Wednesday, October 26, 2011

Government Demand for Google User Data Spikes...But How and Why Still Unclear

This story caught my eye, particularly in light of my focus on government surveillance and data privacy on this blog. At first glance, the fact that Google is publicly detailing the US government's increasing requests for access to its users' data is a victory for transparency.

As for the motive, Google is a member of the Due Process Coalition, which supports the reform of a 25-year-old government privacy law that lets law enforcement get access to users’ online communications without having to get a judge’s approval. This, of course, seems like a righteous effort. And to Google's credit, the coalition's other members - which include Amazon, AOL, AT&T, Dropbox, Facebook and Microsoft - provide no such data regarding how often the government requests data or how often they comply.

Of course, there's a whole lot more to this story. First, let's be clear about Google's long, sordid history when it comes to privacy protection. And let's remember that Google has made a fortune from spying on what consumers do online, including what web sites they visit: it creates dossiers on users’ online behavior without their prior permission, then harvests this private information to sell hundreds of millions of dollars in advertising.

Consider Google's history on this issue, from Google Books to the loss of "Locational Privacy" to the company's lobbying efforts in Congress, to its cloud computing, to its increasing usage and expansion of behavioral marketing techniques, to Google StreetView cars gathering private information from unaware local residents, to the company teaming with the National Security Agency (the agency responsible for such privacy violation greatest hits as warrantless wiretapping) "for technical assistance" to the infamous Google Buzz.

In other words, I view ANYTHING Google says or apparently does when it comes to privacy with a huge grain of salt. Still, in this case, I want to know what the government is up to, particularly in light of these new figures, and how the Patriot Act fits in. As I said at the beginning of the post, there's more to this story, and these new figures, than meets the eye.

But first, to the figures. As reported by Wired Magazine:

The number of U.S. government requests for data on Google users for use in criminal investigations rose 29 percent in the last six months, according to data released by the search giant Monday. U.S. government agencies sent Google 5,950 criminal investigation requests for data on Google users and services from Jan. 1 to June 30, 2011, an average of 31 a day. That’s compared to 4,601 requests from July 1 to Dec. 31, 2010, the company reported Tuesday in an update to its unique transparency tool. Google says it complied in whole or part with 93% of such requests, which can include court orders, grand jury subpoenas and other legal instruments.

It's not what these numbers say that's the problem, it's what they don't. Here's the REAL story:

According to Google, the numbers do not include National Security Letters, a sort-of self-issued subpoena used by the FBI in drug and terrorism cases. At their post–Patriot Act peak, the FBI issued more than 50,000 such letters a year, nearly all with gag orders attached to them. The use of such letters dipped for a time after the Justice Department’s internal watchdog unveiled widespread abuses and sloppy procedures, but are on the rise again. Also not included are national security wiretap and data requests, known as FISA warrants, that are approved by a secret court in D.C. to combat spies and threats to national security. 

These are HUGE holes in this whole "transparency" facade! Remember, National Security Letters (NSLs) – which allow the FBI, without a court order, to obtain telecommunication, financial and credit records deemed “relevant” to a government investigation - were PROVEN to have been flagrantly abused by the FBI perhaps tens of thousands of times.

As Adam Serwer of the American Prospect noted: "It's no secret that the FBI's use of NSLs - a surveillance tool that allows the FBI to gather reams of information on Americans from third-party entities (like your bank) without a warrant or without suspecting you of a crime - have resulted in widespread abuses. All that the FBI needs to demand your private information from a third-party entity is an assertion that such information is "relevant" to a national security investigation -- and the NSLs come with an accompanying gag order that's almost impossible to challenge in court."

And what of FISA requests??? We know the Patriot Act allowed the government access to Internet sites we've visited as well as to listen in on the phone calls we make. It wasn’t long ago that the idea of our government wiretapping American citizens without warrants for purposes other than national security would have been revolting. Now it's official Government policy – and the telecom companies that participated in these crimes have been given retroactive immunity while continuing to make billions off overcharging the same customers they betrayed.

My question is just how many times is Google being asked for our information by our government that falls into these categories?

Let's also remember, there's a clear pattern we should all be aware of when it comes to government access to our data: Facebook reportedly receives up to 100 demands from the government each week for information about its users. AOL reportedly receives 1,000 demands a month. In 2006, a U.S. Attorney demanded book purchase records of 24,000 customers. Sprint recently disclosed that law enforcement made 8 million requests in 2008 alone for its customers’ cell phone GPS data for purposes of locational tracking.

And if that's not enough, it was Google’s CEO, Eric Schmidt, who said "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
As you let that sink in, he also said: "… the reality is that search engines including Google do retain this information for some time, and it's important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities."

In other words, the data that we need to be made public is precisely the data not being provided - particularly in light of the growing Occupy Wall Street protests spreading around the country and world. Believe me, the FBI wants access to this information. There may be some good news to report here though, as the agency appears to be increasingly going through the courts to obtain it (though knowing how bad our courts are on privacy, it's not exactly the time to pop champagne).

The Washington Post details these efforts: 

The FBI is increasingly going to court to get personal e-mail and Internet usage information as service providers balk at disclosing customer data without a judge’s orders. Investigators once routinely used administrative subpoenas, called national security letters, seeking information about who sent and received e-mail and what Web sites individuals visited. The letters can be issued by FBI field offices on their own authority, and they obligate the recipients to keep the requests secret.

But more recently, many service providers receiving national security letters have limited the information they give to customers’ names, addresses, length of service and phone billing records.

Investigators seeking more expansive information over the past two years have turned to court orders called business record requests. In the first three months of this year, more than 80 percent of all business record requests were for Internet records that would previously have been obtained through national security letters, the FBI said. The FBI made more than four times as many business records requests in 2010 than in 2009: 96 compared with 21, according to Justice Department reports.

In response to concerns expressed by administration officials, Judiciary Committee Chairman Patrick J. Leahy (D-Vt.) has introduced a measure that would establish that the FBI can use national security letters to obtain “dialing, routing, addressing and signaling information.” It would not include the content of an e-mail or other communications, the administration has said. 

The administration, which last year contemplated legislation to expand the authority of national security letters, has not taken a formal position on the Leahy measure, officials said. But the FBI has told Congress that the number of business record orders will continue to grow unless a legal change gives the agency more routine access to customer data.

Civil liberties groups said Leahy’s measure, included in a bill to modernize the Electronic Communications Privacy Act, would expand the government’s authority to obtain substantial data about the private communications of individuals without court oversight.

“Our view is data like e-mail ‘to-from’ information is so sensitive that it ought to be available only with a court order,” said Greg Nojeim, senior counsel at the Center for Democracy and Technology. Privacy advocates said they support requiring the FBI to use court orders to seek the data. “This is an example of how the system should work,” said American Civil Liberties Union legislative counsel Michelle Richardson.

Business record requests are also known as Section 215 orders, after a provision in the Patriot Act, the law passed after the Sept. 11, 2001, terrorist attacks. The provision allows the government to obtain “any tangible thing” if officials can show reasonable grounds that it would be relevant to an authorized terrorism or espionage investigation. The ACLU and the Electronic Frontier Foundation on Wednesday plan to separately sue the government to force disclosure of its interpretation of Section 215. The groups are following the lead of Sen. Ron Wyden (D-Ore.), who has accused the administration of inappropriately withholding information about the law’s use.

In other words, there's a whole lot we still don't know...and a whole lot of reasons to be concerned, based on past Patriot Act abuses, lax oversight, and the recent increase in efforts by the government to access our data, be it through the Google requests we know about, those we don't, or the FBI's attempts through the court system.

If these new figures released by Google can serve the purpose the company purports to seek - to encourage the passage of new laws that will give the company more leverage to deny government access to people's online communications and activities - then more power to them. In the meantime, I'll remain skeptical and concerned.
