Google and the Federal Subpoena
Google wasn't the only company that Justice subpoenaed. It appears that Yahoo and Microsoft complied with the requests. By fighting the subpoena, Google got some good press for the first time in a while. The companies that gave up records looked lame in comparison. Protecting privacy can be good for a company's image.
The most noteworthy aspect is that the request was, at least nominally, for non-personally identifiable information. The Justice Department didn't ask who made the requests. It is trying to learn about the nature of search requests to support its litigation over a law designed to limit access to porn by children. So why did this story attract so much attention for its privacy implications? I have three answers.
First, I see a trend toward considering the potential privacy interest in non-identifiable information. In an abortion records case that I wrote about here last year, a court found that privacy still mattered even if the records at issue were wholly non-identifiable. Some disclosures are offensive even if identity is shielded. How would you feel, for example, if someone posted on the Internet a nude but non-identifiable picture of you or your spouse?
Second, what does it mean that information is non-identifiable? Data lacking in overt identifiers still may be associated with a particular individual. Non-unique data elements can allow identification of individuals. For example, 87 percent of individuals can be uniquely identified by gender, date of birth and five-digit ZIP code.
Many search requests may not be identifiable or cannot be associated with a particular user, but the content of a request may provide a clue. The more that you know about someone, the greater the chance that you can find that someone's search request.
The third issue is the most important. Personal information in the hands of third parties has little, if any, inherent privacy protection when the government wants the information. The Supreme Court decided this in 1976 in a case called U.S. v. Miller. That decision involved bank records, and Congress overturned it in part in the Right to Financial Privacy Act. However, that act is one of the weakest privacy laws ever enacted, and it did little to enhance the privacy of personal records held by third parties.
Other statutes protect some records against government access, but the scope of government powers to demand records from third parties is broad. And the USA Patriot Act, originally passed in the aftermath of 9/11, expanded those powers.
When the government seeks a copy of a personal record held by a third party, the record subject typically will not know of the request or have a chance to fight it. Contrast that with what happens when you have the record. The government must deal with you directly. If it uses a subpoena, you have notice and can fight the demand. Even if the government seizes the record using a search warrant, at least you know the record was taken.
Here's the major concern. Most of the details of our lives sit in the files of third parties. Your doctor, insurer, supermarket, bank, ISP and others have tons of information about you. Your privacy rights in that information vis-à-vis the government are minor.
The Google story resonated so much in the Net community and elsewhere because Internet companies want to maintain even more information about users: Store your files on a Net storage facility. Keep your address book on the Net. Index all your data files on the Net. Register your stock portfolio on a Web site. Do all your searching through a personal account at a Web site. Keep all your e-mail forever on a server. Write and store your documents on Web-based software.
As more personal information migrates to the Net, where it has little privacy protection against government demands, the implications for consumers and companies could be huge. Privacy-sensitive consumers may reject new Net services that produce identifiable records. Companies could lose a percentage of their potential market, and a few highly publicized incidents could ruin a business plan.
The Google subpoena fight raises other issues, but these are the highlights for privacy. If we broaden our focus, we can see that the same issues about third-party records could arise with offline marketing records, even files about what color skirt Aunt Minnie ordered.
Don't think a request for those records is far fetched. Collecting all types of consumer data was at the heart of the Department of Defense's Total Information Awareness program designed to identify terrorists. Congress killed the TIA program, but it has gone underground and is being researched in the classified bowels of DOD.
We are moving toward the point where we will have to confront the privacy interests in third-party records more directly. For once, consumers and businesses will be on the same side, resisting sweeping government access powers. At least I hope they will. n