Category Archives: Public Policy Blog

Google’s views on government, policy and politics

An international framework for digital evidence

Today, we’re releasing the latest version of our Transparency Report regarding government requests for user data. In the second half of 2016, we received over 45,000 government requests for user data worldwide. This is the most government requests we’ve received for user data in a six-month period since we released our first transparency report in 2010.

In many ways, this shouldn’t be surprising. As more people use more of our services, and as we offer new ones, it is natural that we are seeing an increase in government requests. For example, Gmail had around 425 million active users in 2012, and more than 1 billion by 2016. And as digital evidence increasingly becomes part of criminal investigations, other companies are seeing similar trends. We of course continue to require appropriate legal process for these requests, and resist overbroad requests not narrowly calibrated to legitimate law enforcement requirements.  

Cross-border requests for data continue to increase over time as well, from 30,755 requests from countries other than the United States in the first half of 2016 to 31,877 in the second half of the year. This underscores the need for an improved international framework that meets legitimate law enforcement needs and ensures high standards of due process, privacy and human rights. The Mutual Legal Assistance Treaty (MLAT) process facilitates the production of digital evidence in cross-border investigations (when the crime occurs in one country but data is held by a company in another country). But the MLAT process is too often slow and cumbersome: on average, it takes 10 months to process an MLAT request in the United States.  That’s a long time for an investigator to wait.

Without better and faster ways to collect cross-border evidence, countries will be tempted to take unilateral actions to deal with a fundamentally multilateral problem. A sustainable framework for handling digital evidence in legitimate cross-border investigations will help avoid a chaotic, conflicting patchwork of data location proposals and ad hoc surveillance measures that may threaten user privacy and generate uncertainty for users and businesses, all without fundamentally advancing legitimate law enforcement and national security interests.

We believe that governments can develop solutions that appropriately balance the various interests at stake. This includes respecting the legitimate privacy rights of users, wherever they are, as well as the obligations of governments to investigate crimes and protect their residents. These issues must be addressed by a broad group of stakeholders, including governments, citizens, civil society groups and providers of information services that cross national borders.

This discussion will raise difficult questions about the scope of government surveillance powers, the extent of digital jurisdiction, the importance of rapid investigations, and privacy rights in the Internet age — fundamental issues that can’t be adequately addressed by courts using antiquated legal standards or by governments acting in an ad hoc fashion.

We look forward to sharing more thoughts about the legal frameworks that can address some of these challenges in the coming weeks and months. And we look forward to working with relevant stakeholders to craft viable and lasting solutions.

Resounding support for updating electronic privacy laws

Today, the House of Representatives passed the Email Privacy Act (H.R. 387) by voice vote.  This is the second year in a row that the House of Representatives has resoundingly passed this bill, which is a testament to its widespread support across the political spectrum.

The Email Privacy Act updates the Electronic Communications Privacy Act (ECPA) to require the government to obtain a warrant before it can compel companies like Google to disclose the content of users’ communications.  Since 2010, Google has has testified before Congress four times in support of this reform, which will protect all users, and we are proud of our efforts.  We are particularly grateful to the House of Representatives leadership and to Representatives Yoder (R-Kan.), Polis (D-Colo.), Goodlatte (R-Va.), and Conyers (D-Mich.) for securing passage of this bill so early in the 115th Congress.

This Act will fix a constitutional flaw in ECPA, which currently purports to allow the government to compel a provider to disclose email contents in some cases without a warrant, in violation of the Fourth Amendment.  The Email Privacy Act ensures that the content of our emails are protected in the same way that the Fourth Amendment protects the items we store in our homes. 

This is consistent with the practice around the country already and what the Constitution requires; the Sixth Circuit Court of Appeals concluded in 2010 that ECPA is unconstitutional to the extent it permits the government to compel a service provider to disclose to the government a user’s electronic communications content without a warrant.  Today’s vote demonstrates that this conviction is widely shared.

The Senate now has a historic opportunity to shepherd this landmark reform toward enactment.  While there are disagreements about other aspects of surveillance reform, there is no disagreement that emails and electronic content deserve Fourth Amendment protections.  We urge the Senate to advance this common sense measure, which will begin the process of updating ECPA for the Internet age.

Reflecting on Google’s GNI Engagement

 As the year comes to a close, we’re reflecting on Google’s Global Network Initiative (GNI) assessment and some of this year’s important developments in our work to protect the free expression and privacy interests of our users.

Last week, in our continued effort to increase transparency around government demands for user data, we made available to the public the National Security Letters (NSLs) Google has received where, either through litigation or legislation, we have been freed of nondisclosure obligations. Our goal in doing so is to shed more light on the nature and scope of these requests. We’ve also supported policy efforts to ensure that the privacy interests of non-U.S. persons are addressed as U.S. policymakers consider government surveillance issues.

Earlier this month, we highlighted our efforts to comply with the right to be forgotten in Europe. For much of the last year, we’ve worked to defend the idea that each country should be able to balance freedom of expression and privacy in the way that country sees fit, and not according to another country’s interpretation. One Data Protection Authority, the French Commission Nationale de l'Informatique et des Libertés (the CNIL), ordered Google to delist French right to be forgotten removals for users everywhere. We agree with the CNIL that privacy is a fundamental right — but so, too, is the right to free expression. Any balance struck between those two rights must be accompanied by territorial limits, consistent with the basic principles of international law.

These are some examples of Google’s public policy work that illustrate our commitment to the freedom of expression and privacy rights of our users. We know that pressing global issues are best addressed in partnership with with key stakeholders — and the GNI is critical to Google’s efforts.

The GNI is at the core of our multi-stakeholder engagement on free expression and privacy issues. Google is proud to be a founding member of the GNI, an initiative that brings together ICT companies with civil society organizations, investors, and academics to define a shared approach to freedom of expression and privacy online. The GNI provides a framework for company operations, rooted in international standards; promotes accountability of ICT sector companies through independent assessment; enables multi-stakeholder policy engagement; and creates shared learning opportunities across stakeholder boundaries.

Earlier this year, GNI released the second round of assessments, and announced the board’s determination that Google is compliant with the GNI framework. The assessment is an important tool for companies, NGOs, academics, and others working together to review how companies address risks to privacy and free expression.

The assessment process includes a review of relevant internal systems, policies and procedures for implementing the GNI Principles (“the process review”), and an examination of specific cases or examples that show how the company is implementing them in practice (the “case review”).

Our cases were selected for their salience to our approach to implementing the GNI Principles, taking into consideration Google’s products and services, geographical footprint, operating environments, and human rights risk profile. In addition, to the Google-specific cases discussed in GNI’s public assessment report, we wanted to provide additional examples to illustrate the types of non-U.S. cases reviewed.

Request for user data
A request was made for Gmail user information by a federal police department. A key part of our process is making sure that the requests we receive are appropriately supported by legal process. In this case, we found that the initial request was inadequate due to failure to have a judicial stamp or signature, and we therefore pushed back, as we would not comply unless the request was judicially authorized. Once these items were obtained and, we determined that it was a valid legal request (including that it was not overbroad), we complied with the request.

Request for removal
A request for Blogger content removal was made by a regulatory agency. The requestor claimed that content was subject to removal under the country’s statute prohibiting appeals to mass riots, extremist activities, and mass actions against established order. In reviewing the request, we determined that the content did not violate our terms of service.  We then responded by requesting a copy of the decision citing specific URLs that are illegal. This would be evidence of an authoritative interpretation of the local law as applied to the content.  As there was no response from the requestor, and the content did not violate our company policies, the request was denied and we did not remove the material.

RTBF: Push for Judicial Review; Careful Development and Implementation of Rigorous Removal Process for Requests
This example describes how we responded to requests subsequent to the Google Spain v AEPD and Mario Costeja ruling, which presented risks to freedom of expression. In the Costeja case, we appealed through the court process, but were unsuccessful.  We pushed back on this ruling because we considered the requirement for Google to take down this information to be in conflict with freedom of expression. On appeal, the Court of Justice of the European Union found that people have the right to ask for information to be removed from search results that include their names if it is “inadequate, irrelevant or no longer relevant, or excessive.” In deciding what to remove, search engines must also have regard to the public interest, without additional guidance regarding what information constitutes “public interest.” The court also decided that search engines don’t qualify for a “journalistic exception.” We continue to fight court cases seeking to expand this requirement for takedowns globally.

We also convened the Advisory Council to Google on the Right to be Forgotten to review input from dozens of experts in meetings across Europe, as well as from thousands of submissions via the Web. The Council included Frank La Rue, the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. The Council advised us on performing the balancing act between an individual’s right to privacy and the public’s interest in access to information.

In response to the Costeja ruling, Google established a dedicated team to develop and implement a system to remove valid RtbF requests. We evaluate each request appropriately, complying with the law, but making sure that, if there is a legal basis for the content to remain available, we will assess how that applies. To address the ruling, we assembled a team to address the new category of requests arising from the rights articulated in Costeja. Our web removals site was updated to include information about and a portal for RtbF requests. Requests are reviewed by the legal removals team; after review, the requester is notified of the determination. Since implementing this system, we have delisted approximately 780,000 URLs. Our process responds to individual requests and carefully evaluates  each request against the criteria for removal. We also notify websites when one of their pages has been removed pursuant to a RtbF claim. In addition to removing URLs, we include information about RtbF requests and removals in our Transparency Report.

Our assessors also provided us with recommendations for enhancing our implementation of the GNI Principles. These recommendations, combined with feedback and ongoing engagement with GNI stakeholders, will inform our policies and practices and strengthen our advocacy in 2017.


Sharing National Security Letters with the Public

In our continued effort to increase transparency around government demands for user data, today we begin to make available to the public the National Security Letters (NSLs) we have received where, either through litigation or legislation, we have been freed of nondisclosure obligations. We previewed this back in October when we updated our Transparency Report.

As we have described in the past, we have fought for the right to be transparent about our receipt of NSLs. This includes working with the government to publish statistics about NSLs we’ve received, successfully fighting NSL gag provisions in court, and leading the effort to ensure that Internet companies can be more transparent with users about the volume and scope of national security demands that we receive.   

In 2015, Congress passed the USA Freedom Act, which allowed companies like Google to make more granular disclosures  about National Security Letters they receive.  In addition, the Act restricts the use of indefinite gag restrictions that prevent providers from ever notifying customers or talking about the demands. The Department of Justice (DOJ) must now regularly review disclosure restrictions in NSLs and lift those that are no longer needed. The United States Attorney General approved procedures to do this, and as we mentioned recently, the FBI has started lifting gag restrictions on particular NSLs.

We are now making copies of those NSLs available.  Our goal in doing so is to shed more light on the nature and scope of NSLs. We minimized redactions to protect privacy interests, but the content of the NSLs remain as they were when served.  We are also publishing the correspondence reflecting the lifting of the nondisclosure restrictions. We have links to the documents below.  In the near future, we will establish a more permanent home for these and additional materials from our Transparency Report.  

Redacted NSLs and FBI correspondence

NSL-10-272979 (FBI notice)

NSL-13-375880 (FBI notice)

NSL-14-394627 (FBI notice)

NSL-14-395838 (FBI notice)

NSL-14-396103 (FBI notice)

NSL-14-396300 (FBI notice)

NSL-15-417535 (FBI notice)

NSL-15-418313 (FBI notice)

While we are encouraged by this development, we will remain vigilant in opposing legislation that would significantly expand the universe of information that can be obtained with an NSL.

Building on Surveillance Reform

Today, we've updated our Transparency Report on government requests for user data.  Globally, we received 44,943 government requests for information regarding 76,713 accounts during the first half of 2016.  We provided user information in response to 64% of those requests, which remains unchanged from the previous reporting period (i.e. the second half of 2015).  We also received our first ever requests from the following countries: Algeria, Belarus, Cayman Islands, El Salvador, Fiji, and Saudi Arabia. In addition, pursuant to the USA Freedom Act, the FBI lifted a gag restriction on an NSL issued in the second half of 2015. To reflect this, we have updated the range of NSLs received in that period — July to December 2015 — from 0-499 to 1-499.

As we have noted in the past, when we receive a request for user information, we review it carefully and only provide information within the scope and authority of the request.  The privacy and security of the data that users store with Google is central to our approach.  Before producing data in response to a government request, we make sure it strictly follows the law, for example to compel us to disclose content in criminal cases we require the government use a search warrant, and that it complies with Google's strict policies (to prevent overreach that can compromise users’ privacy).  

In the US, in the current reporting period, Google saw an increase in the number of accounts covered by requests made under the Foreign Intelligence Surveillance Act (FISA) (21,000-21,499), compared to the previous reporting period (16,000-16,499). (Note that the USA Freedom Act authorizes companies like Google to report these figures in ranges, but not precise numbers.) 

In recent years, the United States has implemented or enacted meaningful surveillance reforms.  And the U.S. Congress is beginning the process of assessing potential reforms to Section 702 of FISA, which authorizes surveillance of non-U.S. persons outside of the United States.   We look forward to working together with others in our industry on continuing surveillance reform in the U.S. and around the world.

Building on Surveillance Reform

Today, we've updated our Transparency Report on government requests for user data.  Globally, we received 44,943 government requests for information regarding 76,713 accounts during the first half of 2016.  We provided user information in response to 64% of those requests, which remains unchanged from the previous reporting period (i.e. the second half of 2015).  We also received our first ever requests from the following countries: Algeria, Belarus, Cayman Islands, El Salvador, Fiji, and Saudi Arabia. In addition, pursuant to the USA Freedom Act, the FBI lifted a gag restriction on an NSL issued in the second half of 2015. To reflect this, we have updated the range of NSLs received in that period — July to December 2015 — from 0-499 to 1-499.

As we have noted in the past, when we receive a request for user information, we review it carefully and only provide information within the scope and authority of the request.  The privacy and security of the data that users store with Google is central to our approach.  Before producing data in response to a government request, we make sure it strictly follows the law, for example to compel us to disclose content in criminal cases we require the government use a search warrant, and that it complies with Google's strict policies (to prevent overreach that can compromise users’ privacy).  

In the US, in the current reporting period, Google saw an increase in the number of accounts covered by requests made under the Foreign Intelligence Surveillance Act (FISA) (21,000-21,499), compared to the previous reporting period (16,000-16,499). (Note that the USA Freedom Act authorizes companies like Google to report these figures in ranges, but not precise numbers.) 

In recent years, the United States has implemented or enacted meaningful surveillance reforms.  And the U.S. Congress is beginning the process of assessing potential reforms to Section 702 of FISA, which authorizes surveillance of non-U.S. persons outside of the United States.   We look forward to working together with others in our industry on continuing surveillance reform in the U.S. and around the world.

Strengthening the security of your Google account


Our users trust Google with some of their most precious data — family photos, emails, work documents, and more. It's our responsibility to keep your information safe and secure, and provide simple, useful ways for you to manage it.
We also have additional tools you can use to give your account extra protection. More than five years ago, we introduced two-step verification, a tool which offers an added layer of security to your account. With two-step verification, you need something more than just your password—a simple prompt on your phone, a code generated by an app, or a security key— in order to access your account. This makes it much tougher for the bad guys to get into your account, even if they’ve somehow gotten your password.
Today, the White House, in partnership with the National Cyber Security Alliance, launched the Lock Down Your Login campaign to educate Americans about better ways to keep their online accounts secure. It’s a great opportunity to remind everyone about the different two-step verification options available to protect your Google account. To enable two-step verification, go to the “Sign-in & Security” section of My Account or click here to learn more.

Strengthening the security of your Google account

Our users trust Google with some of their most precious data — family photos, emails, work documents, and more. It's our responsibility to keep your information safe and secure, and provide simple, useful ways for you to manage it.

We also have additional tools you can use to give your account extra protection. More than five years ago, we introduced two-step verification, a tool which offers an added layer of security to your account. With two-step verification, you need something more than just your password—a simple prompt on your phone, a code generated by an app, or a security key— in order to access your account. This makes it much tougher for the bad guys to get into your account, even if they’ve somehow gotten your password.

Today, the White House, in partnership with the National Cyber Security Alliance, launched the Lock Down Your Login campaign to educate Americans about better ways to keep their online accounts secure. It’s a great opportunity to remind everyone about the different two-step verification options available to protect your Google account. To enable two-step verification, go to the “Sign-in & Security” section of My Account or click here to learn more.

Preserving a Free and Open Internet

Why the IANA Transition Must Move Forward





The Internet community is about to take an important step to protect the Internet for generations to come.


Over the past several years, an ecosystem of users, civil society experts, academics, governments, and companies has worked to protect the free and open Internet.  These efforts have produced a detailed proposal that will enable the U.S. government to relinquish its contract with a California non-profit called the Internet Corporation for Assigned Names and Numbers (ICANN) to perform certain technical functions called IANA, short for the Internet Assigned Names Authority.  IANA essentially maintains the Internet’s address book, which lets you browse the web and communicate with friends without worrying about remembering long strings of numbers or other technical information.


When this proposal takes effect at the end of this month, you won’t notice anything different when you go online, but we are transitioning the IANA functions into good hands.


Why?  Although this is a change in how one technical function of the Internet is governed, it will give innovators and users a greater role in managing the global Internet.  And that’s a very good thing.  The Internet has been built by -- and has thrived because of -- the companies, civil society activists, technologists, and selfless users around the world who recognized the Internet’s power to transform communities and economies.  If we want the Internet to have this life-changing impact on everyone in the world, then we need to make sure that the right people are in a position to drive its future growth.  This proposal does just that.


The proposal will also protect the Internet from those who want to break it into pieces.  Unfortunately, some see the Internet’s incredible power to connect people and ideas around the world as a threat.  For them, the U.S. government’s contract with ICANN proves that governments are the only ones who should play a role in the way the Internet works.  We disagree.


Thinking that only governments should have a say in the Internet’s future is a dangerous proposition.  It incentivizes those who fear the Internet’s transformative power to impose burdensome restrictions online, and over time could even lead some repressive governments to try to build their own closed networks operating independently of ICANN, at the expense of a thriving Internet ecosystem.


The Internet community’s proposal avoids this risk by ensuring that the Internet is governed in a bottom-up way that puts its future in the hands of users and innovators, not authoritarian governments.  That’s why it’s not just engineers and companies, but also civil society and national security experts, who see the proposal as a critical way to protect Internet freedom.


Finally, and importantly, the proposal will fulfill a promise the United States made almost two decades ago: that the Internet could and should be governed by everyone with a stake in its continued growth.  The U.S. government’s contract with ICANN was always supposed to be merely temporary.  In fact, since ICANN was created in 1998, the U.S. government has invited the global Internet community to decide the Internet’s future in a bottom-up fashion.  The community has proven more than up to the task.  The U.S. government’s continued contractual relationship with ICANN is simply no longer necessary.


We’re grateful to have worked with so many stakeholders, including the dedicated officials at the U.S. government who have worked so hard to fulfill the promise made by their predecessors nearly twenty years ago, during this effort to protect one of the greatest engines of economic and social opportunity the world has ever seen.  And because the proposal makes sure that ICANN is more accountable and transparent than ever before, we hope that more people from around the world will take this opportunity to get involved.  The Internet’s future is in all of our hands.

Preserving a free and open internet (why the IANA transition must move forward)

The Internet community is about to take an important step to protect the Internet for generations to come.

Over the past several years, an ecosystem of users, civil society experts, academics, governments, and companies has worked to protect the free and open Internet.  These efforts have produced a detailed proposal that will enable the U.S. government to relinquish its contract with a California non-profit called the Internet Corporation for Assigned Names and Numbers (ICANN) to perform certain technical functions called IANA, short for the Internet Assigned Names Authority.  IANA essentially maintains the Internet’s address book, which lets you browse the web and communicate with friends without worrying about remembering long strings of numbers or other technical information.

When this proposal takes effect at the end of this month, you won’t notice anything different when you go online, but we are transitioning the IANA functions into good hands.

Why?  Although this is a change in how one technical function of the Internet is governed, it will give innovators and users a greater role in managing the global Internet.  And that’s a very good thing.  The Internet has been built by -- and has thrived because of -- the companies, civil society activists, technologists, and selfless users around the world who recognized the Internet’s power to transform communities and economies.  If we want the Internet to have this life-changing impact on everyone in the world, then we need to make sure that the right people are in a position to drive its future growth.  This proposal does just that.

The proposal will also protect the Internet from those who want to break it into pieces.  Unfortunately, some see the Internet’s incredible power to connect people and ideas around the world as a threat.  For them, the U.S. government’s contract with ICANN proves that governments are the only ones who should play a role in the way the Internet works.  We disagree.

Thinking that only governments should have a say in the Internet’s future is a dangerous proposition.  It incentivizes those who fear the Internet’s transformative power to impose burdensome restrictions online, and over time could even lead some repressive governments to try to build their own closed networks operating independently of ICANN, at the expense of a thriving Internet ecosystem.

The Internet community’s proposal avoids this risk by ensuring that the Internet is governed in a bottom-up way that puts its future in the hands of users and innovators, not authoritarian governments.  That’s why it’s not just engineers and companies, but also civil society and national security experts, who see the proposal as a critical way to protect Internet freedom.

Finally, and importantly, the proposal will fulfill a promise the United States made almost two decades ago: that the Internet could and should be governed by everyone with a stake in its continued growth.  The U.S. government’s contract with ICANN was always supposed to be merely temporary.  In fact, since ICANN was created in 1998, the U.S. government has invited the global Internet community to decide the Internet’s future in a bottom-up fashion.  The community has proven more than up to the task.  The U.S. government’s continued contractual relationship with ICANN is simply no longer necessary.

We’re grateful to have worked with so many stakeholders, including the dedicated officials at the U.S. government who have worked so hard to fulfill the promise made by their predecessors nearly twenty years ago, during this effort to protect one of the greatest engines of economic and social opportunity the world has ever seen.  And because the proposal makes sure that ICANN is more accountable and transparent than ever before, we hope that more people from around the world will take this opportunity to get involved.  The Internet’s future is in all of our hands.