Has Google's Privacy Policy Protected Us From Government Surveillance?

The District Court ruling that Google doesn’t have to turn over any search records to the Bush administration isn’t just a victory for Web surfers who don’t like the thought of being tracked by the government. It's a victory for anyone who stores data and doesn’t want to be harassed by lawyers or federal agents.

Google claimed from the start that the case was about privacy rights, citing both its users’ right not to have their searches revealed and Google’s own right to make sure its trade secrets stayed that way. Both of these are important and were enough to win in court. But the implications for both personal and corporate privacy go much further than that.

For individuals, the greatest threat to privacy isn’t so much the search records as what the Bush administration wanted to do with them--that is, bolster its legal argument in favor of the Child Online Protection Act. Despite the name, COPA has nothing to do with protecting children online. Rather, it requires all Web sites that contain potentially sexual content to track visitors and verify that they're over 17. The intent is to censor porn, but sexual content is defined so vaguely that just about every Web site could end up requiring age verification.

According to COPA, Web publishers have the option of two tracking mechanisms. The low-tech solution is to ask all visitors for their credit card details, which makes the law an even greater gift than Internet Explorer to the phishing industry. (Some sites already use the Act as an excuse to demand credit card numbers.) The high-tech one is to have the PC itself provide a digital certificate that identifies the user, probably through a combination of Trusted Computing chips and biometric sensors.

Google’s victory won’t in itself stop COPA, of course. And stopping it might not even be necessary. In 2001, the Supreme Court decided that the law was unconstitutional (see PDF or Google cached HTML) following a challenge from a group of online publishers led by the ACLU. But it left open the possibility that future technological advances could change this.

I don’t quite understand how technology can make censorship and tracking constitutional, let alone how a list of search queries can prove it, but that appears to be the Bush administration’s case. If it's somehow valid, Google’s refusal probably won't make any difference. Microsoft and Yahoo both acquiesced without a fight. AOL also provided some data, so the White House already has much of what it wanted.

However, the legal argument that the District Court relied on in its ruling (PDF only, so far) could help bolster the ACLU’s case, as well as that of other organizations that store data and need to stand up to a subpoena. The Bush administration’s lawyers had argued that it needs Google’s search records because many people use Google to search for porn. District Judge James Ware eventually relied on the same argument, but turned it in favor of Google.

The Judge’s reasoning is that people have a right to keep their porn searches private, even if they might not mind Google sharing some other less embarrassing search terms. (This is contrary to the stated premise of COPA, which is that everyone who surfs for smut needs to be tracked.) Because so much of Google’s business supposedly involves porn, the District Court was concerned that forcing Google to violate its privacy policy could hurt the site’s popularity. So privacy policies aren’t meaningless and unenforceable; they can actually stand up in court, provided that the company that wrote the policy is willing to stand up, too.

Unfortunately, the Court didn’t get a chance to rule on Google’s claims about trade secrets. The Bush administration had already dropped its previous demands (see PDF of the subpoena posted by SearchEngineWatch, or Google cached HTML), which covered details such as how many servers Google has and what each one of them does. But the ruling does show that the Court is concerned about the effect on Google’s business. And the case itself shows that stored data can become a liability, even if it's successfully protected against black-hat hackers, malicious insiders, and all the other traditional security threats.

Google and the other search engines weren't originally involved in the COPA case; it was just between the Bush administration and the ACLU-led group. (Unlike most Web sites, Google wouldn’t even be affected by COPA because it specifically excludes search engines.) But they became involved once the government saw that their vast stores of data might prove useful.

Most organizations don’t store as much information as Google, but their databases could still be tempting, especially with the growing overlap between people's business and personal lives. The riskiest is location data, which both prosecutors and defense attorneys regularly demand from cellular carriers. Businesses that track and store customers’ or employees’ movements (online or offline) could find themselves in a similar position, dragged into both civil and criminal suits.

As Google shows, the best defense is a strong privacy policy, but it needs to be backed up by a strong legal department and a willingness to fight. Without those, businesses may be better off not storing sensitive data at all.