Government agencies make requests to Google companies seeking information about Google users accounts or products. In this report, we are generally revealing statistics about demands in criminal investigations. In some cases we may not be able to tell if the demand is for a criminal investigation as opposed to some other purpose. In those situations, we try to include the request in these statistics.
No. While we have tried to report as accurate a number as possible, the statistics are not 100% comprehensive or accurate. For example, we have not included statistics for countries where we've received fewer than 30 requests for user data in criminal cases during the reporting period. Where the numbers of requests are relatively low from a particular country, revealing the statistics could place important investigations at risk and interfere with public safety efforts of the authorities.
As with many other Google products, we like to launch and iterate. The Transparency Report is no different. As we've worked on this project, we've figured out the best way to disclose more information. For example, starting with the July–December 2010 reporting period, we began to disclose the percentages of user data requests we comply with in whole or in part. And starting with the January–June 2011 reporting period, we began to disclose the number of users or accounts about which data was requested.
No, the statistics primarily cover requests in criminal matters. We can't always be sure that a request necessarily relates to a criminal investigation, however, so there are likely a small number of requests that fall outside of this category. For example, we would include in the statistics an emergency request from a government public safety agency seeking information to save the life of a person who is in peril even though there is not necessarily a criminal investigation involved. As we improve our tracking, we may add more categories.
Like other technology and communications companies, we regularly receive user data requests, which may specify any users or accounts used to store or provide information on our services. We are by no means unique when it comes to receiving these requests.
No, the statistics primarily cover requests in criminal matters. We can't always be sure that a request necessarily relates to a criminal investigation, however, so there are likely a small number of requests that fall outside of this category. That said, there are several reasons why the numbers of "users/accounts specified" by user data requests may be over-inclusive or under-inclusive. For example, in some instances the same Gmail account may be specified in several different requests for user data. Each distinct request that we receive would be added to the total, as we have not figured out a satisfactory method for de-duplicating account or user names when tracking requests. On the other hand, we might also receive a request for a user or account that doesn't exist at all. In that case, we would still add both the request and the non-existent account to the total.
The "user data requests" numbers reflect the number of requests we received about the users of our services and products from government agencies like local and federal police and, from July 2010 onward, the number of requests to which we responded in whole or in part. When we receive a request for user information, we review it carefully and only provide information within the scope and authority of the request. We may refuse to produce information or try to narrow the request in some cases. Like all law-abiding companies, we comply with valid legal process. We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying. When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.
We would like to be able to share more information, but it's not an easy matter. The requests we receive for user data come from a variety of government agencies with different legal authorities and different forms of requests. They don't follow a standard format or necessarily seek the same kinds of information. A single request may ask for several types of data but be valid only for one type and not for another; in those cases, we disclose only the information we believe we are legally required to share. Given all this complexity, it's a difficult task to categorize and quantify these requests in a way that adds meaningful transparency, but we may do so in the future.
These observations on user data requests highlight some trends that we've seen in the data during each reporting period, and are by no means exhaustive.
It’s a request for information that the Federal Bureau of Investigation (FBI) can make when they or other agencies in the Executive Branch of the U.S. government are conducting national security investigations. An NSL can’t be used in ordinary criminal, civil or administrative matters.
You can read more about NSLs in this publication by the Congressional Research Service. The FBI is required to report how they use NSLs to Congress biannually. The U.S. Department of Justice also regularly audits how the FBI uses NSLs.
Under the Electronic Communications Privacy Act (ECPA) 18 U.S.C. section 2709, the FBI can seek “the name, address, length of service, and local and long distance toll billing records” of a subscriber to a wire or electronic communications service. The FBI can’t use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses.
The Director of the FBI or a senior FBI designee must provide a written certification that demonstrates the information requested is “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.” The FBI is not required to get court approval to issue an NSL.
It's Google’s practice to notify users about legal demands when appropriate, unless prohibited by law or court order. The FBI has the power to prohibit the recipient of an NSL from disclosing the fact that it has received an NSL, by certifying that disclosure may result in “a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.”
Many governments may have legal processes similar to NSLs that allow them to obtain information for national security reasons. When Google receives these user data requests, we include them in the numbers we report biannually in our Transparency Report.