Google For First Time Reports FBI Non-Warrant Requests for User Data

ID THREATPOST:B951A42EBAC4C2499C6521086525AF97
Type threatpost
Reporter Anne Saita
Modified 2013-04-17T16:30:36


Google reportsGoogle today revealed – if in vague terms – it last year received less than 1,000 “national Security letters” from federal authorities seeking financial and communications data on up to almost 2,000 individuals. The disclosure of such government requests marks a first for a major Internet service provider.

NSLs are sometimes called “warrrantless requests” because they circumvent a judge or grand jury if there’s a national security threat. And they often are accompanied by gag orders that prevent an ISP from divulging details that could undermine an investigation.

That’s one reason the company in Tuesday’s Transparency Report used a range rather than specific number of requests to stay in compliance. This year’s requests for 1,000 to 1,999 users or accounts shows a reduction in requests from 2010, when it was up to 2,999.

“The FBI has the authority to prohibit companies from talking about these requests. But we’ve been trying to find a way to provide more information about the NSLs we get—particularly as people have voiced concerns about the increase in their use since 9/11,” wrote Richard Salgado, Google’s legal director for Law Enforcement and Information Security, in a blog post. “Starting today, we’re now including data about NSLs in our Transparency Report. We’re thankful to U.S. government officials for working with us to provide greater insight into the use of NSLs.”

Salgado explained that when illegal activity is suspected and the FBI or another government agency requests personal information, Google will first vet the request to make sure it is legal and specific enough. The company also requires “that government agencies use a search warrant if they’re seeking search query information or private content, like Gmail and documents, stored in a Google Account.”

And although the disclosure represents a change in policy, Google admits the limited information does not provide a complete picture of government requests for user’s private data.

“While we have tried to report as accurate a number as possible, the statistics are not 100% comprehensive or accurate,” the company said in a posted FAQ on its report. “For example, we have not included statistics for countries where we’ve received fewer than 30 requests for user data in criminal cases during the reporting period. Where the numbers of requests are relatively low from a particular country, revealing the statistics could place important investigations at risk and interfere with public safety efforts of the authorities.”

The numbers break down into two categories: criminal and “other.” An example of the latter would be an emergency request from local police trying to save someone from imminent danger.

“We would like to be able to share more information, but it’s not an easy matter. The requests we receive for user data come from a variety of government agencies with different legal authorities and different forms of requests. They don’t follow a standard format or necessarily seek the same kinds of information. A single request may ask for several types of data but be valid only for one type and not for another; in those cases, we disclose only the information we believe we are legally required to share. Given all this complexity, it’s a difficult task to categorize and quantify these requests in a way that adds meaningful transparency, but we may do so in the future.”