Google's data minefield
Mark Rasch, 2006-01-30

Story continued from Page 1


If the statistics show that people aren't using Google to search for porn, the government will simply argue that porn is available on un-indexed sites, and therefore COPA is necessary. We also don't know what percentage of the Google users subpoenaed are children, or adults. Were they using Google's safe image search? Were the sites sought active, and were the URLs available? Was anything delivered to the user? Did the user have any filters on the machines that would block delivery of the URL? Were those filters configured properly? Indeed, while the government agreed to allow Google to produce a random sample of URLs delivered, Google's counsel correctly pointed out that the government's statistician would still need access to the entire database in order to ensure that the sample was statistically random.

Moreover, the government subpoena makes Google and other search engines or ISPs the source of first resort for any information about what people's preferences are, what they like or dislike, what they do and don't do, what they read and don't read.

I remember years ago finding an article in an obscure medical journal that was relevant to a case I was litigating. I asked the publisher for a copy of the publication, and he explained that I would have to buy a subscription - for several thousand dollars. So I reached into my desk drawer and pulled out a subpoena - cheaper by far than actually buying the data. Copyright, smopyright. Indeed, having subpoenaed the data, I could now introduce it into the public record at trial - and with today's electronic filing, even make the entire thing available online.

Subpoenaing the world's information

One can imagine thousands of cases where aggregate or even specific Google information might be useful to one party or another in litigation. Did my publisher act in good faith in promoting my book? Let's subpoena Amazon to see how it sold over time and compared to comparable books. Did my advertising agency meet its contractual obligations? Let's subpoena Yahoo. Indeed, as long as a plausible claim can be made not that the information is relevant to the litigation, but that it may lead to the discovery of relevant information, it is subject to subpoena. As Google's counsel pointed out, "Google objects to [the government's] view of [its] highly proprietary search database - the primary reason for the company's success - as a free resource that [the government] can access and use, some levels removed, to formulate its own defense." In other words, government, if you want this data from Google, buy it from Google.

Now the government's statistician has eschewed the need for identifying information. But as I just noted, without this kind of information, the relevance of the data to the COPA litigation is seriously diminished. So once they obtain the general information, there is little to stop the government from asking, "Oh, and by the way, what else do you know about those Google users?" What were their IP addresses? What time of day did they perform their searches (during school hours, or between 3 and 8 PM local time)? Did the same people search for kids' sites (like Disney or Nickelodeon) and then search for smut? What sites were actually delivered up as a result of these searches? What information does Google keep cached? Oh, and of course, how does Google collect, store, and collate this information in the first place?

The last one is a real kicker. One of Google's principal objections to the subpoena is that compliance will reveal its trade secrets - what it called its "crown jewels." Google argued that it would require Google to disclose the approximate number of URLs in its database, and some details about how it maintains crawled URLs, such as the number of servers, server distribution, and how often Google crawls the world-wide web. This information, according to Google, would be highly valuable to competitors, or miscreants seeking to do harm. What Google didn't mention was the fact that, because Google's competitors have already turned over their versions of this information, even with the protective order in place, it would become public which of the major search engines delivers the most or most accurate results based upon an enormous database in the government's hands. This could hurt Google's advertising revenues.

Finally, there is the matter of public perception about privacy. Not actual privacy. Indeed, Google's own privacy policy expressly states that Google "may share aggregated non-personal information with third parties outside of Google." This means exactly the kind of information that the government has subpoenaed. Indeed, in its objection to the subpoena, Google argued that compliance would "suggest that Google is willing to reveal information about those who use its services." Damn straight. That's exactly what Google's privacy policy says it will do - not revealing directly who is using its services, but revealing information about the aggregate people who do. The American public has strange attitudes about privacy. It seems to be OK for Google to collect, store and maintain this massive database, sell it, lease it, or let other companies have access to it, charge advertising revenues based on it, but heaven forbid it should fall in the hands of the government.

Indeed, the Google privacy policy goes on to ask the rhetorical question "What protections do I have against intrusions by the government into my use of Google services?" It answers this by saying, "Google does comply with valid legal process, such as search warrants, court orders, or subpoenas seeking personal information. These same processes apply to all law-abiding companies. As has always been the case, the primary protections you have against intrusions by the government are the laws that apply to where you live." This is pretty standard fare. What is different in this case is that Google is actually challenging the validity of a subpoena - a rare event for any company that gets paid little if anything from the people about whom it collects data. The more general practice is for the government to send over a copy of a subpoena or search warrant, and the ISP or search company to send over the documents - sometimes not even in that order. Indeed, there is no requirement that the entity retaining your personal records notify you about the legal process to allow you to challenge it at your own expense - and often the government requests, demands, or passes a law prohibiting the recipient from ever telling you about it - even if the underlying subpoena is itself invalid. Indeed, there have been several reported cases where law enforcement officials have created "fake" subpoenas or court orders for ISP information, and even then the courts have held that the information was OK to use, because it didn't belong to the data subject.

The Google subpoena fight isn't really about the anonymous data at issue here today. It is really about the way the government can "deputize" unwilling private companies who collect and maintain massive databases to act as their agents in the future. Want someone's credit report? Don't subscribe to Experian and subject yourself to the Fair Credit Reporting Act, just whip out a subpoena. Want to engage in massive warrantless domestic surveillance of e-mail communications? Don't mess with FISA, Title III, ECPA, or even any Presidential inherent authority. Just pass a law (like the ones just passed in Europe) mandating that ISPs and phone companies retain such data, and then subpoena not just one person's emails, but everyone's - as long as it is relevant to some issue in some litigation somewhere. Let's just create a single massive database of what everyone is doing all the time, and let anyone "dip" into it whenever it is deemed to be relevant to settling some dispute.

It seems Orwell was off by about 22 years.


Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm, and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
Copyright 2010, SecurityFocus