Don't be evil
Third party data dangers
What makes the Google documents and spreadsheets even more insidious is the fact that the stored records are not Google's records. You can at least make a plausible argument that my browsing activity, like my bank records, my phone records, my college transcripts, etc., are records of a third party (my bank, my phone company, my college) about me. That doesn't mean these records are personal, private or sensitive. Indeed, in the United States some of these records are entitled to some measure of legal protection from compelled disclosure. My medical records are actually the hospital or physician's records about me, but I have a privacy interest in them. On the other hand, the hospital is required to turn them over if, for example I have extremely drug resistant tuberculosis. What is worse, if the hospital commits a crime or fraud (say, overbills the insurer for my treatment) the government can mandate that the hospital turn over my psychiatric records to be introduced into some court somewhere. Worse still, there is no requirement that the holder of these records about me be compelled to even tell me that they have been asked for or been compelled to produce these records unless they fall within a class of records that has separate legal protection.
But Google Documents is different. These aren't Google's documents about me. They are MY records stored on Google's server. They can be personal like diary entries, they can be privileged attorney-client communications or research. They can be anything, but they are clearly mine. My intellectual property,.my copyright, my thoughts or musings - not Google's. The same is true for my e-mails, voicemails, or the contents of my VOIP calls.
So what happens when Google gets a subpoena or court order for my documents and spreadsheets - whether in a civil or a criminal case? As noted, the law generally requires an entity to produce any "evidence" - including documents and records - within its possession, custody or control. So my records are in the "possession" of Google in the same way that, if I left a smoking gun in your living room, the cops could either search your house for the gun, or get a subpoena compelling you to give up the gun.
But wait. These are personal records. They are "locked" in the sense that they are password protected, and only you have the key. Does the physical location of the virtual information that the documents represent really matter? It seems to. If your records are physically with a third party, they probably have "possession" of them for legal purposes, and therefore can be compelled to produce them, despite the fact that the records are virtual. The concept of location remains important in the law, but not so much in technology. Thus, when a Cablevision, a US cable TV company allowed its customers to digitally record shows for later playback, the court found it critically important that the recorded programs were stored remotely on a hard drive on Cablevision's servers (a copyright infringement) as opposed to being stored locally on a Cablevision hard drive at the customer's home.
Just because the records are personal doesn't necessarily mean that the temporary custodian can't be compelled to produce them. The law has long recognized that by giving up the records to someone else, you are taking the risk that they will be turned over. Thus, the U.S. Supreme Court found that things like cancelled checks and other records can be subpoenaed from a bank without notice to the customer because "the issuance of a subpoena to a third party to obtain the records of that party does not violate the rights of a defendant." Similarly, testing the contents of a package damaged by a private freight company for drugs didn't violate the package owner's rights, because he took the risk that the freight carrier would disclose information to the government. The Supreme Court has also made it clear that the subject or target of an investigation is not required to be notified when their records are subpoenaed or otherwise demanded from a third party, noting that "When a person communicates information to a third party even on the understanding that the communication is confidential, he cannot object if the third party conveys that information or records thereof to law enforcement authorities."
Now let's make it even more complicated. We already have the issues of physical location, virtual location, ownership, and privacy interests to deal with. To this we can add "ability and authority to access." Is the mere "ability" to access a document or record enough to mean that you have "possession, custody or control" of the record for the purposes of being compelled to produce that record? If I have your Gmail account ID and password, can I be compelled to produce your records? What if I regularly access your GMail documents and spreadsheets account? What if I have the authority to do so? At what point do I take possession of these records? On the other side, if you store your records remotely through Google Documents and Spreadsheets, can you avoid having to produce them pursuant to a subpoena or court order merely be claiming (correctly) that you don't "possess" them inasmuch as they are somewhere else? I don't think so. The issue isn't "ownership" either, as you can be compelled to produce ANY records or objects in your possession custody or control - not just ones you own. Confused? Wait... there's more.
Add to this mix the issues related to sovereignty, jurisdiction and venue. Different countries have different privacy laws, and different laws related to compelled production of information or documents in both civil and criminal cases. Can a US court order the production of records of a foreign company merely because they are stored on a server in Menlo Park, California? Can they reach over to compel production of records in a foreign country merely because a terminal in the U.S. can be used to "log in" to get them? Can an affiliate be compelled to produce records of a foreign domiciled affiliate merely because it has the ability to obtain those records? While the cases are going to be fact dependent, the general rule the U.S. courts are likely to follow will be, if you can produce, you must produce.
Sponsored: 2016 Cyberthreat defense report