Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Google Tracks Our Phones and is a Dragnet for Law Enforcement

April 18, 2019

The New York Times (sub.req.) reported on April 13th on a single compelling story which spilled over into many possible similar stories.

Detectives in a Phoenix suburb arrested a warehouse worker in a murder investigation last December and they credited a new technique with breaking open the case after other leads went cold.

The police told the suspect, Jorge Molina, they had data tracking his phone to the site where a man was shot nine months earlier. They had made the discovery after obtaining a search warrant that required Google to provide information on all devices it recorded near the killing, potentially capturing the whereabouts of anyone in the area.

Investigators also had other circumstantial evidence, including security video of someone firing a gun from a white Honda Civic, the same model that Mr. Molina owned, though they could not see the license plate or attacker.

But after he spent nearly a week in jail, the case against Mr. Molina collapsed as investigators learned new information and released him. Last month, the police arrested another man: his mother’s ex-boyfriend, who had sometimes used Mr. Molina’s car. The charges against Mr. Molina were dismissed.

These warrants draw on an enormous Google database employees call Sensorvault, and turn the business of tracking cellphone users’ locations into a digital dragnet for law enforcement. In an era of ubiquitous data gathering by tech companies, it is just the latest example of how personal information — where you go, who your friends are, what you read, eat and watch, and when you do it — is being used for purposes many people never expected, and tech companies have come under intensifying scrutiny over their data collection practices.

The Arizona case demonstrates the promise and perils of the new investigative technique, whose use has risen sharply in the past six months, according to Google employees familiar with the requests. It can help solve crimes. That much is certain. But it can also snare innocent people.

Technology companies have for years responded to court orders for specific users’ information. The new warrants go further, suggesting possible suspects and witnesses in the absence of other clues. Often, Google employees said, the company responds to a single warrant with location information on dozens or hundreds of devices.

Now that is, from a privacy standpoint, pretty scary.

It is unclear how often these search requests have led to arrests or convictions, because many of the investigations are still open and judges frequently seal the warrants. The practice was first used by federal agents in 2016, according to Google employees, and first publicly reported last year in North Carolina. It has since spread to local departments across the country, including in California, Florida, Minnesota and Washington. This year, one Google employee said, the company received as many as 180 requests in one week. Google declined to confirm precise numbers.

The technique illustrates a phenomenon privacy advocates have long referred to as the “if you build it, they will come” principle — anytime a technology company creates a system that could be used in surveillance, law enforcement inevitably comes knocking. Sensorvault, according to Google employees, includes detailed location records involving at least hundreds of millions of devices worldwide and dating back nearly a decade.

The new orders, sometimes called “geofence” warrants, specify an area and a time period, and Google gathers information from Sensorvault about the devices that were there. It labels them with anonymous ID numbers, and detectives look at locations and movement patterns to see if any appear relevant to the crime. Once they narrow the field to a few devices they think belong to suspects or witnesses, Google reveals the users’ names and other information.

Investigators who spoke with The New York Times said they had not sent geofence warrants to companies other than Google, and Apple said it did not have the ability to perform those searches. Google would not provide details on Sensorvault, but Aaron Edens, an intelligence analyst with the sheriff’s office in San Mateo County, CA, who has examined data from hundreds of phones, said most Android devices and some iPhones he had seen had this data available from Google.

In a statement, Richard Salgado, Google’s director of law enforcement and information security, said that the company tried to “vigorously protect the privacy of our users while supporting the important work of law enforcement.” He added that it handed over identifying information only “where legally required.”

Mr. Molina, 24, said he was shocked when the police told him they suspected him of murder, and he was surprised at their ability to arrest him based largely on data. “I just kept thinking, You’re innocent, so you’re going to get out,” he said, but he added that he worried that it could take months or years to be exonerated. “I was scared,” he said.

According to several current and former Google employees, the Sensorvault database was not designed for the needs of law enforcement, raising questions about its accuracy in some situations. Though Google’s data cache is enormous, it doesn’t sweep up every phone, said Mr. Edens, the California intelligence analyst. And even if a location is recorded every few minutes, that may not coincide with a shooting or an assault.

Google often doesn’t provide information right away, investigators said. The Google unit handling the requests has struggled to keep up, so it can take weeks or months for a response. In the Arizona investigation, police received data six months after sending the warrant. In a different Minnesota case this fall, it came in four weeks.

But despite the drawbacks, detectives noted how precise the data was and how it was collected even when people weren’t making calls or using apps — both improvements over tracking that relies on cell towers.

Location data is a lucrative business — and Google is by far the biggest player, propelled largely by its Android phones. It uses the data to power advertising tailored to a person’s location, part of a more than $20 billion market for location-based ads last year.

In 2009, the company introduced Location History, a feature for users who wanted to see where they had been. Sensorvault stores information on anyone who has opted in, allowing regular collection of data from GPS signals, cellphone towers, nearby Wi-Fi devices and Bluetooth beacons.

People who turn on the feature can see a timeline of their activity and get recommendations based on it. Google apps prompt users to enable Location History for things like traffic alerts. Information in the database is held indefinitely, unless the user deletes it.

Well, you now have an excellent reason not to turn on this feature!

Current and former Google employees said they were surprised by the warrants. Brian McClendon, who led the development of Google Maps and related products until 2015, said he and other engineers had assumed the police would seek data only on specific people. The new technique, he said, “seems like a fishing expedition.”

The practice raises novel legal issues, according to Orin Kerr, a law professor at the University of Southern California and an expert on criminal law in the digital age.

One concern: the privacy of innocent people scooped up in these searches. Several law enforcement officials said the information remained sealed in their jurisdictions but not in every state.

In Minnesota, for example, the name of an innocent man was released to a local journalist after it became part of the police record. Investigators had his information because he was within 170 feet of a burglary. Reached by a reporter, the man said he was surprised about the release of his data and thought he might have appeared because he was a cabdriver. “I drive everywhere,” he said.

These searches also raise constitutional questions. The Fourth Amendment says a warrant must request a limited search and establish probable cause that evidence related to a crime will be found. Warrants reviewed by The Times frequently established probable cause by explaining that most Americans owned cellphones and that Google held location data on many of these phones.

Last year, the Supreme Court ruled that a warrant was required for historical data about a person’s cellphone location over weeks, but the court has not ruled on anything like geofence searches, including a technique that pulls information on all phones registered to a cell tower.

Google’s legal staff decided even before the 2018 ruling that the company would require warrants for location inquiries, and it crafted the procedure that first reveals only anonymous data.

“Normally we think of the judiciary as being the overseer, but as the technology has gotten more complex, courts have had a harder and harder time playing that role,” said Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union. “We’re depending on companies to be the intermediary between people and the government.”

In several cases reviewed by The Times, a judge approved the entire procedure in a single warrant, relying on investigators’ assurances that they would seek data for only the most relevant devices. Google responds to those orders, but Mr. Kerr said it was unclear whether multistep warrants should pass legal muster.

Some jurisdictions require investigators to return to a judge and obtain a second warrant before getting identifying information. With another warrant, investigators can obtain more extensive data, including months of location patterns and even emails.

This kind of tool is a double-edged sword. It can certainly help in an investigation, but it is obviously not infallible. As to what that does to our privacy, it is certainly clear that it imperils it. It's the old, old line: "Just because you can do something doesn't mean you should."
