Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


An interview with Google on government access to personal information

For the past couple of months we have been discussing with Google their transparency plans regarding governments accessing data held by Google. Last week Google released initial data on how many requests for data were coming from which governments.

We congratulate Google on this first step, and we believe that by seeking answers to some additional questions, greater clarity may yet emerge. Of course we have many more questions. We hope that this is the first step in an ongoing dialogue with Google on these matters, and we hope that other companies disclose useful information to the public.

Q: Why are you doing this?

A: We have been thinking about doing this sort of reporting for some time. We believe that transparency will give people insight into these kinds of government requests. Historically, information like this has not been broadly available. We hope this tool will be helpful in discussions about the appropriate scope and authority of government requests and that other companies will make similar disclosures.

Q: Aren't you afraid of a backlash from governments?

A: We hope this tool will give citizens greater visibility into their governments' actions. The information reported is straightforward and factual and we plan to continue to improve it. We believe it is important to start a global conversation about how governments regulate the Internet. Unless companies, governments and individuals work together, the free flow of information that we enjoy today may become ever more restricted.

Q: Have you considered the risk that countries may use this data to justify their actions on the basis of being "not the worst" or "amongst the best"?

A: It's important to keep in mind that the information we're presenting is limited in several ways. First of all, it only reflects the requests received by Google, when in fact similar requests are being made of other Internet and communications companies. Second, some countries where the state controls access to the Internet may be blocking or collecting data at the ISPs, obviating the need to send requests to application providers, like Google. Government activity on the Internet today is sophisticated and multi-dimensional. It would be wrong to draw conclusions based on the data in our report alone. We need more companies or governments to provide similar information in order to get an accurate picture.

Q: What types of information and/or unique identifiers do you keep and for how long? Are some of your decisions on retention affected by the numbers of requests you get from governments? If so, how?

A: In broad terms, we typically have two types of information about the users of our services: unauthenticated data which is not correlated to a specific person and authenticated data which is. Many of our services can be used without registering for the service (for example, Google search) and therefore we do not ask for any personally identifying information. For those services, we may have unauthenticated logs data and our retention policy is to obfuscate the IP addresses after 9 months and delete the cookie after 18 months. We also offer services that require user registration, such as Gmail or Blogger. For those services, we retain personal data in accordance with our privacy policy. Our policies for retaining data are based on a number of factors, including what is necessary for the operation of the service and what is best for the users.

Q: What is the largest number of people you have disclosed data about in a single request?

A: We can't currently count our historical data in this way, but we're looking at how we can provide greater meaningful transparency around user requests in the future.

Q: Will you break down the statistics about the data you disclose as follows, or if that is not possible specify how you define the number of requests you receive for data?

A: Given the complexity, we haven't figured out a way to categorize and quantify the requests in a way that adds meaningful transparency, but we plan to in the future.

Q: Do you intend to identify the general justification in each case (e.g. law enforcement, national security, private litigation)? Will you identify the nature of the data that is disclosed in each case?

A: It's too early to say how the tool will be develop, but we plan to add more meaningful transparency as we figure out how to do so. 

 

Add new comment