differently online if they knew otherwise. Should Google make good on its promise to provide more details about the form and scope of user data requests, it will be interesting to see whether such a move will trigger some form of pushback from government agencies (and whether Google will tell us about it).

The information provided by Google in relation to its compliance with these data requests is somewhat ambiguous. The company says that where a request is made in relation to a broad spectrum of data, it will “disclose only the information [that Google believes it is] legally required to share.” This raises several issues that pertain to the major themes of our course. From a Fourth Amendment perspective, aside from the question of whether user data requests constitute warrantless searches, it could be said that Google’s response is illustrative of the way in which the responsibility for adjudicating ‘probable cause’ has, at least in this context, shifted away from the courts and is now largely in the hands of corporate entities. Having been placed in this uncomfortable position, not every company will have the resources or altruistic values to adopt Google’s stance regarding compliance. And after all, why should they? It may be perfectly reasonable for such entities to argue that they never signed up to adjudicate this aspect of the legal relationship between the citizen and the state, and that it is consequently unfair to expect them to apply a judicial approach to weighing the competing claims of these two actors.

I don't think you've completed the analysis here. Google says it will only provide to governments data it is legally required to share because it wishes to avoid any possible civil liability to anybody for sharing information that it was not legally required to provide. Even where there are no possible liability consequences, Google's business is monetizing search through brokering advertising targeted to users on the basis of data-mining streams of relevant personal information they voluntary allow Google to mine. Such a business would be decisively interfered with by customers' conclusion that Google provides more to governments than it is legally required to share. Any competitor is automatically in the same position.

Whether corporate intermediaries have an obligation to at least disclose the fact of the existence and scope of data requests from government agencies, is, however, a different matter. In this regard, Google deserves applause for making some attempt to be open about its practices in the hope that it will encourage greater awareness of these issues.

Once again, unless it is legally prevented from releasing the information (in which case it has yet to show any inclination or motivation to break the law), Google can suffer no harm by releasing information it could conceivably be liable for withholding. Why would any conceivable competitor find a different outcome? Only because it did not believe it could be held liable for withholding that information. This is why immunizing telecommunications and information services providers is such a crummy idea.

There is no indication that phone or credit card companies, for example, would ever be prepared to make similar overtures. At the risk of understating the problem, it is not ideal that the defence of our civil liberties should be so reliant upon the altruistic whim of ultimately self-interested corporate actors who have become the repositories of vast amounts of our most valuable personal information. Thanks to Google, we can at least say that it’s better to be able to see only the tip of the iceberg than be fooled into thinking there’s nothing beneath the surface.

-- RicoJ - 23 Apr 2010

I think this is a strong draft. I've indicated where I think it needs to be considered a little further.

 

Navigation

Webs Webs

r2 - 11 May 2010 - 23:52:50 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM