According to the AP:
Google Inc. is rebuffing the Bush administration’s demand for a peek at what millions of people have been looking up on the Internet’s leading search engine — a request that underscores the potential for online databases to become tools for government surveillance.
Mountain View-based Google has refused to comply with a White House subpoena first issued last summer, prompting U.S. Attorney General Alberto Gonzales this week to ask a federal judge in San Jose for an order to hand over the requested records.
The government wants a list of all requests entered into Google’s search engine during an unspecified single week — a breakdown that could conceivably span tens of millions of queries. In addition, it seeks 1 million randomly selected Web addresses from various Google databases.
The government is seeking in its motion to have the court direct Google to comply with a subpoena for “the text of each search string entered onto Google’s search engine over a one-week period (absent any information identifying the person who entered such query).” Originally, the government had asked for “[a]ll queries that have been entered on your company’s search engine between June 1, 2005, and July 31, 2005, inclusive.” According to the government’s motion, the government narrowed its request to the text of search strings after extensive negotiations with Google.
The government’s request strikes me as tremendously inappropriate and proof that we need more protections against government access to personal data. I have written extensively on this issue and will address it in other posts.
I was struck by the resemblance of this case to another case back in 2004 where the Bush Administration attempted to subpoena records in its attempt to defend the constitutionality of a law. That case is Northwestern Memorial Hospital v. Ashcroft, 362 F.3d 963 (7th Cir. 2004). In Northwestern Memorial Hospital, the government subpoenaed 45 records on partial birth abortions in order to gather information to defend the constitutionality of the Partial-Birth Abortion Ban Act of 2003.
The hospital opposed the subpoena. Under Federal Rule of Civil Procedure 45(c)(3)(A)(iv), if the burden of compliance with a subpoena exceeds the benefit of production of the material sought, then the subpoena is quashed. Writing for the Seventh Circuit Court of Appeals, Judge Richard Posner concluded that the government’s subpoena for the partial birth abortion records should be nullified (“quashed” in legal lingo).
Posner’s reason for nullifying the subpoena turned on the privacy implications of the subpoena to the people whose records were involved. In analyzing the burdens of complying with the subpoena, Posner noted, courts must not only focus on the hardship to the companies or organizations producing the records (how expensive or tedious it will be for them to produce them), but also the effects that the production of the records will have on the people to whom the records pertain:
What is true is that the administrative hardship of compliance would be modest. But it is not the only or the main hardship. The natural sensitivity that people feel about the disclosure of their medical records–the sensitivity that lies behind HIPAA–is amplified when the records are of a procedure that Congress has now declared to be a crime.
In the Google case, however, the government claims that it is not interfering with the privacy of people using Google because: “The subpoena specifically directs Google to produce only the text of the random sample of search strings, without any additional information that would identify the person who entered any individual search string.”
But in Northwestern Memorial Hospital, the government was also seeking records without names or identifiers. Nevertheless, Posner concluded that the women had a legitimate fear that “when their redacted records are made a part of the trial record in New York, persons of their acquaintance, or skillful ‘Googlers,’ sifting the information contained in the medical records concerning each patient’s medical and sex history, will put two and two together, ‘out’ the 45 women, and thereby expose them to threats, humiliation, and obloquy.” In other words, Posner noted, it can be very difficult to completely scrub away all traces of identification from a particular record.
But what is particularly germane to the Google case is that Posner went even further:
[E]ven if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy. Imagine if nude pictures of a woman, uploaded to the Internet without her consent though without identifying her by name, were downloaded in a foreign country by people who will never meet her. She would still feel that her privacy had been invaded.
This is a rather bold holding — that even de-identified records can create a privacy invasion. It would thus seem to me that if the federal district court looks to the Seventh Circuit’s decision as persuasive authority (it’s not bound to follow it since it is in a different federal circuit), the government’s subpoena will likely be nullified.
Even to the extent that the district court doesn’t totally agree with Posner’s reasoning, there’s another reason why revealing to the government even de-identified search queries might pose a privacy problem — the act of complying might chill people in the future from conducting searches on Google. Why? Because it may be possible later on for the identities to be reattached. Thus, if the government obtains the search records, isolates certain searches as “troubling” and then issues another subpoena to Google for the IP addresses connected to those searches, there’s a chance that the searches can be identified. In other words, the government’s subpoena now need not be the final step in the dance. More subpoenas may follow. And knowing this, people may be chilled in their searches.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.