How the FBI uses the Patriot Act to get info on Google users

Google reveals that the FBI has requested private user data as many as 999 times per year since 2009

In 2012, Google may have received 500 National Security Letters, requests from the FBI for identifying data -- such as name or address -- about one or more Google users. The number of NSLs may have actually been 200, though. Or possibly 950. Or perhaps (but almost certainly not) zero. In fact, all we know is that Google received between zero and 999 NSLs in 2009, as well as 2010, 2011, and 2012. That's not a lot of useful data, but it's more than we knew even one day ago.

Google today announced it's attempting to shed light on how the FBI is using controversial NSLs to obtain information about Google users. In a nutshell, an NSL is a request from the FBI or other federal agencies conducting national security investigations. Agencies can play the NSL card to obtain a communication-service customer's name, address, length of service, or local and long-distance toll billing records.

The FBI is not required to get court approval to issue an NSL. According to Google, an NSL can't be used in ordinary criminal, civil, or administrative matters. Additionally, the FBI can't use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos, or user IP addresses, according to the company.

"The FBI has the authority to prohibit companies from talking about these requests. But we've been trying to find a way to provide more information about the NSLs we get -- particularly as people have voiced concerns about the increase in their use since 9/11," wrote Richard Salgado, legal director of law enforcement and information security at Google.

To that end, Google has secured the feds' blessing to share strikingly vague data on the NSL requests it has received from the FBI since 2009. "You'll notice that we're reporting numerical ranges rather than exact numbers. This is to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations," Salgado explained.

Indeed, all Google reveals is that it received between zero and 999 NSLs each year since 2009, and the requests related to between 1,000 and 1,999 users or accounts in 2009, 2011, and 2012 -- and between 2,000 and 2,999 users or accounts in 2010. Why Google included zero in the ranges is curious, considering there had to be at least one NSL request per year if there was a minimum of 1,000 or 2,000 affected accounts per year.

The data doesn't tell much of a story, beyond the fact that 2010 was a record year for NSL requests insofar as how many accounts or users the FBI wanted to investigate. We don't know if the number of NSL requests in general has gone up or down, what the FBI was requesting, or whether the NSLs ended up yielding any actionable information to capture bad guys.

Google disclosed some information about how it handles NSLs. "When we receive these requests, we scrutinize them carefully to ensure they satisfy the law and our policies; seek to narrow requests that are overly broad; notify users when appropriate so they can contact the entity requesting the information or consult a lawyer; and require that government agencies use a search warrant if they're seeking search query information or private content, like Gmail and documents, stored in a Google Account," wrote Salgado.

Though the NSL data is arguably of limited use, Google's disclosure yields a couple of benefits. First, it's a reminder to privacy advocates that NSLs exist and continue to be used -- and it's a possible wake-up call to those who've never heard of NSLs or didn't realize NSLs could be used to snag user data from Google.

Second, it could mark a critical step toward greater visibility as to how the government and enforcement agencies are collecting and using citizens' online information.

Also, it gives Google a chance to puff up its chest and boast about how important it considers its users' privacy. Critics of the company may scoff at that notion, but at least the company does a credible job in revealing data on requests from governmental agencies and courts every six months in its Transparency Reports.

This article, "How the FBI uses the Patriot Act to get info on Google users," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2013 IDG Communications, Inc.
