FAQ: When Google is not your friend

Google's recent legal spat with the U.S. Department of Justice highlights not only what information search engines record about us but also the shortcomings in a federal law that's supposed to protect online privacy.

Video: Google's new toolbar
A look at the latest version of Google's Toolbar

It's only a matter of time before other attorneys realize that a person's entire search history is available for the asking, and the subpoenas begin to fly. This could happen in civil lawsuits or criminal prosecutions.

That type of fishing expedition is not legally permitted for Web mail providers. But because search engines are not fully shielded by the 1986 Electronic Communications Privacy Act--concocted back in the era of CompuServe and bulletin board systems--their users don't enjoy the same level of privacy.

"Back then, providers were very different animals than they are now," says Paul Ohm, a former Justice Department attorney who teaches computer crime law at the University of Colorado at Boulder.

related story
Verbatim: Search firms surveyed on privacy

We ask AOL, Google, Microsoft, and Yahoo what info they could provide in response to a court order. Read their responses.

Two solutions are simple to describe, but not likely to happen. First, search engines could voluntarily--or be required by law to--delete search histories after a few months unless the customer objects. Second, federal law could be amended to make it clear that search engines, which serve as a window to the Internet, are fully protected.

CNET News.com has surveyed Google, Microsoft, Yahoo and AOL to find out their privacy practices, and assembled these answers to frequently asked questions.

Q: Does Google collect and record people's search terms whether they're logged in or not?
Yes. Google confirmed this week that it keeps and collates these results, which means the company can be forced to divulge them under court order. Whether Google does anything else with them is another issue.

Given the Department of Justice's recent subpoena to Google, it's likely the police or even lawyers in civil cases--divorce attorneys, employers in severance disputes--eventually will demand that Google, Microsoft, Yahoo, AOL, and other search engines cough up users' search histories.

Q: Has this happened before?
Almost. A North Carolina man was found guilty of murder in November in part because he Googled the words "neck," "snap," "break" and "hold" before his wife was killed. But those search terms were found on Robert Petrick's computer, not obtained from Google directly.

Also, attorneys have already begun introducing searches conducted on Google, Yahoo and AltaVista as evidence.

Q: When I use search engines, I type in a lot of search terms I consider private. What does this mean?
We go into all the details below. But the short answer is that when private companies collect reams of data all the time on nearly every American, and the government and curious attorneys can get to that with few obstacles, this becomes a problem. Search engines provide a look into people's personal lives, and privacy awareness has not kept pace.

Q: Aren't there any privacy laws that protect us?
Not really. There is a federal law called the Electronic Communications Privacy Act. But it was enacted in 1986, long before politicians knew about the Internet, and the wording doesn't prevent police and attorneys from targeting search engines.

Politicians wrote that law in a way that is technology-specific--one key part revolves around the meaning of the pre-Internet term "processing services"--instead of adopting a more flexible approach that would grow with technology. Some states may have laws that are more applicable.

Expand/Contract window

The fate of search engine privacy, at least in the near future, could hinge on an antique and nearly indecipherable legal term: "processing services."

In general, attorneys can use a subpoena to obtain records from a company if the data would be relevant to a lawsuit. But a 1986 law called the Electronic Communications Privacy Act offers additional protections to users of remote computers that provide "processing services."

Google's language-translation service may do that. But what about the search engine? It's not exactly clear, and the courts have been little help in applying that language to the Internet.

Orin Kerr, a former prosecutor who is now a law professor at George Washington University, said Congress meant for the language to apply to outsourcing.

"Does eBay provide 'processing services' for its customers?" he asks in a 2004 law review article. "I think the better answer is 'no.' The legislative history indicates that 'processing services' refer to outsourcing functions. In the era before spreadsheets, a company might send raw data to a remote computing service and ask the service to crunch numbers to calculate its payroll."

But let's assume for the sake of argument that Google does offer "processing services." Here's what could happen when:

• Prosecutors seek Internet addresses.

An unusual twist in federal law (18 U.S.C. 2703) makes it easier for prosecutors to obtain Internet addresses from search terms than the other way around.

The law is remarkably permissive. It allows a "governmental entity" to demand "information pertaining to" search engine users by firing off a mere administrative subpoena--simply a piece of paper not even reviewed in advance by a judge. Information that can be requested includes name, address, Internet address, when connections were made, and credit card numbers if available.

Prosecutors are allowed to demand such information as long as it is "relevant and material to an ongoing criminal investigation." If the search company objects, however, a judge has the leeway to narrow the request if it is "unusually voluminous in nature or compliance with such order otherwise would cause an undue burden."

• Prosecutors seek search terms.

If the Justice Department already happens to have someone's Internet address and is seeking their search history, a slightly different procedure exists.

In that case, prosecutors must ask a judge in advance for an actual court order and claim that the results are "relevant and material to an ongoing criminal investigation."

In practice, of course, that's not terribly difficult to do.

An aside: This distinction assumes that search terms are "content," which federal law defines as information about the "substance, purport, or meaning of that communication." If they're not, only a subpoena--and no court order--is required.

• Attorneys seek records in civil suits.

A different set of rules applies to attorneys in a civil suit who aren't working for the government.

However, the rules almost certainly do not apply to search engines. They were aimed at preventing e-mail and similar providers (remember, this law was written in the era of CompuServe, BIX, and The Source) from sharing their customers' personal data with third parties.

Translation: A curious divorce attorney simply needs to send a subpoena to Google.

"These laws were written some time ago," says Lee Tien, a staff attorney at digital rights group Electronic Frontier Foundation in San Francisco. "They were careful in some places and not in others."

--Declan McCullagh

Q: Why does Google store that information about me, anyway?
No law requires Google to delete it, and there are some business justifications for keeping it.

For instance, keeping detailed records can help in identifying click fraud (faking clicks on Web ads to drive up a rival's cost), and in optimizing search results for different geographic areas. Compiling a user profile can aid in tailoring search results in products like Google Personalized Search. Also, disk storage is cheap, and engineers tend to prefer to keep data rather than delete it.

[Michael G.]

Aw---I Thought Google was My Best Friend!

Now that I have this information concerning what Google collects, I'll be more careful in my searches to come. All this data collection amounts to is promoting a paranoic and stifling atmosphere in the United States---though I must admit, that Google can only collect what the user enters into it.

Besides advertising and customizing searches, I can't think of a good reason that Google would desire to collect my search information, or that of any other American, other than as a form of spying. There's no good reason for Google to waste the space by keeping these search queries, other than to keep the information "just in case" a legal authority would request information, such as the FBI.

[iqula]

You still have complete privacy by using this...

I found a site that offers a free personal online desktop called http://www.cosmopod.com if you use it for browsing there is no way you can be tracked and it's a great way to tunnel

[samgmcf]

Google's bigger moral issue

Privacy is an important issue, and I am all for Congress passing legislation that will protect the privacy of search records. But Google.cn poses a bigger moral issue, one I hope CNET will continue to pursue.

Google has agreed to censor information on its China website that its government doesn?t want its citizens to see. By doing so, Google has leant legitimacy to the notion that a government has a right to censor its citizens' access to information. Google should have not caved in, which it undoubtedly did for profit, not because of its self-serving excuse that it was wanted to increase the efficiency of Chinese citizens? ability to search the web.

The American government should make it illegal for any American company to assist another country in censoring information, let alone do the censoring itself. Google?s resisting the Justice Department?s subpoena should be applauded, but Google should take a real hammering for its partnering with a dictatorship to censor access to information.

[CNET123]

Search criteria is irrelevant

For Example if i was trying to find this article again and all i could remember is the line "Ways to kill the president" and that's what I put in the Search criteria, I would be flagged for a possible criminal. That's not fair to drag me through the mud and expense of a criminal Investigation when all I was doing was trying to find an article about anything but what my search criteria stated.

[i_made_this]

for Declan: when AOL is not your friend...

...the article twice mentions AOL is unique in only retaining search records for 30 days. But because AOL's default search engine is Google, wouldn't it make it irrelevant how long AOL keeps your search history? I really don't know the answer, but would like to. Declan, if you're listening, can you please shed some light on this tech question about the ISP's and their default search engines?

[Salvalus]

Ways to avoid these problems

A few steps can help you to deal with this:

1.) Do not allow ANY website to log you in "automatically" (Reason: this identifies you / your computer every time you visit the actual website or an affiliated website (e.g. any website that uses Google Adwords etc.))

2.) Get a software that deletes your cookies / cache automatically every X days. (I suggest http://www.zonelabs.com) to avoid tracking with other cookies.

3.) Get a software (http://www.steganos.com/?product=sia2006) that routes your internet traffic over proxy servers and (IMPORTANT) select then only proxy servers in countries where a subpoena would not be effective or where an investigation would be infeasible (e.g. Russia, Slovenia, Netherlands, Sweden etc.) - you can find out where the proxyservers are by tracing their IP on http://www.traceroute.org

OR:

If you are lucky enough to live close to a Hotspot of a Wireless Internet Service Provider (e.g. http://www.boingo.com) then get an account with an American Express "Gift Card" (works online just like a credit card) which you have purchased (IMPORTANT!) with cash. Do not use identifyable data when browsing and BINGO, it is very unlikely that someone would be able to come after you. Oh, throw your wireless network card away when you are in a critical time, the MAC address of it would enable the WISP to provide login info.

However, the most likely point where someone looks is on your computer hard drive, hence delete the temp. internet files and wipe the free space on your HD after that with something like http://www.steganos.com

I am sure this is not complete. You might have other tips you think would help... good for you, post them here, I am eager to learn

I am also sure some people like other software better or find that one of these tips is not effective. I can only say that it has worked for my clients in the past...

[rdersh]

I agree

I've switched to Yahoo as my homepage. Google is an innovative
company and I admire them for building an empire so quickly.
They've got some really cool products like Earth and Maps.. But the
censoring of their Chinese edition is un-American and where I draw
the line. As much as I'm able to, I will use Yahoo instead.

[kimocrossman]

How this relates to Free Municipal WiFi and Anonymous Free Speech

Google created their own problem by collecting this information in the first place....

In an attempt to rollout a Citywide Wireless Internet plan (TechConnect) two major approaches being considered by San Francisco which may significantly encroach on the public's privacy. The two options are a for-profit solution which will finance the solution by monetizing the public's privacy or grants from Homeland Security. This occurs in the context of elected officials and city administrators patting themselves on the back for what the voters approved (2004) in a watch law ordinance that makes Patriot Act requests difficult for the Federal government to pursue in San Francisco.

The targeted advertising solution (google and others) would track all the email and surfing habits of any user. This information could be used as in Gmail and Amazon to send specific advertising. It is of course , also available for National Security Letters and other legal methods which would not be presented within the legal context of San Francisco - avoiding the Watch Law. While networks can be created that do not track a user's private information (no server logs, etc) that is not a method being promoted publically by vendors like Google and in fact is partly the reason the Justice Department and Google are now fighting over production of user's search records - Google can't say they just don't have the information. While there are questions about Privacy in the RFP, they were specifically written as Open Ended rather than as Minimal Standards. Public Advocates and Organizations like ACLU, EFF.org and EPIC.org have all written and some have spoken about their concerns with this approach Before the RFP was created and released - yet no changes were made. Also DTIS has the ability to waive any RFP requirements in the contract negotiation process anyhow.

The other funding concept that is being quietly discussed as a mechanism for the San Francisco Municipal Wireless solution is Homeland Security Grants - the calendar image below is from the city official Chris Vein who is in charge of the RFP process which requires bid submittals by 2006/2/21 - See Below

Washington Post: 2006-01-19 Fed Grants (Homeland Security) for Surveillance Cameras for Small Towns .. this seems related to Municipal Wireless funding efforts as well in San Francisco

http://www.washingtonpost.com/wp-dyn/content/article/2006/01/18/AR2006011802324.html

The Homeland Security funding option: "Motorola?s proposal suggests that the city pitch the project as a public safety issue, and capitalize on grants from government organizations such as the Department of Homeland Security. They suggest that the network would help law enforcement by enabling the SFPD to put wireless cameras across the city cheaply, and that the signal from a particular camera could be routed wirelessly to officers in their cars as they approached the scene." (thanks to www.JacksonWest.com for summary)

for more information blog www.webnetic.net

Combined brief ACLU, EFF.org and Epic.org
http://www.eff.org/deeplinks/archives/004078.php

SF Watch Law Re Patriot Act
http://www.sfgov.org/site/uploadedfiles/bdsupvrs/about/watch_law_program.pdf

Jackson West summary of TechConnect RFI/C submittals (the step before the current RFP process)
http://gigaom.com/2005/10/18/politics-of-san-francisco-wifi-project/

Chris Vein DTIS Acting Director's calendar showing a meeting planned with Motorola (obtained through a Public Record's request)

for more information

[209979377489953107664053243186]

The fine line - again, the 4th Ammendment

Once again, we are talking about the fine line between tracking criminal activity in the name of fighting cybercrime and invading a person's private information by removing yet another facet of the 4th Ammendment. Okay, Google stores browser history, but why is so easy to get them to give it up? Why can a psychiatrist or a priest be protected from divulging private information about a client or confessor, but Google is not? All can be privy to sensitive information that could expose deviant behavior...

[mbucci]

A critical report...

Thank you CNET for this critical article at a critical time. For those of us who suspected such practices by the "darlings" of the internet, we are confirmed on the one hand, and more troubled on the other. Are we no better than China? China limmits free inquiry and speech to suppress; and Goodle cooperates. We invite it in order to lend ourselves to entrapment, self-indictment and prosecution; and Google cooperates. Are we no better than the Chinese?

The American way is to foster self-censorship and that is what we must do now.

Hat's off to you.

Michael T. Bucci, Maine USA

[Stating]

Does Google Search History Cross Country Borders?

Does Google store user search histories done from around the world in a central database repository? For example, if I do a search using www.google.ca (Canada), or www.google.cn (China) do those results end up in Google's U.S. based servers? This raises several issues:

1) Can I help insure my privacy by using Google search sites outside of the U.S., the premise being that DOJ would need to subpeona courts outside U.S. jurisdiction to access the records?

2) Do people that use Google outside of the U.S. , regardless of which google.country site they use have their searches stored in Google's U.S. based servers? I would think that, say, Jacques Chirac, or Prince Charles would not be happy to know that their private searches were ending up in Google's Mountain View search database.

3) What if the prosecutor handling the case of Scooter Libby subpeoned records from Google, i.e. does Google also store search records initiated from .gov or .mil domains? What if those records indicated suspiciuous searches from other Administration officials? Is turnabout fair play?

[X99]

Keep it Non-Partisan Please

> Q: Let's say the Bush administration wanted to
> obtain a list of the names or ...

I'm no fan of Bush, but please, let's not make
this a partisan issue. Republicans and Democrats
(including Clinton) are both equally capable of
abuse.

Don't you people even try to maintain some sense
of impartiallity anymore? Or do you simply not
think?

[thurgoodj187]

Google has more on the line than just free speech

I am not excited about google blocking China's access or possibly keeping my records, but look at it from google's point of view.

China has over 1 billion people, and in the internet advertising market, that equals money. China may even bring in more revenue for google than the US does, who knows. People who complain that this action is restricting information is right to a point, but what happens if google does not comply, they just block them out all together. And yeah it sucks that a country would sensor its people, but they are not US West and we cannot tell them what to do. If the governmenet wants to step in and back some legislation or action against China for these actions, I would be all for that, but it is not google's place to challenge another nation.

As I see it, don't just worry about google, worry about the isp, hosting companies, and email providers. they have just as much information and are probably facing the same rules that google is faced with. Which your search engine, email client, blah blah blah. You might as well lock yourself in a closet. Today everything is always recorded somewhere, even if you don't know it. I am keeping records for 7 years on my own web servers, partially because if I ever need to prove that something occured (or didn;t occur), I can defend myself.

I suggest that the honest people of the world stop being paranoid and live life with integrity. This will most often not lead you in the wrong direction.

Thanks

Steve

[Catgic]

*Full-Proof* Way To Avoid DOJ e-Googling You

My basic personal policy on Web-Trekking is not to go anywhere or write anything on the Web that I would be reluctant to take Me Maw and Me-Bride-For-Life to or say in front of them. This ?Full-Proof? policy has kept the DOJ, and its et al Little Brothers, from following me around with Black Helicopters or giving my family and me a No-Knock ?Wake-Up Call? at Zero-Dark-Thirty. It also has kept Big Bro?s citizen surveillance Snoop-Bots from taking up residence in my ?mini-Cray,? and me out of their cross hairs. Thus, I can freely e-Trek the Web highlands where the view is breath taking and the air is e-Smog free, without looking over my e-shoulder.

Now for those concerned about the issue of DOJ e-Googling them for e-fishing fun and prosecution, Sasha Von Stahl intelligently and informatively commented on first-level practices and measures to limit this problem in ?Ways To Avoid These Problems,? February 3, 2006, 8:38 AM PST, earlier in this thread. Those practices and measures enumerated there are a good first-level step towards minimizing an individual?s exposure to this e-History tracking and snooping problem.

However, never underestimate the intelligence of groups. Remember that A Thousand Dumb People Will Out Smart One Smart Person Every Time. Never forget that the collective many are smarter than the Web Surfing few, especially in today?s global government game of Citizen e-Gotcha. JP

[cagerattler]

What else don't you know? It's not just Google.

You know, it's all fun and games to pick on Google, but they just might be the proverbial 'tip of the iceberg.'

Actually, it may end up that Google has been the better of our friends in the online world. They told the government "NO." Just think what you wouldn't have learned if they said Yes.

[Earl Benser]

I never had any illusions....

Going out on the internet for any reason involves a total
surrender of privacy Anyone can observe you, track you, read
your messages, or anything else they might want. You can't stop
it, you can't prevent it, and you really don't have any right to
complain. Wide open communications are the basis for the
Internet and that means absolutely NO PRIVACY!

So don't get upset with Google tracking your search activities.
Don't get upset with the Government asking Google for search
statistics. Don't get upset with email providers who read your
emails so they can target ads your way. And don't get upset with
people who tailor ads to your search patterns. You surrendered
the right to get upset the moment you went on the internet.

So just ignore the smoke and fog being put out about Google
and the government. You should have seen this one coming a
long way off. The one consolation is that, for the average guy,
he is just an indistinguishable blot on the internet who doesn't
show up on any 'radar screen' except lost in a pile of statistics.
No one really cares about him as an individual internet user.

[X-C3PO]

Not Surprised, It's just business!

Make money is the goal!

[X-C3PO]

Not Surprised, It's just business!

Make money is the goal!

[ogman]

Awwwww...

CNET still having a spat with Google. This article reads like vindictive sour grapes.

European DPA

Years back the European Union enacted a set of laws entitled the Data Protection Act. It grants an European citizens a large degree of control over their own data:

http://www.informationcommissioner.gov.uk/eventual.aspx?id=6789&expmovie=1
offers a very brief, incomplete, outline.

Now, while various exceptions allow security services and law enforcement to see your data, there is also provision under the parts of the act aimed at marketing which control how long personal data on an individual should be held after a given enquiry or transaction has taken place.

I'm no lawyer, but as I understand it (having studied the law and related advice in some detail with relation to identity cards in the past) if Google was a European company then its 'customers' *might* be able to argue that they should decouple the search data from the personal data to which it relates within a reasonable time after the 'transaction' (search) has taken place.

It's worth noting, however, that the DPA laws currently have very little bite, and countless smaller companies violate them. Still - its a start.