Category Archives: Public Policy Blog

Google’s views on government, policy and politics

Digital security and due process: A new legal framework for the cloud era

Editor’s note: This is an abbreviated version of a speech Kent delivered today at The Heritage Foundation in Washington, D.C.

For as long as we’ve had legal systems, prosecutors and police have needed to gather evidence. And for each new advance in communications, law enforcement has adapted. With the advent of the post office, police got warrants to search letters and packages. With the arrival of telephones, police served subpoenas for the call logs of suspects. Digital communications have now gone well beyond the Postal Service and Ma Bell. But the laws that govern evidence-gathering on the internet were written before the Information Revolution, and are now both hindering the flow of information to law enforcement and jeopardizing user privacy as a result.

These rules are due for a fundamental realignment in light of the rapid growth of technology that relies on the cloud, the very real security threats that face people and communities, and the expectations of privacy that internet users have in their communications.

Today, we’re proposing a new framework that allows countries that commit to baseline privacy, human rights, and due process principles to gather evidence more quickly and efficiently. We believe these reforms would not only help law enforcement conduct more effective investigations but also encourage countries to improve and align on privacy and due process standards. Further, reducing the amount of time countries have to wait to gather evidence would reduce the pressure to pursue more problematic ways of trying to gather data.

Current laws hinder law enforcement and user privacy

The U.S. Electronic Communications Privacy Act (ECPA) governs requests for content from law enforcement. Under ECPA, foreign countries largely have to rely on diplomatic mechanisms such as Mutual Legal Assistance Treaties (MLAT) to obtain content that is held by a company in the United States. The last data we’ve seen suggests that the average wait to receive content through the MLAT process is 10 months, far too long for most criminal cases. While law enforcement waits for this data, crimes could remain unsolved or a trial might happen missing key evidence.

The current legal framework poses a threat to users’ privacy as well. Faced with the extended delays under the MLAT process, some countries are now asserting that their laws apply to companies and individuals outside of their borders. Countries asserting extraterritorial authority potentially put companies in an untenable situation where we risk violating either the law of the requesting country or the law of the country where we are headquartered.

We are also seeing various proposals to require companies to store data within local borders as a means to gain easier access. There are a host of problems with this: small, one-off data centers are easier targets for attackers and jeopardize data security and privacy. Further, requiring businesses to build these data centers will raise the costs for cloud services, erecting significant barriers for smaller companies.

The legal ambiguity concerning cross-border law enforcement requests has also created complications for law enforcement in the United States. Last year, the Second Circuit Court of Appeals was asked to determine the reach of ECPA search warrants issued under the now out-of-date statute. The Court ruled that under existing law, an ECPA search warrant cannot be used to compel service providers to disclose user data that is stored outside of the U.S. But even those judges agreed that ECPA should be updated by Congress to reflect the new reality of today’s global networks.

Principles for reform

Our proposal to address these challenges for domestic and international law enforcement, for companies, and for users has two core principles:

First, countries that honor baseline principles of privacy, human rights, and due process should be able to make direct requests to service providers for user data that pertains to serious crimes that happen within their borders and users who are within their jurisdiction.  

While the U.S. cannot solve the problem on its own, and many countries have blocking regulations, policy reform in the US is a necessary first step. We’ve been pleased to see serious debate around ways to update digital evidence laws in Washington on this issue.

In May, the U.S. Department of Justice presented legislation that would amend ECPA and  authorize U.S. providers to disclose records and communications content to foreign governments that adhere to baseline due process, human rights, and privacy standards. This legislation would be the critical starting point for the new framework of direct requests.

ECPA should also be updated to address what data is available using an ECPA search warrant in a way that serves broader public policy objectives. Law enforcement requests for digital evidence should be based on the location and nationality of users, not the location of data. A key component of this reform is the International Communications Privacy Act (ICPA), which Google supports. ICPA provides a unique opportunity for Congress to update laws governing digital evidence both for investigations in the U.S. and abroad. While refinements to ICPA may be necessary, we believe the principles upon which ICPA is based are sound.

Second, provided that countries can meet baseline standards and the U.S. amends ECPA, the next step would be for the United States and foreign governments to sign new agreements that could provide an alternative to the MLAT process. The bilateral agreements that could be authorized by the legislation put forward by the Department of Justice provide a promising avenue to improve global privacy standards and create a pathway for foreign governments to obtain digital evidence for investigations.

We’re ready to do our part

We know that this will be an involved process. It’ll require action here in Washington and in capitals around the world. However, we can’t accept the complexity of action as a reason for inaction in addressing an important and growing problem.

Our proposal asks for a lot of movement from governments. But we recognize our role as well. Google is ready to work with legislators, regulators, civil society, academics, and other companies to progress these proposals and make sure that we get this right. And I look forward to conversations that we’ll have in Washington, D.C. and beyond in the months to come.

An international framework for digital evidence

Today, we’re releasing the latest version of our Transparency Report regarding government requests for user data. In the second half of 2016, we received over 45,000 government requests for user data worldwide. This is the most government requests we’ve received for user data in a six-month period since we released our first transparency report in 2010.

In many ways, this shouldn’t be surprising. As more people use more of our services, and as we offer new ones, it is natural that we are seeing an increase in government requests. For example, Gmail had around 425 million active users in 2012, and more than 1 billion by 2016. And as digital evidence increasingly becomes part of criminal investigations, other companies are seeing similar trends. We of course continue to require appropriate legal process for these requests, and resist overbroad requests not narrowly calibrated to legitimate law enforcement requirements.  

Cross-border requests for data continue to increase over time as well, from 30,755 requests from countries other than the United States in the first half of 2016 to 31,877 in the second half of the year. This underscores the need for an improved international framework that meets legitimate law enforcement needs and ensures high standards of due process, privacy and human rights. The Mutual Legal Assistance Treaty (MLAT) process facilitates the production of digital evidence in cross-border investigations (when the crime occurs in one country but data is held by a company in another country). But the MLAT process is too often slow and cumbersome: on average, it takes 10 months to process an MLAT request in the United States.  That’s a long time for an investigator to wait.

Without better and faster ways to collect cross-border evidence, countries will be tempted to take unilateral actions to deal with a fundamentally multilateral problem. A sustainable framework for handling digital evidence in legitimate cross-border investigations will help avoid a chaotic, conflicting patchwork of data location proposals and ad hoc surveillance measures that may threaten user privacy and generate uncertainty for users and businesses, all without fundamentally advancing legitimate law enforcement and national security interests.

We believe that governments can develop solutions that appropriately balance the various interests at stake. This includes respecting the legitimate privacy rights of users, wherever they are, as well as the obligations of governments to investigate crimes and protect their residents. These issues must be addressed by a broad group of stakeholders, including governments, citizens, civil society groups and providers of information services that cross national borders.

This discussion will raise difficult questions about the scope of government surveillance powers, the extent of digital jurisdiction, the importance of rapid investigations, and privacy rights in the Internet age — fundamental issues that can’t be adequately addressed by courts using antiquated legal standards or by governments acting in an ad hoc fashion.

We look forward to sharing more thoughts about the legal frameworks that can address some of these challenges in the coming weeks and months. And we look forward to working with relevant stakeholders to craft viable and lasting solutions.

Resounding support for updating electronic privacy laws

Today, the House of Representatives passed the Email Privacy Act (H.R. 387) by voice vote.  This is the second year in a row that the House of Representatives has resoundingly passed this bill, which is a testament to its widespread support across the political spectrum.

The Email Privacy Act updates the Electronic Communications Privacy Act (ECPA) to require the government to obtain a warrant before it can compel companies like Google to disclose the content of users’ communications. Since 2010, Google has testified before Congress four times in support of this reform, which will protect all users, and we are proud of our efforts. We are particularly grateful to the House of Representatives leadership and to Representatives Yoder (R-Kan.), Polis (D-Colo.), Goodlatte (R-Va.), and Conyers (D-Mich.) for securing passage of this bill so early in the 115th Congress.

This Act will fix a constitutional flaw in ECPA, which currently purports to allow the government to compel a provider to disclose email contents in some cases without a warrant, in violation of the Fourth Amendment. The Email Privacy Act ensures that the content of our emails is protected in the same way that the Fourth Amendment protects the items we store in our homes.

This is consistent with the practice around the country already and what the Constitution requires; the Sixth Circuit Court of Appeals concluded in 2010 that ECPA is unconstitutional to the extent it permits the government to compel a service provider to disclose to the government a user’s electronic communications content without a warrant.  Today’s vote demonstrates that this conviction is widely shared.

The Senate now has a historic opportunity to shepherd this landmark reform toward enactment.  While there are disagreements about other aspects of surveillance reform, there is no disagreement that emails and electronic content deserve Fourth Amendment protections.  We urge the Senate to advance this common sense measure, which will begin the process of updating ECPA for the Internet age.

Reflecting on Google’s GNI Engagement

 As the year comes to a close, we’re reflecting on Google’s Global Network Initiative (GNI) assessment and some of this year’s important developments in our work to protect the free expression and privacy interests of our users.

Last week, in our continued effort to increase transparency around government demands for user data, we made available to the public the National Security Letters (NSLs) Google has received where, either through litigation or legislation, we have been freed of nondisclosure obligations. Our goal in doing so is to shed more light on the nature and scope of these requests. We’ve also supported policy efforts to ensure that the privacy interests of non-U.S. persons are addressed as U.S. policymakers consider government surveillance issues.

Earlier this month, we highlighted our efforts to comply with the right to be forgotten in Europe. For much of the last year, we’ve worked to defend the idea that each country should be able to balance freedom of expression and privacy in the way that country sees fit, and not according to another country’s interpretation. One Data Protection Authority, the French Commission Nationale de l'Informatique et des Libertés (the CNIL), ordered Google to delist French right to be forgotten removals for users everywhere. We agree with the CNIL that privacy is a fundamental right — but so, too, is the right to free expression. Any balance struck between those two rights must be accompanied by territorial limits, consistent with the basic principles of international law.

These are some examples of Google’s public policy work that illustrate our commitment to the freedom of expression and privacy rights of our users. We know that pressing global issues are best addressed in partnership with key stakeholders — and the GNI is critical to Google’s efforts.

The GNI is at the core of our multi-stakeholder engagement on free expression and privacy issues. Google is proud to be a founding member of the GNI, an initiative that brings together ICT companies with civil society organizations, investors, and academics to define a shared approach to freedom of expression and privacy online. The GNI provides a framework for company operations, rooted in international standards; promotes accountability of ICT sector companies through independent assessment; enables multi-stakeholder policy engagement; and creates shared learning opportunities across stakeholder boundaries.

Earlier this year, GNI released the second round of assessments, and announced the board’s determination that Google is compliant with the GNI framework. The assessment is an important tool for companies, NGOs, academics, and others working together to review how companies address risks to privacy and free expression.

The assessment process includes a review of relevant internal systems, policies and procedures for implementing the GNI Principles (“the process review”), and an examination of specific cases or examples that show how the company is implementing them in practice (the “case review”).

Our cases were selected for their salience to our approach to implementing the GNI Principles, taking into consideration Google’s products and services, geographical footprint, operating environments, and human rights risk profile. In addition to the Google-specific cases discussed in GNI’s public assessment report, we wanted to provide additional examples to illustrate the types of non-U.S. cases reviewed.

Request for user data
A request was made for Gmail user information by a federal police department. A key part of our process is making sure that the requests we receive are appropriately supported by legal process. In this case, we found that the initial request was inadequate due to failure to have a judicial stamp or signature, and we therefore pushed back, as we would not comply unless the request was judicially authorized. Once these items were obtained and we determined that it was a valid legal request (including that it was not overbroad), we complied with the request.

Request for removal
A request for Blogger content removal was made by a regulatory agency. The requestor claimed that content was subject to removal under the country’s statute prohibiting appeals to mass riots, extremist activities, and mass actions against established order. In reviewing the request, we determined that the content did not violate our terms of service.  We then responded by requesting a copy of the decision citing specific URLs that are illegal. This would be evidence of an authoritative interpretation of the local law as applied to the content.  As there was no response from the requestor, and the content did not violate our company policies, the request was denied and we did not remove the material.

RTBF: Push for Judicial Review; Careful Development and Implementation of Rigorous Removal Process for Requests
This example describes how we responded to requests subsequent to the Google Spain v AEPD and Mario Costeja ruling, which presented risks to freedom of expression. In the Costeja case, we appealed through the court process, but were unsuccessful.  We pushed back on this ruling because we considered the requirement for Google to take down this information to be in conflict with freedom of expression. On appeal, the Court of Justice of the European Union found that people have the right to ask for information to be removed from search results that include their names if it is “inadequate, irrelevant or no longer relevant, or excessive.” In deciding what to remove, search engines must also have regard to the public interest, without additional guidance regarding what information constitutes “public interest.” The court also decided that search engines don’t qualify for a “journalistic exception.” We continue to fight court cases seeking to expand this requirement for takedowns globally.

We also convened the Advisory Council to Google on the Right to be Forgotten to review input from dozens of experts in meetings across Europe, as well as from thousands of submissions via the Web. The Council included Frank La Rue, the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. The Council advised us on performing the balancing act between an individual’s right to privacy and the public’s interest in access to information.

In response to the Costeja ruling, Google established a dedicated team to develop and implement a system to remove valid RtbF requests. We evaluate each request appropriately, complying with the law, but making sure that, if there is a legal basis for the content to remain available, we will assess how that applies. To address the ruling, we assembled a team to address the new category of requests arising from the rights articulated in Costeja. Our web removals site was updated to include information about and a portal for RtbF requests. Requests are reviewed by the legal removals team; after review, the requester is notified of the determination. Since implementing this system, we have delisted approximately 780,000 URLs. Our process responds to individual requests and carefully evaluates  each request against the criteria for removal. We also notify websites when one of their pages has been removed pursuant to a RtbF claim. In addition to removing URLs, we include information about RtbF requests and removals in our Transparency Report.

Our assessors also provided us with recommendations for enhancing our implementation of the GNI Principles. These recommendations, combined with feedback and ongoing engagement with GNI stakeholders, will inform our policies and practices and strengthen our advocacy in 2017.


Sharing National Security Letters with the Public

In our continued effort to increase transparency around government demands for user data, today we begin to make available to the public the National Security Letters (NSLs) we have received where, either through litigation or legislation, we have been freed of nondisclosure obligations. We previewed this back in October when we updated our Transparency Report.

As we have described in the past, we have fought for the right to be transparent about our receipt of NSLs. This includes working with the government to publish statistics about NSLs we’ve received, successfully fighting NSL gag provisions in court, and leading the effort to ensure that Internet companies can be more transparent with users about the volume and scope of national security demands that we receive.   

In 2015, Congress passed the USA Freedom Act, which allowed companies like Google to make more granular disclosures  about National Security Letters they receive.  In addition, the Act restricts the use of indefinite gag restrictions that prevent providers from ever notifying customers or talking about the demands. The Department of Justice (DOJ) must now regularly review disclosure restrictions in NSLs and lift those that are no longer needed. The United States Attorney General approved procedures to do this, and as we mentioned recently, the FBI has started lifting gag restrictions on particular NSLs.

We are now making copies of those NSLs available. Our goal in doing so is to shed more light on the nature and scope of NSLs. We minimized redactions to protect privacy interests, but the content of the NSLs remains as it was when served. We are also publishing the correspondence reflecting the lifting of the nondisclosure restrictions. We have links to the documents below. In the near future, we will establish a more permanent home for these and additional materials from our Transparency Report.

Redacted NSLs and FBI correspondence

NSL-10-272979 (FBI notice)

NSL-13-375880 (FBI notice)

NSL-14-394627 (FBI notice)

NSL-14-395838 (FBI notice)

NSL-14-396103 (FBI notice)

NSL-14-396300 (FBI notice)

NSL-15-417535 (FBI notice)

NSL-15-418313 (FBI notice)

While we are encouraged by this development, we will remain vigilant in opposing legislation that would significantly expand the universe of information that can be obtained with an NSL.

Building on Surveillance Reform

Today, we've updated our Transparency Report on government requests for user data.  Globally, we received 44,943 government requests for information regarding 76,713 accounts during the first half of 2016.  We provided user information in response to 64% of those requests, which remains unchanged from the previous reporting period (i.e. the second half of 2015).  We also received our first ever requests from the following countries: Algeria, Belarus, Cayman Islands, El Salvador, Fiji, and Saudi Arabia. In addition, pursuant to the USA Freedom Act, the FBI lifted a gag restriction on an NSL issued in the second half of 2015. To reflect this, we have updated the range of NSLs received in that period — July to December 2015 — from 0-499 to 1-499.

As we have noted in the past, when we receive a request for user information, we review it carefully and only provide information within the scope and authority of the request. The privacy and security of the data that users store with Google is central to our approach. Before producing data in response to a government request, we make sure it strictly follows the law (for example, to compel us to disclose content in criminal cases we require the government to use a search warrant) and that it complies with Google's strict policies (to prevent overreach that can compromise users’ privacy).

In the US, in the current reporting period, Google saw an increase in the number of accounts covered by requests made under the Foreign Intelligence Surveillance Act (FISA) (21,000-21,499), compared to the previous reporting period (16,000-16,499). (Note that the USA Freedom Act authorizes companies like Google to report these figures in ranges, but not precise numbers.) 

In recent years, the United States has implemented or enacted meaningful surveillance reforms.  And the U.S. Congress is beginning the process of assessing potential reforms to Section 702 of FISA, which authorizes surveillance of non-U.S. persons outside of the United States.   We look forward to working together with others in our industry on continuing surveillance reform in the U.S. and around the world.

Strengthening the security of your Google account


Our users trust Google with some of their most precious data — family photos, emails, work documents, and more. It's our responsibility to keep your information safe and secure, and provide simple, useful ways for you to manage it.

We also have additional tools you can use to give your account extra protection. More than five years ago, we introduced two-step verification, a tool which offers an added layer of security to your account. With two-step verification, you need something more than just your password — a simple prompt on your phone, a code generated by an app, or a security key — in order to access your account. This makes it much tougher for the bad guys to get into your account, even if they’ve somehow gotten your password.

Today, the White House, in partnership with the National Cyber Security Alliance, launched the Lock Down Your Login campaign to educate Americans about better ways to keep their online accounts secure. It’s a great opportunity to remind everyone about the different two-step verification options available to protect your Google account. To enable two-step verification, go to the “Sign-in & Security” section of My Account or click here to learn more.
