Google has published the latest update to its Transparency Report, which documents requests from governments for Google to remove content from its services or hand over information about Google account holders. Google started reporting the information back at the beginning of 2010, when Google was going head-to-head with the Chinese government over censoring search results and alleged involvement in a cyberattack on Google services. Google has since updated the report every six months. Google is the only sizable Internet service company that publishes this sort of information.
What does the latest report show? Among other things, the United States government leads the world with requests to Google for information about Google users. Google fielded some 5,950 requests for information about 11,057 unique Google accounts from January through June 2011. That’s a record number, and represents a 29 percent increase from the previous six months. Google complied with 93 percent of those government requests.
So when does Google hand over user account information to governments? And what can that include?
User data requests
Google does not provide case-by-case details about requests it receives to hand over user account data, but claims that the requests are primarily made over criminal matters. It’s worth noting the breadth of that category: Google would file a request from an emergency agency (say, rescuers asking for a user’s most recent location information) the same way. However, Google notes in some cases it has no way of knowing if some requests involve criminal matters or terrorism.
In the United States, provisions of the Patriot Act and the Foreign Intelligence Surveillance Act enable the government to classify the nature of certain information requests. In cases like that, Google would have no way of knowing why the requests were being made, only that the request is classified.
What could Google turn over to authorities? In the United States, Google can be required to turn over essentially all account information on receiving a subpoena. That can include a user’s email address, access history, and any details the user has supplied to Google. For folks using free Google services, that might be next to nothing, but for folks who pay Google (or earn money from Google programs like AdWords) it can be a lot more, including a name, address, phone number, and other billing information. No search warrant is required.
The U.S. Patriot Act has significantly expanded the government’s access to information without a search warrant. If a government attorney can convince a judge that tapping a user’s Internet communications is likely to turn up material relevant to an ongoing criminal investigation (this is not the same standard as “probable cause”), the U.S. Patriot Act can authorize surveillance and disclosure of a great deal of information about user accounts. The Patriot Act also sets up a “flexible standard” that enables the government to indefinitely postpone notification that searches have been executed. In other words, if the feds demand your account information, no one is going to tell you.
If the FBI claims an investigation involves terrorism or clandestine intelligence activities, they can be authorized to access “any tangible thing” including documents, business records, medical records, and more. This is the origin of the FBI’s controversial ability to obtain users’ library lending records. In these cases, the FBI could demand essentially any data Google might have about a user, including location information.
Outside the context of terrorist and intelligence activities, the U.S. government’s ability to access the content of email messages without a search warrant (justified by probable cause) was limited in United States vs. Warshak (PDF). However, if the government can get a search warrant, service providers like Google can be compelled to hand over email they may have on their systems.
Just like in the United States, in other countries, Google has to comply with lawful requests for user account data, where “lawful” is defined under local law. Google claims that it carefully reviews each request and provides only the information that is clearly within the scope and authority of the agency or government making the request, and in some cases may refuse to produce information or attempt to narrow the scope of the information request. The myriad of regulations, sources of authority, and requests Google receives makes it difficult for the company to meaningfully categorize many of the requests. Google notes that it might receive a request for several types of data, but only return a subset of the request. Google hopes to better categorize and quantify the user data requests it gets from governments in the future, but for now all we get is a raw number.
And the winners are…
During the last six months, the top five countries making request to Google for account information are as follows:
Country | Requests | Accounts | Compliance |
United States | 5,950 | 11,057 | 93% |
India | 1,739 | 2,439 | 70% |
France | 1,300 | 1,662 | 48% |
United Kingdom | 1,273 | 1,443 | 64% |
Germany | 1,060 | 1,759 | 67% |
Google complied with more requests from the United States than any other country, although Brazil and Japan come close with compliance rates of 87 percent. Brazil might seem like an odd data point, but remember that Google’s early social networking effort Orkut took off in Brazil… and almost nowhere else. Google has previously pledged to battle child pornography and other illegal activites on Orkut, and fielded more than 700 request for information on over 1,800 user accounts in Brazil, complying with 87 percent of those requests. However, that actually represents a decline in the number of requests Google received from Brazil.
Amongst the top five, the United States, France, Germany and the United Kingdom made more requests for user data in the last six months than they had previously; India stayed about even.
Google says it complied with no data requests it received from Turkey or Russia, and fewer than half the user data requests it received from nine other countries (Poland, Argentina, South Korea, Chile, Hong Kong, Mexico, Canada, France, and the Netherlands).
Content removal
Google’s transparency report also documents requests it receives to remove content from its services, and, unlike user data requests, Google provides some breakdowns on the reasons for the requests as well as the Google service involved. Most often, content removal requests concern Google Web search results as well as services like YouTube and Blogger, but can also apply to services like Picasa, Google Maps, and even Google+. Like user data requests, content removal is a bit tricky for Google to track. For instance, Google will remove some content (like child pornography) as soon as its discovered, regardless of whether it receives a request to take down the content. Content removal requests also don’t reflect when Google services are banned in countries. For instance, Google received no content takedown requests from China for content on YouTube, probably because YouTube is officially banned in China.
In terms of content takedown requests, the United States again led the way, racking up some 2,405 items be removed. Google complied or partially complied with 63 percent of the requests. Google notes that it did not comply with requests to remove YouTube videos purportedly portraying police brutality or defaming local law enforcement officials. Interestingly, defamation is by far the most common reason for content removals from the U.S., covering almost a quarter of the items concerned—and of those, more than half concerned Google Groups. Web search and YouTube came in second and third place, but Web search led the way with the number of takedown requests accompanied with a court order — again, the most common cause was defamation.
In cases where the items didn’t appear to violate Google’s terms of service, Google left the information intact.
Interestingly, the United States did not lead the way in terms of the total number of content removal requests Google received in the last six months: It came in third place behind Brazil and Germany. Brazil’s rank, again, has to do with the popularity of Orkut, and many of the requests from Germany concern violations of German youth protection laws barring content featuring pornography, extreme violence, and Nazi memorabilia.
Cloudy future
Google publishes its transparency report in an effort to stimulate “discussions about the appropriate scope and authority of government requests.” Although the company may have begun publishing the data in response to its difficulties in China, the reports do serve as one of the few data sets surrounding government censorship, as well as government requests for users’ personal information and that information be taken off the Internet. Although Google’s reach is extensive, it is by no means universal. For instance, Google’s reports of user information and takedown requests from China should not be taken as representative of the global Internet industry, and especially not of how the Chinese government interacts with Chinese firms like Baidu and Alibaba.
As people increasingly rely on Internet-based services to manage their day-to-day lives, especially with the popularity of smartphones and tablets supported by Google services and things like Apple iCloud, it’s worth considering that even if a service has a spotless track record for security, it can still be required to hand over copious amount of user information in response to lawful government requests. In the United States, that can include quite a lot of information without the need for a search warrant, and if officials can get a search warrant or decide to wave the terrorism flag, it can include essentially everything.
It’s common to assume that only people who have something to hide have any reason to be concerned. However, it’s important to remember that wanting to keep aspects of one’s life private is not the same thing as doing something illegal, and governments’ track records for managing and utilizing information they obtain for lawful purposes isn’t all that great. How many people have been barred from flying because their names appear for no reason on some watch list or another? And how many have had their identities, personal information, and finances put at risk because of data lost by the governments — or even unwittingly sold at auction? When we place our information in other people’s hands, the bottom line is that it is out of our hands. And, as Google’s transparency reports show, governments seem to be asking for it more and more.