Government agencies make requests to Google companies seeking information about Google user accounts or products. In this report, we are revealing statistics about those demands.
Our goal is to present a comprehensive data set encompassing all demands we receive from government agencies for user information, including all criminal and national security requests. We can't guarantee the data will always be error-free, but we're continuously working to improve our internal processes so our reports will be timely and accurate.
As with many other Google products, we like to launch and iterate. The Transparency Report is no different. As we've worked on this project, we've figured out the best way to disclose more information. For example, starting with the July–December 2010 reporting period, we began to disclose the percentages of user data requests we comply with in whole or in part. And starting with the January–June 2011 reporting period, we began to disclose the number of users or accounts about which data was requested. Since then we've added more and more information about U.S. national security requests.
Yes, our goal is to include in our statistics all demands we received from government entities unless we must delay reporting, such as with certain FISA requests. That is what we're doing in this report. We're always looking to improve how we track requests internally so that we can be as comprehensive and accurate as possible.
Like other technology and communications companies, we regularly receive requests from government agencies to disclose information about users of Google services. We are by no means unique when it comes to receiving these requests.
No, it's not the total number of users that have been the subject of a request to Google. There are several reasons why the numbers of "users/accounts" in user information requests may be over-inclusive. For example, the same Gmail account may be specified in several different requests for user information, perhaps once in a subpoena and then later in a search warrant. We add both instances to the "users/accounts" total even though it's the same account. Similarly, we might receive a request for a user or account that doesn't exist at all. In that case, we would still add both the request and the non-existent account to the totals. We've made efforts to reduce over-inclusiveness, but have decided it is better to err on the side of a greater number.
We report compliance percentages for criminal requests from July 2010 onward. Those percentages reflect the number of requests we responded to by producing some information.
When we receive a request for user information, we review it carefully and only provide information within the scope and authority of the request. The privacy and security of the data that users store with Google is central to our approach. Before complying with a government request, we make sure it follows the law and Google's policies. We notify users about legal demands when appropriate, unless prohibited by law or court order. And if we believe a request is overly broad, we seek to narrow it -- like when we persuaded a court to drastically limit a U.S. government request for two months of user search queries.
These observations on user data requests highlight some trends that we've seen in the data during each reporting period, and are by no means exhaustive.
It’s a request for information that the Federal Bureau of Investigation (FBI) can make when they or other agencies in the Executive Branch of the U.S. government are conducting national security investigations. An NSL can’t be used in ordinary criminal, civil or administrative matters.
You can read more about NSLs in this publication by the Congressional Research Service. The FBI is required to report how they use NSLs to Congress biannually. The U.S. Department of Justice also regularly audits how the FBI uses NSLs.
Under the Electronic Communications Privacy Act (ECPA) 18 U.S.C. section 2709, the FBI can seek “the name, address, length of service, and local and long distance toll billing records” of a subscriber to a wire or electronic communications service. The FBI can’t use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses.
The Director of the FBI or a senior FBI designee must provide a written certification that demonstrates the information requested is “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.” The FBI is not required to get court approval to issue an NSL.
Many governments may have legal processes similar to NSLs that allow them to obtain information for national security reasons. Many also have national security authorities that are in some ways like FISA. When Google receives these user data requests, we include them in the numbers we report biannually in our Transparency Report for each country.
The Foreign Intelligence Surveillance Act is a U.S. law, originally enacted in 1978 to govern how the U.S. government collects foreign intelligence for national security. This Act created the Foreign Intelligence Surveillance Court, which consists of 11 federal district court judges who review government applications for electronic surveillance and other types of intelligence collection. It also created the Foreign Intelligence Court of Review, to which appeals from the FISC can be made. These courts have the power to require companies or other private organizations to hand over information in foreign intelligence investigations.
The Department of Justice oversees the agencies involved in carrying out FISA-authorized activities. FISA requires these agencies to brief Congress on a regular basis and present all pertinent FISA court documents. You can read more about FISA in these publications by the Congressional Research Service: February 15, 2007 CRS Report, July 7, 2008 CRS Report.
Under the Foreign Intelligence Surveillance Act (FISA), the government may apply for court orders from the FISA Court to, among other actions, require U.S. companies to hand over users’ personal information and the content of their communications.
The FISA Amendments Act, passed in 2008, authorizes the government to require U.S. companies to provide information and the content of communications associated with the accounts of non-U.S. citizens or non-lawful permanent residents who are located outside the United States. You can read more about the FISA Amendments Act in this publication by the Congressional Research Service: April 8, 2013 CRS Report.
Google’s general approach to government requests for information is the same: Before complying with a government request, we make sure it follows the law and Google's policies. And if we believe a request is overly broad, we seek to narrow it.
The U.S. Department of Justice has imposed two delays. First, providers must wait six months before publishing statistics about FISA requests so that, for example, the report published January 1, 2015 will reflect requests received between January 1 and July 1, 2014. Second, providers must wait two years to publish statistics reflecting “New Capability Orders.”
If Google receives an NSL or FISA request for a user's account, we would apply the same policy we use when responding to ECPA legal process.
In the case of NSLs, the FBI has the power, under 18 U.S.C. section 2709(c)(1), to prohibit the recipient of an NSL from disclosing the fact that it has received an NSL, by certifying that disclosure may result in “a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.” In the case of FISA requests, current law prohibits recipients of FISA requests from disclosing the existence of the request.