Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Google Provided Location Data for More Than 5,000 Devices in Attack on the Capitol

December 1, 2022

WIRED reported on November 28 that Google initially identified 5,723 devices as being in or near the US Capitol during the January 6 riot. But only approximately 900 people have thus far been charged with offenses relating to the siege.

The filing suggests that dozens of phones that were in airplane mode during the riot, or otherwise out of cell service, were located by Google. Nor could users erase their digital trails later. In fact, 37 people who attempted to delete their location data following the attacks were marked by the FBI for greater scrutiny.

Geofence search warrants are intended to locate anyone in a given area using digital services. Because Google’s Location History system is both powerful and widely used, the company is served about 10,000 geofence warrants in the US each year. Location History leverages GPS, Wi-Fi, and Bluetooth signals to pinpoint a phone to within a few yards. Although the final location is still subject to some uncertainty, it is usually much more precise than triangulating signals from cell towers. Location History is turned off by default, but approximately a third of Google users switch it on, enabling services like real-time traffic prediction.

The geofence warrants served on Google shortly after the riot are still sealed. But lawyers for David Rhine, a Washington man accused of various federal crimes on January 6, recently filed a motion to suppress the geofence evidence.

In a statement, a Google spokesperson defended the company’s handling of geofence warrants.

“We have a rigorous process for geofence warrants that is designed to protect the privacy of our users while supporting the important work of law enforcement,” the company said. “When Google receives legal demands, we examine them closely for legal validity and constitutional concerns, including overbreadth, consistent with developing case law. If a request asks for too much information, we work to narrow it. We routinely push back on overbroad demands, including overbroad geofence demands, and in some cases, we object to producing any information at all.”

Google requires a three-step process for geofence warrants to narrow their scope to only those most likely to be guilty of a crime. In the first and broadest step, the FBI asked Google to identify all devices in a 4-acre area, including the Capitol and its immediate surroundings, between 2 pm and 6:30 pm on January 6. Google initially found 5,653 active devices that “were or could have been” within the geofence at that time. When Google added in data from devices that only connected to its servers later that day, or the next, the number increased to 5,723. (This is because Location History works in airplane mode, since phones can continue to receive GPS satellite signals.)

In the second step, the FBI asked Google for a list of devices that were present at the Capitol from 12 pm to 12:15 pm on January 6, and from 9 pm to 9:15 pm. As there were no rioters in the Capitol during those times, these devices likely belonged to congressional members or staff, police, and other people authorized to be there. Over 200 such phones were excluded from the initial list, reducing its total to 5,518.

For the final step, the government sought subscriber information, including phone numbers, Google accounts, and email addresses, for two groups of users. The first was for devices that appeared to have been entirely within the geofence, to about a 70 percent probability. The second was any devices for which the Location History was deleted between January 6 and January 13.

From these three steps, in early May 2021, the FBI received identifying details for 1,535 users, as well as detailed maps showing how their phones moved through the Capitol and its grounds. Geofence evidence has so far been cited in over 100 charging documents from January 6. In nearly 50 cases, geofence data appears to have provided the initial identification of suspected rioters.

Rhine was first identified to the FBI by tipsters who had heard that he had been inside the Capitol. But investigators only identified him in surveillance footage after they matched it against the precise geofence coordinates of his phone. His lawyer is now trying to get the geofence evidence thrown out on multiple grounds, including that it was overly broad in who it rounded up, and that Rhine had a constitutional expectation of privacy in his Google data.

“The government enlisted Google to search untold millions of unknown accounts in a massive fishing expedition,” the attorneys wrote. “Just a small amount of Location History can identify individuals … engaged in personal and protected activities (such as exercising their rights under the First Amendment). And as a result, a geofence warrant almost always involves intrusion into constitutionally protected areas.”

If the judge agrees and dismisses the geofence evidence in the Rhine case, there is a chance that he and other suspects identified using it could walk free.

Matthew Tokson, a law professor and Fourth Amendment expert at the University of Utah, says there remains a high level of uncertainty around the whole idea of geofence warrants: “Some courts have said they are valid. Some have said they are overbroad and sweep up too many innocent people. We are still in the very early stages of this.”

Despite the unprecedented number of individuals swept up in the January 6 search warrant and some strong arguments from Rhine’s lawyer, Tokson thinks the chance of his motion succeeding is very low. “Unlike a geofence warrant for a bank robbery, the people in this location are all likely to be engaged in at least a low-level criminal trespass and in some cases worse,” he says. “There’s a stronger than usual probable cause argument in favor of the government here.”

Andrew Ferguson, a professor of law at American University, agrees. “And that worries me because the January 6 cases are going to be used to build a doctrine that will essentially enable police to find almost anyone with a cellphone or a smart device in ways that we, as a society, haven’t quite grasped yet,” he says. “That is going to undermine the work of journalists, it’s going to undermine political dissenters, and it’s going to harm women who are trying to get abortion services.”

The judge is expected to rule on Rhine’s motion in December, with his trial scheduled for late January 2023. While that will decide Rhine’s fate, it is unlikely to settle the question of geofence warrants more broadly. “This very likely will be appealed one way or the other,” says Tokson. “It’s going to be a very high-level, high-profile case likely to generate a major precedent out of the appeals court, if not the Supreme Court.”

I wholly agree with Tokson.

Hat tip to Dave Ries. And a note from Dave:

“Geofence search warrants are intended to locate anyone in a given area using digital services. Because Google’s Location History system is both powerful and widely used, the company is served about 10,000 geofence warrants in the US each year. Location History leverages GPS, Wi-Fi, and Bluetooth signals to pinpoint a phone within a few yards.”

Thanks, Dave!

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson