Subscribe to CIO Magazine »

What Google's Transparency Report doesn't tell us

Google's Transparency Reports, released every six months, are interesting not just for what they reveal about government requests for Internet user data, but also for what they do not reveal.

Transparency reports are basically a biannual compilation of requests Google receives from governments around the world for Internet user data. The reports, which have been generally lauded by privacy experts, are an effort by Google to keep users informed about the data requests and how often it complies with them.

The company's latest report, released on Wednesday, shows that the U.S. government again led other nations in submitting the most requests for user data with Google. In the second half of 2012, the U.S. put in 8,438 requests for Internet user data, up 6% from the 7,979 requests it placed in the first six months of the year.

Between 2011 and 2012, U.S. data requests from Google increased by more than 30%.

More than two-thirds of the data requests from the U.S. government were by subpoenas issued under the Electronic Communications Privacy Act (ECPA) that did not require any kind of judicial oversight. Only about 1,900 of the requests had probable cause warrants attached to them. Google complied with close to 88% of the requests it received from the U.S. government.

Sobering as the numbers are, they do not tell the full story, according to privacy advocates and rights groups.

Google's transparency reports do not include requests for user data made by the government under the U.S. Patriot Act, the Foreign Intelligence Surveillance Amendment Act or through the use of National Security Letters (NSLs). Most of the requests made via these statutes are tied to national security issues and often compel providers to disclose far more data than ECPA subpoenas and court orders permit.

Google has said that it will try to release more information about such requests in the future. But how it will do so remains to be seen, because companies that receive NSLs and requests under the Patriot Act and FISA are not allowed to publicly disclose the requests.

As a result, it's unclear how many more requests Google might have received from the government, how intrusive those requests were or how many people might have been impacted by the requests, said Trevor Timm, an activist with the Electronic Frontier Foundation.

Getting this information is "incredibly important, because we have no idea how much surveillance requests Google is getting or how many people are being targeted," he said.

The Patriot Act and FISA give the government enormous leeway to collect all kinds of information on wide swathes of people without requiring a warrant based on probable cause, Timm noted. "Even a few senators have said that if people knew how [the Patriot Act and FISA] are being interpreted they would be shocked," he said. "They have insinuated that the government is using [these laws] as a dragnet to gather information" on huge numbers of people.

Concerns about these laws recently prompted the European Parliament's Directorate General for Internal Policies to warn companies in the EU about the potential privacy implications of having their data hosted with U.S cloud services.

Google itself appears to be digging its heels in a bit. Google spokesman Chris Gaither said the company has been making an effort to ensure that all government requests for data follow the law and are not overly broad. "We notify users about legal demands when appropriate, unless prohibited by law or court order. And if we believe a request is overly broad, we seek to narrow it -- like when we persuaded a court to drastically limit a U.S. government request for two months' of user search queries," he said via email.

Gaither noted that Google has insisted on government agencies getting an ECPA search warrant based on probable cause for access to stored contents of Gmail and other Google services.

The type of information that Google provides varies quite a bit, Gaither he said. For example, a valid ECPA subpoena for a Gmail address could compel Google to disclose the name listed when creating the account, and the IP address from which the user created the account and signed in and signed out, along with all relevant dates and times, Gaither said.

Similarly, a valid ECPA court order could compel Google to disclose the IP address associated with a particular email sent from that account or used to change the account password, along with the non-content portion of email heads such as the "from," "to" and "date" fields, he noted. "A valid ECPA warrant could compel us to disclose stored content such as the contents of a Gmail account," he said.

Greg Nojeim, senior counsel for the Center for Democracy and Technology, said that the latest transparency report shows that Google's refusal to comply with law enforcement demands has gone up in the last two years -- even as the number of demands for data nearly doubled.

A "hat tip to Google for releasing this important information," Nojeim said. "This shows not only that law enforcement demands are skyrocketing, but that [the] proportion of those demands that are inappropriate may also be increasing. The data contribute to an already compelling case for Congress to take up ECPA reform to protect user privacy."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan. His e-mail address is

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Electronic Frontier Foundation, EU, European Parliament, Google, Technology
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Google, security, internet, privacy
Latest Blog Posts
  • Siemens Redefines Efficiency with Pure Storage
    Challenges - Server consolidation stalled due to storage performance limits - IO-intensive Oracle database would not consolidate with other applications - Multiple instances of virtual applications plus the Oracle DB Results - Consolidated 30 servers to 5 - 23% increase in Oracle performance after virtualization - 6.7-to-1 data reduction - Provisioning time reduced by 4x - 2x increase in VMware snapshot release time
    Learn more »
  • The F5 DDoS Protection Reference Architecture part 1 of 3
    Distributed denial of service attacks (DDoS) attempt to make a machine or network resource unavailable to its intended users, with a wave of crippling attacks on enterprises since 2012. This whitepaper offers guidance to security and network architects in designing, deploying, and managing architecture to protect against increasingly sophisticated, application-layer DDoS attacks.
    Learn more »
  • Using an Expert System for Deeper Vulnerability Scanning
    This paper serves security professionals interested in better techniques for finding vulnerabilities, who have a solid understanding of networking principles and familiarity with the concepts related to hacking, vulnerabilities, and exploits. Read on for an in-depth view of the use of expert systems to achieve accurate and detailed vulnerability results.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Latest Jobs
Salary Calculator

Supplied by

View the full Peoplebank ICT Salary & Employment Index

Recent comments