Updated with a clarification from Google below.
It may be easier than you think for government entities to demand the private data you've stored on Google's servers. Most of the time, it doesn't even require a judge's signature.
On Wednesday Google released its semi-annual Transparency Report, its voluntary admission of how many times it removed data from its services or quietly handed users' information to government agencies in the last six months. Between July and December of 2012, Google says it received 8,438 U.S. government requests for its users' data and complied to some degree in 88% of those cases. That's up a remarkable 33% from the 6,321 data requests Google received in the same period the year before, and marks a 70% increase since Google first started issuing its Transparency Reports in 2009.
But the new wrinkle in Google's data is a breakdown of how many of those requests approached Google with a search warrant: Just 22%, according to the company. By contrast, 68% of requests were issued only with a subpoena, which unlike warrants don't require showing a judge "probable cause"--solid evidence that the data was relevant to a crime. (The other 10% of the requests involved some sort of court order or other miscellaneous process.)
That's not a surprise, but it is a dangerous sign for the privacy of data stored in the cloud, says Chris Soghoian, principal technologist for the ACLU. "It isn't surprising that the government so heavily relies on subpoenas," says Soghoian. "They are easier to get."
He points to the responses from wireless carriers to a letter from Congressman Ed Markey last year, which revealed that the companies handed data over to the U.S. at least 1.3 million times in the previous 12 months. Of those, 500,000 were warrantless subpoenas for user information from Sprint alone. "The lesson from Google's data and the data from the wireless carriers is that the vast majority of government electronic surveillance is not subject to judicial supervision," says Soghoian. "That, by itself, should alarm all Americans."
Google has never spelled out precisely how it determines which government data requests to comply with, although it has implied that it only does so when it is legally required. I asked Google policy director Dorothy Chou last year about the standard the company applies, and she responded that the company requires that the requests be made in a written form, are sent from an appropriate agency, cite a criminal case and are sufficiently narrow in their demands, both in terms of which users are affected and what time frame of data is requested. “We want to show that we’re advocating on your behalf. But we also want to do right by the spirit and letter of the law,” Chou said.
Update: In a statement to Wired, Google clarified that it demands a warrant for all content data from its email, storage and other services, despite the fact that a warrant isn't legally required under the Electronic Communications Privacy Act. (ECPA) But that warrant requirement leaves out so-called "non-content" data such as users' IP addresses, locations and the names of contacts.
Google has called for the reform of the ECPA that makes easy warrantless legal requests possible in the United States, along with other members of a group of tech firms and non-profits known as Digital Due Process that includes Apple, the ACLU, Facebook, Microsoft, the Electronic Frontier Foundation and many others.
The company, it's worth noting, has also been ever-so-slowly reducing its compliance with the governments' ballooning data demands. Its 88% fulfillment of the requests is down from 90% last year and 94% in 2010. And Google's willingness to reveal this data in the first place should be seen as a credit to the company's respect for privacy. Others like Facebook and Microsoft--as well as the wireless carriers that hemorrhage hundreds of thousands of users' information--offer no such transparency.
Other companies like Twitter and the regional Internet service provider Sonic.net have adopted Google's practice of reporting the government data requests they receive. But the search giant's new move to expose how few of those requests come with a warrant sets a new standard for openness about the issue of porous data borders between companies and law enforcement.
"We’ll keep looking for more ways to inform you about government requests and how we handle them," writes Google legal director Richard Salgado in a blog post. "We hope more companies and governments themselves join us in this effort by releasing similar kinds of data."
—
Follow me on Twitter, and check out my new book, This Machine Kills Secrets: How WikiLeakers, Cypherpunks and Hacktivists Aim To Free The World’s Information.
