Do No Evil and Perhaps Do Some Good: Google, Privacy, and Business Records
posted by Daniel Solove
Google — whose motto when it went public in 2004 was “do no evil” — contends that submitting to the subpoena would represent a betrayal to its users, even if all personal information is stripped from the search terms sought by the government.
“Google’s acceding to the request would suggest that it is willing to reveal information about those who use its services. This is not a perception that Google can accept,” company attorney Ashok Ramani wrote in a letter included in the government’s filing.
In contrast to Google, other search engine companies such as Yahoo complied with the subpoenas without putting up a fight. Google is to be applauded for taking the effort to rebuff the government’s request.
The government is increasingly interested in gathering personal information maintained by various businesses. As I wrote in my book, The Digital Person:
While life in the Information Age has brough us a dizzying amount of information, it has also placed a profound amount of information in the hands of numerous entities. . . . [T]hese digital dossiers are increasingly becoming digital biographies, a horde of aggregated bits of information combined to reveal a portrait of who we are based upon what we buy, the organizations we belong to, how we navigate the Internet, and which shows and videos we watch. This information is not held by trusted friends or family members, but by large bureaucracies that we do not know very well or sometimes do not even know at all.
I also wrote about the issue in an article available at SSRN.
One enormous problem is that the Supreme Court has established an immensely troubling doctrine in Fourth Amendment law known as the “third party doctrine.” In United States v. Miller, 425 U.S. 435 (1976), the Supreme Court held that people lack a reasonable expectation in their bank records because “[a]ll of the documents obtained, including financial statements and deposit slips, contain only information voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.” Employing analogous reasoning, in Smith v. Maryland, 442 U.S. 735 (1979), the Supreme Court held that people lack a reasonable expectation of privacy in pen register information (the phone numbers they dial) because people “know that they must convey numerical information to the phone company,” and therefore they cannot “harbor any general expectation that the numbers they dial will remain secret.” When there’s no reasonable expectation of privacy, the Fourth Amendment provides no protection.
The problem with the third party doctrine is that in the Information Age, countless companies maintain detailed records of people’s personal information: Internet Service Providers, merchants, bookstores, phone companies, cable companies, and many more. The third party doctrine thus severely limits Fourth Amendment protection as more of our personal information winds up in the hands of businesses.
In my book and article discussed above, I also explain that in the void left by the Fourth Amendment, Congress has passed a series of statutes that provide some regulation on government access to records of personal information maintained by businesses. The problem is that these statutes are woefully inadequate. As I wrote:
[T]here are gaping holes in the statutory regime of protection, with classes of records not protected at all. Such records include those of merchants, both online and offline. Records held by bookstores, department stores, restaurants, clubs, gyms, employers, and other companies are not protected. Additionally, all the personal information amassed in profiles by database companies is not covered.
Further, the statutes often do not provide for significant-enough standards for the government to access data. In other words, it is still very easy for the government to obtain the data even with the statutes.
I believe that this state of affairs presents problems not just for individual privacy, but for the businesses maintaining personal information as well. The government may gather personal information from businesses notwithstanding their privacy policies. This thwarts the interests of companies that want to encourage people to reveal information by promising strong limitations in its use. It adds an often unstated risk to a consumer’s revealing information to a company. It erodes people’s trust in companies as well.
A while back, I blogged about why businesses should lobby Congress for greater protections against government access to business records involving personal information:
I also think that businesses should use their power to push for greater legislative protections of personal information from government access. It is here were Google’s interests and the privacy interests of its users coincide. Right now, the government is inadequately regulated when it comes to accessing personal data maintained by third parties. If the businesses maintaining the data lobbied Congress for greater protections, this would help to address one of the major privacy threats that their maintaining the information poses. It wouldn’t solve all of the problems, but it would address a big one.
I urge Google and other businesses that gather personal information to push for legislation to better regulate government information gathering from businesses. I applaud the fact that Google is fighting the government’s subpoenas, but I urge them (and others) to go further. It is here where business interests and individual consumer interests are aligned with regard to privacy.