Don’t (Geo)Fence Me In: Courts Order Google To Give Up Location Data

The danger in forcing companies with location-tracking apps to hand over the data to help solve crimes

When you install a “Black Friday” app on your cellphone, you aren’t really expecting it to be used to identify you as a suspect or a witness to a crime—particularly one unrelated to your shopping activities. However, thousands of apps collect and store location data, including news sites, weather, traffic, shopping, travel and others. While there is some user control over which sites collect location data, most users simply install the apps. As a result, users have provided hundreds of companies with information about their precise location, whether they are shopping for a new large screen TV, checking on their flight home for Thanksgiving or simply catching up on the news. While these sites have differing policies on how they will store, track, sell or use your location data, they are all subject to search and seizure by the government. So the government can find your location not only by tracking your cellphone and getting warrants to the cell companies but also by serving similar warrants on any company that tracks location—primarily Google. And these warrants aren’t just looking for one person’s location; increasingly, they are looking for data on everyone.

En Garde

Law enforcement agencies use what are called “geofencing” warrants to seek the names of people who are “in the neighborhood” of a crime they are investigating. The warrant is served on any entity that has collected location data and calls for information about any devices that were near a specific location at a particular time. The vast majority of these warrants are served on entities such as Google, whose Google Maps and other apps are installed on many devices and which, by default and design, are perennially collecting such information.

The geofence warrant is similar to, but in many ways more intrusive than, its cousin, a cell tower “dump” warrant. A tower dump warrant is served on a cellphone provider (or all cellphone providers) for information about a particular time and tower or series of towers. The government had, for years, taken the position that the cell tower information belonged to the cellphone company and was merely its own records of who had used its services—information that it could share with law enforcement without a search warrant. The U.S. Supreme Court in 2018 disagreed, and while permitting such “tower dump” cases to proceed, ruled that a warrant was required to compel the production of data from the cell company.

What makes both tower dump and geofence warrants legally suspect is not that the data that results from them is never important to investigating and even potentially preventing crimes—even serious crimes. What makes this tool suspect is the fact that it is designed to, and in fact does, capture sensitive information about hundreds or thousands of people who have done nothing more than being near someone who may have done something wrong.

In a recent case out of central Virginia, a man accused of bank robbery challenged a “geofence” warrant served on Google for data related to users of Google’s location services near the location and time of the robberies in question. The Commonwealth of Virginia argued that the geofence warrant was reasonable because the suspect “opted in” to the Google location service. As described in a news report:

Google first provided location data, but no identifying information, for 19 devices in a 150-meter radius around the bank for a one-hour period that included the robbery. Police then picked out nine of those devices for more information, and Google gave location data on those devices covering two hours. Finally, police asked for — and received — subscriber information for three devices, including one that was in the bank during the robbery, left immediately after it, and followed a path matched by witness sightings. That information gave police [the defendant’s] email address and told them he used an Android phone and Google Location History, which tracks users’ movements (and is viewable in Google Timeline).

So what’s the problem? The police had a warrant, issued by a judge, limited by date and time (and location) and found the suspect with very limited intrusion. No muss, no fuss, right?

Start with the idea that the police actually had Google search its entire database of billions of users to “find” the 19 devices that were near the robbed bank. So everyone who has ever used the Google location service had their records at least examined, if only to have them rejected as not covered by the warrant. Then, Google provided location data about 18 people who had done nothing more than carry a phone with a Google app on it. Sure, they “opted in” to location services—mostly so that they could find out where they were, not so that Google could provide that data to others. When I turn on the GPS in my car, I am tracking myself using passive time signals from satellites. Absent some transmission back to someone, only I know where I am and where I was. When I use Apple Maps or Google Maps, I am constantly getting new maps showing my location from Apple or Google, so that they (in addition to the phone company) know where I am.

The article says that the police then selected nine phones from the 19 for additional information. Based on what? Was there an additional warrant issued by the court? Did the police show “probable cause” to believe that those nine people had committed a crime? What “crime” was it more likely than not that the other eight people committed? Likely the police searched criminal history databases, mug shots, arrest reports and maybe credit reports or background checks on these people whose only offense was to have a phone. The police then essentially did retroactive surveillance of these people, finding out not only that they were at or near the bank, but also where they were hours before the robbery and hours afterward. All because they had “opted in” to Google’s location service.

The Constitution provides that a warrant must be specific—it must specify the “place to be searched and the thing to be seized.” In this case, the “place to be searched” is Google and the “thing to be seized” is “all subscriber records of anyone near the scene of the crime.” Unlike the normal warrant, for which we have a suspect and believe they have evidence so we search, a geofence warrant is used against a massive database—we have no suspect and want to find one. It searches information mostly about innocent people and provides it to law enforcement. It’s a tower dump by a factor of 10. And the records it seeks are collected and stored indefinitely. It can be used to solve murders, rapes and bank robberies, but equally for speeding, parking or other “violations.” As with the NSA “bulk data” collection program, the government can—with a warrant—obtain records not just about a specific crime scene but all location records to use later to solve crimes. If you have a suspect, you can use location data and geofencing to find out who they met with and when (and where).

Did I mention that we are essentially carrying surveillance devices with us at all times?

For a law enforcement official, this is a gold mine. We could use this technology to establish location in virtually every criminal or administrative offense. Murder suspect? Check! Terrorist? Check! Parking in a bus zone? Check! While Google and some other companies take the position that their information may only be obtained with a “warrant”—a court order supported by probable cause—you can expect that enterprising divorce attorneys would love to have this information to spy on cheating spouses, merger and acquisition attorneys could use this data to figure out which executives were meeting with potential takeover targets, and criminal defense lawyers could use the same kind of data to investigate witnesses, police and potentially establish alibi defenses.

So “geofence” warrants, in addition to revealing sensitive information, reveal information about many people who have done nothing wrong—and who then run the risk of becoming suspects (or worse, defendants) because they (or their devices) were in the neighborhood. In addition, they can be used instead of warrants to install GPS devices on phones to monitor the location of devices in real-time without the bother of having to physically install a device. No muss, no fuss!

To date, there are no reported cases on the legality or scope of geofence warrants, particularly to non-phone companies, although news reports show anecdotal evidence of their increasing use. We don’t know how courts would interpret the “specificity” requirement of the Fourth Amendment to these fenced-in warrants. We don’t know if the government could get prospective warrants (data on people who will be in a specified location in the future). We don’t know if criminal defendants, under the Sixth Amendment, will be able to compel producing location data about witnesses or alibi information. The general rule about evidence has been (absent a specific law or privilege): if the record exists, its production can be compelled. And, in the modern age, more and more records exist. And more sensitive information. In more places. And for a longer time. The law will need to adapt. Until then, you might consider turning off your phone, powering it down, wrapping it (and yourself) in tin foil and then throwing the device away.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
