What Google does when a government requests your data

Summary: In a "frequently asked questions" page, the search giant explains what exactly happens when a government agency or law enforcement requests your personal or private data.


It's time to face facts: Google wants your data, but governments around the world want it more.

Google Transparency Report shows US leads in user data requests.
(Credit: Google)

Google has as much, if not more, data on you than your own government does. Google, as a private company with its own interests, is not fully subject to the Fourth Amendment under US law, which guards against "unreasonable searches and seizures." Google is no different than Microsoft, Facebook, Yahoo, Apple, or any other major technology company that makes money from your information.

All of the aforementioned companies are subject to legal requests by US authorities, and other governments around the world. But it is in their own interests to hold onto your data and not turn it over to governments and other authorities--especially those with less-than-respectable track records on user privacy or human rights.

And that's why they sometimes fight.

Today, Google chief legal officer David Drummond took to Google's blog to state exactly that. In a rare move of transparency by a technology company, Drummond also explained the process in which user data is given to governments and law-enforcement agencies--not easily, it turns out, and more often than not with considerable conflict.

"We're a law-abiding company, and we don't want our services to be used in harmful ways," Drummond wrote. "But it's just as important that laws protect you against overly broad requests for your personal information," he added, noting that the company will "continue our long-standing strict process" for handling user data requests.

What does Google do when it receives a request?

In the blog post, Drummond said Google will "scrutinize the request carefully" to ensure that it meets a legal standard and its own internal policies. The request must be generally "made in writing, signed by an authorized official of the requesting agency, and issued under an appropriate law."

An "appropriate law," however, is particularly interesting wording. If Google has a presence in a country where that government is requesting data under the law of that jurisdiction, Google may have to comply; at the very least, it will listen. For instance, if a libel case is brought up from a UK court, Google must honor that request because it has a physical presence in that country.

But legal action in countries such as Zimbabwe, North Korea, or Myanmar (Burma)? It's a little easier for Google to flat-out refuse it.

Google can decide to ask the requesting authority to "narrow the request" if it is overly broad. It can also simply flat-out refuse the request, but this carries legal dangers.

The search giant said that if "your account has been closed," then it can't notify you. However, in some cases, "we sometimes fight to give users notice of a data request by seeking to lift gag orders or unseal search warrants."

Still, in many cases, Google cannot tell a user whose data is being requested that their government or a foreign law-enforcement agency is requesting it. Gag orders are often issued by requesting governments--to avoid legal action by the user in question, or to prevent the data from being deleted, or in cases where a group of people may be under the same or similar requests and the requesting agency doesn't want others to find out. This tends to occur during sensitive investigations relating to children, fraud, or terrorism.

Google may hand over data on user accounts--which may include IP addresses, metadata, and other personal data--but search queries are a "no," Drummond noted, thanks to a 2006 legal ruling in which the company fought the US Department of Justice over its overly broad request of user data, including search queries.

What kind of data is requested?

Arguably, the most important and privacy-sensitive Google service for customers is Gmail. Google explains that the data it reluctantly gives to requesting authorities differs depending on the type of request it receives.

For instance:

    • Subpoena:
      • Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number)
      • Sign-in IP addresses and associated time stamps

    • Court order:
      • Non-content information (such as non-content email header information)
      • Information obtainable with a subpoena

    • Search warrant:
      • Email content
      • Information obtainable with a subpoena or court order

Google said it will e-mail users if their data has been requested, so long as a gagging order does not prevent it from doing so. "Just because we receive a request doesn't necessarily mean that we did--or will--disclose any of the requested information," the FAQ said. But, "we can't give you legal advice," Google said, so "you may want to consult a lawyer."

Topics: Privacy, Google, Government, Security

  • I don't see any problem...

    I simply use my neighbor's address.
    FBI stopped there several times now! LOL!!!!!
    Poor little 87 year old lady.
  • So you're the reason

    my grandma was indicted last week!
  • Send them on wild goose chases.

    Weaponized Anthrax.
  • Short answer:

    we do what the government orders us to because they are the government and we are not. Yes, we know that you have been indoctrinated to think that governments are benevolent deliverers of utopia and the corporations are the focus of evil in the modern world, but, well, reality isn't interested in what you think is true.
    • So we should do what corporations order us to do?

      Perhaps look for a way to transfer governmental authority from the U.S.A to the U.S. Chamber of Commerce?
      John L. Ries
  • How much money Google receives from these requests

    Governments use taxpayers' money to pay Google for these requests. It is extremely important for Drummond to explain the price Google charges each government for these requests, since it's public money that is being used.
    Gabriel Hernandez
    • A fair sum for retrieval costs.

      Of course it's public money being used. What's your point?
  • What Google does when a government requests your data

    I'm surprised that Google doesn't charge the government for requests. They sell the data to everyone else. Google only has your data if you sign in; don't sign in and they won't know who you are.
  • If Google wants to do business, they have to follow the rules

    Pursuant to European legislation, the applicable data privacy laws are regulated in accordance with the location of the client/customer. The same applies to other legislation, such as consumer rights, etc.

    In other words, Google must follow the regulations of every country where they want to do business.

    If they do not follow the rules, Google's products and services may be denied market access.

    Google is a signatory to the US-EU Safe Harbor provisions. This signifies that Google guarantees an adequate protection of data (as defined in the EU Directive). Google can be fined and assets seized etc.
  • Great article...

    Very informative article, Thanks a lot. :-)
  • Longer than you think...

    Many years ago, as a mainframe programmer for an airline that has long gone out of business (for other reasons), when airlines were almost the only business that validated credit cards with real time access to the data (if it was issued by the same airline), a request came from a government agency, with a search warrant, to trigger a call when a certain stolen card was used to buy a ticket, for police to go directly to the airport without tipping off the cardholder or the ticket agent. This was so rare and unprecedented that, rather than use the normal database (which had no such option; the only options were to sell, decline, or decline and confiscate the card), we had to put the logic to check for that number into the online software directly. But not in the source code where any other programmers in the company could find it. We had to code up, and punch into cards, a "patch" that altered the compiled code when that module was installed, by inserting direct machine language. Only the IT director and the programmers knew of that patch, which instructed the machine room operator to call the authorities. I believe it was triggered a few months later and the person of interest was caught doing something. Whether the patch was later altered to use on someone else, I have no idea.

    Now, it seems that an agent hacking into a server could do something like that from their own office without the company that owned the server, or the company issuing the card, even knowing! Times have changed!