News, Developments, and Insights

high-tech technology background with eyes on computer display

Google Subpoena and Privacy Case

New York Times editorial observes:

At a North Carolina strangulation-murder trial this month, prosecutors announced an unusual piece of evidence: Google searches allegedly done by the defendant that included the words “neck” and “snap.” The data were taken from the defendant’s computer, prosecutors say. But it might have come directly from Google, which – unbeknownst to many users – keeps records of every search on its site, in ways that can be traced back to individuals.

This is an interesting fact — Google keeps records of every search in a way that can be traceable to individuals. The op-ed goes on to say:

Google has been aggressive about collecting information about its users’ activities online. It stores their search data, possibly forever, and puts “cookies” on their computers that make it possible to track those searches in a personally identifiable way – cookies that do not expire until 2038. Its e-mail system, Gmail, scans the content of e-mail messages so relevant ads can be posted. Google’s written privacy policy reserves the right to pool what it learns about users from their searches with what it learns from their e-mail messages, though Google says it won’t do so. . . .

The government can gain access to Google’s data storehouse simply by presenting a valid warrant or subpoena. . . .

This is an important point. No matter what Google’s privacy policy says, the fact that it maintains information about people’s search activity enables the government to gather that data, often with a mere subpoena, which provides virtually no protection to privacy — and sometimes without even a subpoena. In my book, The Digital Person, and in an earlier paper, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. Cal. L. Rev. 1083 (2002), I argued that today an increasing amount of detailed personal data is being maintained by various companies, merchants, and organizations. The Supreme Court has held that the Fourth Amendment does not protect against the government accessing records maintained by third parties. In United States v. Miller, 425 U.S. 435 (1976), for example, the Supreme Court held that people lack a reasonable expectation of privacy in their bank records because “[a]ll of the documents obtained, including financial statements and deposit slips, contain only information voluntarily conveyed to banks and exposed to their employees in the ordinary course of business.”

The New York Times op-ed goes on to criticize Google for not being a leader in protecting privacy:

It is hard to believe most Google users know they have a cookie that expires in 2038, or have thought much about the government’s ability to read their search history and stored e-mail messages without them knowing it. . . .

Google should develop an overarching privacy theory that is as bold as its mission to make the world’s information accessible – one that can become a model for the online world. Google is not necessarily worse than other Internet companies when it comes to privacy. But it should be doing better.

I agree with the op-ed, but I also think that businesses should use their power to push for greater legislative protections of personal information from government access. It is here were Google’s interests and the privacy interests of its users coincide. Right now, the government is inadequately regulated when it comes to accessing personal data maintained by third parties. If the businesses maintaining the data lobbied Congress for greater protections, this would help to address one of the major privacy threats that their maintaining the information poses. It wouldn’t solve all of the problems, but it would address a big one.

Thanks to Chris Hoofnagle and Steve Charnovitz for pointing me to this op-ed.

Originally posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
LinkedIn Influencer blog

TeachPrivacy Ad Privacy Training Security Training 01