User data requests FAQs


What is a user data request?

Government agencies make requests to Google companies seeking information about Google users' accounts or products. In this report, we are revealing statistics about those demands.

What is a preservation request?

At times, a government entity may ask a provider to set aside a copy of specified information while the agency goes through the process of seeking legal process to compel the disclosure of that information. An agency may want a provider to preserve a record when, for example, the agency is concerned that the record may be lost or destroyed before the agency can secure the legal process. Preservation requests only apply to information that Google has at the time of the request, not information that may be generated in the future. We do not include preservation requests in request totals for each country because we do not disclose data in these cases. If a government agency does come back with a legal order to disclose and we provide data in response, we account for those disclosures in the appropriate legal process category.

Is this data comprehensive?

Our goal is to present a comprehensive data set encompassing all demands that we receive from government agencies for user information, including all criminal and national security requests. The data may exclude matters that were received during the reporting period, but remain pending and not yet completed. We're continuously working to improve our internal processes so that our reports will be accurate and timely.

Why do some of the older reporting periods have fewer data than newer reporting periods?

As with many other Google products, we like to launch and iterate. The Transparency Report is no different. As we've worked on this project, we've discovered the best way to disclose more information. For example, starting with the July – December 2010 reporting period, we began to disclose the percentages of user data requests where we produce some data. And starting with the January – June 2011 reporting period, we began to disclose the number of users or accounts about which data was requested. Since then we've added more and more information about US national security requests.

Do your statistics cover all categories of data requests from governments?

Yes, our goal is to include in our statistics all demands that we received from government entities unless we must delay reporting, such as with certain FISA requests. That is what we're doing in this report. We're always looking to improve how we track requests internally so that we can be as comprehensive and accurate as possible.

Who are the 'users/accounts' being specified by user data requests, and is Google the only company that governments ask for user data?

Like other technology and communications companies, we regularly receive requests from government agencies to disclose information about users of Google services. We are by no means unique when it comes to receiving these requests.

Is the number of 'users/accounts' a comprehensive count of the total number of users about whom governments have requested data?

No, it's not the total number of unique users that have been the subject of a request to Google. There are several reasons why the numbers of 'users/accounts' in user information requests may be over-inclusive. For example, the same Gmail account may be specified in several different requests for user information, perhaps once in a subpoena and then later in a search warrant. We add both instances to the 'user/accounts' total even though it's the same account. Similarly, we might receive a request for a user or account that doesn't exist at all. In that case, we would still add both the request and the non-existent account to the total. We've taken efforts to reduce over-inclusiveness, but have decided it is better to err on the side of a greater number.

How many of these requests result in Google producing some data?

We report percentages for criminal requests from July 2010 onward. Those percentages reflect the number of requests that we responded to by producing some information.

When we receive a request for user information, we review it carefully and only provide information within the scope and authority of the request. The privacy and security of the data that users store with Google is central to our approach. Before producing data in response to a government request, we make sure that it follows the law and Google's policies. We notify users about legal demands when appropriate, unless prohibited by law or court order. And if we believe a request is overly broad, we seek to narrow it – like when we persuaded a court to drastically limit a US government request for two months' of user search queries.

Are the observations that you make about the data comprehensive and do they all relate to the same topics?

These observations on user data requests highlight some trends that we've seen in the data during each reporting period, and are by no means exhaustive.


National Security Letters

What is a National Security Letter (NSL)?

It’s a request for information that the Federal Bureau of Investigation (FBI) can make when they or other agencies in the Executive Branch of the US government are conducting national security investigations. An NSL can’t be used in ordinary criminal, civil or administrative matters.

You can read more about NSLs in this publication by the Congressional Research Service. The FBI is required to report how they use NSLs to Congress biannually. The US Department of Justice also regularly audits how the FBI uses NSLs.

What does an NSL compel Google to disclose?

Under the Electronic Communications Privacy Act (ECPA) 18 U.S.C. section 2709, the FBI can seek 'the name, address, length of service and local and long distance toll billing records' of a subscriber to a wire or electronic communications service. The FBI can’t use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses.

What process must the FBI follow to issue an NSL?

The Director of the FBI or a senior FBI designee must provide a written certification that demonstrates that the information requested is 'relevant to an authorised investigation to protect against international terrorism or clandestine intelligence activities'. The FBI is not required to get court approval to issue an NSL.

Can non-US governments obtain information through investigative processes and laws similar to NSLs and FISA?

Many governments may have legal processes similar to NSLs that allow them to obtain information for national security reasons. Many also have national security authorities that are in some ways like FISA. When Google receives these user data requests, we include them in the numbers that we report biannually in our Transparency Report for each country.


Foreign Intelligence Surveillance Act 

What is the Foreign Intelligence Surveillance Act (FISA)?

The Foreign Intelligence Surveillance Act is a US law, originally enacted in 1978, to govern how the US government collects foreign intelligence for national security. This Act created the Foreign Intelligence Surveillance Court, which consists of 11 federal district court judges who review government applications for electronic surveillance and other types of intelligence collection. It also created the Foreign Intelligence Court of Review, to which appeals from the FISC can be made. These courts have the power to require companies or other private organisations to hand over information in foreign intelligence investigations.

The Department of Justice oversees the agencies involved in carrying out FISA-authorised activities. FISA requires these agencies to brief Congress on a regular basis and present all pertinent FISA court documents. You can read more about FISA in these publications by the Congressional Research Service: 15 February 2007 CRS Report7 July 2008 CRS Report.

What does a FISA request compel Google to disclose?

Under the Foreign Intelligence Surveillance Act (FISA), the government may apply for court orders from the FISA Court to, among other actions, require US companies to hand over users’ personal information and the content of their communications.

The FISA Amendments Act, passed in 2008, authorises the government to require US companies to provide information and content of communications associated with accounts of non-US citizens or non-lawful permanent residents who are located outside the United States. You can read more about the FISA Amendments Act in this publication by the Congressional Research Service: 8 April 2013 CRS Report.

If Google were to receive a FISA request, what would it do?

Google’s general approach to government requests for information is the same: Before producing data in response to a government request, we make sure that it follows the law and Google's policies. And if we believe a request is overly broad, we seek to narrow it.

What are the reporting delays imposed by the US Department of Justice?

The US Department of Justice has imposed two delays. First, providers must wait six months before publishing statistics about FISA requests so that, for example, the report published 1 January 2015 will reflect requests received between 1 January and 1 July 2014. Second, providers must wait two years to publish statistics reflecting 'New Capability Orders'.

If you receive an NSL or a FISA request concerning my account, will you tell me about it?

If Google receives an NSL or FISA request for a user's account, we would apply the same policy that we use when responding to ECPA legal process.

In the case of NSLs, the FBI has the power, under 18 USC. section 2709(c)(1), to prohibit the recipient of an NSL from disclosing the fact that it has received an NSL, by certifying that disclosure may result in 'a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations or danger to the life or physical safety of any person'. In the case of FISA requests, current law prohibits recipients of FISA requests from disclosing the existence of the request.