Following the release of its most recent Transparency Report last week, Google has revealed more details about how it deals with law enforcement requests for user data. The move comes amidst ongoing efforts to update a U.S. online privacy law that many, including Google, believe is outdated and broken.
“It’s important for law enforcement agencies to pursue illegal activity and keep the public safe,” writes David Drummond, Google Senior Vice President and Chief Legal Officer, on the company blog. “We’re a law-abiding company, and we don’t want our services to be used in harmful ways. But it’s just as important that laws protect you against overly broad requests for your personal information.”
Google says it helps ensure that you are protected from overly broad requests in a number of ways, which Drummond outlines below:
- We scrutinize the request carefully to make sure it satisfies the law and our policies. For us to consider complying, it generally must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law.
- We evaluate the scope of the request. If it’s overly broad, we may refuse to provide the information or seek to narrow the request. We do this frequently.
- We notify users about legal demands when appropriate so that they can contact the entity requesting it or consult a lawyer. Sometimes we can’t, either because we’re legally prohibited (in which case we sometimes seek to lift gag orders or unseal search warrants) or we don’t have their verified contact information.
- We require that government agencies conducting criminal investigations use a search warrant to compel us to provide a user’s search query information and private content stored in a Google Account—such as Gmail messages, documents, photos and YouTube videos. We believe a warrant is required by the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable search and seizure and overrides conflicting provisions in [the Electronic Communications Privacy Act] ECPA.
In addition to these efforts, Google is also part of a broad coalition of tech companies and online rights advocacy groups called Digital Due Process, which is devoted toward changing the ECPA. Drummond says Google also has “other initiatives” to address problems with the ECPA.
As it is currently written, the ECPA does not require law enforcement agents to obtain a search warrant to gain access to emails, instant messages, and files stored with a third-party cloud storage service as long as the “communications” are older than 180 days. Instead, only a subpoena is required, which can be obtained with little to no judicial oversight. However, companies like Google have some legal wiggle-room when it comes to user data requests thanks to two federal court decisions which found that warrantless requests for user emails are unconstitutional.
According to Google’s most recent Transparency Report, 68 percent of the 8,438 requests made by the U.S. government from July through December 2012 were done through subpoena only. Google says it complied with 88 percent of all requests, and has added a new “FAQ” section to the Transparency Report regarding government requests for user data.
While past efforts to update the ECPA have failed to gain meaningful headway in Congress, Sen. Patrick Leahy (D-VT), who has led two unsuccessful reform efforts in the past few years, will reportedly try again in 2013.