Until this announcement, the privacy community in the United States had just four data points regarding the scale of government requests to Internet and telecommunications providers: A 2006 New York Times article revealing that AOL was getting 1000 requests regarding criminal and civil cases per month; a 2009 Newsweek article revealing that Facebook was getting 10-20 police requests per day; a 2009 letter from Verizon's general counsel in response to a FOIA request that I filed, revealing that the company gets "tens of thousands of requests for customer records and other customer information from law enforcement" per year; and Sprint's 2009 disclosure at a surveillance industry conference that it let law enforcement agencies initiate 8 million GPS pings as part of "thousands" of requests for its customers' location data.
Google's new Government Requests Tool quite simply blows away the competition, in terms sharing useful information about governments' ever growing appetite for individuals' private data, and in particular, per-country level transparency.
Just a few weeks ago, one of Microsoft's lawyers told Wired News that "We would like to see more transparency across the industry ... But no one company wants to stick its head up to talk about numbers."
It seems that at least one company has now bravely stuck its head up by disclosing these numbers. Hopefully, the other big Internet firms will see the positive press that Google received from this move, and voluntarily follow Google's lead.
What other data do we need
Hopefully, Google will share even more detailed data on government requests in the future. In particular, I'd like to know the following:
- How many requests from the government were under exigent or emergency circumstances, in which there was no accompanying subpoena,search warrant or other court order? In such situations, the company is permitted to voluntarily disclose data to the government, but is under no legal obligation to do so. Thus, it is also important to know how many times the company refused these requests.
- Of the government requests that Google received, how many were subpoenas, search warrants, 2703(d) orders, "hybrid" location requests, and electronic intercept/wiretap orders?
- For each of these categories of government requests, how many did the company comply, and how many did the company go to court to fight the request?
- For each of these categories of requests, how many (or a %) were by local, state or federal agencies?
- For each of these categories of requests, what kind of information was being asked for? (e.g. 15% of requests were for search records, 50% were for email, 20% for GPS location info, etc).
- What is the median and mean age of the customer information requested by and disclosed to law enforcement? (e.g. Are most requests for private user data that is a week old, or 200 days old?)
Let us imagine that over the next few months, Microsoft, Yahoo, Facebook, Apple, Skype, Comcast, AT&T, Verizon, Sprint and T-Mobile follow Google's lead and publish these stats. While this'll be a great source of information for researchers, for those in Congress who are considering an update to the Electronic Communications Privacy Act, and for concerned citizens wishing to observe the rate of transformation of this country into a surveillance state, these statistics won't actually be that useful to privacy conscious consumers wishing to make a wise choice in picking a service provider.
As a hypothetical example, if Yahoo receives 6000 requests for customer email data per year and Google receives 3000 requests, what does that mean? How should consumers interpret it if they wish to vote with their feet, and pick an ISP that will best protect their privacy?
Unfortunately, the number of requests a company receives doesn't really reveal how much the company values user privacy -- it merely reveals how often government agencies are willing to type up a subpoena and fax it off. Furthermore, while companies may be willing to fight unreasonable requests, if the request is lawful, even the most pro-privacy company can't do much to protect its customers.
At the end of the day, what matters most is the privacy enhancing technologies that companies build into their products -- such as minimal/no data retention and the use of encryption with a key only known to the user -- which effectively neutralize the ability of governments to compel service providers into violating their customers' privacy.
Transparency is great -- but meaningful competition on privacy will come through privacy enhancing technologies, baked into products, enabled by default.
Disclaimer: These are my own personal views, and do not reflect those of any other individual or organization with which I am affiliated.