Before signing its lucrative and controversial Project Nimbus deal with Israel, Google knew it couldn’t control what the nation and its military would do with the powerful cloud-computing technology, a confidential internal report obtained by The Intercept reveals.

The report makes explicit the extent to which the tech giant understood the risk of providing state-of-the-art cloud and machine learning tools to a nation long accused of systemic human rights violations and wartime atrocities. Not only would Google be unable to fully monitor or prevent Israel from using its software to harm Palestinians, but the report also notes that the contract could obligate Google to stonewall criminal investigations by other nations into Israel’s use of its technology. And it would require close collaboration with the Israeli security establishment — including joint drills and intelligence sharing — that was unprecedented in Google’s deals with other nations.

A third-party consultant Google hired to vet the deal recommended that the company withhold machine learning and artificial intelligence tools from Israel because of these risk factors.

Three international law experts who spoke with The Intercept said that Google’s awareness of the risks and foreknowledge that it could not conduct standard due diligence may pose legal liability for the company. The rarely discussed question of legal culpability has grown in significance as Israel enters the third year of what has widely been acknowledged as a genocide in Gaza — with shareholders pressing the company to conduct due diligence on whether its technology contributes to human rights abuses.

“They’re aware of the risk that their products might be used for rights violations,” said León Castellanos-Jankiewicz, a lawyer with the Asser Institute for International and European Law in The Hague, who reviewed portions of the report. “At the same time, they will have limited ability to identify and ultimately mitigate these risks.”

Google declined to answer any of a list of detailed questions sent by The Intercept about the company’s visibility into Israel’s use of its services or what control it has over Project Nimbus.

Company spokesperson Denise Duffy-Parkes instead responded with a verbatim copy of a statement that Google provided for a different article last year. “We’ve been very clear about the Nimbus contract, what it’s directed to, and the Terms of Service and Acceptable Use Policy that govern it. Nothing has changed.”

Portions of the internal document were first reported by the New York Times, but Google’s acknowledged inability to oversee Israel’s usage of its tools has not previously been disclosed.

In January 2021, just three months before Google won the Nimbus contract alongside Amazon, the company’s cloud computing executives faced a dilemma.

The Project Nimbus contract — then code-named “Selenite” at Google — was a clear moneymaker. According to the report, which provides an assessment of the risks and rewards of this venture, Google estimated a bespoke cloud data center for Israel, subject to Israeli sovereignty and law, could reap $3.3 billion between 2023 and 2027, not only by selling to Israel’s military but also its financial sector and corporations like pharmaceutical giant Teva.

But given decades of transgressions against international law by Israeli military and intelligence forces it was now supplying, the company acknowledged that the deal was not without peril. “Google Cloud Services could be used for, or linked to, the facilitation of human rights violations, including Israeli activity in the West Bank,” resulting in “reputation harm,” the company warned.

In the report, Google acknowledged the urgency of mitigating these risks, both to the human rights of Palestinians and Google’s public image, through due diligence and enforcement of the company’s terms of service, which forbid certain acts of destruction and criminality.

But the report makes clear a profound obstacle to any attempt at oversight: The Project Nimbus contract is written in such a way that Google would be largely kept in the dark about what exactly its customer was up to, and should any abuses ever come to light, obstructed from doing anything about them.

The document lays out the limitations in stark terms.

Google would only be given “very limited visibility” into how its software would be used. The company was “not permitted to restrict the types of services and information that the Government (including the Ministry of Defense and Israeli Security Agency) chooses to migrate” to the cloud.

Attempts to prevent Israeli military or spy agencies from using Google Cloud in ways damaging to Google “may be constrained by the terms of the tender, as Customers are entitled to use services for any reason except violation of applicable law to the Customer,” the document says. A later section of the report notes Project Nimbus would be under the exclusive legal jurisdiction of Israel, which, like the United States, is not a party to the Rome Statute and does not recognize the International Criminal Court.

“Google must not respond to law enforcement disclosure requests without consultation and in some cases approval from the Israeli authorities, which could cause us to breach international legal orders / law.”

Should Project Nimbus fall under legal scrutiny outside of Israel, Google is required to notify the Israeli government as early as possible, and must “Reject, Appeal, and Resist Foreign Government Access Requests.”

Google noted this could put the company at odds with foreign governments should they attempt to investigate Project Nimbus. The contract requires Google to “implement bespoke and strict processes to protect sensitive Government data,” according to a subsequent internal report, also viewed by The Intercept that was drafted after the company won its bid. This obligation would stand even if it means violating the law: “Google must not respond to law enforcement disclosure requests without consultation and in some cases approval from the Israeli authorities, which could cause us to breach international legal orders / law.”

The second report notes another onerous condition of the Nimbus deal: Israel “can extend the contract up to 23 years, with limited ability for Google to walk away.”

The initial report notes that Google Cloud chief Thomas Kurian would personally approve the contract with full understanding and acceptance of these risks before the company submitted its contract proposal. Google did not make Kurian available for comment.

Business for Social Responsibility, a human rights consultancy tapped by Google to vet the deal, recommended the company withhold machine learning and AI technologies specifically from the Israeli military in order to reduce potential harms, the document notes. It’s unclear how the company could have heeded this advice considering the limitations in the contract. The Intercept in 2022 reported that Google Cloud’s full suite of AI tools was made available to Israeli state customers, including the Ministry of Defense.

BSR did not respond to a request for comment.

The first internal Google report makes clear that the company worried how Israel might use its technology. “If Google Cloud moves forward with the tender, we recommend the business secure additional assurances to avoid Google Cloud services being used for, or linked to, the facilitation of human rights violations.”

It’s unclear if such assurances were ever offered.

Google has long defended Project Nimbus by stating that the contract “is not directed at highly sensitive, classified or military workloads relevant to weapons or intelligence services.” The internal materials note that Project Nimbus will entail nonclassified workloads from both the Ministry of Defense and Shin Bet, the country’s rough equivalent of the FBI. Classified workloads, one report states, will be handled by a second, separate contract code-named “Natrolite.” Google did not respond when asked about its involvement in the classified Natrolite project.

Both documents spell out that Project Nimbus entails a deep collaboration between Google and the Israeli security state through the creation of a Classified Team within Google. This team is made up of Israeli nationals within the company with security clearances, designed to “receive information by [Israel] that cannot be shared with [Google].” Google’s Classified Team “will participate in specialized training with government security agencies,” the first report states, as well as “joint drills and scenarios tailored to specific threats.”

The level of cooperation between Google and the Israeli security state appears to have been unprecedented at the time of the report. “The sensitivity of the information shared, and general working model for providing it to a government agency, is not currently provided to any country by GCP,” the first document says.

Whether Google could ever pull the plug on Nimbus for violating the company rules or the law is unclear. The company has claimed to The Intercept and other outlets that Project Nimbus is subject to its standard terms of use, like any other Google Cloud customer. But Israeli government documents contradict this, showing the use of Project Nimbus services is constrained not by Google’s normal terms, but a secret amended policy.

A spokesperson for the Israeli Ministry of Finance confirmed to The Intercept that the amended Project Nimbus terms of use are confidential. Shortly after Google won the Nimbus contract, an attorney from the Israeli Ministry of Finance, which oversaw the deal, was asked by reporters if the company could ever terminate service to the government. “According to the tender requirements, the answer is no,” he replied.

In its statement, Google points to a separate set of rules, its Acceptable Use Policy, that it says Israel must abide by. These rules prohibit actions that “violate or encourage the violation of the legal rights of others.” But the follow-up internal report suggests this Acceptable Use Policy is geared toward blocking illegal content like sexual imagery or computer viruses, not thwarting human rights abuses. Before the government agreed to abide by the AUP, Google wrote there was a “relatively low risk” of Israel violating the policy “as the Israel government should not be posting harmful content itself.” The second internal report also says that “if there is a conflict between Google’s terms” and the government’s requirements, “which are extensive and often ambiguous,” then “they will be interpreted in the way which is the most advantageous to the customer.”

International law is murky when it comes to the liability Google could face for supplying software to a government widely accused of committing a genocide and responsible for the occupation of the West Bank that is near-universally considered illegal.

Legal culpability grows more ambiguous the farther you get from the actual act of killing. Google doesn’t furnish weapons to the military, but it provides computing services that allow the military to function — its ultimate function being, of course, the lethal use of those weapons. Under international law, only countries, not corporations, have binding human rights obligations. But if Project Nimbus were to be tied directly to the facilitation of a war crime or other crime against humanity, Google executives could hypothetically face criminal liability under customary international law or through a body like the ICC, which has jurisdiction in both the West Bank and Gaza.

Civil lawsuits are another option: Castellanos-Jankiewicz imagined a scenario in which a hypothetical plaintiff with access to the U.S. court system could sue Google over Project Nimbus for monetary damages, for example.

Along with its work for the Israeli military, Google through Project Nimbus sells cloud services to Israel Aerospace Industries, the state-owned weapons maker whose munitions have helped devastate Gaza. Another confirmed Project Nimbus customer is the Israel Land Authority, a state agency that among other responsibilities distributes parcels of land in the illegally annexed and occupied West Bank.

An October 2024 judicial opinion issued by the International Court of Justice, which arbitrates disputes between United Nations member states, urged countries to “take all reasonable measures” to prevent corporations from doing anything that might aid the illegal occupation of the West Bank. While nonbinding, “The advisory opinions of the International Court of Justice are generally perceived to be quite authoritative,” Ioannis Kalpouzos, a visiting professor at Harvard Law and expert on human rights law and laws of war, told The Intercept.

“Both the very existence of the document and the language used suggest at least the awareness of the likelihood of violations.”

Establishing Google’s legal culpability in connection with the occupation of the West Bank or ongoing killing in Gaza entails a complex legal calculus, experts explained, hinging on the extent of its knowledge about how its products would be used (or abused), the foreseeability of crimes facilitated by those products, and how directly they contributed to the perpetration of the crimes. “Both the very existence of the document and the language used suggest at least the awareness of the likelihood of violations,” Kalpouzos said.

While there have been a few instances of corporate executives facing local criminal charges in connections with human rights atrocities, liability stemming from a civil lawsuit is more likely, said Castellanos-Jankiewicz. A hypothetical plaintiff might have a case if they could demonstrate that “Google knew or should have known that there was a risk that this software was going to be used or is being used,” he explained, “in the commission of serious human rights violations, war crimes, crimes against humanity, or genocide.”

Getting their date in court before an American judge, however, would be another matter. The 1789 Alien Tort Statute allows federal courts in the United States to take on lawsuits by foreign nationals regarding alleged violations of international law but has been narrowed considerably over the years, and whether U.S. corporations could even be sued under the statute in the first place remains undecided.

History has seen scant few examples of corporate accountability in connection with crimes against humanity. In 2004, IBM Germany donated $4 million to a Holocaust reparations fund in connection with its wartime role supplying computing services to the Third Reich. In the early 2000s, plaintiffs in the U.S. sued dozens of multinational corporations for their work with apartheid South Africa, including the sale of ”essential tools and services,” Castellanos-Jankiewicz told The Intercept, though these suits were thrown out following a 2016 Supreme Court decision. Most recently Lafarge, a French cement company, pleaded guilty in both the U.S. and France following criminal investigations into its business in ISIS-controlled Syria.

There is essentially no legal precedent as to whether the provision of software to a military committing atrocities makes the software company complicit in those acts. For any court potentially reviewing this, an important legal standard, Castellanos-Jankiewicz said, is whether “Google knew or should have known that its equipment that its software was being either used to commit the atrocities or enabling the commission of the atrocities.”

The Nimbus deal was inked before Hamas attacked Israel on October 7, 2023, igniting a war that has killed tens of thousands of civilians and reduced Gaza to rubble. But that doesn’t mean the company wouldn’t face scrutiny for continuing to provide service. “If the risk of misuse of a technology grows over time, the company needs to react accordingly,” said Andreas Schüller, co-director of the international crimes and accountability program at the European Center for Constitutional and Human Rights. “Ignorance and an omission of any form of reaction to an increasing risk in connection with the use of the product leads to a higher liability risk for the company.”

Though corporations are generally exempt from human rights obligations under international frameworks, Google says it adheres to the United Nations Guiding Principles on Business and Human Rights. The document, while voluntary and not legally binding, lays out an array of practices multinational corporations should follow to avoid culpability in human rights violations.

Among these corporate responsibilities is “assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are addressed.”

The board of directors at Alphabet, Google’s parent entity, recently recommended voting against a shareholder proposal to conduct an independent third-party audit of the processes the company uses “to determine whether customers’ use of products and services for surveillance, censorship, and/or military purposes contributes to human rights harms in conflict-affected and high-risk areas.” The proposal cites, among other risk areas, the Project Nimbus contract. In rejecting the proposal, the board touted its existing human rights oversight processes, and cites the U.N. Guiding Principles and Google’s “AI Principles” as reason no further oversight is necessary. In February, Google amended this latter document to remove prohibitions against weapons and surveillance.

“The UN guiding principles, plain and simple, require companies to conduct due diligence,” said Castellanos-Jankiewicz. “Google acknowledging that they will not be able to conduct these screenings periodically flies against the whole idea of due diligence. It sounds like Google is giving the Israeli military a blank check to basically use their technology for whatever they want.”

The post Google Worried It Couldn’t Control How Israel Uses Project Nimbus, Files Reveal appeared first on The Intercept.

This post was originally published on The Intercept.