GBS: EFF Digs In on Privacy

Yesterday, the EFF released a news update boiling the privacy questions down to a single issue they see as overriding: government surveillance. Bookstores and libraries have fought hard for the principle that government can’t demand to know what books you’ve read without a search warrant. The EFF and its partner organizations want Google to make a similar commitment:

Given this backdrop, we asked Google to promise that it would fight for those same standards to be applied to its Google Book Search product. We want Google to promise that it will demand more than a subpoena (which is written by a lawyer and not approved by a judge) or some other legal process that a judge has not approved before turning over your book records. In essence, we asked Google to tell whoever came to them demanding reader information: “Come back with a warrant.”

The settlement, of course, is largely silent on privacy. Google’s position has been that it will apply the same standards to books as it does to web search, which can also be highly sensitive. Google’s current privacy policy provides:

We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

The EFF, unhappy with the degree of discretion built into this standard, is now preparing to ask the court to order that a “Get a warrant or go home” standard be written into the settlement. Compared with the EFF’s original letter to Google, the frustrated tone of yesterday’s note is quite notable:

Honestly, we thought it would be an easy thing for Google to do.

Unfortunately, Google has refused. It is insisting on keeping broad discretion to decide when and where it will actually stand up for user privacy, and saying that we should just trust the company to do so. So, if Bob looks like a good guy, maybe they’ll stand up for him. But if standing up for Alice could make Google look bad, complicate things for the company, or seem ill-advised for some other reason, then Google insists on having the leeway to simply hand over her reading list after a subpoena or some lesser legal process. As Google Book Search grows, the pressure on Google to compromise readers’ privacy will likely grow too, whether from government entities that have to approve mergers or investigate antitrust complaints, or subpoenas from companies where Google has a business relationship, or for some other reason that emerges over time.

We need more than “just trust us” here. EFF has spent the last three years suing AT&T because that company decided, for reasons we still don’t know, that it would not stand up for user privacy when the government came knocking.

In in the past Google (unlike some other large search companies, *cough*cough*) has actually gone to court to fight governmental demands for search queries. In that case, though, Google’s arguments were longer on the trade-secret angle and shorter on the user-privacy angle. (Google did argue that if users felt their privacy was being violated they’d be less likely to trust Google, which is a kind of second-order privacy claim.)

Google’s attitude strikes me as interestingly Christian. Their corporate ethos—captured in the “Don’t Be Evil” slogan—is strongly committed to the idea that there is an objective right and wrong and that the company has a duty to do good. But they’re also committed to the idea that they should be bound by God’s laws, not by man’s. When faced with a moral dilemma, the Googlers withdraw to their cave for prayer and fasting to consult their inner lights, then emerge with the confidence of one through whom God has spoken. Where positive law and divine law conflict, the positive law must be the wrong one. Google will live with it, as a dutiful believer must, but will never accept its moral legitimacy. Indeed, to wrap Google in too many laws is to deprive it of the free will necessary for its moral choices to do good to have true meaning.

Maybe that’s a stretch. But I do have a sense that the EFF/Google rift here is about something slightly less clearly cut-and-dried than the usual public-interest/private-corporation divide. The EFF’s post sees Google as in constant danger of lapsing into sin, a view that is nearly incomprehensible within Google’s quasi-messianic narrative of itself.

Enough armchair psychoanalysis. Back to the docket and the clippings …

Interesting thoughts.

I find Google’s privacy narrative at this point divorced from reality.

True, by repeatedly referring to this one US case, Google has quite successfully imprinted the idea that they fought for search user privacy against the government.

But generally, Google seems to respond to any kind of valid legal request for search data, including subpoenas, and does not even provide data on the amount of requests it receives.

Chris Soghoian has recently written about the issue here:

“[Google] has between 1-20 employees working full time to respond to requests for private customer information from law enforcement.”


Google fought the DOJ’s request for deidentified search records one time… and has milked every drop of it for PR ever since.

How many requests does Google get from law enforcement agencies per day? We don’t know.

Has Google ever said no to a law enforcement request for identifiable customer records? We don’t know.

If it has said no, how many times has it done so? We don’t know.

If law enforcement officers claim exigent circumstances, how often does Google disclose identifiable customer data without even requiring a subpoena? We don’t know

Do you see a pattern yet?

The one time that Google lawyered up and fought a DOJ request, the company shouted about it to anyone within earshot.

However, when it comes to Google’s willingness to cooperate with the (likely) thousands of requests it gets per year from law enforcement agencies, the company says nothing. “As a matter of policy, we do not comment on the nature or substance of law enforcement requests to Google.”(Source: CNET)

Should Google’s customers worry about their privacy, and be fearful that Google will hand over data to the feds without a fight? Don’t worry — I am sure that Google has made sure that the head of its legal compliance department is a strong believer in civil liberties — perhaps even a former EFF or ACLU litigator.

Whoops — scratch that. The head of Google’s legal compliance team is Richard Salgado, who used to work in the Department of Justice’s Computer Crime division.

Would you trust a former DOJ prosecutor to vigorously protect your email from his former friends and colleagues in law enforcement? I don’t.

Chris, I agree with you that “yes, you can trust us” and “no, you can’t see what we’re doing” don’t sit well together for Google. But I’d much rather judge Salgado by what Google does under his watch than by his former employers. Being a computer-crime prosecutor can give you deep experience with the statutes and more credibility in convincing the feds to back off quietly. Would you say that Paul Ohm couldn’t be trusted?

Legal compliance/ECPA stuff happens in such secrecy, and the companies are given such a huge amount of leeway w/regard to “exigent” requests without subpoenas, that former prosecutors should not be given the benefit of the doubt by being allowed to work in this job.

IMHO, once you have worked as a federal prosecutor, you simply should not be allowed to work in (what should be) an “adversarial” position where you are tasked with saying no to those former friends and colleagues in order to protect the privacy of your customers.

I deeply respect Professor Ohm and his stellar academic work. He also happens to be a very nice guy.

However, I still wouldn’t trust him with my private encryption keys.

The same goes for Orin Kerr — even after he took on other federal prosecutors by providing pro bono assistance to Lori Drew.

When it comes to this hugely important task: It should be one strike (at DOJ) and you’re out.

I had coffee recently with a friend who has done pro bono defense-side cybercrime work and, in a few years, will be an obvious choice for staff attorney at EFF or someplace similar. He’s about to go to work for a stint with his state DA’s office.

If your automatic-disqualification rule were in place, I bet he’d think twice before going to work for the prosecutors. That would mean that there’d be one less person in that office who had any idea about how computers really work—and the DA’s office would be that much more inclined to overreach. The more lines of communication with the government we cut off, the less likely it is that it’ll ever learn.

The problem is the secrecy, and that’s where the concern should be focused.

BTW, “not allowed”—by whom?

I felt my ears burning.

Chris, I think you’re clinging to an argument you know, deep inside, you’ve already taken a step too far.

Do you really think a person is forever incapable of being an independent-thinking, socially-responsible person just because they’ve agreed to work for a particular employer at one point in the past?

Haven’t I heard you say on several occasions that you’d love a government job in national intelligence—one that didn’t require a security clearance at least—to try to effect change from the inside? If you could some day secure that job, does this mean that after you leave that job, we should no longer trust your ability to make decisions that further any other goals aside from those of the intelligence community’s?

You are who you are before you get a particular job; while you have that job; and after you have that job. Each job helps you see things from different points of view and gives you access to different facts, and these influences might inform your future decisions, but please, give us a bit more credit as independently minded people.


I am obviously biased in this issue, given my own ahem past experiences with the FBI and DOJ.

However, as long as the legal compliance function happens in the dark, I simply do not trust former Feds to take a strict pro-privacy position.

If Google, Yahoo, Microsoft and the others were to conduct their legal compliance offices with some transparency — by providing aggregate statistics on the number of requests they get, the number of times they disclose info w/o a subpoena, and the number they fight, then I might be more willing to trust a former Fed to say no to his buddies.

James — with regard to your friend, I see no reason why he can’t work for the ACLU or EFF after he has worked at the DA’s office. Since, the ACLU and EFF are both extremely transparent about what they do.

I am not saying that former prosecutors should be barred from working for civil liberties groups — I am saying that they shouldn’t be working in the legal compliance departments at ISPs — at least while those groups do their jobs in such complete secrecy.

This isn’t about giving people the benefit of the doubt as independent minded people. If these firms are going to do their business in total secrecy, then their staff need to have no possible conflict of interest.