Legal process for user data requests FAQs

A variety of laws allow government agencies to investigate regulatory violations or criminal activity. Google receives requests for user data from government agencies investigating criminal activity, administrative agencies, courts and others.

We require that requests for user data be sent to Google directly and not through any sort of "back door" direct access by the government.  Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process.  We have taken the lead in being as transparent as possible about government requests for user information.

Respect for the privacy and security of data you store with Google underpins our approach to producing data in response to legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Google's policies. Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we'll seek to narrow it.

You can find the numbers right in this report, including a table of requests by country.

Yes, we often successfully narrow the scope of requests. For example, in 2006 Google was the only major search company that refused a U.S. government request to hand over two months' of user search queries. We objected to the subpoena, and eventually a court denied the government's request. In some cases we receive a request for all information associated with a Google account, and we may ask the requesting agency to limit it to a specific product or service.

You can. We provide tools that allow you to download your content from many of our services using Google Takeout. Google, however, requires valid legal process before we will produce data in response to a request from a government agency (even if the request is being made on your behalf), absent an emergency situation.

Google empowers our users to view and control their own data. Using Takeout, users can export or create an archive of their Google data. Using the Inactive Account Manager, users can decide what should happen to their data in the event that they have been inactive for a certain period of time. We highly encourage our users to try these tools to manage data and digital legacy.

The government needs legal process—such as a subpoena, court order or search warrant—to force Google to disclose user information. Exceptions can be made in certain emergency cases, though even then the government can't force Google to disclose.

Sometimes we voluntarily disclose user information to government agencies when we believe that doing so is necessary to prevent death or serious physical harm to someone. The law allows us to make these exceptions, such as in cases involving kidnapping or bomb threats. Emergency requests must contain a description of the emergency and an explanation of how the information requested might prevent the harm. Any information we provide in response to the request is limited to what we believe would help prevent the harm.

Law Enforcement authorities can submit data requests to Google Inc. in person, via fax, regular mail, email, or through Google’s online Law Enforcement Request System (LERS). Acceptance of legal process by any of these means does not waive any objections.

LERS is a system in which a verified law enforcement agent can securely submit a legal request for user data, view the status of the submitted request, and download the response submitted by Google.

It’s served over HTTPS, so LERS is encrypted. Each law enforcement agent accessing the system has a unique user account (provisioned by Google) and is required to login with 2-step authentication.

No. LERS does not provide governments with direct access to our systems or our users’ data. LERS is an interface through which approved government authorities can submit legal requests. Google reviews each government request and uses LERS to respond appropriately in accordance with applicable laws. The same legal standards apply to LERS submitted process as apply to legal process submitted to Google via other methods.

By far the most common is the subpoena, followed by search warrants. A federal statute called the Electronic Communications Privacy Act, known as ECPA, regulates how a government agency can use these types of legal process to compel companies like Google to disclose information about users. This law was passed in 1986, before the web as we know it today even existed. It has failed to keep pace with how people use the Internet today. That's why we've been working with many advocacy groups, companies and others, through the Digital Due Process Coalition, to seek updates to this important law so it guarantees the level of privacy that you should reasonably expect when using our services.

It's complex, but here's a summary of the different forms of legal process covered by ECPA:

Subpoena

Of the three types of ECPA legal process for stored information, the subpoena has the lowest threshold for a government agency to obtain. In many jurisdictions, including the federal system, there is no requirement that a judge or magistrate review a subpoena before the government can issue it. A government agency can use a subpoena to compel Google to disclose only specific types of information listed in the statute. For example, a valid subpoena for your Gmail address could compel us to disclose the name that you listed when creating the account, and the IP addresses from which you created the account and signed in and signed out (with dates and times). Subpoenas can be used by the government in both criminal and civil cases.

On its face, ECPA seems to allow a government agency to compel a communications provider to disclose the content of certain types of emails and other content with a subpoena or an ECPA court order (described below). But Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable search and seizure.

ECPA Court Order

Unlike an ECPA subpoena, obtaining an ECPA court order requires judicial review. To receive an ECPA court order, a government agency must present specific facts to a judge or magistrate demonstrating that the requested information is relevant and material to an ongoing criminal investigation.

With such a court order, a government agency can obtain the same information as a subpoena, plus more detailed information about the use of the account. This could include the IP address associated with a particular email sent from that account or used to change the account password (with dates and times), and the non-content portion of email headers such as the "from," "to" and "date" fields. An ECPA court order is available only for criminal investigations.

Search Warrant

The threshold is higher still for an ECPA search warrant. To obtain one, a government agency must make a request to a judge or magistrate and meet a relatively high burden of proof: demonstrating "probable cause" to believe that contraband or certain information related to a crime is presently in the specific place to be searched. A warrant must specify the place to be searched and the things being sought. It can be used to compel the disclosure of the same information as an ECPA subpoena or court order—but also a user's search query information and private content stored in a Google Account, such as Gmail messages, documents, photos and YouTube videos. An ECPA search warrant is available only in criminal investigations. The video below provides an overview of how we review and respond to ECPA search warrants.

Way of a Warrant

What are Wiretap, Pen Register and Trap and Trace Orders, and How Do They Differ from Other ECPA Legal Process?

If Google receives ECPA legal process for a user's account, it's our policy to notify the user via email before any information is disclosed unless such notification is prohibited by law.  We will provide delayed notice to users after a legal prohibition is lifted, such as when a statutory or court ordered gag period has expired.  We might not give notice when, in our sole discretion, we believe that notice would be counterproductive or exceptional circumstances exist involving danger of death or serious physical injury to any person.  In such cases, we will provide delayed notice if we later determine that those circumstances no longer exist.  In cases where the account in question is an enterprise hosted account, notice may go to the domain administrator, or the end user, or both.

 

We review each request we receive before responding to make sure it satisfies applicable legal requirements and Google's policies. In certain cases we'll push back regardless of whether the user decides to challenge it legally.   If the request appears to be legally valid, we will endeavor to make a copy of the requested information before we notify the user.

It means we've received a legal request to disclose information that's either stored in your Google account or associated with it. Just because we receive a request doesn't necessarily mean that we did—or will—disclose any of the requested information. We have a rigorous process for reviewing these requests against legal requirements and Google's policies.

In these emails, Google will not ask you to provide any personal information such as a password or social security number. If you get an email purportedly from Google that asks for this type of information, don't provide it. The email is probably a scam, so please report it to us.

You may wish to consult a lawyer to discuss your options. In our notice to you, we will provide information so that you can contact the requesting party with questions about the legal process. We will also provide a copy of the legal process upon request, although we may have to redact some information before sending it to you. We can’t give you legal advice or discuss the substance of the request.

Unless you take action, like filing an objection with the court, we may have to produce information responsive to the request. Typically, the amount of time you’ll have to file an objection will be 7 calendar days, though that can vary from case to case. Be sure to send us a copy of any objection filed with the court so we know about it, and make sure that copy has the court’s stamp on it showing it was actually filed. It is not enough to just ask us not to disclose the information because we may be required to produce data unless a court tells us otherwise.

To answer that, let's look at four services from which government agencies in the U.S. commonly request information: Gmail, YouTube, Google Voice and Blogger. Here are examples of the types of data we may be compelled to disclose, depending on the ECPA legal process, the scope of the request, and what is requested and available. If we believe a request is overly broad, we will seek to narrow it.

 

Products	Subpoena	Court Order	Search Warrant
Gmail	Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number) Sign-in IP addresses and associated time stamps	Non-content information (such as non-content email header information) Information obtainable with a subpoena	Email content Information obtainable with a subpoena or court order
YouTube	Subscriber registration information Sign-in IP addresses and associated time stamps	Video upload IP address and associated time stamp Information obtainable with a subpoena	Copy of a private video and associated video information Private message content Information obtainable with a subpoena or court order
Google Voice	Subscriber registration information Sign-up IP address and associated time stamp Telephone connection records Billing information	Forwarding number Information obtainable with a subpoena	Stored text message content Stored voicemail content Information obtainable with a subpoena or court order
Blogger	Blog registration page Blog owner subscriber information	IP address and associated time stamp related to a specified blog post IP address and associated time stamp related to a specified post comment Information obtainable with a subpoena	Private blog post and comment content Information obtainable with a subpoena or court order

 

Google provides a written certificate of authentication with the information it discloses in response to legal process. This is typically sufficient to allow for admissibility in a court proceeding. Google does not provide expert testimony.

Using Mutual Legal Assistance Treaties (MLATs) and other diplomatic and cooperative arrangements, non-U.S. agencies can work through the U.S. Department of Justice to gather evidence for legitimate investigations. In some cases, the U.S. Federal Trade Commission may be able to provide assistance.

If U.S. law is implicated in the investigation, a U.S. agency may open its own investigation and provide non-U.S. investigators with evidence gathered. Google may also disclose data in response to emergency disclosure requests when we believe that doing so is necessary to prevent death or serious physical harm to someone.

On a voluntary basis, we may provide user data in response to valid legal process from non-U.S. government agencies, if those requests are consistent with international norms, U.S. law, Google's policies and the law of the requesting country.

If a non-U.S. agency goes through a diplomatic process like MLAT to obtain a U.S.-issued ECPA subpoena, court order or search warrant, Google would produce the same information as if the request originated directly from a U.S. agency. In cases where Google honors legal process issued directly from the non-U.S. agency, the information disclosed could include, for example, Google or YouTube account registration information (name, account creation information and associated email addresses) and recent sign-in IP addresses and associated time stamps.

An MLAT is a treaty between the U.S. and another country that defines how each country will help each other in legal matters such as criminal investigations. Through an MLAT, a foreign government can ask the U.S. government for help in obtaining evidence from entities in the U.S., including companies like Google. If the U.S. government approves the request, Google would respond to it.

The MLAT process is fairly simple. Here's a hypothetical example: A police officer in London is investigating a case of identity theft and has evidence that the culprit has a particular Gmail account. To continue her investigation, the officer needs to know who the user is. Since there is an MLAT between the U.K. and the U.S., the officer can ask the U.K. Home Office to request information from the Office of International Affairs in the U.S. Department of Justice. The U.S. Department of Justice hands the request to the appropriate U.S. Attorney's office, which works through U.S. legal process and serves the user data request to Google. If the request satisfies the law and Google's policies, we would provide the information to the U.S. Attorney's office, and from there it would find its way to the officer in the U.K.

No. There are many ways that other countries can obtain information from companies like Google outside of the MLAT process, including joint investigations between U.S. and local law enforcement, emergency disclosure requests and others.