As Google’s senior law enforcement and security counsel, Nicole Acton Jones, JD ’03, often finds herself treading carefully between rocks and hard places. On one side, critics say that Google is too quick to disclose its users’ personal information to third parties, including law enforcement agencies. Others claim that the internet search giant is not doing enough to help governments worldwide uphold the rule of law and keep people safe.
Fortunately, Jones says, her training at Stanford Law School in the early 2000s prepared her well for such challenging legal terrain. “I started when Professor Larry Lessig was founding the Stanford Center for Internet and Society and Jennifer Granick was launching the cyberlaw clinic,” she recalls, sitting in an airy conference room at Google’s new Mountain View headquarters, overlooking Moffett Field. “The timing was perfect.”
A former federal prosecutor, Jones provides counsel on all matters relating to law enforcement at Google, including tens of thousands of user data requests that flood into the company each year from around the world. While most turn out to be lawful government queries relating to criminal investigations and public safety, all have to be scrutinized carefully and many must be challenged. The company regularly wages legal battles against gag orders that prevent users from knowing their data is being requested.
“It doesn’t matter if you’ve got a celebrity handle or you’re Joe Schmo on the street; if litigation is required to limit, quash, or modify the legal process, Google goes into court and does it,” notes Albert Gidari, who frequently worked with Jones as an outside counsel and now serves as director of privacy at the Stanford Center for Internet and Society. “Nicole is a great example of someone who fights really hard to make sure that the only information going out the door is what the government is entitled to—and nothing more.”
In addition to providing counsel on how to respond to user data requests, Jones works closely with security engineers and investigators to manage significant fraud, abuse, and security issues on Google.com—the most visited website in the world. If a law enforcement issue touches any of the company’s 60,000-plus employees worldwide, her team is on it. She also provides counsel relating to the rollout of Google products and services and frequently represents Google at government forums related to cybersecurity and cybercrime. In December 2015, for example, after the terror attack in San Bernardino, California, she spoke at a closed-door industry briefing before the House Judiciary Committee, arguing against mandated “backdoors” that would allow law enforcement to get around device encryption.
It’s a job that requires long hours and frequent travel, not to mention a strong backbone: Jones is a woman, and an attorney, in a working environment dominated by male engineers and law enforcement personnel. “I have had some experiences, particularly with non-U.S. officials, where the people I met with clearly preferred to be dealing with a man,” she notes. Fortunately, she adds, “I have benefited immensely from working with strong and supportive female role models throughout my career.”
Jones’ interest in information technology law dates back to her childhood in Whitefish, Montana, a resort town not far from Glacier National Park. Her father, a city employee, was a self-taught computer whiz who went on to become the municipality’s unofficial IT person. After earning her business degree at Montana State University-Bozeman, she moved to the Bay Area to take a job in the tech industry. When she subsequently began applying to law schools, Stanford wasn’t even on her radar—until a supportive co-worker at Oracle offered to spot her the $60 application fee. “I reluctantly agreed to fill out yet another law school application and, much to my surprise, I got in,” Jones recalls, smiling. “At the time, I thought I wanted to do intellectual property law and patent litigation. I didn’t know that cyberlaw even existed.”
At Stanford, Jones was active in the formation of the Stanford Law and Technology Association and worked for the Stanford Technology Law Review, as well as the then-new cyberlaw clinic. One of her cases there concerned an ex-Ampex employee who had written disparaging things about the electronics company, anonymously, on a Yahoo message board. When Ampex sued to unmask the defendant, Jones and her fellow law students filed a motion arguing that his message board comments were protected by the First Amendment. (Eventually he won back his legal fees.)
After graduation, Jones clerked and worked briefly as a litigation associate; then she took a job as a federal prosecutor in San Diego, ultimately serving as a computer hacking and intellectual property attorney in the National Security and Cybercrimes Section. “I became responsible for training the rest of the people in the office on how you legally ask companies like Google for data,” she says. “That really set me on the path to be where I am today.”
Jones was hired for her current position in 2011 by another former federal prosecutor, Richard Salgado, now Google’s director of law enforcement and information security. Under his leadership, Google became the first company to publish online transparency reports disclosing the types and quantities of government user data requests. Today, the numbers contained in those biannual reports are staggering: 76,000 requests in 2015 alone, compared with about 28,000 in 2010. In about two-thirds of those cases, Jones and her team produced at least some of the desired information; the remaining requests were denied on legal grounds.
“It used to be that only people looking into cybercrime needed the type of electronic evidence that can be held by companies like Google, but now any case can raise these types of issues,” she says. “The volume of user data requests has gone through the roof, and the complexity is very different from what it was just a few years ago.”
Outdated government regulations don’t help, she adds. “Much of the current technology law was drawn from analogies to physical property, which is often an inapt comparison,” she notes. “Google has been fighting to update surveillance laws to reflect how technology and reasonable expectations of privacy have changed since the time when most of the operative laws were passed and court decisions were issued.”
Jones says data requests from foreign countries can be particularly challenging because international law enforcement agencies don’t always accept or understand requirements, outlined in mutual legal assistance treaties, for subpoenas, court orders, and search warrants. Sometimes foreign powers become so frustrated with Google’s insistence on legal safeguards that they try to intercept suspect communications covertly or block Google service in their country altogether. They’ve also been known to pay uncomfortable “visits” to Google’s overseas employees, applying pressure to release the desired information.
Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, has followed Jones’ career closely and frequently discusses Google’s challenges in her Stanford Law School classes on internet law and policy. She, for one, is impressed by how Jones is handling the job, despite the challenges. She’s delighted that one of her former students has found her footing in the ever-changing landscape of cyberlaw. And, Granick says, “I’m delighted for the users of Google—of which I am one.”
Theresa Johnston (BA ’83) is a freelance journalist and frequent contributor to Stanford Magazine and Stanford Lawyer.