Alphabet (GOOG) proxy: investors request report on cloud & AI data risks
Rhea-AI Filing Summary
Alphabet Inc. proxy filing asks the Board to publish a public report assessing risks from gaps in policies, controls, and oversight of customer and user data across Google Services and Google Cloud. The proposal cites litigation, regulator actions (including a $50 million GDPR fine and a $425.7 million jury award), and a 2025 update to the Company's AI Principles as context for growing investor concern.
The requested report would evaluate whether governance, contractual terms, escalation pathways, and enforcement mechanisms are operationally effective — particularly for high‑risk government, military, and jurisdictional deployments (examples: Project Maven, Project Nimbus, and expansion in Saudi Arabia). The filing seeks disclosure that enables investors to assess enforceability of safeguards, downstream visibility into end uses, and Board oversight alignment with evolving risk exposure.
Positive
- None.
Negative
- None.
Insights
Proxy asks for disclosure on whether Board oversight maps to high-risk cloud and AI deployments.
Alphabet's proposal requests evidence that escalation criteria, committee review triggers, and post-deployment enforcement exist and operate in practice. The text notes limited public clarity on whether the Audit and Compliance Committee charter or Board processes explicitly cover AI and cloud deployment risks.
Absent company-provided, deployment‑specific oversight metrics, investors cannot assess whether governance attention scales with exposure; subsequent proxy disclosures or committee charters would be the concrete place to look for alignment.
Filing highlights downstream visibility and operational exposure where cloud/AI systems enter high‑risk environments.
The brief documents examples—Project Maven, Project Nimbus, and Saudi Arabia expansion—to show how contractual, jurisdictional, and integration factors can limit a provider's ability to detect or intervene in end uses. It references reported regulatory and litigation outcomes as precedents for material exposure.
Key dependencies include contractual revocation rights, audit and logging access, and contingency planning tied to conflict or high‑risk jurisdictions; the filing asks for disclosure that would let investors evaluate these controls.
Key Figures
Key Terms
Project Nimbus technical
Project Maven technical
AI Principles regulatory
downstream use operational
DATA GOVERNANCE AND RISK OVERSIGHTAlphabet Inc. Annual General Meeting 2026 INVESTOR BRIEFING
2SUMMARYThis proposal requests that Alphabet publish a report assessing risks arising from gaps in its policies, controls, and oversight of customer and user data processed through Google Services and Google Cloud.WHY THIS MATTERS NOW? Growing legal and regulatory scrutiny: Alphabet faces litigation, regulatory enforcement, and increasing scrutiny over privacy, data governance, and AI deployment practices.? Limited visibility into enforceability: Investors lack clarity on whether Alphabet can meaningfully enforce safeguards once technologies are deployed in customer or government environments.? Expansion into higher-risk deployments: Alphabet increasingly provides cloud and AI services in military, security, and other conflict-affected or rights-sensitive contexts.? Material downstream consequences: Where safeguards fail, these deployments may expose Alphabet to legal, operational, reputational, and geopolitical risk.SUMMARY OF RISKS AND HARMS? Surveillance, profiling, and targeting: Technologies may be used to identify, monitor, profile, or target individ-uals or groups.? High-risk government and security uses: Data and cloud services may support law enforcement, military, intelligence, or security operations in sensitive contexts.? Limited post-deployment oversight: Alphabet may have limited visibility into downstream use or ability to intervene after deployment.? Potential for real-world harm: Where safeguards fail, misuse may contribute to harmful surveillance, targeting, censorship, or other adverse impacts. FINANCIAL, LEGAL, AND REGULATORY EXPOSURE? ?50 million GDPR fine: French regulator CNIL fined Google for inadequate transparency and consent practices.? $425.7 million in damages on privacy violations: Jury in Rodriguez et al. v. Google LLC (N.D. Cal.) awarded ~$426 million after finding Google unlawfully collected user data despite users disabling tracking settings.? Incognito mode litigation / settlement: Google settled Brown et al. v. Google LLC (N.D. Cal.), agreeing to delete billions of browsing records and revise disclosures regarding Chrome's "Incognito" mode.? A UN Special Rapporteur identified Alphabet in findings before the Human Rights Council, calling on them to cease providing technology facilitating violations of international humanitarian law in the occupied territories.1? Broader exposure risk: These precedents demonstrate that data governance failures can result in litigation, fines, remediation costs, and operational restrictions.2
3INTRODUCTIONSPECIFICALLY, THE PROPOSAL PROVIDES:RESOLVED: Shareholders request the Board of Directors issue public reporting, prepared at reasonable cost and omitting proprietary information, assessing operational, reputational, regulatory, and legal risks to Al-phabet, Inc. arising from gaps in the Company's policies, controls, and oversight systems of customer and user data processed through Google Services and Google Cloud. The report should evaluate how governance gaps could lead Google's products, infrastructure, or cloud services to facilitate surveillance, censorship, profiling, and targeting in contexts of governmental overreach and recommend risk-mitigation measures.This request focuses on whether Alphabet's governance systems are operationally effective and enforceable in practice, particularly in higher-risk deployments.This proposal is supported by a group of institutional investors representing significant assets under management, reflecting growing concern regarding Alphabet's governance, contractual controls, and oversight of data and cloud deployments in high-risk contexts. For investors, the central question is whether Alphabet retains sufficient control, contractual authority, and over-sight mechanisms to manage risks when its technologies and data are used by customers or accessed by govern-ment actors.
41. LIMITED CONTROL IN HIGH-RISK DEPLOYMENTSAlphabet provides technologies that underpin modern data-driven targeting, surveillance, and intelligence systems. These capabilities are increasingly deployed in military and security contexts, including by the U.S. Department of Defense, Israeli government entities, and other government customers in higher-risk jurisdictions, where their use may directly affect decisions involving civilian populations and protected infrastructure.Alphabet's government customers include agencies engaged in active or recent military operations, including the U.S. Department of Defense (Project Maven)2 and Israeli government entities (Project Nimbus), as well as expansion into jurisdictions such as Saudi Arabia, where legal and governance constraints may limit oversight. These deploy-ments involve dual-use technologies that enable large-scale data integration, pattern recognition, and operational decision-making.Project Nimbus illustrates how large-scale government cloud contracts may limit a provider's ability to enforce its own policies in high-risk environments.Alphabet provides cloud and AI infrastructure to the Israeli government under Project Nimbus, which includes support for government ministries and the defense system.3 These deployments place the Company's technologies within a high-risk operational context, where data processing and AI capabilities may support security, intelligence, and operational decision-making.Alphabet's expansion of cloud infrastructure in Saudi Arabia highlights a governance challenge driven not by con-tract structure alone, but by jurisdictional constraints that may limit oversight, transparency, and enforcement of company policies.These examples illustrate the types of high-risk environments in which Alphabet's technologies are deployed.These deployments occur in environments where significant allegations and reporting of civilian harm, damage to civilian infrastructure, and broader concerns regarding compliance with international humanitarian and human rights norms have arisen. In June 2025, the UN Special Rapporteur on human rights in the occupied Palestinian territories directly identified Alphabet in findings submitted to the Human Rights Council, concluding that Project Nimbus provided critical cloud and AI infrastructure to Israel's military. The report calls on states and companies to cease conduct that may facili-tate violations, including the provision of technology enabling surveillance, targeting, and military operations in the occupied territories.4Recent reporting on military operations in the Middle East has documented significant civilian harm and damage to civilian infrastructure, including strikes affecting schools, transportation systems, and other non-military sites,
5in some cases linked to incomplete or outdated targeting intelligence and execution in densely populated areas.5 Public statements and expert analysis have also raised concerns regarding potential targeting of infrastructure that may be protected under international humanitarian law, as well as broader questions about the adequacy of target-ing safeguards in modern military operations.6In Saudi Arabia and similar jurisdictions, risks arise not only from conflict exposure but from the foreseeable use of cloud and AI systems in surveillance, censorship, and repression in environments with expansive state access pow-ers and limited legal recourse.While Alphabet is not reported to be directly involved in specific operations, these developments represent clear risk signals associated with the end-use environments of its technologies. Where customers operate in contexts that have been associated with allegations of violations of international humanitarian norms, or where concerns have been raised regarding targeting practices and civilian harm mitigation, the need for effective, enforceable safe-guards becomes materially more significant.Analysis from policy and national security experts has identified systemic weaknesses in target identification and collateral damage assessment processes, particularly in environments characterized by compressed decision time-lines, reliance on probabilistic data, and high operational tempo. These conditions may increase the likelihood that errors in data, model outputs, or analytical processes translate into real-world harm.7THE PROPOSAL SEEKS DISCLOSURE THAT WOULD ENABLE INVESTORS TO ASSESS WHETHER ALPHABET'S GOVERNANCE AND OVERSIGHT SYSTEMS ARE ADEQUATE TO MANAGE THESE RISKS IN PRACTICE.While the existence of high-risk deployments heightens the importance of safeguards, investors also face limited visibility into how Alphabet monitors and governs downstream use once technologies are operational.
62. LIMITED VISIBILITY INTO CLIENTS' END USE OF TECHNOLOGY KEY END-USE RISKS ? Surveillance and profilingData and analytics tools may be used to identify, monitor, or profile individuals or groups at scale.? Targeting and enforcementCloud and AI systems may support decisions involving law enforcement, military targeting, or operational prioritization.? Government access beyond expectationsUser or enterprise data may be accessed, shared, or compelled by authorities in ways inconsistent with user expectations or stated safeguards.? Limited ability to audit or interveneOnce deployed, providers may have limited visibility into downstream use or practical ability to restrict misuse.Alphabet's technologies are dual-use, highly scalable, and often difficult to monitor after deployment. These characteristics increase the importance of establishing robust safeguards prior to deployment, yet investors have limited visibility into how such safeguards are defined, monitored, and enforced.Public records and reporting indicate that Google Cloud is part of broader U.S. federal cloud infrastructure procurement, including Department of Homeland Security (DHS) contracting vehicles.8In addition, an Immigration and Customs Enforcement (ICE) cloud initiative has been authorized to use Google Cloud services through a contractor, placing Alphabet's infrastructure within a domestic enforcement and surveillance context.9 Independent research has documented that ICE has developed extensive data-driven surveillance capabilities, including access to large-scale personal data systems used for immigration enforcement, often with limited transparency or public oversight.10 Employee and public scrutiny further underscore these risks. Google employees have previously called on the company to avoid providing technology services to agencies such as DHS and ICE, citing concerns about surveillance and civil liberties.11Alphabet's work with the U.S. Department of Defense through Project Maven illustrates how commercial AI systems can be integrated into military targeting and intelligence workflows. Project Maven was designed to apply machine learning to drone and satellite imagery, enabling automated identification of objects and accelerating battlefield analysis.12In such contexts, providers may have limited visibility into how technologies are used once integrated into operational workflows.6
7These risks extend beyond enterprise deployments to Alphabet's role as a processor and controller of user data. The Company collects and processes large volumes of personal data across its services, and investors have limited insight into how it governs data collection, responds to government access requests, and manages risks associated with the use of data in surveillance or enforcement contexts. Where data may be used to identify, track, or target individuals, questions arise regarding the adequacy of safeguards, oversight, and accountability mechanisms.These visibility constraints are particularly relevant in military, intelligence, and government deployments, where downstream operational use may be difficult to audit once systems are integrated into customer workflows.THE PROPOSAL SEEKS DISCLOSURE THAT WOULD ENABLE INVESTORS TO ASSESS WHETHER ALPHABET'S GOVERNANCE AND OVERSIGHT SYSTEMS ARE SUFFICIENT TO ENSURE THAT FORESEEABLE END-USE RISKS ARE IDENTIFIED, MONITORED, AND MITIGATED WHERE TECHNOLOGIES OR DATA MAY BE USED IN SURVEIL-LANCE, TARGETING, OR ENFORCEMENT CONTEXTS.These visibility limitations may also increase operational and geopolitical risks where Alphabet's infrastructure is deployed in conflict-affected or politically sensitive environments.3. GEOPOLITICAL AND OPERATIONAL RISK Alphabet's infrastructure and personnel as potential military targetsAlphabet's infrastructure is increasingly deployed in geopolitically sensitive environments, particularly in the Middle East, as set out above in relation to US military operations in the Gulf and with Israel and Saudi Arabia. This creates exposure to a range of operational risks, including infrastructure targeting, cyber threats, service disruption, and risks to personnel. Reporting has indicated that major U.S. technology companies, including providers of cloud and AI infrastructure, have been identified in public statements and threat assessments as potential targets in regional escalation scenarios, particularly where their services are associated with government or security-related operations.13Where technologies are linked to military, intelligence, or security functions, companies may face heightened expo-sure to retaliation, disruption, or reputational harm. In addition to infrastructure risks, this may extend to physical and operational risks affecting facilities, contractors, and employees in the region, particularly in the event of esca-lation or conflict spillover.These risks are relevant to investors insofar as they may affect operational continuity, asset security, and the Com-pany's ability to manage risks associated with higher-risk deployments. Alphabet provides limited disclosure regard-ing how it assesses and mitigates these risks, including whether conflict-sensitive risk assessments, contingency planning, and operational safeguards are in place to protect personnel and ensure continuity of services.
8THE PROPOSAL SEEKS DISCLOSURE THAT WOULD ENABLE INVESTORS TO ASSESS WHETHER ALPHABET'S GOVERNANCE, OVERSIGHT, AND OPERATIONAL RISK-MANAGEMENT SYSTEMS ARE SUFFICIENT TO IDENTIFY, ESCALATE, AND MITIGATE GEOPOLITICAL, OPERATIONAL, AND DEPLOYMENT-RELATED RISKS IN HIGH-RISK ENVIRONMENTS.These operational risks further underscore the importance of whether Alphabet's governance and enforcement sys-tems function effectively in practice.4. UNCLEAR IF ALPHABET'S POLICIES ARE ENFORCEDWHY ALPHABET'S EXISTING GOVERNANCE DOES NOT RESOLVE THE PROPOSAL'S CORE CONCERNAlphabet maintains that its AI Principles, acceptable use policies, and multi-layered governance systems are suf-ficient to manage data and AI risks. However, available evidence suggests these frameworks may not operate as enforceable constraints in high-risk deployments:? Policies depend on enforceability that may not exist in practice:While Google Cloud's acceptable use policies prohibit harmful or rights-violating uses, reporting indicates that contractual structures?particularly in large-scale government agreements?may limit Alphabet's ability to re-strict, suspend, or terminate services once deployed.? Limited visibility into downstream use constrains oversight:Alphabet's cloud model means the Company often cannot fully monitor how customers use its infrastructure after deployment, reducing its ability to detect misuse or intervene before harm occurs.? Escalation does not consistently result in operational change:Public reporting and employee actions indicate that internal concerns regarding high-risk contracts have not consistently led to suspension, modification, or reevaluation of deployments, raising questions about the effec-tiveness of escalation pathways.? Policy standards have been revised toward discretion rather than prohibition:Alphabet's 2025 update to its AI Principles removed explicit restrictions on certain high-risk uses, shifting to-ward a risk-based framework that relies more heavily on internal judgment and less on binding constraints.? Jurisdictional and contractual constraints may override internal safeguards:In higher-risk markets, including those with expansive government access powers or limited legal recourse, Alphabet may face constraints in enforcing its own standards, particularly where contracts or local laws limit intervention.8
9Taken together, these factors suggest that Alphabet's governance framework may describe intended safeguards, but does not provide investors with sufficient evidence that those safeguards are enforceable in practice.These constraints vary by context but reflect a consistent pattern across deployments:CONTEXTCONSTRAINT TYPEGOVERNANCE CONCERNProject NimbusContractualMay limit ability to restrict/suspend servicesProject MavenOperationalLimited control over downstream targeting useSaudi ArabiaJurisdictionalLocal law may override internal safeguardsDHS / ICEPolitical / InstitutionalPressure may limit resistance to surveillance usesInvestigative reporting suggests that certain contract structures may further constrain provider discretion. Agree-ments associated with Project Nimbus may include terms that limit the ability to revoke or restrict access to cloud services, even where use may raise concerns under company policies.14 Available reporting also indicates that cloud providers may have limited visibility into how sovereign customers use infrastructure, reducing their ability to detect misuse or intervene.15 In addition, some reporting highlights mechanisms that may reduce external visibility into data access in certain legal contexts, raising further questions about oversight and accountability.16These constraints are not limited to contractual terms but may also arise from operational integration: recent reporting indicates that Maven-derived systems have evolved well beyond imagery labeling and that Maven Smart System has become core to U.S. military operations, pooling data so AI can help identify targets.17 Reuters has reported that the Pentagon has pushed major AI companies to make their tools available on classified networks without many of the standard restrictions the companies apply to users, and that U.S. officials have argued some contract restrictions could interfere with real-time combat operations.18These conditions may compress decision timelines, rely on probabilistic data, and increase dependence on automat-ed outputs, raising the likelihood that errors translate into real-world harm.Alphabet has announced cloud and AI investments in Saudi Arabia as part of its global infrastructure expansion, including partnerships to support the Kingdom's digital transformation and AI ambitions.19 Independent assessments of Saudi Arabia's digital environment have documented extensive government surveillance powers and limited pro-tections for user data and expression, including constraints on transparency, oversight, and avenues for redress.20In such jurisdictions, companies may face legal obligations to provide data access, limited oversight mechanisms, and constraints on challenging government requests. These conditions create a structural tension between Alpha-9
10bet's stated commitments to user rights and the realities of operating in environments where government authority may supersede company policy.These examples illustrate that the relevant governance challenge is not simply whether policies exist, but whether Alphabet retains practical authority to enforce them across materially different deployment contexts. Alphabet has developed AI technologies for the U.S. Department of Defense through Project Maven, which applies machine learning to drone imagery to assist military analysis.21 The Company also provides large-scale cloud and AI infrastructure to government customers through Project Nimbus and is expanding cloud infrastructure in Saudi Arabia, where data governance risks are heightened by jurisdiction-specific legal and regulatory constraints. Project Nimbus in Israel enables large-scale data integration and AI capabilities across Israeli government systems, and re-porting and expert analysis have raised questions regarding whether providers retain the ability to monitor, restrict, or intervene in downstream uses once systems are deployed.22 Alphabet's expansion in Saudi Arabia raises addition-al concerns regarding compelled government access to data, limited legal recourse, and constraints on enforcing safeguards in practice. At the same time, Alphabet's acceptable use policies prohibit uses that may cause harm, violate legal rights, or enable harmful surveillance or targeting. However, reporting indicates that in large-scale government deployments, providers may have limited ability to monitor downstream use or intervene once systems are operational, particular-ly where contractual structures or jurisdictional constraints limit enforcement.23Alphabet has publicly committed to responsible AI and to respecting human rights, but investors have limited visi-bility into whether these commitments are consistently operationalized in high-risk contexts. In 2025, Alphabet re-vised its AI Principles, removing explicit prohibitions on certain high-risk uses and shifting toward a more discretion-ary, risk-based framework.24 As a result, investors must rely more heavily on the Company's contractual safeguards, escalation mechanisms, and governance structures to assess how risks are managed in practice, including whether mitigation measures are defined, implemented, and effective.These dynamics raise a central governance question: Whether Alphabet retains sufficient control and enforcement capability to ensure that its technologies are used in accordance with its own policies in high-risk, high-harm con-texts.THE PROPOSAL SEEKS DISCLOSURE THAT WOULD ENABLE INVESTORS TO ASSESS WHETHER ALPHABET'S GOVERNANCE, ESCALATION, AND ENFORCEMENT MECHANISMS ARE SUFFICIENT TO ENSURE THAT ITS STAT-ED POLICIES ARE IMPLEMENTED CONSISTENTLY AND EFFECTIVELY IN PRACTICE.10
115. BOARD OVERSIGHT MAY NOT MATCH RISK EXPOSUREWHY BOARD OVERSIGHT MAY BE MISALIGNED WITH RISK EXPOSURELimited clarity on approval and escalation of high-risk deploymentsLimited evidence that Board oversight translates into enforceable controlsUnclear alignment between Board governance structures and AI/cloud risk exposureAlphabet states in its Opposition Statement that oversight of AI-related risks is addressed at the Board and Audit and Compliance Committee levels. However, public disclosures provide limited clarity on how governance structures are aligned with the Company's expanding exposure to high-risk AI and cloud deployments.For example, Alphabet does not disclose how high-risk contracts are escalated for Board or committee review, what criteria trigger heightened review or intervention, whether directors review deployment-specific risk assessments, or how the Board monitors whether mitigation measures are implemented and effective in practice.Further, the Audit and Compliance Committee charter does not explicitly reference AI governance, despite AI being a core driver of business growth and risk exposure.Investors currently lack sufficient evidence to assess whether Alphabet's governance systems are effective in practice, identifying high-risk deployments, maintaining enforceable controls, monitoring downstream use, and re-sponding appropriately to escalation signals. Under widely recognized frameworks such as the United Nations Guid-ing Principles on Business and Human Rights, companies are expected to conduct due diligence that is ongoing, risk-based, and integrated into decision-making processes. Where companies lack the ability to enforce safeguards in practice, this may indicate a material governance gap.THE PROPOSAL SEEKS DISCLOSURE THAT WOULD ENABLE INVESTORS TO ASSESS WHETHER ALPHABET'S GOVERNANCE SYSTEMS ARE APPROPRIATELY STRUCTURED AND ALIGNED WITH THE COMPANY'S STATED POLICIES AND EVOLVING RISK EXPOSURE.
12GOVERNANCE AND SHAREHOLDER VALUEFailures in governance and control may expose Alphabet to material legal, regulatory, operational, and reputational risks, with direct implications for financial performance and valuation.Recent litigation, regulatory enforcement, and settlements demonstrate that data governance failures can result in material financial penalties, mandated remediation and operational constraints.Institutional investors increasingly rely on norms-based screening and third-party data providers to assess ex-posure to severe or systemic risks. Where companies are unable to demonstrate effective control, mitigation, and oversight, investors may escalate engagement or reassess exposure.25Improved transparency into whether Alphabet's controls are enforceable in practice would enable investors to better assess risk, governance effectiveness, and long-term value implications.CONCLUSIONThe central question for investors is whether Alphabet retains enforceable safeguards in high-risk deployments.While the Company maintains that policies and governance frameworks are in place, available evidence raises questions about whether those safeguards are consistently operationalized and enforceable in practice, particularly in large-scale government, military, and high-risk jurisdictional contexts.This proposal does not seek to prescribe operational decisions. Rather, it requests disclosure sufficient for investors to assess whether Alphabet's governance, oversight, and control systems function effectively when risks materialize.A VOTE FOR THIS PROPOSAL SUPPORTS IMPROVED TRANSPARENCY AND ENABLES INVESTORS TO EVALUATE WHETHER ALPHABET'S GOVERNANCE SYSTEMS ARE ADEQUATELY ALIGNED WITH ITS RISK EXPOSURE AND FIDUCIARY RESPONSIBILITIES.12
131 United Nations Human Rights Council, (July 2, 2025). From Economy of Occupation to Economy of Genocide (A/HRC/59/23) Report of the Special Rapporteur to Human Rights Council Fifty-ninth session. https://www.ohchr.org/en/documents/country-reports/ahrc5923-economy-occupation-econo-my-genocide-report-special-rapporteur2 The New York Times, ?The Business of War': Google Employees Protest Work for the Pentagon" (April 4, 2018).https://www.nytimes.com/2018/04/04/technology/google-letter-ceo-pentagon-project.html 3 Reuters, "Israel picks Amazon's AWS, Google for flagship cloud project" (Apr. 21, 2021),https://www.reuters.com/world/middle-east/israel-picks-amazons-aws-google-flagship-cloud-project-2021-04-21/4 United Nations Human Rights Council, (July 2, 2025), ibid.5 Reuters, "U.S. may have struck Iranian girls' school after using outdated targeting data" (March 11, 2026), https://www.reuters.com/world/middle-east/us-may-have-struck-iranian-girls-school-after-using-outdated-targeting-data-2026-03-11/; Reuters, "How many people have been killed in the U.S.-Israel war with Iran?" (March 31, 2026), https://www.reuters.com/world/middle-east/how-many-people-have-been-killed-us-israel-war-iran-2026-03-31/.6 Reuters, "Trump, on Easter, threatens ?hell' on Iran's infrastructure if Strait remains blocked" (April 5, 2026), https://www.reuters.com/world/middle-east/trump-says-us-will-target-irans-infrastructure-tuesday-2026-04-05/; Reuters, "Trump threatens to strike Iran's bridges and electric power plants" (April 3, 2026),7 Center for American Progress, Loss of Innocents: The U.S. Strike on an Iranian School and Implications for America at War (YouTube, March 18, 2024). 8 U.S. General Services Administration (GSA) / SAM.gov, "DHS Cumulus Cloud Contract Vehicle" (contract listing),https://sam.gov/workspace/contract/opp/0c6af7d89e5a4959a84e88f106a55178/view9 Georgetown Law Center on Privacy & Technology, "American Dragnet: Data-Driven Deportation in the 21st Century" (2022), https://www.law.georgetown.edu/privacy-technology-center/publications/american-dragnet-data-driven-deportation-in-the-21st-century/10 Georgetown Law Center on Privacy & Technology, "American Dragnet: Data-Driven Deportation in the 21st Century", ibid.11 KQED, "Google employees call for pledge not to work with ICE" (2019),https://www.kqed.org/news/11767929/google-employees-call-for-pledge-not-to-work-with-ice12 Deputy Secretary of Defense., (April 26, 2017). Memo: Establishment of an Algorithmic Warfare Cross-Functional Team (Project Maven), Department of Defense. https://dodcio.defense.gov/Portals/0/Documents/Project%20Maven%20DSD%20Memo%2020170425.pdf. 13 Euronews, (Mar. 12, 2026). "Iran says it will attack 17 American tech companies in Middle East by April 1". https://www.euronews.com/next/2026/04/01/enemy-technology-infrastructure-iran-threatens-amazon-google-and-microsoft-assets-in-middl; BBC News, "Remote work, offices shut as tech firms respond to escalating Middle East tensions" (2026), https://www.bbc.com/news/articles/c99jjr7d40yo 14 The Guardian, "Revealed: Google and Amazon's secret code for Israel contract" (2025),https://www.theguardian.com/us-news/2025/oct/29/google-amazon-israel-contract-secret-code 15 TIME, "Exclusive: Google Contract Shows Deal With Israel Defense Ministry" (2024),https://time.com/6966102/google-contract-israel-defense-ministry-gaza-war/ 16 The Guardian, "Revealed: Israel demanded Google and Amazon use secret ?wink' to sidestep legal orders" (2025), https://www.theguardian.com/us-news/2025/oct/29/google-amazon-israel-contract-secret-code 17 Reuters, "The elusive AI bill that the White House wants to land" (Mar. 25, 2026),https://www.reuters.com/technology/artificial-intelligence/artificial-intelligencer-white-house-pushes-first-big-federal-ai-law-this-year-2026-03-25/ DISCLAIMEREk?, Center for Monitored and Ethical Investment, and Racial Justice Investing are not investment or financial advisors, and do not make any representation regarding the advisability of investing in any particular company or investment fund or vehicle. A decision to invest in any such investment fund or entity should not be made in reliance on any of the statements set forth in this briefing. While CMEI, RJI and Ek? have obtained information believed to be reliable, they shall not be liable for any claims or losses of any nature in connection with information contained in this document, including but not limited to, lost profits or punitive or consequential damages. This publication should not be viewed as a comprehensive guide of all questions an investor should ask an institution, but rather as a starting point for questions specifically related to the issues presented in this publication. The opinions expressed in this publication are based on the documents specified in the endnotes. We encourage readers to read those documents.CONTACT DETAILSTo connect with the authors of this report, please email rewan@eko.org and courtney@cmei.org.
1418 Reuters, "Pentagon pushing AI companies to expand on classified networks, sources say" (Feb. 12, 2026),https://www.reuters.com/business/pentagon-pushing-ai-companies-expand-classified-networks-sources-say-2026-02-12/; Reuters, "AI contract restric-tions could threaten military missions, U.S. official says" (Mar. 3, 2026),https://www.reuters.com/business/ai-contract-restrictions-could-threaten-military-missions-us-official-says-2026-03-03/ 19 Google Cloud, "Google Cloud and PIF advance AI hub in Saudi Arabia" (May 2025),https://www.googlecloudpresscorner.com/2025-05-13-Google-Cloud-and-PIF-Advance-AI-Hub-in-Saudi-Arabia 20 Freedom House, "Freedom on the Net 2024: Saudi Arabia," https://freedomhouse.org/country/saudi-arabia/freedom-net/2024 21 The New York Times, (April 4, 2018), ibid. 22 TIME, "Exclusive: Google Workers Revolt Over $1.2 Billion Contract With Israel" (2024), https://time.com/6964364/exclusive-no-tech-for-apartheid-goo-gle-workers-protest-project-nimbus-1-2-billion-contract-with-israel/; WIRED, "The Hidden Ties Between Google and Amazon's Project Nimbus and Israel's Military" (2024), https://www.wired.com/story/amazon-google-project-nimbus-israel-idf/; Reuters, "Google terminates 28 employees after protest of Israeli cloud contract" (Apr. 18, 2024), https://www.reuters.com/technology/google-terminates-28-employees-protest-israeli-cloud-contract-2024-04-18/; The Verge, "Nine Google employees arrested after sit-in protest over Project Nimbus" (Apr. 17, 2024), https://www.theverge.com/2024/4/17/24133056/google-protests-project-nimbus-no-tech-for-aparthe. 23 WIRED, "The Hidden Ties Between Google and Amazon's Project Nimbus and Israel's Military" (2024), ibid.24 Google, "AI Principles" (updated February 4, 2025), https://ai.google/principles/; The Washington Post, "Google drops pledge not to use AI for weapons or surveillance" (Feb. 4, 2025), https://www.washingtonpost.com/technology/2025/02/04/google-ai-policies-weapons-harm/; The Guardian, "Google owner drops promise not to use AI for weapons" (Feb. 5, 2025), https://www.theguardian.com/technology/2025/feb/05/google-owner-drops-promise-not-to-use-ai-for-weapons. 25 Church of England. (2025, September). Investor Initiative on Human Rights Data (II-HRD) Report: Strengthening Human Rights Data and Due Diligence Alignment. London: Church Commissioners for England and Bank of England. https://www.churchofengland.org/sites/default/files/2025-09/ii-hrd-re-port-september-2025.pdf