Google apps
Main menu

Legal process for user data requests FAQs

General

Why might a government agency request my data?

A variety of laws allow government agencies to investigate regulatory violations or criminal activity. Google receives requests for user data from government agencies investigating criminal activity, administrative agencies, courts and others.

Does Google give governments direct access to user data?

We require that requests for user data be sent to Google directly and not through any sort of "back door" direct access by the government.  Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process.  We have taken the lead in being as transparent as possible about government requests for user information.

What does Google do when it receives a legal request for user data?

Respect for the privacy and security of data you store with Google underpins our approach to producing data in response to legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Google's policies. Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we'll seek to narrow it.

How many of these requests result in Google producing some data?

You can find the numbers right in this report, including a table of requests by country.

Has Google successfully narrowed requests before?

Yes, we often successfully narrow the scope of requests. For example, in 2006 Google was the only major search company that refused a U.S. government request to hand over two months' of user search queries. We objected to the subpoena, and eventually a court denied the government's request. In some cases we receive a request for all information associated with a Google account, and we may ask the requesting agency to limit it to a specific product or service.

What if I want to give law enforcement my Google account records?

You can. We provide tools that allow you to download your content from many of our services using Google Takeout. Google, however, requires valid legal process before we will produce data in response to a request from a government agency (even if the request is being made on your behalf), absent an emergency situation.

In light of the types of legal requests covered in the Transparency Report, what can a user do to view their own data and also make plans for the future?

Google empowers our users to view and control their own data. Using Takeout, users can export or create an archive of their Google data. Using the Inactive Account Manager, users can decide what should happen to their data in the event that they have been inactive for a certain period of time. We highly encourage our users to try these tools to manage data and digital legacy.

 

Requests from inside the United States

Does a law enforcement agency in the U.S. have to use legal process to compel Google to provide user data or will a phone call be enough?

The government needs legal process—such as a subpoena, court order or search warrant—to force Google to disclose user information. Exceptions can be made in certain emergency cases, though even then the government can't force Google to disclose.

What kinds of emergency cases?

Sometimes we voluntarily disclose user information to government agencies when we believe that doing so is necessary to prevent death or serious physical harm to someone. The law allows us to make these exceptions, such as in cases involving kidnapping or bomb threats. Emergency requests must contain a description of the emergency and an explanation of how the information requested might prevent the harm. Any information we provide in response to the request is limited to what we believe would help prevent the harm.

How can law enforcement send legal requests to Google?

Law Enforcement authorities can submit data requests to Google Inc. in person, via fax, regular mail, email, or through Google’s online Law Enforcement Request System (LERS). Acceptance of legal process by any of these means does not waive any objections.

What is Google’s online Law Enforcement Request System (LERS)?

LERS is a system in which a verified law enforcement agent can securely submit a legal request for user data, view the status of the submitted request, and download the response submitted by Google.

Is the system secure?

It’s served over HTTPS, so LERS is encrypted. Each law enforcement agent accessing the system has a unique user account (provisioned by Google) and is required to login with 2-step authentication.

Doesn’t this make it much easier for governments to be able to get user data?

No. LERS does not provide governments with direct access to our systems or our users’ data. LERS is an interface through which approved government authorities can submit legal requests. Google reviews each government request and uses LERS to respond appropriately in accordance with applicable laws. The same legal standards apply to LERS submitted process as apply to legal process submitted to Google via other methods.

What types of legal requests does Google receive from U.S. government agencies?

By far the most common is the subpoena, followed by search warrants. A federal statute called the Electronic Communications Privacy Act, known as ECPA, regulates how a government agency can use these types of legal process to compel companies like Google to disclose information about users. This law was passed in 1986, before the web as we know it today even existed. It has failed to keep pace with how people use the Internet today. That's why we've been working with many advocacy groups, companies and others, through the Digital Due Process Coalition, to seek updates to this important law so it guarantees the level of privacy that you should reasonably expect when using our services.

What's the difference between a subpoena, a search warrant and a court order under ECPA? What information can a government agency get from Google with each?

It's complex, but here's a summary of the different forms of legal process covered by ECPA:
Subpoena
Of the three types of ECPA legal process for stored information, the subpoena has the lowest threshold for a government agency to obtain. In many jurisdictions, including the federal system, there is no requirement that a judge or magistrate review a subpoena before the government can issue it. A government agency can use a subpoena to compel Google to disclose only specific types of information listed in the statute. For example, a valid subpoena for your Gmail address could compel us to disclose the name that you listed when creating the account, and the IP addresses from which you created the account and signed in and signed out (with dates and times). Subpoenas can be used by the government in both criminal and civil cases.

On its face, ECPA seems to allow a government agency to compel a communications provider to disclose the content of certain types of emails and other content with a subpoena or an ECPA court order (described below). But Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable search and seizure.

ECPA Court Order
Unlike an ECPA subpoena, obtaining an ECPA court order requires judicial review. To receive an ECPA court order, a government agency must present specific facts to a judge or magistrate demonstrating that the requested information is relevant and material to an ongoing criminal investigation.

With such a court order, a government agency can obtain the same information as a subpoena, plus more detailed information about the use of the account. This could include the IP address associated with a particular email sent from that account or used to change the account password (with dates and times), and the non-content portion of email headers such as the "from," "to" and "date" fields. An ECPA court order is available only for criminal investigations.

Search Warrant
The threshold is higher still for an ECPA search warrant. To obtain one, a government agency must make a request to a judge or magistrate and meet a relatively high burden of proof: demonstrating "probable cause" to believe that contraband or certain information related to a crime is presently in the specific place to be searched. A warrant must specify the place to be searched and the things being sought. It can be used to compel the disclosure of the same information as an ECPA subpoena or court order—but also a user's search query information and private content stored in a Google Account, such as Gmail messages, documents, photos and YouTube videos. An ECPA search warrant is available only in criminal investigations. The video below provides an overview of how we review and respond to ECPA search warrants.
Way of a Warrant

What are Wiretap, Pen Register and Trap and Trace Orders, and How Do They Differ from Other ECPA Legal Process?

What are Wiretap, Pen Register and Trap and Trace Orders, and How Do They Differ from Other ECPA Legal Process?

Some US federal and local government agencies can ask courts to require companies to disclose user information in real-time. In contrast to subpoenas or search warrants, which are used to obtain information created in the past, these types of court orders look to collect information that doesn’t exist yet. They fall into two categories: wiretaps and pen register and trap and trace orders.
Wiretap
A wiretap order requires a company to hand over information that includes the content of communications in real-time. Of all the government requests than can be issued under ECPA, wiretap orders are the hardest to obtain. To satisfy legal requirements, a government agency must demonstrate that: a) someone is committing a crime listed in the Wiretap Act, b) the wiretap will collect information about that crime, and c) the crime involves the telephone number or account that will be tapped. The court must also find that ‘normal’ ways to investigate crime have failed (or probably would fail), or are too dangerous to attempt in the first place. There are limits on how long a wiretap can run and requirements to notify users who have been tapped.

Statistics about federal and state wiretaps are available here.

Pen Register, and Trap and Trace
A pen register or trap and trace order requires a company to hand over information about a user’s communications (excluding the content of communications themselves) in real-time. With such an order, a government can obtain “dialing, routing, addressing and signaling information.” This could include the numbers you dial on your phone to reach someone or an IP address issued by an ISP to a subscriber.

It’s easier for a government agency to get a pen register or trap and trace order than a wiretap orders or search warrant. To obtain one, the requesting agent has to certify that information likely to be obtained will be “relevant to an ongoing criminal investigation.” Google believes this standard is too low, and has been working with the Digital Due Process coalition to make sure the court has a meaningful role in determining when these orders are issued.

If you receive a legal request concerning my account, will you tell me about it?

If Google receives ECPA legal process for a user's account, it's our policy to notify the user via email before any information is disclosed unless such notification is prohibited by law.  We will provide delayed notice to users after a legal prohibition is lifted, such as when a statutory or court ordered gag period has expired.  We might not give notice when, in our sole discretion, we believe that notice would be counterproductive or exceptional circumstances exist involving danger of death or serious physical injury to any person.  In such cases, we will provide delayed notice if we later determine that those circumstances no longer exist.  In cases where the account in question is an enterprise hosted account, notice may go to the domain administrator, or the end user, or both.

 

We review each request we receive before responding to make sure it satisfies applicable legal requirements and Google's policies. In certain cases we'll push back regardless of whether the user decides to challenge it legally.   If the request appears to be legally valid, we will endeavor to make a copy of the requested information before we notify the user.

I received an email from Google saying that someone has requested information related to my account. What does this mean?

It means we've received a legal request to disclose information that's either stored in your Google account or associated with it. Just because we receive a request doesn't necessarily mean that we did—or will—disclose any of the requested information. We have a rigorous process for reviewing these requests against legal requirements and Google's policies.

In these emails, Google will not ask you to provide any personal information such as a password or social security number. If you get an email purportedly from Google that asks for this type of information, don't provide it. The email is probably a scam, so please report it to us.

What can I do about a request like this?

You may wish to consult a lawyer to discuss your options. In our notice to you, we will provide information so that you can contact the requesting party with questions about the legal process. We will also provide a copy of the legal process upon request, although we may have to redact some information before sending it to you. We can’t give you legal advice or discuss the substance of the request.

Unless you take action, like filing an objection with the court, we may have to produce information responsive to the request. Typically, the amount of time you’ll have to file an objection will be 7 calendar days, though that can vary from case to case. Be sure to send us a copy of any objection filed with the court so we know about it, and make sure that copy has the court’s stamp on it showing it was actually filed. It is not enough to just ask us not to disclose the information because we may be required to produce data unless a court tells us otherwise.

What kinds of data do you disclose for different products?

To answer that, let's look at four services from which government agencies in the U.S. commonly request information: Gmail, YouTube, Google Voice and Blogger. Here are examples of the types of data we may be compelled to disclose, depending on the ECPA legal process, the scope of the request, and what is requested and available. If we believe a request is overly broad, we will seek to narrow it.
 
Products Subpoena Court Order Search Warrant
Gmail
  • Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number)
  • Sign-in IP addresses and associated time stamps
  • Non-content information (such as non-content email header information)
  • Information obtainable with a subpoena
  • Email content
  • Information obtainable with a subpoena or court order
YouTube
  • Subscriber registration information
  • Sign-in IP addresses and associated time stamps
  • Video upload IP address and associated time stamp
  • Information obtainable with a subpoena
  • Copy of a private video and associated video information
  • Private message content
  • Information obtainable with a subpoena or court order
Google Voice
  • Subscriber registration information
  • Sign-up IP address and associated time stamp
  • Telephone connection records
  • Billing information
  • Forwarding number
  • Information obtainable with a subpoena
  • Stored text message content
  • Stored voicemail content
  • Information obtainable with a subpoena or court order
Blogger
  • Blog registration page
  • Blog owner subscriber information
  • IP address and associated time stamp related to a specified blog post
  • IP address and associated time stamp related to a specified post comment
  • Information obtainable with a subpoena
  • Private blog post and comment content
  • Information obtainable with a subpoena or court order

 

Are Google records admissible in court without testimony?

Google provides a written certificate of authentication with the information it discloses in response to legal process. This is typically sufficient to allow for admissibility in a court proceeding. Google does not provide expert testimony.

 

Requests from outside the United States

How does Google respond to requests from government agencies outside the United States?

Using Mutual Legal Assistance Treaties (MLATs) and other diplomatic and cooperative arrangements, non-U.S. agencies can work through the U.S. Department of Justice to gather evidence for legitimate investigations. In some cases, the U.S. Federal Trade Commission may be able to provide assistance.

If U.S. law is implicated in the investigation, a U.S. agency may open its own investigation and provide non-U.S. investigators with evidence gathered. Google may also disclose data in response to emergency disclosure requests when we believe that doing so is necessary to prevent death or serious physical harm to someone.

On a voluntary basis, we may provide user data in response to valid legal process from non-U.S. government agencies, if those requests are consistent with international norms, U.S. law, Google's policies and the law of the requesting country.

What information might a government agency outside of the United States get from Google with various legal processes?

If a non-U.S. agency goes through a diplomatic process like MLAT to obtain a U.S.-issued ECPA subpoena, court order or search warrant, Google would produce the same information as if the request originated directly from a U.S. agency. In cases where Google honors legal process issued directly from the non-U.S. agency, the information disclosed could include, for example, Google or YouTube account registration information (name, account creation information and associated email addresses) and recent sign-in IP addresses and associated time stamps.

What is a mutual legal assistance treaty (MLAT)?

An MLAT is a treaty between the U.S. and another country that defines how each country will help each other in legal matters such as criminal investigations. Through an MLAT, a foreign government can ask the U.S. government for help in obtaining evidence from entities in the U.S., including companies like Google. If the U.S. government approves the request, Google would respond to it.

How does MLAT work?

The MLAT process is fairly simple. Here's a hypothetical example: A police officer in London is investigating a case of identity theft and has evidence that the culprit has a particular Gmail account. To continue her investigation, the officer needs to know who the user is. Since there is an MLAT between the U.K. and the U.S., the officer can ask the U.K. Home Office to request information from the Office of International Affairs in the U.S. Department of Justice. The U.S. Department of Justice hands the request to the appropriate U.S. Attorney's office, which works through U.S. legal process and serves the user data request to Google. If the request satisfies the law and Google's policies, we would provide the information to the U.S. Attorney's office, and from there it would find its way to the officer in the U.K.

Is the MLAT the only way for governments outside the U.S. to get information from U.S. companies?

No. There are many ways that other countries can obtain information from companies like Google outside of the MLAT process, including joint investigations between U.S. and local law enforcement, emergency disclosure requests and others.