Interesting People mailing list archives

more on Subpoena for 1 million random web searches


From: David Farber <dave () farber net>
Date: Fri, 20 Jan 2006 16:57:00 -0500



Begin forwarded message:

From: Jim McCoy <mccoy () mad-scientist com>
Date: January 20, 2006 4:24:24 PM EST
To: dave () farber net
Cc: ip () v2 listbox com
Subject: Re: [IP] more on Subpoena for 1 million random web searches


On Jan 20, 2006, Steven Hertzberg <stevenstevensteven () yahoo com> wrote:

I understand that the government requested random web search data from four companies, and that three have already provided the requested information. Did these other companies research the legal merits of the government's request before complying, or did they simply acquiesce?

The other companies mentioned do have corporate counsels, so it is a rather bold insinuation to suggest that the others merely rolled over when asked. A more likely possibility is that they examined the request, found it to be a valid subpoena, asked around in the engineering group to make sure they could comply without subverting user privacy, and complied as they are legally required to do.

Are trade secrets really all they are trying to protect (the multi-stage filtering suggested in the additional request detailed in online copies of sworn statements made by the person doing the work for the government suggests this is not the case) or are they unable to comply with the request due to privacy issues? The Google privacy policy directly states that they will sell aggregated non-personal information to third-parties, are they just trying to get the government to pay up like everyone else they sell info to? The Google privacy policy also suggests that they will provide the information (including detailed, privacy-compromising information it seems) to "satisfy any applicable law, regulation, legal process or enforceable governmental request" in addition to TOS violations, security issues, and public safety. Is the subpoena not a legal process or enforceable government request? Perhaps the "trade secret" that would be revealed is that Google doesn't disentangle the private information from the aggregated user requests.

If the latter, then should we not also be discussing corporate complicity and the merits of continuing to utilize the services of these other three companies?

And if the former, perhaps what should be asked is why Google is unable to provide this information without revealing personal data about the users who sent in the requests.

Is their internal database unable to maintain any separation between the request that hits the Google servers and detailed information about the user that sends the request? If they do not maintain a separate "opaque" database that would enable them to easily fulfill the warrant that was served then perhaps it is time to start asking serious questions about internal data security at Google. How well protected is this information? Is the next big "employee leaks confidential user information" story going to detail how some low-level employee shoulder-surfed his way to access he should not have had and resold the Google user database? How deeply does the internal linking between request, transitory user info (IP address, time, etc.), and permanent cookie and/or financial information extend?

Jim

