Whilst visiting Bavaria for the Munich Security Conference, Rachel Whetstone, Senior Vice President Communications and Public Policy at Google, gave a speech at the Bavarian Parliament about Google’s views on surveillance, security and privacy. The following is the full text of her speech.
Thank you for inviting me here today. It’s a great honor to be with you this afternoon: in a state with such a long history of invention–Siemens, Audi, BMW, Adidas; and in a city that has been such a wonderful partner to Google.
Just down the road, we signed our first major books digitization project with the Bavarian State Library. The village of Oberstaufen was our first Street View launch in Germany. Minister-President Seehofer was the first German politician to do a live interview on YouTube. Even the model locomotive in your Stone Hall represents a shared love of technology and excitement about the future.
Happily, it’s a future with more investment in Munich. Our new engineering center here will be home to several hundred employees–in addition to the three hundred who already live here. It happens to be located, appropriately enough, next to the Hacker Bridge–though, we don’t plan to hire any additional security.
Now I must admit to being a little bit nervous. US tech companies are front and center of the European political debate today: not always for the right reasons. And frankly some of the criticism is fair. As an industry we have sometimes been a little too high on our own success.
With that as my starting point, I wanted to talk about three important issues facing us all today:
- First, government surveillance and the role technology companies have in the fight against crime and terrorism;
- Second, the growing need to keep people’s information safe and secure online; and
- And third, privacy in the digital age.
One of the most basic duties of any government is to protect its citizens. It’s always been true that technology can be used for good, and bad. Since humankind discovered fire, there’s been arson. And today, the technologies we all use to find information or chat with loved ones, are also being co-opted by the criminal minority for their own purposes.
It’s why companies like Google have a responsibility to work with law enforcement. And we do–regularly providing account details, as well as the contents of private communications, like email, to the authorities as they investigate crime and terrorism.
For example, in the first six months of 2010, Google received almost 15,000 government requests for user data. By 2014, that number had risen to just under 35,000. We look carefully at every request and provide information in the majority of these cases–over 65 percent.
Why, you may ask, didn’t we comply in every case? Well, we have a duty to our users, as well. When people sign-up for an email account, they trust Google to keep that information private. So we need to be certain law enforcement requests are legitimate–not targeted at political activists or incredibly broad in their scope. In these cases we always push back. And we never let governments just help themselves to our users’ data. No government–including the US government–has backdoor access to Google or surveillance equipment on our networks.
This is why encryption is also important–because it requires governments to go through the proper legal channels. There’s simply no other way for them to get encrypted data, save hacking into our systems or by targeting individual users–issues I’ll touch on later. In fact, Gmail was the first email service to be encrypted by default, and we now encrypt Google Search, Maps, and Drive (our cloud-based storage service).
In the last few months, a number of governments have voiced their concern about the time it takes to process requests for user data when investigating crime, encryption and the storage of data, as well as the use of the Internet by terrorists. These concerns are entirely understandable, especially after last month’s horrific attacks in Paris and the barbaric murders of hostages by ISIS. So let me address each one in turn, starting with the time taken to process requests for user data.
When it’s a threat to life situation, Google is able to provide information to the authorities within hours–this is incredibly important given the increased terrorist threat many governments face today. But in most other situations, law enforcement requests–especially for private communications, such as Gmail–must be made through diplomatic channels, typically Mutual Legal Assistance Treaties, or MLATs for short. For example, if the US Government wants user information from a company based in Germany–say GMX or Xing–it works through the German government. It’s the same when the German government wants information from a US company, like Google. This creates checks and balances, preventing potential abuse.
That said, the MLAT process is too slow, too complicated and in need of reform. It’s why we’ve pressed to increase funding for the US Department of Justice so they can hire more people to process more requests, more quickly. And there’s good news here. For the first time, they’ve dedicated 90 staff and $20 million to process MLAT requests, and President Obama’s latest budget proposal asks for more.
When it comes to reform, it would save time if we moved beyond paper, fax machines and diplomatic pouches to web forms that are quick and easy to process. Europe is leading the way here. We now need the US to follow suit.
However, even with reform, some intergovernmental oversight will always be necessary. If government X wants information on its own citizens, that’s one thing. But when it’s asking for information about country Y’s citizens, surely that country should have a say in the decision as well. This process will always take some time.
Next: government concerns about encryption and the storage of data. Encryption helps prevent hackers from getting access to sensitive information like bank details–keeping the web safe and secure for everyone. It’s the same with the deletion of data. Snapchat, for example, automatically deletes photos and videos. It’s the ultimate right to be forgotten for the millions of young people using the service everyday. Given most people use the Internet for the reasons it was intended, we shouldn’t weaken security and privacy protections for the majority to deal with the minority who don’t.
Finally, terrorism. All of us have been horrified by ISIS and their use of the media to spread propaganda. At YouTube, the world’s most popular video sharing platform, we’re acutely aware of our responsibilities.
- Last year alone we removed 14 million videos because they broke YouTube’s policies prohibiting gratuitous violence, incitement to violence and hate speech.
- We automatically terminate the accounts of any terror group, and hand over the account information to the authorities.
- We allow law enforcement, for example the UK Home Office, to flag videos containing terrorist content, which we review and remove as a priority. We hope to work with law enforcement in other countries on similar efforts.
- And, we work with dozens of non-governmental organizations on counter speech–helping provide an alternative viewpoint to vulnerable young people.
Of course there is always more to be done and we welcome your ideas.
Over the last three years, first with Edward Snowden and now ISIS, we’ve seen the political debate about government access to information swing from one end of the spectrum to the other. Indeed, the race to encrypt was driven in large part by Snowden’s revelations, which uncovered some pretty outrageous behavior on the part of the US Government. The emergence of ISIS is now leading some governments to question encryption entirely, as well as to call for increased data retention. The solution, we believe, lies in a principled yet practical approach: one that restricts indiscriminate surveillance and supports valid law enforcement efforts while also protecting people’s privacy.
Privacy and security of personal information
Which brings me to my next subject: keeping people’s information safe and secure. In many ways, privacy and security are two sides of the same coin–if your data is not secure it’s not private, as last year’s celebrity hacks showed. While the target that time was Hollywood, it could just as easily have been you or me. So it’s not surprising that a recent Gallup poll showed people are more concerned with theft online than having their house broken into.
In the last four years, we’ve been able to cut in half the number of Google accounts that are hijacked. For example, we block suspicious attempts to log into accounts–perhaps because they come from an unusual device or location. If you’ve ever traveled abroad and got an email questioning a recent login, that’s Google working to keep you safe. And we also offer two-factor authentication so people are no longer rely only on their passwords for protection. Instead people confirm their identity not just with a password but also a code generated by their phone. If you’re at this conference and you’re not using two-factor authentication, you really should be–please talk to Wieland afterwards!
Now, we’re under a lot of scrutiny in Europe because of our size. But it is precisely our size that enables us to invest a lot in security, which helps our users as well as the wider web. For example, our Safe Browsing technology identifies sites that steal passwords or contain malware. If you’re using Chrome, we show very visible warnings–20 million per week–when you try to visit a malicious webpage. And because we make this data publicly available, Apple’s Safari and Mozilla’s Firefox browsers can use it as well. This helps protect over one billion people all around the world. We can also help move things forward in other ways: for instance, we now rank encrypted websites slightly higher in our search results, encouraging everyone to encrypt their services. And any company can take advantage of Google’s security expertise by using our corporate versions of Gmail and Drive. The fact that we employ 500 security and privacy experts means they don’t have to.
Corporate attacks are on the increase–and they highlight the interconnected nature of the web. The Sony hack, for example, not only exposed their own employees, but also the business plans of a high-profile tech CEO. In fact, the hack affected more than just egos–it hit the studio’s bottom line, too, when cinemas decided not to show The Interview. (Luckily, we were able to stand up for creative expression while helping Sony recoup some of that lost revenue by releasing the movie on YouTube and Google Play.)
These kinds of complexities are why security should be a team effort–companies working together, and governments working with companies. In 2010, Google disclosed that we had been subject to a significant cyberattack from China. At the time we were surprised that so few of the other companies targeted were willing to talk publicly. They were understandably afraid that doing so would frighten customers, provoke lawsuits, or worry investors. This is still the case for many companies today.
When individual companies keep attacks under wraps, it can make it harder for other companies to improve our defenses. It’s why we should all be to share best practices and the threats we see. We also believe that governments could be more forthcoming about the cybersecurity intelligence they have, so everyone can better protect themselves. This information often seeps out slowly, not least because it tends to get over-classified. We’re all stronger when security is a shared responsibility.
Privacy and trust
Finally, let me turn to privacy. I want to start by making clear Google hasn’t always got this right. It’s not just about the errors we have made–with products like Buzz or the mistaken collection of WiFi data–but about our attitude too. These have been lessons learned the hard way. But as our swift implementation of the Right to be Forgotten has shown, they are indeed lessons we have learned.
Now privacy means different things for different people, in different situations. For example, I may share photos only with my loved ones–others may feel comfortable posting them on the web. I may be happy for my friends to keep my shared photos forever–others may want them to disappear soon after. In the end, privacy is closely tied to our sense of personal identity: it’s not “one size fits all”. That’s why people want to be in control of the information they share and have real choices about the services they use. And that’s what we focus on at Google.
Keeping a record of what people search for can improve the quality of their results over time. But if you want to search without your queries being stored, turn off Search History. It’s really easy. Cookies help Google remember people’s preferences, like the language they use, for example. But if you want to browse the web and have your cookies disappear, use Chrome’s Incognito mode. If Google has someone’s location, we can give directions without them having to type in their start point each time. That’s useful for people like me with fat fingers on a mobile phone. But you can always turn that off too.
In addition, you can see all the information stored by Google and access all your privacy settings from one place, your Dashboard–which by the way was developed right here in Munich by our German engineers. People are using these tools and understand the choices they make. Ten million people check out their Account History settings each week–and make over 2.5 million changes. These are split evenly between people turning settings off and turning them on.
We also take pride in letting people leave Google easily. Data portability matters. So we’ve built a Takeout tool that enables you remove data stored by Google and put it elsewhere. We want people using our services because they love them, not because we hold their data hostage.
Now some of you are doubtless thinking: wait a minute–Google still collects all that information to serve me ads. Well actually no. Most of the data we collect is used to provide and improve our services. For example we store hundreds of billions of emails because hundreds of millions of people globally want unlimited storage. Gmail has become their digital filing cabinet. In fact, our Google search ads–the core of our business–actually require very little personal information. If you type flowers into Google search–the chances are you want … well … flowers! It doesn’t take a rocket scientist or a ton of data to work that one out.
Of course it is true that most of our services today are supported by advertising. But we view that as a positive because ads enable us to offer our products for free to everyone. Without ads, the poorest would not have access to the same search results, the same maps, the same translation tools, the same email service as the richest people on earth. And it’s important to remember that even though we are in the advertising business, Google does not sell your information–nor do we share it without your permission except in very limited circumstances, like government requests for data.
Now some people argue that Google’s collection of data is no different than government surveillance. “Google has the data so why shouldn’t we” is an argument used by many intelligence services in the press. But we believe there is a significant difference. Government surveillance uses data that was collected for an entirely separate purpose; it’s conducted in secret; its targets are unaware their data is being collected, and they are unable to stop or control it. Google, by contrast, collects data to provide and improve our products. And we give our users the ability to control or stop the collection of their data, or leave entirely.
The potential of science and technology
I was reading about the history of this building. I was amazed to see how long the project took: King Maximilian first started construction in 1857. It wasn’t completed until 1874, 17 years later. They actually had to change the style of architecture, mid-build, to keep up with the times.
In those 17 years, though, we saw the invention of the gasoline engine, the sewing machine, dynamite, and the typewriter. Darwin wrote the Origin of Species, and Mendeleev created the periodic table. That’s a pretty good 17 years. Technology was moving fast–probably faster than people wanted it to.
Similarly, just 17 years ago, you couldn’t instantly share photos of your children with friends… or talk to anyone, wherever they are in the world. The idea of not having a landline telephone seemed absurd.
The point is, just as in the 1850s, technology is moving fast. It’s changing the way we live. It’s raising new questions all the time. And, just as in the past, it’ll take many of us coming together to come up with the right answers. We look forward to working with all of you on that. Because this building was constructed from a profound optimism about the potential for science and technology to improve lives. That optimism is in your history. It’s in your DNA. And it’s an optimism that Google shares with you.
Posted by Al Verney, Corporate Communications Continua a leggere