Google Reporting on Which Countries Ask For Data About Users
Citizens have long wondered how often their governments ask online service providers for data about users, and how often governments ask providers to take down content. Today Google took a significant step on this issue, unveiling a site reporting numbers on a country-by-country basis.
It’s important to understand what is and isn’t included in the data on the Google site. First, according to Google, the data excludes child porn, which Google tries to block proactively, worldwide.
Second, the site reports requests made by government, not by private individuals. (Court orders arising from private lawsuits are included, because the court issuing the order is an arm of government.) Because private requests are excluded, the number of removal requests is lower than you might expect — presumably removal requests from governments are much less common than those from private parties such as copyright owners.
Third, Google is reporting the number of requests received, and not the number of users affected. A single request might affect many users; or several requests might focus on a single user. So we can’t use this data to estimate the number of citizens affected in any particular country.
Another caveat is that Google reports the country whose government submitted the request to Google, but this may not always be the government that originated the request. Under Mutual Legal Assistance Treaties, signatory countries agree to pass on law enforcement data requests for other signatories under some circumstances. This might account for some of the United States data requests, for example, if other countries asked the U.S. government to make data requests to Google. We would expect there to be some such proxy requests, but we can’t tell from the reported data how many there were. (It’s not clear whether Google would always be able to distinguish these proxy requests from direct requests.)
With these caveats in mind, let’s look at the numbers. Notably, Brazil tops both the data-requests list and the takedown-requests list. The likely cause is the popularity of Orkut, Google’s social network product, in Brazil. India, where Orkut is also somewhat popular, appears relatively high on the list as well. Social networks often breed disputes about impersonation and defamation, which could lead a government to order release of information about who is using a particular account.
The U.S. ranks second on the data-requests list but is lower on the takedown-requests list. This is consistent with the current U.S. trend toward broader data gathering by law enforcement, along with the relatively strong protection of free speech in the U.S.
Finally, China is a big question mark. According to Google, the Chinese government claims that the relevant data is a state secret, so Google cannot release it. The Chinese government stands conspicuously alone in this respect, choosing to deny its citizens even this basic information about their government’s activities.
There’s a lot more information I’d like to see about government requests. How many citizens are affected? How many requests does Google comply with? What kinds of data do governments seek about Google users? And so on.
Despite its limitations, Google’s site is a valuable step toward transparency about governments’ attempts to observe and control their citizens’ online activities. I hope other companies will follow suit, and that Google will keep pushing on this issue.
[thanks to epheterson and ed felten via cc]
Google Stops Censoring Chinese Search Engine Results
Google announced that it would cease (well, phase out) censoring the results in google.cn, the Chinese-language version of its famed search engine. It’s a pretty stunning move, both in its fact and in its execution. First, the announcement of “A new approach to China” may appear to have buried the lede. The lion’s share of the post is devoted to describing a series of coordinated attacks on the accounts of human rights activists, including those who use Google:
Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.
It includes a link to the amazing story of GhostNet, discovered by fellow ONI researchers when the Dalai Lama gave them his oddly-acting laptop to examine:
This study reveals the existence and operational reach of a malware-based cyber espionage network that we call GhostNet. Between June 2008 and March 2009 the Information Warfare Monitor conducted an extensive and exhaustive two-phase investigation focused on allegations of Chinese cyber espionage against the Tibetan community. The GhostNet system directs infected computers to download a Trojan known as gh0st RAT that allows attackers to gain complete, real-time control. These instances of gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan, People’s Republic of China.Our investigation reveals that GhostNet is capable of taking full control of infected computers, including searching and downloading specifc fles, and covertly operating attached devices, including microphones and web cameras.
Companies rarely share information about the cyberattacks they experience — conventional wisdom has it that it makes the company appear vulnerable, and drives customers away. Here Google is open about the attacks, while of course assuring readers that it had tightened security as a result. Google then links these attacks to a lessening of enthusiasm for doing business in China. Eliminating censorship in google.cn is only mentioned after that.
Suppose the Chinese government acts as expected and tells Google that it may no longer operate in China. Google.cn might vanish as a domain name, since it’s hosted under the Chinese country-code TLD of .cn, ultimately controllable by the Chinese government. But the search engine found there could of course keep operating from a different location, like cn.google.com. Suppose then that China attempts to filter out traffic to and from that new location — and to and from google.com for good measure, as it has done from time to time, especially before the advent of google.cn and its agreement to censor. (We’ll be watching for such moves at herdict.org, a site where users can report Web blockages.)
What next? My hope, and expectation, is that Google engineers who might have been a bit halfhearted about implementing censorship mandates in google.cn could be full-throttle in coming up with ways for Google to be viewed despite any network interruptions between site and user. There are lots of unexplored options here. They’re unexplored not because they’re infeasible, but because most sites would rather not provoke a government that filters. So they don’t undertake to get information out in ways that might evade blockages. Here, Google would have nothing more to lose, so could pioneer some new approaches. Circumvention of filtering (or other blockages, for that matter) tends to happen on the user side of things, seeking out proxies like the Tor network, or anonymizer.com.
To be sure, many of the larger benefits of operating in China originally cited by Google four years ago — exposing the citizenry to services beyond those locally grown and monitored; engaging them beyond the “China Wide Web” to which some government officials aspire to limit them; and gaining market share that can create momentum and support for later loosening of restrictions — may attenuate. Google.cn is less known and used than, say, the local Baidu search engine, which boasts about 60% market share. That share is about to get even bigger.
But drawing a line is both the right move and a brilliant one. It helps realign Google’s business with its ethos, and masterfully recasts the firm in a place it will feel more comfortable: supporting the free and open dissemination of information rather than metering it out according to undesirable (and capricious) government standards.
[thanks to myuibe and futureoftheinternet via cc]
