Google Tells Cops to Get Warrants for User E-Mail, Cloud Data

Google demands probable-cause, court-issued warrants to divulge the contents of Gmail and other cloud-stored documents to authorities in the United States -- a startling revelation Wednesday that runs counter to federal law that does not always demand warrants.
Image may contain Electronics Computer Server and Hardware
Photo: andrewfhart/Flickr

Google demands probable-cause, court-issued warrants to divulge the contents of Gmail and other cloud-stored documents to authorities in the United States – a startling revelation Wednesday that runs counter to federal law that does not always demand warrants.

The development surfaced as Google publicly announced that more than two-thirds of the user data Google forwards to government agencies across the United States is handed over without a probable-cause warrant.

A Google spokesman told Wired that the media giant demands that government agencies – from the locals to the feds – get a probable-cause warrant for content on its e-mail, Google Drive cloud storage and other platforms – despite the Electronic Communications Privacy Act allowing the government to access such customer data without a warrant if it's stored on Google's servers for more than 180 days.

"Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the Constitution, which prevents unreasonable search and seizure," Chris Gaither, a Google spokesman, said.

Some of the customer data doled out without a warrant include names listed when creating Gmail accounts, the IP address from where the account was created, and where and what time a user signs in and out of an account. What's more, Google hands over without warrants the IP address associated with a particular e-mail sent from a Gmail account or used to change the account password, in addition to the non-content portion of e-mail headers such as the "from," "to" and "date" fields.

It was not immediately known whether other ISPs are traveling Google's path when it comes to demanding probable-cause warrants for all stored content. But Google can seemingly grant more privacy than the four corners of the law allows because there's been a string of conflicting court opinions on whether warrants are required for data stored on third-party servers longer than 180 days. The Supreme Court has never weighed in on the topic – and the authorities are seemingly abiding by Google's rules to avoid a high court showdown.

The Electronic Communications Privacy Act of 1986, the relevant law in question, was adopted at a time when e-mail wasn't stored on servers for a long time, but instead was held there briefly on its way to the recipient's inbox. In the 1980s, e-mail more than 6 months old was assumed abandoned, and therefore ripe for the taking without a probable-cause warrant.

That law is still on the books today, even as the advancement of technology has undermined its original theory.

But clearly, changing the law to comport with Google's interpretation has been met with unreceptive members of Congress.

The Senate Judiciary Committee approved a measure last year mirroring Google's interpretation, but the bill died a quiet death. Moves to change the law have been scuttled over and again.

Google's Transparency Report issued January 23, 2013.

For now, under the letter of the ECPA law, the government only needs to show that it has "reasonable grounds to believe" e-mail and other documents stored in the cloud for more than 180 days would be useful to an investigation.

Gaither, the Google spokesman, did not know when Google began demanding warrants. But there were two federal appellate decisions on the topic rendered 2010, one requiring a warrant for content and another saying federal judges had the discretion to demand one.

Meantime, Google released Wednesday its so-called "Transparency Report" shedding light on government requests for data. Globally, the United States again ranked No. 1 in terms of demands for Google customer data. India, France, Germany, the United Kingdom and Brazil were trailing in that order.

The figures for the first time provide a brief outline on whether data was handed over with or without a court warrant – a praiseworthy move we've been agitating for at Threat Level following the report's inception. Google first began releasing its Transparency Report in 2009.

Google offers e-mail, cloud storage, a blogging platform, a phone and texting platform, web search and other services.

The data Google is coughing up to the authorities includes e-mail and text-messaging communications, cloud-stored documents and, among other things, browsing activity, and even IP addresses used to create an account.

In all, agencies across the United States demanded 8,438 times that Google fork over data on some 14,791 accounts for the six-month period ending December 2012. Probable-cause search warrants were issued in 1,896 of the cases. Subpoenas, which require the government to assert that the data is relevant to an investigation, were issued 5,784 times. Google could not quantify the remaining 758.

Google's transparency data is limited as it does not include requests under the Patriot Act, which can include National Security Letters with gag orders attached. Nor do the data include anti-terrorism eavesdropping court orders known as FISA orders or any dragnet surveillance programs legalized in 2008, as those are secret, too. In all those instances, probable-cause warrants generally are not required, even for customer content stored in Google's servers.