Tech Tips

July 08, 2013

Could your service provider participate in government data collection? Check their Privacy Policy

We've all clicked Yes on a Privacy Policy without reading it. But you should really know what's in that policy...especially when it allows a provider to share your data with the government. Here's what 5 such providers say about government data sharing.
If a service provider shares customer data with other entities, they must notify you in their Privacy Policy, or Terms of Service. This way they have “informed” you of their intentions to share data with the government (such as for the NSA's PRISM surveillance).

The problem is, such notifications are often buried amid long paragraphs of legalese. And they are written in such a way that it's hard to tell what they actually mean.

We read through the Privacy Policies of several major service providers, to see if they included a notification for government data collection. What we found – every one of the providers said they would share your data with government if asked.

Here are direct quotes from each provider’s policy on cooperating with government.

Amazon Web Services: Protection of and Others –
"We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements; or protect the rights, property, or safety of, our users, or others."

Facebook: Responding to legal requests and preventing harm – Facebook Data Use Policy
"We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so."

Google Docs/Drive: Information We Share (for Legal Reasons) –
"We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
  • meet any applicable law, regulation, legal process or enforceable governmental request."
Microsoft Office 365: Sharing or Disclosing Personal Information – Privacy Statements
"We also may share or disclose personal information, including the content of your communications:
  • To comply with the law or respond to legal process or lawful requests, including from law enforcement and government agencies."
Rackspace: Disclosure of Personal Information – Privacy Statement
"In particular, we may release the information we collect to third parties when we believe it is appropriate to comply with the law, to enforce our legal rights, to protect the rights and safety of others, or to assist with industry efforts to control fraud, spam or other undesirable conduct."

If you want to check your own provider, here’s how: Locate their Privacy Policy page (or Terms of Service if they don't have one). Search for text related to "legal process," "compliance with law" or similar language. If you aren't sure, email the provider's Customer Service department and ask.

Most businesses will cooperate with law enforcement in the course of a criminal investigation. These efforts require a warrant and are supervised. That’s not what this Tech Tip is about.

This is about whether your data is safe from government surveillance when using public cloud providers. According to their own terms & policies…it's not.