Government Sticks Its Fingers Deeper into Your Data Pie

By Lisa Vaas  |  Posted 2006-01-25

Government Sticks Its Fingers Deeper into Your Data Pie

Its an intense time for skirmishes between government and corporate America.

The Senate will take up the question of renewing the Patriot Act during the week of Jan. 30, and Google is fighting tooth and nail to keep search terms and search results out of the hands of the government.

For the private sector, the governments desire to fiddle with data raises a few questions: Just how much control does the government have over grabbing your data, and how onerous is that for business?

Regarding their effect on enterprises, the Patriot Act and the governments squeeze on Google are two different beasts.

According to Orin Kerr, an associate professor of law at the George Washington Law School who worked on legislation that eventually became the Patriot Act, the difference lies in the fact that the Patriot Act tweaked pre-existing laws—the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act.

Conversely, the governments move on search companies doesnt implicate pre-existing law, since its a simple subpoena.

The distinction isnt making business leaders relax, though—rather, theyre tensing up as governments requests for information grow ever more obtrusive.

"Some of the stuff thats been of greatest concern to businesses with the Patriot Act request has been the increasing likelihood that the information requested would be open-ended and increasingly onerous," said Susan Hackett, senior vice president and general counsel of the Association of Corporate Counsel, in an interview with eWEEK.

Googles skirmish with the government hasnt directly affected enterprises, beyond a general sense of unease that the government wont stop with anonymous search data but will instead gain insight into what should be private research.

For example: Dr. M. Lewis Temares, vice president of IT for the University of Miami, noted that on a corporate level, hes been led to believe that the nature of his searches wont spill out into public or government discourse, given that there are things he searches for that could potentially reveal trade secrets.

"Im [hypothetically] negotiating with Bell South with regards to their practices in terms of a future contract," Temares said.

"I use the search engine to find out what competitors are doing. All of a sudden Ive got people saying personal things about their experiences, their cellular experiences, that maybe they dont want to be made public.

"The government can see weve talked about various things in regards to competitiveness," Temares said.

"That may affect on a corporate basis everything you can say with regards to private conversations. Maybe the Federal Trade Commission [would get involved], maybe somebody said something about the governments interference. Maybe government takes it to another level: If hes saying something about the government…"

The search results and terms turned over by search companies thus far have reportedly been stripped of anything that would allow them to be traced back to users, as per government agreement.

The obtrusiveness of government if it succeeds in its Google subpoena is at this point hypothetical.

The effects of the Patriot Act are not. They are hard to gauge, though, given that the Patriot Act inflicted a gag order on those it hit up for information.

"Its difficult to get a good sense of what theyve been asked for, because theyre under a gag order," Hackett said.

"But with conversations with folks whove shared general thoughts on this, theyve drawn a distinction between requests for Mr. Smiths transactions with you from March 20 to June 30 of this year. Thats reasonably defined, easy to find in your systems."

Contrast that with what increasingly concerns businesses, though, Hackett said: namely, the government coming to a corporation and requesting a large and nebulous cloud of information—requesting, say, all information on customers and transactions done in hotspot Middle Eastern countries.

"These huge, open-ended, [You] dont know what [were] investigating but were putting you in charge of giving us information that we dont know if you have investigations" are what worry businesses about the governments Google move, she said.

Next Page: Governments slippery slope.

Governments Slippery Slope

Government on Slippery Slope with Google

Indeed, the governments request for information from Google has been large and impossibly vague, as Google has itself protested in its fight.

Google on Jan. 19 revealed that it is resisting a subpoena, first issued in August 2005, from the U.S. Department of Justice to review Google customer search habits.

The DOJ has already secured similar material from MSN, Yahoo and AOL as it seeks to prove the ineffectiveness of commercially available Web content filters to filter porn and thus defend the COPA (Child Online Protection Act) from an ACLU, et al., lawsuit that deemed it unconstitutional.

In essence, the government is hoping to build a simulated Web to illustrate how often Google and other search users encounter porn.

As it is, the government has scaled back its original demands. In its August version, it subpoenaed any and all URLs that could be produced through a query on Googles search engine, along with two months worth of queries entered into Google search between June 1 and July 31, 2005.

After negotiations with Google, the U.S. Attorney General scaled back the subpoena to a random sampling of 1 million URLs from Googles then-current database, along with a random sampling of 1 million search queries submitted on a given day.

How easy would it be for a business to comply with such a request?

For starters, randomness is easy to screw up.

"At times, randomness is more complicated than you think it is," said Richard E. Mackey Jr., a principal at security firm SystemExperts, in an interview with eWEEK.

"You scramble it, but the sample you took was actually from a particular day over a longer period. So I always wonder, What does it mean to be random?

"Thats what gets me about these questions," he said. "They ask these questions, and as soon as you know something about the data, you can say something about what randomizing means. By data center? By time? We want the distribution to look uniform, of queries over a certain amount of time. Or do you want the result like a histogram, showing more frequent instances of [searches] made more frequently?"

In other words, you need to have a good sense of the entire data set in order to create a random subset. To wit: Google protested that the governments consultant, UC Berkeleys Professor Philip Stark, would need knowledge of the upper limit of stored URLs on each server, as well as the total number of search queries run on the relevant day.

That information, however, is considered of competitive value in the cutthroat world of search engines, spurring Google to dig in its heels on what it called an "overbroad, unduly burdensome, vague" request intended to harass. In the process, the request would result in Google giving away trade secrets, it claimed.

Not only that, Google claimed, but the information a) wasnt relevant to the underlying child pornography lawsuit, and b) was available publicly anyway.

The broad question, Kerr said, boils down to what law protects, or should protect: businesses family jewels. In other words, what law protects data?

"The subpoena is the general default used to protect data," Kerr said. "Its mostly designed to protect a defendants stuff, not a third partys. So here you have Google being asked to turn over information that belonged to people who used the search terms. So the ultimate question is, Do you need a law protecting this information beyond a subpoena?

Check out eWEEK.coms for the latest database news, reviews and analysis.

Rocket Fuel