Google Reveals Government Demands For Cloud Data
1:43 PM EST Wed. Mar. 06, 2013
The FBI and other agencies demanded data from Google up to 1,000 times in 2012, according to a new Google report that aims to shed light on government access to data stored in the cloud.
Google granted access to up to 2,000 user accounts when government investigators issued a National Security Letter, a document used to circumvent a court order and get ISPs, financial institutions and other businesses to turn over information that investigators deem relevant to an investigation.
Google for the first time included this data in its annual Transparency Report, which details when Google's legal team releases data to investigators and other authorities upon request.
Use of the National Security Letter document was expanded in a provision under the U.S. Patriot Act of 2001, giving the FBI the authority to demand information for investigations impacting national security matters. The FBI's written demands for information using a National Security Letter are subject to a gag order, forbidding businesses from revealing them to the public.
Government demands for data stored in the cloud have had an impact on adoption, according to security experts. They are also influencing the channel. Managed security service providers and resellers of tokenization and encryption technologies have been urging businesses to lock down data stored in the cloud. Keeping the encryption keys stored locally could force investigators seeking the information to request the key from the business and not the cloud provider.
Companies are hesitant to move data on their most critical systems, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider Solutionary. "Any time you're storing data in an environment that is not your traditional network there's always a concern," Kraus said. "People want to know what the government can request and what the cloud service provider is required to deliver."
In a recent interview with CRN, Jim Reavis, executive director of the Cloud Security Alliance, said many businesses have been steadily migrating systems to the cloud but agreed that most firms are still clinging to their most critical assets out of concern that they could lose control over them to government authorities. The issue has become such a hot topic that the Cloud Security Alliance launched a website to provide research on cloud-related legal issues, Reavis said.
"In a lot of cases, people are making assumptions and we're working to shine a real light on the law itself and not make a lot of judgments about it," Reavis said of the Patriot Act. "It's not so much a new law as it has created modifications to a dozen different U.S. laws, so our aim is to try to take the hype and FUD out of the legal issues."
Google revealed that from July to December 2012 it adhered to more than 5,700 subpoena requests for information on individuals, nearly 1,900 search warrants and 758 court orders issued under the Electronic Communications Privacy Act seeking user data. Google said about 90 percent of the requests it received produced data on individuals.
"Government requests for user data from the United States include those issued by U.S. authorities for U.S. investigations as well as requests made on behalf of other governments pursuant to mutual legal assistance treaties and other diplomatic mechanisms," Google said.
Google said it added requests by the FBI via National Security Letter as part of investigations under the U.S. Patriot Act. It is used, Google said, to obtain identifying information about a subscriber from telephone and Internet companies.
"The FBI has the authority to prohibit companies from talking about these requests. But we've been trying to find a way to provide more information about the NSLs we get -- particularly as people have voiced concerns about the increase in their use since 9/11," wrote Richard Salgado, Google's legal director, in a blog post about the newly updated report.
Salgado said the data on FBI requests via National Security Letters is vague, given in numerical ranges rather than exact numbers in order to appease the FBI and Justice Department's concerns that exact numbers could reveal information about investigations.
PUBLISHED MARCH 6, 2013