Google today released its latest transparency report, covering the first half of 2013. The number of requests went up fairly dramatically over the second half of 2012, which only emphasizes the importance of stronger and simpler rules of the road in the Electronic Communications Privacy Act. We continue to call on Congress to pass a clean version of the Leahy-Lee bill in the Senate and the Yoder-Graves bill in the House. In addition to that drastic increase, Google for the first time broke out the number of emergency requests that they received. These are requests for data made under 18 U.S.C. 2702(b)(8) in which death or physical injury may occur if the information is not turned over, and in which the government does not have time to obtain a warrant from a magistrate.
Right now the law gives the service provider discretion over whether to turn the information over to the government. Because these requests have not been looked at by any independent body such as a judge, and because the companies are required by law and out of a duty to their users to protect the information entrusted to them, it makes sense to give some discretion to those companies. As part of the push to reform ECPA, however, some in the law enforcement community have called for the law to force companies to comply when faced with a demand, claiming that “[i]n some cases, providers make a decision never to provide records in the absence of legal process, no matter the circumstances.”
Up until now there has been only anecdotes around which to discuss this allegation, but with Google’s latest report we finally have numbers. So, what do they show? Google, with its 425 million Gmail users (as of last year, the latest report I could find), received a grand total of 119 emergency requests affecting 175 different users in the first six months of 2013. Google, like most of the large web service providers, has a team that looks closely at all of the government demands they receive and push back when something is out of order. In the case of emergency requests, Google granted 81% either in part or in full.
These numbers show us a few things. First, that emergency requests are, as they should be, used incredibly rarely. Second, that a vast majority of the requests made are responded to with at least some of the information sought. Finally, that there are a small but not negligible number (about 23 over six months from all the federal, state, and local law enforcement agencies across the country) of requests that do not meet the threshold set out by the statute and that are therefore rejected by Google’s team. (Those that are rejected can also either be taken to a judge for a normal warrant or modified and resubmitted to address whatever deficiency caused the initial rejection. Note to Google: I’d love to see some data on how often that happens next time around!)
What does this tell us overall? The biggest thing that it appears to emphasize is that the current system works. The majority of the small number of requests are complied with, a small number that don’t meet the threshold are sent back. I can’t think of a better outcome given the constraints. This is just another reason why Congress should proceed with a clean version of the Leahy-Lee bill in the Senate and the Yoder-Graves bill in the House that would create a warrant standard for Americans’ data, no matter where it lives.