SF Bay Area Indymedia

New privacy policy, cooperation with law enforcement & your data: An interview with Google
by mark
Wednesday Sep 10th, 2008 4:50 PM
Just as Google unveiled a new, "improved" privacy policy, a sworn affidavit entitled "Statement of Probable Cause" was released showing that the cooperation of Google and Sonic.net with UC Police led, in part, to last month's raid on the Long Haul Infoshop. We took this opportunity to ask Google some questions about its privacy policy and how much of its users' data is really anonymized.

Yesterday it was disclosed that data retained by Google and Sonic.net (a Santa Rosa, CA-based ISP) and divulged to University of California police under a court order led, in part, to last month's police raid of the Long Haul Infoshop in Berkeley, CA. In the course of the Aug. 27th raid -- apparently part of an investigation into hostile e-mails sent to UC Berkeley staff, according to an affidavit filed by Detective Bill Kasiske -- UC police, an FBI agent and a Sheriff's deputy seized computers, hard drives and memory cards from the Infoshop's public computer lab and from the Slingshot newspaper office in the same building.

The Google connection inspired us to ask the Silicon Valley behemoth some questions about its newly minted privacy policy, which Google heralded on Sept. 8th as "Another step to protect user privacy," and about the company's policies on contesting -- or cooperating with -- court orders to assist with the surveillance of its users. We wondered how much of the typical Google user's data is really "protected". Apparently, the answer is, "very little", as recent improvements to Google's privacy policy cover only usage by "unauthenticated" users.

In other words, if you are logged in to Google while using a service such as Gmail or Google Talk, your data may be logged and accessible to third parties through a court order forever -- unless you explicitly ask Google to delete it. And even if you do, Google's privacy policy doesn't promise to delete your data, if honoring the request would require too much "effort." On the other hand, if you access Google "anonymously", that is, without being logged in, Google says it will "anonymize" its logs of your activity nine months later by removing your IP address.

Sonic.net management has not yet responded to questions about its own privacy policy.

Does Google's new privacy policy concerning the anonymization of IP addresses, after nine months, cover all Google servers, including e-mail, chat and other non-search services?
GOOGLE: Our data anonymization policy applies to unauthenticated server logs, not to the logs of services that require a Google Account, such as Gmail. With respect to those Services, the user has the ability to delete or retain his/her data, as described in the privacy policies of those services.

Does Google have any policy on if or when to inform a user that his/her data has been provided to a third party, due to a court order or other legal process?
GOOGLE: Like all law-abiding companies, we comply with U.S. laws and legal processes. We strive to be as cooperative in the investigation and prosecution of crimes as we possibly can, while being careful to balance the interests of our users. We typically do not share information about these requests publicly. When possible, we notify the user in order to give them the opportunity to object.

Does Google keep records on how data which it has retained and provided to authorities is used? For example, in this case the data was used to conduct a raid and seizure of a computer lab and newspaper. In other countries there could be other (worse) ramifications due to human rights problems. Of course in many cases Google's data and cooperation could aid the investigation of a crime, from financial fraud to stalking.
GOOGLE: As a matter of policy, we don't comment on the nature or the substance of law enforcement requests to Google.

Does Google have a policy on if or when to contest court orders requesting identifying information, through the legal system?
GOOGLE: Google does comply with valid legal process, such as court orders and subpoenas. At the same time we have a legal team whose job is to scrutinize these requests and make sure they meet not only the letter but the spirit of the law. We have a history of being an advocate for user privacy. In 2006, we went to court to resist a Department of Justice subpoena for millions of search queries on the grounds that it was excessive and invaded our users' privacy. The judge ultimately ruled in Google's favor, establishing an important precedent for user privacy. It's also important to note that our new policy of anonymizing IP addresses in our server logs after 9 months and cookies after 18 months will make it impossible, practically speaking, for us to associate search queries with IP addresses or cookies after those periods of time, which will, in turn, make it impossible for us to provide such data to law enforcement.

Do you know approximately how many times a year Google turns over personal data in response to a court order?
GOOGLE: As a matter of policy, we don't provide that information publicly.