DOJ Fishes for Search Records, and Google Fights Back–Gonzales v. Google

By Eric Goldman

Gonzales v. Google, Inc., No. 5:06-mc-80006-JW (N.D. Cal. motion to compel filed Jan. 18, 2006)

This event is a collateral consequence of Congress’ obsessive and relentless campaign against Internet pornography. In Summer 2004, the US Supreme Court upheld a preliminary injunction of the 1998 Child Online Protection Act (COPA) and remanded the case for trial. In preparing its defense of the law, the DOJ sought to prove that COPA would be more effective at blocking children’s access to harmful-to-minor materials than technological filtering.

But how could the DOJ get supporting data? Well, no one knows more about the comings-and-goings of Netizens than search engines. If only the DOJ could get its hands on their server logs….

So the DOJ sent a subpoena to several search engines. In Google’s case, the DOJ initially asked for:

• “All URL’s that are available to be located through a query on your company’s search engine as of July 31, 2005”

• “All queries that have been entered on your company’s search engine between June 1, 2005 and July 31, 2005, inclusive”

Google resisted this request, and after some discussions, the DOJ scaled back its requests to ask for:

• “a multi-stage random sample of one million URL’s from Google’s database, i.e., a random sample of the various databases in which those URL’s are stored, and a random sample of the URL’s held within those databases.”

• “the text of each search string entered onto Google’s search engine over a one-week period (absent any information identifying the person who entered such query)”

Google is still resisting this amended request, so the DOJ has asked a federal district court to compel Google to comply with the DOJ’s request.

From my perspective, there are five essential points to take away from this event:

1) This is a Big Deal. This is not the usual Cyberlaw flare-up that has a short shelf life (see, e.g., AutoLink). Instead, I think this will become a classic Cyberlaw moment we’ll be discussing for years. It’s got all the right indicia–hubris, privacy and porn. Regardless of how the courts rule on the DOJ’s request, I think this event will have lasting effects. This is a Big Deal.

2) The DOJ’s Initial Request Was Way Out-of-Bounds. The DOJ’s initial request was jaw-droppingly broad. How could the DOJ ask for so much? And how could some search engines give it to them without a fight?

I think the DOJ’s initial request is very typical of government investigative requests. I’ve been on the receiving end of a few such requests myself. In my experience, government investigators typically make broad initial requests because such requests are costless to the government. If the government does not bear the costs of producing the data, then it’s rational for government investigators to ask for any data that might have any possible benefit to them. (This is like a negative externality—the government overconsumes data because it doesn’t bear the true social costs of its production).

In my experience, however, government investigators will craft a more tailored request when someone resists the initial overbroad request. Basically, the resistance raises the government investigator’s cost, so often the investigator’s path of least resistance is to submit a narrower request reflecting exactly what the investigator really needs.

However, recipients of government investigative requests rarely push back for entirely logical reasons. Principally, recipients do not want to become the investigator’s next target. Government investigators can make someone’s life very miserable, so annoying them has a non-trivial risk of inviting suspicion or even outright retaliation.

Or, in Microsoft’s case, recall that the DOJ enforces Microsoft’s consent decree. Microsoft may have been legitimately concerned that resisting the DOJ’s request could have adverse consequences for the DOJ’s assessment of Microsoft’s compliance with the consent decree. If I work at Microsoft and the DOJ wants some data, I’m going to give it to the DOJ with a smile on my face—no questions asked. (MSN claims that they did push back a little).

One more consideration to explain why other search engines complied with the DOJ’s initial request without much fuss. I don’t have empirical evidence to back this up, but I suspect that large search engines like Google, Yahoo and Microsoft get dozens or even hundreds of government investigative requests a month—most or all of which the search engines dutifully fulfill. This DOJ request was just yet another government request—perhaps a little broader than normal, but not that different from the dozens or hundreds of recent requests the search engines had complied with.

3) Our Government is the Biggest Threat to Our Internet Privacy. Concerns about search engines and privacy are hardly new (this is an evergreen topic for this blog; see here and here). Not surprisingly, some privacy advocates are opportunistically using this event to complain yet again that we shouldn’t trust Google (see, e.g., Leslie Walker’s Washington Post story and Rep. Markey’s ill-conceived and opportunistic legislative proposal). This is a completely misdirected concern, especially in this case. We have no new or additional reasons to fear Google’s misuse of data about us. But, as this event points out, we have every reason to fear our government’s rapacious desire for information about its citizens.

Though we try to ignore it, deep down we know that our government is the biggest data slut around (it’s not even close). Consider some news from the last few months: Bush’s administration is engaged in domestic surveillance, the NSA and other agencies illegally use tracking cookies and even members of Congress breach their own voluntarily-adopted privacy policies. We don’t need tighter restrictions on search engine’s data management practices. Instead, we desperately need MUCH tighter restrictions on government data requests.

4) This Event May Backfire on the DOJ. The DOJ picked the wrong company to challenge publicly. I know that public attitudes towards Google are volatile (many of us have a love/hate relationship with Google). Despite that, Google has a great brand, and many people remain very passionate about Google. Go ahead, DOJ, mess with Yahoo or MSN or even Amazon and you won’t hear much public uproar. But targeting Google…well, that’s a fight that has a high risk of losing both the fight and popular support.

As a result, I expect that the DOJ will get unwanted public scrutiny about the propriety of its data requests. If the DOJ can’t convincingly defend its request, the DOJ’s gluttony could instigate public support for efforts to restrict government data-collection activities. Normally, in light of the USA Patriot Act and prevailing anti-terrorism/anti-porn rhetoric, such a suggestion would be laughable. But the DOJ picked on Google, one of the most cherished companies of our time. Bad move.

5) Google’s Motive May Not Be Entirely Pro-Consumer. Sure, Google’s resistance to the DOJ gives Google a chance to redeem its privacy standing after Gmail. However, I suspect Google’s principal motivations may have little to do with consumer privacy. Even as amended, the DOJ’s request would take valuable engineering time and would potentially expose some Google trade secrets to competitors or black-hat SEOs. We can laud Google for its pro-privacy stance all we want, but if the DOJ’s request required zero engineering time and did not expose any Google trade secrets, I’m convinced that Google would have quietly fulfilled the DOJ’s request a long time ago.

There’s been a lot of commentary on this event, and I won’t try to recap it here. However, a few pages I recommend:

* Danny Sullivan’s level-headed and insightful post

* Dan Solove’s insightful commentary on the applicable law that governs government’s requests to third parties for data

UPDATE: As predicted, Sen. Leahy is asking the DOJ to explain what they are doing and why.

UPDATE 2: Google’s response to the government’s motion.