The company has clarified a bit about its process for responding to government requests for user data.
Every single day, dozens of requests from law-enforcement officials, courts, and other government agencies pour into Google's offices, requesting that Google hand over different pieces of information its users have amassed -- whom they've been communicating with, where they've been communicating from, what they've said.
Google recognizes that many of these requests are legitimate, but it certainly doesn't want to be in the business of rubber-stamping them either. In a post on its official company blog, David Drummond, Google's chief legal officer, spelled out the competing concerns the company is attempting balance: "It's important for law enforcement agencies to pursue illegal activity and keep the public safe. We're a law-abiding company, and we don't want our services to be used in harmful ways. But it's just as important that laws protect you against overly broad requests for your personal information."
That puts Google in the position of deciding which of those requests to honor, which to refuse outright, and which to return to sender for further information or refinement. What does that process look like? What standard does Google seek to meet?
Beginning in 2009, Google has published bi-annual updates to its Transparency Report, providing numbers on how many requests has received all over the world. Since that first iteration, Google has made the report deeper and more informative, adding information about compliance rates, copyright-based removal requests, and breaking down the data by type of request -- subpoena, warrant, or "other." In an update today, Google has created a new section called "Legal Process" which starts to answer some of those questions.
First, Google says, "When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Google's policies. Generally speaking, for us to comply, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law." They company will seek to narrow requests it deems are "overly broad." In the accompanying blog post, Drummond says, "We do this frequently."
Then, once a request has been deemed valid, Google will notify users when possible. Sometimes we can't, either because we're legally prohibited (in which case we sometimes seek to lift gag orders or unseal search warrants) or we don't have their verified contact information," Drummond writes.
Finally, in his post, Drummond clarifies that Google will not provide a user's search-query information or the contents of a user's account (email content, pictures, documents, etc.) without a warrant. (Subpoenas are easier to obtain than warrants.) Although the U.S. Electronic Communications Privacy Act (ECPA) does not require a warrant for emails older than 180 days, Google says it believes that under the Fourth Amendment a warrant is required. In addition, Google has advocated for updating ECPA, "so the same protections that apply to your personal documents that you keep in your home also apply to your email and online documents."
Google's policies on these questions aren't significant only because so many people around the world use Google. The company is also the industry leader in setting standards upon which many smaller companies -- Twitter, most prominently -- will model their own. If Google can establish clear practices now that somehow balance the competing needs of law-enforcement agencies and private users, that effort will pay off -- in tough situation after tough situation, across platforms and countries, in the years ahead.