Please Review for Legal Purposes

by Colin Berkshire

Beware this phrase: “Shall only be used for legal purposes”

This phrase is starting to pop up in privacy policies and terms of use. It may be worded slightly differently, but it will be something like the above text.

This phrase is not what you think. Most people think it will only be used as part of a legal proceeding with the order of a judge. To further deceive users the phrase may be buried in a paragraph like this:

We may disclose your data for legal purposes. We may disclose data when required as part of a legal proceeding such as if a search warrant is issued. We may disclose your data to third parties that have a need to know, such as billing companies…

What the phrase “only for legal purposes” means is that it can be used for anything that is not illegal. The company may sell the data, may disclose it freely, and can pretty much do anything they want with it.

I was close to purchasing a Google Nest Fire Alarm for my home. Then, I read that it has a microphone inside of it. Ostensibly, the microphone is used to listen to the alarm siren to verify that it is working. But think about it: These smoke detectors have a microphone inside of them. This microphone can listen and the device communicates over the internet.

So I drilled down into the Google Nest privacy statement. It went to a seemly simple document and there were links to a second document, and then finally to a third document. And, there it was: “Data may be used only for legal purposes.”

This means that google can activate the microphone, send the audio to their servers, can do voice recognition on it, create a transcription, and sell that to the US government for a price. And, it is all legal and you have consented to it!

A was talking with a friend about this, and he objected, stating that the government would require a search warrant. He is wrong.

If the government demanded the data and Google didn’t wish to provide it then they would need a search warrant. But if Google simply offered the data to the government as a product, and got paid a price for doing this, then it is a perfectly legal transaction. Google is selling transcripts of everything happening in your bedroom only for legal purposes, that is, it is perfectly legal for them to do this because you consented to the privacy statement and terms of service.

Many years ago a friend of mine casually mentioned that Google’s largest customer was the US Government. The story was that the government paid Google a lot of money for what he called the “firehose”. Every search anybody submitted, along with their IP address, was transmitted to the US Government for a price. Your searches were a commodity being sold. In this case, all that is necessary is for Google to reasonably believe that doing so will protect the public from harm to the public. The operate phrase is “as required or permitted by law.” Being required is one thing, being permitted is quite another.

Here are some highlights from the Nest Privacy Policy: (

  1. You consent to international data transfers. This means that when your data is sent outside the United States you no longer have constitutional protection or privacy, and your legal rights in the US are forfeit. You have to admit that you were warned, as Google states: “Please be aware that the privacy protections and legal requirements, including the rights of authorities to access your personal information, in some of these countries may not be equivalent to those in your country.”
  2. “We collect data from several sensors built into the Nest Learning Thermostat.” They then go on to mention temperature, etc, but that enumeration doesn’t in any way exclude use of the microphone for any purpose.
  3. OK, here they get right down to the dirty: “Nest Protect 2nd generation also contains a microphone, which enables Nest Protect to deliver certain enhanced features.” How much more in your face can they put it?
  4. If you have a Nest Cam this applies: “we may record and process video and/or audio recordings from the device” and “we will capture, process and retain video and audio data recordings from your device” and this gem: “we will process face images and underlying face prints for the purpose of enabling your device to recognize familiar faces”. So, basically, everybody in your home can be identified and Google can provide this information,ationt to he US Government or any other party.
  5. The key thing to remember when reading a privacy policy is that the examples are often a good way to obfuscate the more nefarious possibilities. For example, if they say “We will only use your information for legal purposes, such as if required by law” they are NOT saying that they will ONLY disclose it if required by law.

Either Google’s privacy policies pretty clearly allow the selling of your data to the US Government, or the transport of the data outside of the US where they then can do anything they wish with it, or else they have one very sloppily worded legal document. My bet is that they have good lawyers.