Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Government Crime Google United States Your Rights Online

The Google Transparency Project Transparency Project 50

Regular contributor Bennett Haselton writes "As Google releases more data about their compliance with requests from foreign governments, they should clarify their stance on exactly when they will comply with requests to turn over user data to foreign law enforcement." Bennett expands on that thought below; read on for some details of just why that kind of disclosure matters, in making sense of Google's own efforts to provide transparency.
Google, as part of its ongoing Transparency Project, announced last week the release of its latest data on takedown requests and user account information requests from governments around the world. I'm glad that notorious human rights violators like Turkey are still scoring 0 for 88 in their requests to get Google to turn over information on users allegedly breaking Turkish law. But Google should still clear up some ambiguities in its stated policies about when it will remove content in response to a government request, and (especially) when it will turn over user information to foreign law enforcement. Google's FAQ on user data requests says that "whenever we receive a request we make sure it meets both the letter and spirit of the law before complying." This, however, raises a few questions:
  1. Does "the letter and spirit of the law" refer to U.S. law, or the law in the country from which law enforcement sends the request? Presumably if a user in China or Saudi Arabia were using their Google account to send messages that criticized their own government, in violation of local "laws," Google would not turn over that user's information to that country's law enforcement on demand. That should be an easy call, since China and Saudi Arabia are dictatorships. But what about democratic countries like Canada and Germany, which nonetheless have anti-hate-speech laws that are inconsistent with American free speech guarantees? If German law enforcement demanded the identity of a German account holder who was publishing Nazi propaganda (which would be legal in the U.S., but is illegal in Germany), what would Google do?

  2. What if foreign law enforcement claims that a Google account holder is doing something which would be illegal even in the U.S. — but the request comes from a country where law enforcement is known to be corrupt? And what if the claim is such that Google can't verify the veracity of the claim by simply looking at the account contents? (For example, if law enforcement claims that a criminal gave the police a gmail.com address as a Dropbox for them to respond to a ransom demand, Google can't verify that claim just by looking at the contents of the inbox.) In such cases, does Google respond to the request anyway, even if the police might be lying in order to unmask a Google account holder who hasn't done anything illegal?

  3. Does the answer to either #1 or #2 above depend on whether Google has offices in the country making the request, and can be more easily pressured to comply with their demands?

With regard to governmental requests to remove content, Google has also not explicitly stated whether they use local laws or U.S. laws as a guideline. However, based on the incidents in the Notes section, the rule seems to be: Google will remove content only if it violates Google's own terms of service, but if content violates local laws in a given country, Google may block access to that content from that country, even if the content doesn't violate Google's policies. For example, Google restricted users in Thailand from viewing YouTube videos that offended the Thai monarch, and restricted Turkish users from viewing two videos that criticized Atatürk. As insulting as this is to the free speech rights of the people of those nations, Google could argue that if they hadn't restricted those videos, the entire YouTube site would have been blocked in those countries (which it has been in the past, in both Thailand and Turkey). And at least having your YouTube videos blocked in your home country won't put you in physical danger.

On the other hand, having your identity unmasked and turned over to your government could put you at risk of arrest and a long prison sentence, as happened to Shi Tao after Yahoo disgracefully turned his information over to Chinese officials. So it's a good thing that Google's compliance rate with user data requests is much lower. But given the higher stakes, it's all the more important for Google to clarify when they will comply with such requests.

I sent a message to Google's press office asking about their policy of following the "letter and spirit of the law" in complying with data requests, and whether that referred to U.S. law or the law in the country whose government made the demand. I got back a response copied and pasted from the user data requests FAQ:

Like all law-abiding companies, we comply with valid legal process. We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying. When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.

I immediately wrote back:

But when you say you make sure a request "meets both the letter and spirit of the law", whose law are you talking about — U.S. law, or the law of the country where the request originated?

If Saudi Arabia has laws on the books against criticizing the King, and the Saudi police use that as the pretext to demand that you turn over a subscriber's identity because that user criticized the government, I presume you don't comply with requests like that. But does that mean that you only turn over subscriber identities if the foreign law enforcement can show that the subscriber did something that would be illegal under U.S. law?

(It's always a bit awkward trying to turn a cut-and-paste job into a real conversation.) Google's PR said they had nothing more to add, but I've asked some mid-to-highly-placed friends at the company to see if they could get someone to comment in more detail, and I'll follow up if they get back to me.

The question came up when I was at a conference talking with some activists from Latin America, who were asking about the safest way to email a sensitive message or document out of the country over an encrypted connection, to a contact person in the U.S. I said that even though they had already heard about solutions like Tor and PGP, the simplest solution in their case would just be to use Gmail to send the message or the file, since their connection to Google's Gmail servers in the U.S. would be encrypted over https://. (Once the message is sent out from Gmail's servers to its recipient, it would be transmitted unencrypted, but by that point the law enforcement in the sender's home country would no longer be able to intercept it.) Another techie pointed out that Google had long been complying with many foreign governments' requests for user data, as documented on their Transparency Project page, and said that should be taken into account before recommending for anyone to use Google products in a hostile country.

But if you look at the Transparency Project chart for user data requests, it looks like Google does not regularly hand out user data to regimes that are major human rights violators (the only two such countries appearing on the list are Russia and Turkey, and Google has apparently complied with exactly 0% of their requests). I'm not a fan of everything that every other country on that list has done, but they're mostly democratic nations that are probably not abusing the data request process as much as, say, Venezuela would.

So even without specific assurances from Google, I still think that Gmail is safer than PGP for the purpose of sending an encrypted message out of a hostile country without attracting attention to yourself. Remember, if you send a message to someone encrypted with PGP, and a third party intercepts the message, the interceptor can still see that the encrypted portion is bookended with the words "BEGIN PGP ENCRYPTED MESSAGE" and "END PGP ENCRYPTED MESSAGE" — so even if they can't tell what you said, they still know that you went out of your way to send an encrypted email. (Similarly, if you're using Tor, an eavesdropper can't tell what you did over your encrypted Tor connection, but they could still detect that you're using Tor, either by studying the traffic patterns or by keeping a list of known Tor servers and watching to see if you connect to one of them.) By contrast, everyone who connects to Gmail, connects automatically over an encrypted https:// connection, so an eavesdropper would not detect anything unusual about your usage of Gmail that might tip them off that you were trying to hide something. Gmail is the safest of the major mail providers in this regard; Hotmail serves your messages over an encrypted connection only if you opt in to that feature, and Yahoo Mail doesn't provide that option at all. So it's precisely because Gmail is an almost-perfect secure communications solution, that I'd really like to be able to trust it even more, by getting a clearer statement from Google about when exactly it would turn over a subscriber's identity to a government.

Google seems like they're trying to do the right thing in response to demands from foreign countries with less-than-stellar human rights records. With regard to user data requests, Google must be following some internal rule, and the right thing to do would be to tell us what the rule is.

This discussion has been archived. No new comments can be posted.

The Google Transparency Project Transparency Project

Comments Filter:
  • The obvious: (Score:5, Interesting)

    by SuricouRaven ( 1897204 ) on Tuesday June 26, 2012 @11:47AM (#40453153)
    Send your PGP-encrypted message over gmail, of course.
  • by Anonymous Coward on Tuesday June 26, 2012 @11:49AM (#40453185)
    Nevertheless, Google is pioneer on transparency reporting, no other company had gone such extremes to publicize this kind of info. This should always be mentioned when criticizing their Google Transparency Report system. I didn't read the treaty above, but skimmed and saw nothing of sort.
  • by SmallFurryCreature ( 593017 ) on Tuesday June 26, 2012 @12:01PM (#40453317) Journal

    At the bottom of the article/summary, it notes that just encryption is not good enough against a real enemy (and not the made up ones by the tin foil hat crowd in the west) who will just beat your encryption key out of you. For a WW2 reference, you can have the most fancy code for your radio message but if the nazi's found you is possession of a radio, whether the message was encrypted or not, harmless or not, did not matter. No broadcasting!

    Same in North Korea, hard to send any message out if you don't have a computer and the few computers that do have access are completely monitored. In Iran, all ISP's are state owned and controlled and so any signal that doesn't signal 100% innocent WILL be investigated and they won't take your word for it that you lost your key for PGP either.

    It is what makes "darknet" programs such silly little kiddy toys. They only work in the west where your ISP doesn't give a shit what traffic goes over which port. But if a government wants to monitor all traffic, all they got to do is filter out any traffic that doesn't fit pre-determined patterns. How would you disguise encrypted traffic to non-standard destinations? Back to radio, the fact that you are sending a signal is what alert the authorities, not the signal being received. Connect to some Tor node and that itself will be cause for investigation. And no, they don't need to have a list for all Tor node, they just need a list of "legit" destinations and then notice that yours isn't on that list.

    No freedom sucks, it isn't that visiting "" is illegal, it is that visiting anything but yahoo.com is illegal.

    That is why ordinary film rolls are still used to get information out of North Korea with flesh and blood messengers. Sure, it is possible to use a cellphone near the border... but just the receiving of such a cellphone, just having an adapter to charge it, is a crime. And they don't need evidence.

    Thank [insert object of worship] that 99% of us never have to deal with true repression. Real repression is your finger nails being torn out because someone near you at one point might have done something someone didn't like and you don't even have a clue and nobody cares.

    Fiddle around with your PGP and Tor all you want, it only works because in the west, because the state operates under rules which don't allow them to simply let you disappear because they thought you might have done something someone didn't like.

  • by History's Coming To ( 1059484 ) on Tuesday June 26, 2012 @12:41PM (#40453877) Journal
    Americans tend to forget they are foreign to the majority of the world. From a UK perspective the "local laws" of the US appear very different, a country that executes their citizens, prosecutes people who cross the road without state help and allows people to carry firearms with minimal checks. Yes, I'm sure that the UK has some equally strange laws when seen from the outside, but my point is that US law isn't "international law", but far from it. The closest any one country comes to that is Scottish law (different to UK law), and even that varies wildly. I'd assume that Google follows the local law of whichever country it's operating in at the time (which may or may not include other legal codes, eg European legislation in EU countries), so we'll probably see wild variations in how they respond.

Things equal to nothing else are equal to each other.