What Google does when a government requests your data

Summary: In a "frequently asked questions" page, the search giant explains what exactly happens when a government agency or law enforcement requests your personal or private data.


US vs. non-US requests

Because Google is a US-based company, the firm falls squarely under US law, which makes it difficult for it to ignore a request from its home government.

The company explained that under one particular strand of US law, requests for "stored data" can be made, but that requests can also fall under different areas of law--including the Patriot Act, among others. Because Google is effectively a data-storage company, in that it stores your data online so you can access it at any point in any location, most of its requests fall under a specific "stored data" law.

"By far the most common is the subpoena, followed by search warrants. A federal statute called the Electronic Communications Privacy Act," the same law that General David Petraeus was busted for during the "Gmail-affair-gate" controversy, "known as ECPA, regulates how a government agency can use these types of legal process to compel companies like Google to disclose information about users. This law was passed in 1986, before the web as we know it today even existed. It has failed to keep pace with how people use the Internet today."

While ECPA can allow a government agency to compel the disclosure of certain kinds of data with a subpoena or an ECPA court order, "Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the US Constitution, which prohibits unreasonable search and seizure."

Google works with the Digital Due Process Coalition, a group that "[seeks] updates to this important law so it guarantees the level of privacy that you should reasonably expect when using our services."

EU law makes it difficult--though not impossible--for Google to hand over data to non-EU countries.

If Google was based in the European Union (EU), however, the situation would be slightly difficult. It's not easy for a European-based firm to hand over data to a country's government that doesn't have the same strict data-protection rules as the 27 member-state bloc of the European Union.

However, in some "emergency cases," the search giant will "voluntarily disclose user information to government agencies when we believe that doing so is necessary to prevent death or serious physical harm to someone." If a US or foreign law-enforcement agency tells Google that a case involves "kidnapping or bomb threats," for example, Google said the "law allows us to make these exceptions" and help authorities if the request is valid and an immediate threat to life exists.

How Google responds to foreign, non-US governments

But outside the US, Google doesn't really have the same level of requirement to hand over data to foreign governments or law-enforcement agencies--particularly if Google doesn't have a physical presence in the country of that requesting state.

Mutual Legal Assistance (MLA) allows a government that has no jurisdictional power over a person or company to seek help from the foreign government where that person or company resides.

In this case, it means a foreign government--like the UK, France, or Germany, for example--would have to put in an "MLA request" to the US Department of Justice requesting help. The government agency would then knock on Google's big-data door as it has jurisdictional power.

MLA treaties exist between most countries in the world, but not all. This means it can keep some countries at a distance in order to prevent other governments from harming their own citizens, as in Syria, for example.

"If US law is implicated in the investigation, a US agency may open its own investigation and provide non-US investigators with evidence gathered. Google may also disclose data in response to emergency disclosure requests when we believe that doing so is necessary to prevent death or serious physical harm to someone," the FAQ noted.

If a non-US agency goes through a diplomatic channel such as an MLA request, "Google would produce the same information as if the request originated directly from a US agency."

However, Google will still occasionally hand over data under "emergency requests" to foreign governments on a "voluntary basis." Also, the company may provide user data to foreign, non-US governments if that government's request is "consistent with international norms," which allows Google to flat-out deny countries that may use that data to crack down on dissidents or political activists--ahem, China.

But MLA isn't the only option for foreign governments

"There are many ways that other countries can obtain information from companies like Google outside of the [mutual legal assistance] process, including joint investigations between US and local law enforcement, emergency disclosure requests, and others."

The "others" bit is interesting, however. Some foreign governments have laws that could force Google, and other companies based in the US and around the world, to perform actions locally, rather than where it's headquartered in the US. For instance, the UK government could invoke the Terrorism Act or the Regulation of Investigatory Powers Act (RIPA) against Google UK, which could force the UK-based subsidiary into handing over local data, and prevent it from telling its parent company.

It could also work in reverse, with the US government forcing a Google subsidiary in the UK or Europe to hand over data belonging to an EU citizen--in spite of strong European data-protection laws--back to the US without that person's knowledge. But, Google will "sometimes fight to give users notice of a data request by seeking to lift gag orders or unseal search warrants." With some areas of US law, that would still be nigh on impossible.

These cases are hypothetical, but entirely possible--and if they do happen, very rare.

The bottom line

Google has done something extraordinary here. Through leaked documents and law-enforcement guides, it has been previously disclosed how some companies--Facebook comes to mind--deal with requests from law-enforcement agencies.

But it's very rare for a company as large as Google to openly admit that not only does data get requested by governments around the world, but that it actively gives that data away where it is all but forced to by local and international law. Google's pioneered the Transparency Report for many years, whereas Microsoft recently found itself in the firing line over Skype sans transparency.

The move should be applauded. That said, the company can only do so much. It can say "how," but not "why."

Speaking to NPR, Drummond said that Google still can't disclose "whether fraud cases generate more requests than, say, national security." He added: "The problem is, in the vast majority of cases, we don't know. Right? And the government isn't required to tell us what they're investigating."

  • I don't see any problem...

    I simply use my neighbor's address.
    FBI stopped there several times now! LOL!!!!!
    Poor little 87 year old lady.
  • So you're the reason

    my grandma was indicted last week!
  • Send them on wild goose chases.

    Weaponized Anthrax.
  • Short answer:

    we do what the government orders us to because they are the government and we are not. Yes, we know that you have been indoctrinated to think that governments are benevolent deliverers of utopia and the corporations are the focus of evil in the modern world, but, well, reality isn't interested in what you think is true.
    • So we should do what corporations order us to do?

      Perhaps look for a way to transfer governmental authority from the U.S.A to the U.S. Chamber of Commerce?
      John L. Ries
  • How much money Google receives from these requests

    Government uses taxpayers' money to pay Google for these requests; it is extremely important for Drummond to explain the price Google charges each government for these requests since it's public money that is being used.
    Gabriel Hernandez
    • A fair sum for retrieval costs.

      Of course it's public money being used. What's your point?
  • What Google does when a government requests your data

    I'm surprised that Google doesn't charge the government for requests. They sell the data to everyone else. Google only has your data if you sign in; don't sign in and they won't know who you are.
  • If Google wants to do business, they have to follow the rules

    Pursuant to European legislation, the applicable data privacy laws are regulated in accordance with the location of the client/customer. The same applies to other legislation, such as consumer rights, etc.

    In other words, Google must follow the regulations of every country where they want to do business.

    If they do not follow the rules, Google's products and services may be denied market access.

    Google is a signatory to the US-EU Safe Harbor provisions. This signifies that Google guarantees an adequate protection of data (as defined in the EU Directive). Google can be fined and assets seized etc.
  • Great article...

    Very informative article, Thanks a lot. :-)
  • Hey Google

  • Longer than you think...

    Many years ago, as a mainframe programmer for an airline that has long gone out of business (for other reasons), when airlines were almost the only business that validated credit cards with real time access to the data (if it was issued by the same airline), a request came from a government agency, with a search warrant, to trigger a call when a certain stolen card was used to buy a ticket, for police to go directly to the airport without tipping off the cardholder or the ticket agent. This was so rare and unprecedented that, rather than use the normal database (which had no such option; the only options were to sell, decline, or decline and confiscate the card), we had to put the logic to check for that number into the online software directly. But not in the source code where any other programmers in the company could find it. We had to code up, and punch into cards, a "patch" that altered the compiled code when that module was installed, by inserting direct machine language. Only the IT director and the programmers knew of that patch, which instructed the machine room operator to call the authorities. I believe it was triggered a few months later and the person of interest was caught doing something. Whether the patch was later altered to use on someone else, I have no idea.

    Now, it seems that an agent hacking into a server could do something like that from their own office without the company that owned the server, or the company issuing the card, even knowing! Times have changed!