What Google does when a government requests your data

Summary:In a "frequently asked questions" page, the search giant explains what exactly happens when a government agency or law enforcement requests your personal or private data.

It's time to face facts: Google wants your data, but governments around the world want it more.

Screen Shot 2013-01-28 at 08.36.09
Google Transparency Report shows US leads in user data requests. (Credit: Google)

Google has as much, if not more, data on you than your own government does. Google, as a private company with its own interests, is not fully subject to the Fourth Amendment under US law, which guards against "unreasonable searches and seizures." Google is no different than Microsoft, Facebook, Yahoo, Apple, or any other major technology company that makes money from your information.

All of the aforementioned companies are subject to legal requests by US authorities, and other governments around the world. But it is in their own interests to hold onto your data and not turn it over to governments and other authorities--especially those with less-than-respectable track records on user privacy or human rights.

And that's why they sometimes fight.

Today, Google chief legal officer David Drummond took to Google's blog to state exactly that. In a rare move of transparency by a technology company, Drummond also explained the process in which user data is given to governments and law-enforcement agencies--not easily, it turns out, and more often than not with considerable conflict.

"We're a law-abiding company, and we don't want our services to be used in harmful ways," Drummond wrote. "But it's just as important that laws protect you against overly broad requests for your personal information," he added, noting that the company will "continue our long-standing strict process" for handling user data requests.

What does Google do when it receives a request?

In the blog post, Drummond said Google will "scrutinize the request carefully" to ensure that it meets a legal standard and its own internal policies. The request must be generally "made in writing, signed by an authorized official of the requesting agency, and issued under an appropriate law."

An "appropriate law," however, is particularly interesting wording. If Google has a presence in a country where that government is requesting data under the law of that jurisdiction, Google may have to comply; at the very least, it will listen. For instance, if a libel case is brought up from a UK court, Google must honor that request because it has a physical presence in that country.

But legal action in countries such as Zimbabwe, North Korea, or Myanmar (Burma)? It's a little easier for Google to flat-out refuse it.

Google can decide to ask the requesting authority to "narrow the request" if it is overly broad. It can also simply flat-out refuse the request, but this carries legal dangers.

The search giant said that if "your account has been closed," then it can't notify you. However, in some cases, "we sometimes fight to give users notice of a data request by seeking to lift gag orders or unseal search warrants."

Still, in many cases, Google cannot tell a user whose data is being requested that their government or a foreign law-enforcement agency is requesting it. Gag orders are often issued by requesting governments--to avoid legal action by the user in question, or to prevent the data from being deleted, or in cases where a group of people may be under the same or similar requests and the requesting agency don't want others to find out. This tends to occur during sensitive investigations relating to children, fraud, or terrorism.

Google may hand over data on user accounts--which may include IP addresses, metadata, and other personal data--but search queries are a "no," Drummond noted, thanks to a 2006 legal ruling in which the company fought the US Department of Justice over its overly broad request of user data, including search queries.

What kind of data is requested?

Arguably, the most important and privacy-sensitive Google service for customers is Gmail. Google explains that the data it reluctantly gives to requesting authorities differs depending on the type of request it receives.

For instance:

    • Subpoena:

      • Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number)

      • Sign-in IP addresses and associated time stamps

 

    • Court order:

      • Non-content information (such as non-content email header information)

      • Information obtainable with a subpoena

 

    • Search warrant:

      • Email content

      • Information obtainable with a subpoena or court order.

 

Google said it will e-mail users if their data has been requested, so long as a gagging order does not prevent it from doing so. "Just because we receive a request doesn't necessarily mean that we did--or will--disclose any of the requested information," the FAQ said. But, "we can't give you legal advice," Google said, so "you may want to consult a lawyer."

Topics: Privacy, Google, Government, Security

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.