Google Transparency Report raises concern, praised
Privacy advocates say more companies should follow search giant's example
November 21, 2012 — CSO — One way to view search giant Google's biannual Transparency Report is to be alarmed that the company is increasingly allowing governments to monitor their citizens' online activities and to censor the Web by demanding the removal of certain content.
But another way to view it is that Google regularly goes public with the number of requests it receives from governments, and includes its rate of compliance with those requests.
For that alone, it gets a gold star, even from an organization like the Electronic Frontier Foundation (EFF), a vocal advocate for Internet privacy protections. "Whenever people read stories about report, their reaction tends to be, 'Oh, my God, Google gives up information to the government, or government is asking Google for information,'" said Eva Galperin, international freedom of expression coordinator for EFF.
"But the point is that government does it to all Internet companies. We have no idea how many are giving out information. At least Google is telling us what it does," she said.
Pierluigi Paganini, writing about the Google report on Infosec Island, said, "governments are increasing their control over social media and on internet ... using surveillance systems (and) court orders."
However, in an interview with CSO Online, he said he believes the company "is doing excellent work, despite the incredible pressures of governments."
The latest report shows government requests worldwide for user data steadily increasing, from 12,539 in the second half of 2009 to 20,938 in the first six months of this year. Requests to remove data remained relatively flat at an average of about 1,040 during the same time period, until the most recent six months, when it spiked to 1,791.
[See related: Government surveillance on rise in murky legal environment]
Galperin said a few companies provide transparency reports -- including Twitter, Wikipedia, Sonic.net, Dropbox and LinkedIn. She said the number has increased since EFF launched a campaign called "Who Has Your Back," which "encourages companies to be good corporate citizens, and one of the criteria for that was a transparency report."
But she said EFF believes that all companies that handle user data should make such reports regularly. She said the social networking giant Facebook "has been telling us that they will do something, but they've been telling us that for a while."
She also said it is not a cause for concern that the number of user data requests from the U.S. government, at 7,969, involving 16,281 users and/or accounts, were more than three times the number sought by second-place India, at 2,319 and 3,467.
Most countries listed in the report made less than 1,000. The compliance rate for U.S. government requests was 90%. The next-highest compliance rate was for Japan, at 86%, but that country made only 104 requests.
That, she said, is partially because Google is a U.S.-based company and partially because U.S. authorities are making those requests or demands properly.
Galperin said she expects requests from other companies to increase. "I think some of them are just catching on that they can do it, and how to do it," she said.
Marc Zwillinger, an attorney and privacy expert at ZwillGen, said it is also important to keep the numbers in context. Something over 16,000 users sounds like a lot," he said, "but Google probably has hundreds of millions of users."
Zwillinger also said the 90% compliance rate means "government is using the right legal process most of the time."
Chris Calabrese, legislative counsel for the American Civil Liberties Unio (ACLU), compliments Google for its transparency, but said the 90% compliance rate was not a comfort to him. "I'm fascinated as a citizen that 10% of these requests are wrong in some way -- they don't meet the legal standard," he said. "Multiply that by all the providers who are out there [who are not issuing reports], and it makes you wonder how many of those requests may be getting through when they shouldn't."
He also said even if the number of government requests is small, relative to the number of users, the trend is worrying. "These records didn't exist 10 or 20 years ago. That's the big story here," Calabrese said.
Regarding the recent spike in content-removal requests, Rebecca Herold, CEO of The Privacy Professor, noted, that alot of the cases had to do with defamation or copyright infringement. "While I believe in freedom of speech, I also believe that people must be held accountable for their statements, and should not be able to post damaging fabrications about others online," she said, noting that Google did not comply with a number of requests.
Herold said the increased requests for user data in the U.S. points to the need for comprehensive cybersecurity legislation. "Currently there are no effective legal protections for online data," she said. "This trend of increasing collection of data should be a bellwether call to enact comprehensive laws to for not only security, but also privacy."
She said all Internet users should be concerned about vulnerabilities in data collection. As is the case in cyber attacks, attribution can be a problem. "Just because they are finding information online that appears to be from specific individuals does not mean that the information actually is associated with them," she said. "It is very easy to spoof activities and data to make it look like it came from others."
Herold also said privacy advocates should be concerned about how the information is being used and shared. The Google report, she noted, "doesn't really go into enough details to answer this."
Finally, she noted an omission from the list of countries making user data requests: "What I find particularly interesting is that Google does not provide any statistics for China, or other countries where they have modified their practices because of the associated governments' pressure on them. Those would be some interesting statistics," she said.
Read more about data privacy in CSOonline's Data Privacy section.
Other stories by Taylor Armerding