Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Google's data minefield
Mark Rasch, 2006-01-30

The U.S. government's broad subpoena to search engines effectively seeks to mine the data of the Internet. While Google has resisted the subpoena, there may be little they can do to protect our privacy from many prying eyes.

In an effort to protect children from being able to see indecent materials (technically, materials that are "harmful to minors"), Congress passed the Children's Online Protection Act, or COPA. This act, a response to the U.S. Supreme Court's rejection of a similar but more restrictive law, the Communications Decency Act, made it unlawful to sell anywhere on the Internet any materials that any court in the United States deemed to be "harmful" to minors.

A lawsuit challenging this statute of First Amendment free expression and speech grounds ensued, and the U.S. Court of Appeals essentially told the U.S. government to prove that other means - like web filters, white lists, black lists, and others - that were less restrictive on free speech. However, this could not achieve the same governmental objectives of protecting children without reducing all of the Internet to pabulum.

To do this, the Department of Justice decided that it had to know virtually everything that virtually everyone was doing online - at least for a representative period of time. As a result, the government recently subpoenaed records from all of the major ISP's and search engines. Not surprisingly, almost all of these companies complied with the subpoenas. Only Google objected. As a result of attempting to protect both its trade secrets and the public perception of privacy, Google was rewarded by an immediate drop in its stock price.

The case has much broader implications than the subpoena itself - it raises the continuing question of the ability of the government or others to essentially usurp massive commercial databases. The immediate problem is that both Google and others may find their efforts to quash such subpoenas thwarted by the courts. The real problem is not that the records can be subpoenaed - of course they can. The problem is that these massive databases exist - or more accurately persist - at all.

The Question of COPA

The issue in the COPA litigation is whether it's better to make it a crime to sell things to your average 4 year old instead of giving parents the ability to filter that stuff out. The government argues that no filtering technology keeps out all the things that parents might not want their kids to see, and therefore, we have to make sure that nobody can ever sell that kind of stuff without some effective means of verifying that the recipient is not a kid - even to a 17 year old kid with mom or dad's credit card. The argument suggests we have to make it a crime because filters aren't 100% effective. Sure. And by the way, drugs have been illegal for years. How is that working out in reducing their use and availability?

This entire debate would be academic, except for the means the government has decided to employ to attempt to prove its case. A civil subpoena for, well, the Internet.

What the government subpoenaed from Google, and presumably from all the other search engines was "[a]ll URLs that are available to be located through a query on your computer's search engine as of July 31, 2005" and further demanded production of "[a]ll queries that have been entered on [Google's] search engine between June 1, 2005 and July 31, 2005, inclusive." Although the government ultimately narrowed the scope of the subpoena somewhat after negotiations with Google's lawyers, both the original and modified requests are startlingly broad in scope and remarkably irrelevant to the underlying litigation.

Privacy and trade secrets

When you get a subpoena from the government, you have relatively few grounds in the law to object. First, you can assert some kind of privilege - attorney-client, priest-penitent, or doctor-patient (but not journalist-source so much anymore.) While doctors, lawyers, clergy and journalists all use the Internet and search engines to find information relevant to research for clients, patients, and the like, a broad subpoena for general information is not likely to significantly impact these privileges. This does not mean that the privilege doesn't apply, or that everything you do online is "public" and therefore entitled to no privilege.

Say a client goes to a lawyer about an arcane area of the law. The lawyer hops on Google to do research (with Lexis and Westlaw being too expensive for this solo practitioner). The terms searched for by themselves would reveal the nature of the research, the privileged communications, and the legal strategy. The fact that it occurs in the "public" Internet is no more relevant than having opposing counsel following a lawyer in the law library to see what books and pages he or she is reading. It's just not kosher. So Google's objection to the broad subpoena on privilege grounds is less than fanciful, but hardly compelling.

Another ground for objecting to the production of documents is that compliance would be unreasonable and oppressive. If the demand for documents is so extensive, and so difficult to amass, the subpoena can be quashed or modified by the court. There is little doubt that this Google subpoena is broad - probably excessively so. But Google prides itself on being able to search for and deliver targeted search results for - well, a Google of information in about 3.24 seconds.

In response to Google's concerns about compliance, a Berkeley statistics professor essentially said that it can't be too burdensome because Yahoo! complied. Of course, this is much like when my eight year old demands a later bedtime because of the later bedtime of his older brother - particularly when there is no indication in the record that Yahoo ever complained or attempted to quash ITS subpoena. Moreover, I probably missed the part of my college statistics class where the statistics professor was deemed an expert on the difficulty of compliance with a subpoena. In fact, the statistics professor also claims to be an expert on the privacy implications of compliance with the subpoena to Google, glibly stating under oath that Google has no legitimate privacy concerns because "[o]ther vendors have been able to produce samples of queries with all information that might identify a user removed." Hmmm… see what happens when you fall asleep in statistics class? You miss that part about the need to protect privacy.

The problem with subpoenaing search engines

So what about Google's argument about privacy? Certainly the government hasn't subpoenaed what I personally am searching for. They state that what they seek to do is to "characterize sites that can be found using search engines and what people see in practice when they use search engines." If no specific searches are sought, just trend data, then what is the big problem? The answer is, plenty.

First of all, there is no reason to believe that any of this is even remotely relevant to the issue in the underlying litigation - whether electronic filters for children work. Let's assume that the Google subpoena shows that there is tons of pornography and smut out there and that people are actively looking for it - and actually finding it. Ooh. So what? This is like trying to determine the effectiveness of the "V chip" by subpoenaing the Neilson or Arbitron aggregate records of popular television shows, and TV Guide's records of everything broadcast. While the government eschews Google's argument that they are attempting to see "what is out there" on the Internet, effectively this is exactly what they are trying to do.

Story continued on Page 2 



Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Comments Mode:
Google's data minefield 2006-01-30
Matthew Murphy
Google's data minefield 2006-01-30
Anonymous (1 replies)
Re: Google's data minefield 2006-01-30
Google has an ethical obligation (3 replies)
Re: Re: Google's data minefield 2006-02-01
Anonymous
Yeah, let's legislate good parenting! 2006-02-03
Anonymous (1 replies)
Re: Yeah, let's legislate good parenting! 2006-02-03
Google has an ethical obligation
Re: Re: Google's data minefield 2006-02-08
Anonymous
Google's data minefield 2006-01-30
Google has an ethical obligation (3 replies)
Google's Ethical Obligation 2006-01-30
Mark D. Rasch (1 replies)
Re: Google's Ethical Obligation 2006-01-30
Google's Ethical Obligation (1 replies)
Re: Google's Ethical Obligation 2006-02-01
Jeff H, UK
Re: Google's data minefield 2006-01-31
Eric H. (1 replies)
Re: Re: Google's data minefield 2006-02-01
Google's Ethical Obligation
Re: Google's data minefield 2006-02-02
Anonymous (1 replies)
Re: Re: Google's data minefield 2006-02-03
Anonymous
Google's data minefield 2006-01-30
Anonymous
Google's data minefield 2006-01-31
Anonymous (1 replies)
Government tackle the problem 2006-01-31
Mark D. Rasch (1 replies)
Re: Government tackle the problem 2006-01-31
Anonymous
American society is so hypocritical! 2006-02-02
Jeremy Young (2 replies)
Re: American society is so hypocritical! 2006-02-03
Anonymous (1 replies)
Re: Re: American society is so hypocritical! 2006-02-04
Anonymous (1 replies)
Re: Re: Re: American society is so hypocritical! 2006-02-06
Google has an ethical obligation
Google's data minefield 2006-02-02
Anonymous (1 replies)
Re: Google's data minefield 2006-02-04
Google has an ethical obligation (2 replies)
Re: Re: Google's data minefield 2006-02-05
Anonymous
Re: Re: Google's data minefield 2006-02-08
Anonymous
The Grabbing Hands... 2006-02-08
Alexey Vesnin


 

Privacy Statement
Copyright 2010, SecurityFocus