Search giant Google has agreed to retain an independent compliance monitor and provide the federal government updates on how it’s managing data for purposes of legal compliance as part of an agreement with the Department of Justice announced this week.
The deal stems from a years-long tussle between the two over Google’s compliance with a 2016 search warrant that DOJ issued to get data that the company was storing on BTC-E, a crypto exchange.
Google only provided the government BTC-E data that it could confirm was being stored on its U.S. servers because it interpreted a recent court decision as saying only U.S.-based data was subject to a warrant under the Stored Communications Act.
Based on that interpretation of its obligations, the company invested millions of dollars in developing tools to help it identify and manage the preservation of data based on where it was being stored. Identifying where data was at any given time wasn’t a straightforward matter because Google uses a system in which data doesn’t stay in one place but moves seamlessly to storage locations around the world based on what’s most efficient and reliable.
“Google could not always determine the country in which certain data was stored at a given time,” DOJ said.
Identifying and managing the preservation of data based on where it was stored was particularly difficult for images, according to DOJ, requiring Google to up its investment to solve engineering problems after it learned its tracking tools were not capturing that kind of data.
“Tooling that allowed preservation without repatriation had not been developed for photographs as of that time,” DOJ said.
Meanwhile, another court decision, along with passage of the federal Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018, made clear the Stored Communications Act applied to data no matter where it’s stored, but by then Google had discovered it had lost some of the data that DOJ was seeking, in part because an employee had inadvertently deleted it.
“Due to issues with designing and implementing Google’s tools intended to preserve data without repatriating the data, some data had been deleted by a user, and therefore was no longer available,” DOJ said.
Throughout the back-and-forth, Google remained protective of the data stored abroad, seeking to keep its users’ data confidential to the extent it lawfully could.
“Google … did not produce data unless compelled by law, consistent with Google’s policies of protecting users’ privacy,” DOJ said.
DOJ said it agreed to settle the matter given the company’s effort to improve its data management system for legal compliance, which included its investment of some $90 million to engineer new tools and beef up its systems and processes for the purpose.
“Google undertook improvements to its program for complying with legal process, including increasing the size of its law enforcement compliance unit, decreasing the average response times for legal process, creating a dedicated email address for law enforcement to request expedited responses, and improving its engineering efforts to respond to legal process,” DOJ said.
The agreement lets Google pick its independent compliance monitor with DOJ’s approval. There’s no reason the monitor can’t be someone who has worked with the company before as long as no conflict is identified. Google will pay the costs of the monitor and any people brought on to assist.
After three years, if DOJ is satisfied with the process Google has put in place based on the compliance monitor’s reports, the deal is done. If DOJ is not satisfied, it can seek to extend the monitor for two more years.
In its statement on the agreement, DOJ called it a first-of-its-kind resolution. “This agreement will help to ensure that, moving forward, Google will maintain the technical capability and resources necessary to comply with lawful warrants and orders,” said Stephanie Hinds, the U.S. attorney for the Northern District of California.