The Google Transparency Project Transparency Project 50
-
Does "the letter and spirit of the law" refer to U.S. law, or the law in the country from which law enforcement sends the request? Presumably if a user in China or Saudi Arabia were using their Google account to send messages that criticized their own government, in violation of local "laws," Google would not turn over that user's information to that country's law enforcement on demand. That should be an easy call, since China and Saudi Arabia are dictatorships. But what about democratic countries like Canada and Germany, which nonetheless have anti-hate-speech laws that are inconsistent with American free speech guarantees? If German law enforcement demanded the identity of a German account holder who was publishing Nazi propaganda (which would be legal in the U.S., but is illegal in Germany), what would Google do?
-
What if foreign law enforcement claims that a Google account holder is doing something which would be illegal even in the U.S. — but the request comes from a country where law enforcement is known to be corrupt? And what if the claim is such that Google can't verify the veracity of the claim by simply looking at the account contents? (For example, if law enforcement claims that a criminal gave the police a gmail.com address as a Dropbox for them to respond to a ransom demand, Google can't verify that claim just by looking at the contents of the inbox.) In such cases, does Google respond to the request anyway, even if the police might be lying in order to unmask a Google account holder who hasn't done anything illegal?
-
Does the answer to either #1 or #2 above depend on whether Google has offices in the country making the request, and can be more easily pressured to comply with their demands?
With regard to governmental requests to remove content, Google has also not explicitly stated whether they use local laws or U.S. laws as a guideline. However, based on the incidents in the Notes section, the rule seems to be: Google will remove content only if it violates Google's own terms of service, but if content violates local laws in a given country, Google may block access to that content from that country, even if the content doesn't violate Google's policies. For example, Google restricted users in Thailand from viewing YouTube videos that offended the Thai monarch, and restricted Turkish users from viewing two videos that criticized Atatürk. As insulting as this is to the free speech rights of the people of those nations, Google could argue that if they hadn't restricted those videos, the entire YouTube site would have been blocked in those countries (which it has been in the past, in both Thailand and Turkey). And at least having your YouTube videos blocked in your home country won't put you in physical danger.
On the other hand, having your identity unmasked and turned over to your government could put you at risk of arrest and a long prison sentence, as happened to Shi Tao after Yahoo disgracefully turned his information over to Chinese officials. So it's a good thing that Google's compliance rate with user data requests is much lower. But given the higher stakes, it's all the more important for Google to clarify when they will comply with such requests.
I sent a message to Google's press office asking about their policy of following the "letter and spirit of the law" in complying with data requests, and whether that referred to U.S. law or the law in the country whose government made the demand. I got back a response copied and pasted from the user data requests FAQ:
Like all law-abiding companies, we comply with valid legal process. We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying. When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.
I immediately wrote back:
But when you say you make sure a request "meets both the letter and spirit of the law", whose law are you talking about — U.S. law, or the law of the country where the request originated?
If Saudi Arabia has laws on the books against criticizing the King, and the Saudi police use that as the pretext to demand that you turn over a subscriber's identity because that user criticized the government, I presume you don't comply with requests like that. But does that mean that you only turn over subscriber identities if the foreign law enforcement can show that the subscriber did something that would be illegal under U.S. law?
(It's always a bit awkward trying to turn a cut-and-paste job into a real conversation.) Google's PR said they had nothing more to add, but I've asked some mid-to-highly-placed friends at the company to see if they could get someone to comment in more detail, and I'll follow up if they get back to me.
The question came up when I was at a conference talking with some activists from Latin America, who were asking about the safest way to email a sensitive message or document out of the country over an encrypted connection, to a contact person in the U.S. I said that even though they had already heard about solutions like Tor and PGP, the simplest solution in their case would just be to use Gmail to send the message or the file, since their connection to Google's Gmail servers in the U.S. would be encrypted over https://. (Once the message is sent out from Gmail's servers to its recipient, it would be transmitted unencrypted, but by that point the law enforcement in the sender's home country would no longer be able to intercept it.) Another techie pointed out that Google had long been complying with many foreign governments' requests for user data, as documented on their Transparency Project page, and said that should be taken into account before recommending for anyone to use Google products in a hostile country.
But if you look at the Transparency Project chart for user data requests, it looks like Google does not regularly hand out user data to regimes that are major human rights violators (the only two such countries appearing on the list are Russia and Turkey, and Google has apparently complied with exactly 0% of their requests). I'm not a fan of everything that every other country on that list has done, but they're mostly democratic nations that are probably not abusing the data request process as much as, say, Venezuela would.
So even without specific assurances from Google, I still think that Gmail is safer than PGP for the purpose of sending an encrypted message out of a hostile country without attracting attention to yourself. Remember, if you send a message to someone encrypted with PGP, and a third party intercepts the message, the interceptor can still see that the encrypted portion is bookended with the words "BEGIN PGP ENCRYPTED MESSAGE" and "END PGP ENCRYPTED MESSAGE" — so even if they can't tell what you said, they still know that you went out of your way to send an encrypted email. (Similarly, if you're using Tor, an eavesdropper can't tell what you did over your encrypted Tor connection, but they could still detect that you're using Tor, either by studying the traffic patterns or by keeping a list of known Tor servers and watching to see if you connect to one of them.) By contrast, everyone who connects to Gmail, connects automatically over an encrypted https:// connection, so an eavesdropper would not detect anything unusual about your usage of Gmail that might tip them off that you were trying to hide something. Gmail is the safest of the major mail providers in this regard; Hotmail serves your messages over an encrypted connection only if you opt in to that feature, and Yahoo Mail doesn't provide that option at all. So it's precisely because Gmail is an almost-perfect secure communications solution, that I'd really like to be able to trust it even more, by getting a clearer statement from Google about when exactly it would turn over a subscriber's identity to a government.
Google seems like they're trying to do the right thing in response to demands from foreign countries with less-than-stellar human rights records. With regard to user data requests, Google must be following some internal rule, and the right thing to do would be to tell us what the rule is.
The obvious: (Score:5, Interesting)
Google deserves respect nevertheless, others not. (Score:5, Interesting)
Re:Google deserves respect nevertheless, others no (Score:4, Insightful)
yep. Leading the way as usual. It's not like you'll ever hear of this from any other large technology focused companies - that's for certain. Whether it's manufacturers or software developers or any other aspect of technology, all you get is a general lack of transparency.
Re:Nothing makes americans paranoid like the word. (Score:5, Interesting)
Re:Nothing makes americans paranoid like the word. (Score:4, Insightful)
I know, random examples and you don't really mean aything by it, but I felt I had to expand / defend. I totally agree with you in that "US Law" is not the same thing as "international law" and I do find it disgusting that our government tries to enforce it outside our borders and such.
1: Executing citizens: very controversial and is not legal in many states. Is hardly used at a whim, and when it is used there is strong deliberation in the court whether to use it or go with something like life imprisonment. Again, this is only used against people like murderers.
2: Jaywalking: makes sense in a place like new york, where people randomly crossing the street is not only dangerious but fucks up traffic. Most places people look before they cross and are curtious enough to not interrupt traffic, but at such high populations we can't rely on people being nice. Enforcement of this outside of major population centers is practically non-existant.
3: We've had a bloody birth. The lack of checks is because of paranoia that the government can use the collected data to take them away from us. These guns are one of the few things keeping our government from outright fucking us all. Sure, there are some vocal nuts who make it seem like we just like guns, but that's not how it really is.
Re: (Score:3)
Re: (Score:2)
We're supposed to have both. The right to bear arms came around back in the days where there was no difference between the gear the armed forces had and that which was available to the citizens. The gap has been getting wider yes, but wouldn't it be better to try, than to just give up?
Re: (Score:3)
Re: (Score:3)
Well between those very same sort pea shoots and IEDs the various groups in Afghanistan have kept our so powerful military bogged down for ten years.
No I don't think it would be possible to organize civilians with typical consumer fire arms and lead a siege of Washington that is opposed by the military. I do think the guns being out there make our government a bit concerned that riots might be uncontrollable and stops them from doing anything to unpopular.
I also think the prospect of doing something that
Re: (Score:2)
So if the military side with the government they'll be swamped in a asymmetric campaign against "the terrorists". If there are enough "terrorists" and/or enough "terrorist sympathisers" who refuse to pay taxes then the army will be defeated by withdrawing their funding. If there aren't enough then there will be something on a spectrum from "local uprisings" to full blown civil war. You've essentially got the same situation as Syria is currently
Re: (Score:2)
That's good idea, lets amend the Constitution to give the president 60 days to use the armed forces. That way an immediate response can be made if we are attacked or there is some other crisis. After that rather than Congress authorizing war, lets make it a popular vote.
Re: (Score:3)
Well, the reason for the 2nd amendment was because of what the British armies were doing to the colonies. Think entering homes and killing and all sorts of other things. Hence the right to bear arms was meant to be able to rep
Re: (Score:2)
You need to read more of the writings of Thomas Jefferson. Much of what he wrote about government vs. the governed is EXACTLY what the right to bear arms centered around. It's about the right of the people to defend themselves from any oppressor, foreign or domestic. This specifically includes the government.
Re: (Score:2)
As long as the number of gun owners is more than 50 times the number of soldiers, high tech weapons dont matter. Remember almost half the households have guns, and the guns are spread out all across the country.
Re: (Score:2)
As long as the number of gun owners is more than 50 times the number of soldiers, high tech weapons dont matter. Remember almost half the households have guns, and the guns are spread out all across the country.
You also have to keep in mind that soldiers are not automata. If citizens have sufficient ability to resist and if there are enough resisting that it's necessary to deploy military forces to stop them, then many of the soldiers will be at least somewhat on the side of the resisters, and many more will be unwilling to fire on their countrymen.
As for what guerrilla forces who can hide among the populace and engage in hit-and-run tactics can achieve, even with vastly inferior weapons, see history.
When you
Re: (Score:2)
Yeah, I was all with him until he got to #3. Here's my version of the third point:
America has a whole lot of rural areas where fathers teach their sons to hunt. This is something that is passed down, generation from generation, since in a lot of cases one of their ancestors settled in the area and hunted to stay alive. Not only is this so ingrained in our culture that it's not going to go anywhere anytime soon, it's also necessary because with the currently low proportion of predators to deer, deer are so o
Re: (Score:2)
Some states have too high a concentration of ignorant, violent people, with too few civilized people to balance them out.
thats right and they are getting rid of those violent people via execution
Re: (Score:3)
well, that's the thing - if they really did so then turkish requests for records of turkish activities done in turkey would go through(obviously it's legal for them to demand such info from google, even if they haven't made it illegal enough for google to not comply - afaik google isn't banned & fined in turkey).
if they did adhere to local law always then they would be helping iranian authorities to eavesdrop, they would be helping isrealis tap on palestenian communications and so forth- though it seems
Google Transparency Project Transparency Project (Score:5, Funny)
From the Department of Redundancy Department
Re: (Score:2)
Re: (Score:1)
local "laws"? (Score:2)
Are they not real laws?
Re: (Score:1)
Finally someone who gets the real issue (Score:5, Interesting)
At the bottom of the article/summary, it notes that just encryption is not good enough against a real enemy (and not the made up ones by the tin foil hat crowd in the west) who will just beat your encryption key out of you. For a WW2 reference, you can have the most fancy code for your radio message but if the nazi's found you is possession of a radio, whether the message was encrypted or not, harmless or not, did not matter. No broadcasting!
Same in North Korea, hard to send any message out if you don't have a computer and the few computers that do have access are completely monitored. In Iran, all ISP's are state owned and controlled and so any signal that doesn't signal 100% innocent WILL be investigated and they won't take your word for it that you lost your key for PGP either.
It is what makes "darknet" programs such silly little kiddy toys. They only work in the west where your ISP doesn't give a shit what traffic goes over which port. But if a government wants to monitor all traffic, all they got to do is filter out any traffic that doesn't fit pre-determined patterns. How would you disguise encrypted traffic to non-standard destinations? Back to radio, the fact that you are sending a signal is what alert the authorities, not the signal being received. Connect to some Tor node and that itself will be cause for investigation. And no, they don't need to have a list for all Tor node, they just need a list of "legit" destinations and then notice that yours isn't on that list.
No freedom sucks, it isn't that visiting "154.32.55.32" is illegal, it is that visiting anything but yahoo.com is illegal.
That is why ordinary film rolls are still used to get information out of North Korea with flesh and blood messengers. Sure, it is possible to use a cellphone near the border... but just the receiving of such a cellphone, just having an adapter to charge it, is a crime. And they don't need evidence.
Thank [insert object of worship] that 99% of us never have to deal with true repression. Real repression is your finger nails being torn out because someone near you at one point might have done something someone didn't like and you don't even have a clue and nobody cares.
Fiddle around with your PGP and Tor all you want, it only works because in the west, because the state operates under rules which don't allow them to simply let you disappear because they thought you might have done something someone didn't like.
Re: (Score:1)
Heh, you got that right. Anybody who thinks the internet is safe and anonymous is delusional. Coded messages in the classified ads is the only secure way to communicate.
Re: (Score:2)
Re: (Score:2)
The Tor project is designing ways to pass Tor in what looks like regular https traffic. It won't help North Koreans, but it does help (right now) Chinese people.
In an environment where its use can be dictated, DPISSL defeats this.
Re: (Score:1)
Re: (Score:2)
How would you disguise encrypted traffic to non-standard destinations?
Stenography?
Re: (Score:2)
Even with the trouble I have reading shorthand, I think steganography might be a better choice here.
After CISPA passes they don't have any choice (Score:2)
The question doesn't matter. The new bill *requires* the ISPs and websites like google turn-over customer data and web history to the Dept. of Homeland Insecurity (you feel insecure because you never know when they will harass you). Even if google wanted to turn down a request, they cannot.
TL;DR (Score:1)
In all honesty however, this is quite interesting.
You're asking the wrong crowd (Score:3)
Most people here will respond as if the United States is the greatest villain, not realizing that there actually is real tyranny and oppression in the world.
Re: (Score:3)
Are you talking about the RNC?
Re: (Score:2)
>>>as if the United States is the greatest villain, not realizing that there actually is real tyranny
Yeah we're only # 15 on the list. C'mon Congress! If you try harder you can be in the top 5! (Maybe suck the money from education so the masses don't realize what "tyranny" means. Or "constitution".)
Re: (Score:2)
Just beacuse there's tyranny and oppression in other parts of the world does not mean that there isn't tyranny and oppression in the U.S., or that the U.S. is not headed in that direction.
And, if indeed there is tyranny and oppression in the U.S., then there's even less of a moral standing to point to tyranny and oppression in other countries. I think the saying is: If your house isn't perfect, you've no business telling others how to fix theirs (or the in case of the U.S., "fixing" it for them).
free speech (Score:2)
Derailing.....
"But what about democratic countries like Canada and Germany, which nonetheless have anti-hate-speech laws that are inconsistent with American free speech guarantees?"
What exactly are these free speech guarantees you speak of? It almost seems like you are implying that the US has free speech with zero or no restrictions???
Re: (Score:1)
I've been known... (Score:2)
Article = Trolling (Score:2)
Author is asking for simple answers to complex questions.
Google has entire legal departments devoted to making these decisions on a case by case basis.
In order to do business in a jurisdiction, a business must agree to abide by their laws. Google cannot stat outright that they will not obey legal requests, or they would not be allowed to operate. They have lawyers to decide when they can get away with not complying, when they can obfuscate, when they can delay, and when they should capitulate.
Due to the f