My latest piece for, entitled "Could Future Subpoenas Tie You to 'Britney Spears Nude'?" (their title, not mine), discusses all the information about you being stored by Google, Yahoo, AOL and other Internet intermediaries. Google, for example, has confirmed that if given an IP address, it can produce a list of every Google search query ever sent from it.

All that information is becoming an irresistible target for lawyers wielding subpoenas. The spat between Google and the Department of Justice that came to light a couple weeks ago is just the tip of a much bigger subpoena iceberg. As the New York Times reports today, AOL is receiving more than 1,000 subpoenas each month seeking information about AOL users. Although today the vast majority of those subpoenas are from law enforcement agencies, an increasing number are from civil litigants trying to dig up information about their adversaries.

Complete text of "Could Future Subpoenas Tie You to 'Britney Spears Nude'?" after the jump.

Could Future Subpoenas Tie You to 'Britney Spears Nude'?
DOJ's subpoena of Google may lead to more intrusive examination of Internet users' online records
Fred von Lohmann
Special to

As news circulated of the government's recent effort to force Google to hand over information about what its users are searching for, you could almost hear the collective gasp from Internet users. Wait, Google has been keeping records of all my searches? Including the embarrassing ones ("britney spears nude" was the second most popular "britney" search last month), the incriminating ones (your searches about marijuana cultivation were for research, of course), and the routine ones (from which your professional and recreational interests can easily be deduced)?

Anyone who looked into the story quickly realized that the privacy intrusion was less dire than it first appeared -- the U.S. government is not looking for your personal search history (although Justice Department officials reserved the right to follow up on any interesting information they come across). But before you breathe a sigh of relief, remember that the feds could ask Google for your search history. And so can any private litigant with an axe to grind and a subpoena in hand. If someone does deliver a subpoena to Google for your records, there is no law that requires that you even be notified, much less be afforded an opportunity to object.

The Google subpoena incident is a timely reminder to all Internet users that we are routinely entrusting third parties with an ever-increasing amount of private information about ourselves. We entrust our e-mail to services that encourage us to "never throw anything away," we upload our photos to share with family, and rely on search engines to help us track down virtually everything without a second thought.

Will iron-clad privacy policies protect us? Probably not. After all, every privacy policy includes a carve-out that permits disclosure of your information in response to a valid subpoena. And as any lawyer knows, it is not hard to issue a subpoena to nonparties in connection with pending litigation.

Which brings us back to the tussle between the U.S. government and Google.

For several years, the Department of Justice has been defending the constitutionality of the Child Online Protection Act (COPA), which made it a crime for commercial Web sites to publish material "harmful to minors." The law has been challenged in court on constitutional grounds (my employer, the Electronic Frontier Foundation (EFF), is a plaintiff), and the case is set for trial later this year. In preparing its case, the Justice Department is assembling evidence that it hopes will demonstrate that one, the Internet is awash in porn and two, the filtering technologies available to parents do not adequately protect children from it.

That's where Google comes in. The Justice Department sent a subpoena to Google as a nonparty witness (Google is otherwise not involved in the COPA lawsuit) demanding data to "assist the government in its efforts to understand the behavior of current Web users, to estimate how often Web users encounter harmful-to-minors material in the course of their searches, and to measure the effectiveness of filtering software in screening that material." The initial subpoena was breathtaking in scope -- every Web site address in Google's search index, as well as every search submitted over a two-month period. The government ultimately narrowed the request to a random sample of 1 million Web site addresses and all searches submitted over a one-week period. Google is resisting, arguing that the subpoena is unduly burdensome and could jeopardize its trade secrets, and the Justice Department went to court to compel Google's compliance (MSN, Yahoo and America Online all complied with similar subpoenas after negotiating agreements with the Justice Department).

In other words, the government wants a one-week sample of Google searches in order to figure out what the average Internet user is searching for, surmising that many of the searches might lead to material "harmful to minors" (like that "britney spears nude" search, mentioned above). The government is apparently not interested in who was doing the searching, at least not this time. The subpoena does not seek information that would link the searches back to individual Google users. Nor is the government demanding continual surveillance of Google searches; the Justice Department just wants all the searches performed in a one-week period several months ago.

So this subpoena to Google is not likely to tie you to your "paris hilton video" searches. But what about the next one? Lawyers wielding subpoenas are figuring out that online intermediaries are juicy targets to squeeze for information. One person has already been convicted of murder based in part on his incriminating Google search history (in that case, the evidence was obtained from the defendant's own computer, rather than from Google). The recording industry has already served more than 19,000 subpoenas on Internet service providers (ISPs) seeking the identities of those accused of infringing copyrights by downloading music. And Apple Computer has served subpoenas on ISPs seeking e-mails to unmask anonymous sources relied upon by journalists for rumors about future Apple products. What's to stop local law enforcement authorities from routinely sending subpoenas to search engines in criminal cases? Or divorce attorneys? Or civil litigants?

Of course, the use (and abuse) of nonparty subpoenas is nothing new. What is new is the amount of potentially sensitive information that "nonparties" have about us. Moreover, that information often is concentrated in the hands of a few dominant Internet companies. You may not know which dry cleaner someone uses, but if you guess that she uses Google for searching the Web, your odds of being correct are high.

Where information in the hands of third parties is concerned, the law often does a poor job protecting your privacy. As professor Daniel Solove points out on his Concurring Opinions blog, Supreme Court rulings such as United States v. Miller, 425 U.S. 435 (1976), have led some courts to conclude that you have no reasonable expectation of privacy, and hence no Fourth Amendment protections, with respect to information in the hands of third parties. Moreover, the statutory framework that governs personal information in the hands of third parties is woefully incomplete, protecting some information (banking records, video rental records, medical records) while leaving the rest largely undefended. Finally, when third parties receive a subpoena seeking information about you, generally they are under no legal duty to notify you.

This is a recipe for an online privacy nightmare. And where nonparty subpoenas are concerned, "privacy policies" and "industry self-regulation" are little more than inadequate fig leaves.

So what should be done?

Search engines like Google should stop keeping so much information about us. After all, why does Google need to keep a record of every one of my searches? At a minimum, the information that ties particular searches to me need not be kept indefinitely. Search engine operators often suggest that logging our behavior helps to "improve the services we can provide you." That may be true, but that justification has limits. After all, as Columbia Law School's Professor Tim Wu observes, Starbucks might be able to improve its coffee offerings by recording every conversation that takes place in its cafes ("you know, darling, this macchiato would be better if ..."), but Starbucks customers would properly be apoplectic at the thought.

There is legal precedent for forcing a business to delete your information after a reasonable time. The Video Privacy Protection Act, 18 U.S.C. ?2710, requires that video rental services "destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected." The law also requires that the person whose information is sought be notified prior to disclosure and includes an exclusionary rule barring wrongfully obtained information from any court proceeding. A similar rule has recently been proposed for search engines in legislation introduced by Rep. Edward Markey, D-Mass. Such a rule would go a long way toward protecting our privacy online.

Related Issues