Google complied with 5525 of 6335 requests from Australian authorities to disclose user information relating to 7183 accounts last year.
The latest instalment of Google’s biannual transparency reports – user information disclosures – follows data released earlier in the year on government content removal requests, which revealed that action by the eSafety Commissioner led to thousands of sites being de-indexed from the search engine in 2022.
The tech giant is more transparent about which government agencies are behind the take-downs than which are requesting user data and for what purpose.
Meta and TikTok’s transparency reports are the same; although Meta revealed that it complied with 3563 Australian agencies’ requests last year and TikTok complied with 91, during the period – little is known about who made them.
The scraps of information available about which agencies are obtaining end-user information from the platforms come from the agencies themselves; some authorities publish the number of requests that they make for end-user information to service providers when the Acts used for the requests require them to.
For example, according to the eSafety Commissioner’s 2021-2022 annual reports, it used the Online Safety Act to obtain end-user identity information or contact details four times during the period as part of investigations into crimes involving non-consensually shared images.
The Australian Federal Police’s account-takeover powers were used twice to investigate child abuse during the 2021-22 financial year, according to its annual report.
Thirty (30) technical assistance requests were sent to industry during the 2021-2022 period, including four from the Australian Criminal Intelligence Commission, two from the AFP, three from Victoria Police and 21 from NSW Police
However, neither eSafety’s annual reports, nor reports issued by law enforcement, offer a breakdown of actions taken against digital services providers by company when it comes to requests for their users’ data.
In the US, Google and Meta have come under increasing scrutiny for their compliance with authorities’ requests for user data.
The FBI issued geofence warrants to Google to obtain the locations of 5723 people during its investigations into the 2021 January 6 riots, and since the overhaul of Roe V. Wade, Facebook messages have been used to convict women in states where abortions have become illegal.
And the requests are not just for citizens’ data; Google’s latest transparency report reveals that one of the Australian requests that it received during the period related to an enterprise cloud customer, however, the report did not disclose the organisation’s name.
Google received 62 ‘emergency requests’ related to Australia in 2022, which do not have to be processed with the same safeguards as regular requests.
Normally Google will inform a user of a request from authorities to access their account data unless there is a “statutory or court-ordered gag period”, however, Google “might not give notice in the case of emergencies, such as threats to a child’s safety or threats to someone’s life,” Google’s policies on information requests state.
“In which case we’ll provide notice if we learn that the emergency has passed…We still consider these requests in light of applicable laws and our policies.”
Australia made seven diplomatic legal requests to the US for information related to Google in 2022.
Currently, these requests have to be processed through Mutual Legal Assistance Treaties (MLATs).
However, when the CLOUD Act treaty is ratified, formal requests for data will be able to be approved by US-based companies without going through the MLAT process when it relates to serious crimes like ransomware attacks.