Google Gives Cops Your Search Terms – Let the Frog-Boiling Commence

Google stands accused of agreeing to overly broad search warrants, which might violate the Fourth Amendment. Federal law enforcement asked Google to tell them who searched for a particular address within certain dates.

Privacy advocates are up in arms. Imagine the risk of false positives, where innocent citizens get caught up in a dragnet operation.

DevOps Connect:DevSecOps @ RSAC 2022

Google claims it fights any fishing expeditions. In today’s SB Blogwatch, we’re not sure we trust la GOOG no more.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Bzz.

I Believe I Can Fly

It started with a tweet. Here’s Robert Snell—@robertsnellnews—with what “a newly unsealed search warrant affidavit” says:

 In June … someone torched an SUV parked outside the home of a government witness in the federal racketeering case against singer R. Kelly. … So federal agents got a search warrant requiring Google to identify “users who had searched the address of the Residence close in time to the arson.”

The warrant revealed a search from one IP address in Georgia in the days and hours before the arson fire. The IP address [was] linked to a Georgia man … a relative of singer R. Kelly’s publicist.

Agents analyzed phone numbers that used cell towers near the home where the SUV was set on fire. … The phone linked to … that Georgia man … used one of those towers at the time of the arson fire.

Agents then got a search warrant for the phone. [It] took quite a road trip, with one stop being near site of the arson fire.

Doesn’t that sound overly broad to you? Alfred Ng reports—“Google is giving data to police based on search keywords, court docs show”:

 There are few things as revealing as a person’s search history, and police typically need a warrant on a known suspect to demand that sensitive information. But a recently unsealed court document found that investigators can request such data in reverse order by asking Google to disclose everyone who searched a keyword rather than for information on a known suspect.

Police arrested Michael Williams, an associate of singer and accused sex offender R. Kelly, for allegedly setting fire to a witness’ car in Florida. Investigators linked Williams to the arson, as well as witness tampering, after sending a search warrant to Google.

The original warrant sent to Google is still sealed, but the report provides another example of a growing trend of data requests … in which investigators demand data on a large group of users rather than a specific request. … The rise in reverse requests from police have troubled Google staffers, according to internal emails.

Reverse search warrants … are being challenged across the US for violating civil rights. Lawmakers in New York have proposed legislation to make these searches illegal, while in Illinois, a federal judge found that the practice violated the Fourth Amendment.

Todd Spodek, the attorney representing Williams, said he plans to challenge the legality of the keyword warrant. [He] said he intends to argue that it violated Williams’ rights. [And he] said he’s seen more of these types of warrants being issued in criminal investigations and worries it could lead to wrongful accusations, [calling] the practice unconstitutional.

Well, he would say that, wouldn’t he? Shaun Nichols sarcastically calms you down—“Don’t worry, says the internet giant, this doesn’t happen too often”:

 While word of these sort of requests for the identities of people making specific searches will raise the eyebrows of privacy-conscious users, Google [says] the warrants are a very rare occurrence, and its team fights overly broad or vague requests. … In this particular tale, the query was rather narrow, and Google insists it challenges overly broad warrants.

“We vigorously protect the privacy of our users while supporting the important work of law enforcement,” [said] Google’s director of law enforcement and information security Richard Salgado. … “We require a warrant and push to narrow the scope of these particular demands when overly broad, including by objecting in court when appropriate. … These data demands represent less than 1 percent of total warrants and a small fraction of the overall legal demands for user data that we currently receive.”

Not on my watch, says ytene:

 The real challenge comes when you think about this as a form of “dragnet-based” policing. In a court room – and technically in the eyes of the law at all times – individuals are “innocent until proven guilty.” But when the police are granted permission to perform dragnet searches of this nature, they are in essence treating a … significant part of the population as suspects.

Although, sadly, this might not get much news coverage, this is the sort of case that needs to have a much more public debate about it. Without public visibility, scrutiny and approval, this sort of practice can quickly become a “de-facto” operational technique.

It most definitely moves the needle on the “innocent until proven guilty” gauge. And not in the right direction.

And Kevin Johnston agrees, stirring the amphibian’s pot on a low flame:

 Hmmm. This is one of those ‘good intentions’ stories isn’t it? Clearly phrased requests, with a very narrow focus, produced a very small pool of results, leading to a clear and appropriate suspect.

This is then the supporting evidence for the next request, which may not be quite so precise, but it still looks OK, etc., etc.

What about the court of public opinion? blakesterz readz the runez: [You’re fired—Ed.]

 Most people think, “Why do I care? I search Google for sourdough recipes.” … And then they read … he looked up phrases like, “Where can i buy a .50 custom machine gun.”

And they’ll say, “See, see! This works, this should be legal, it catches bad people.”

Enough people think like that, and there’s no pressure to make this practice illegal, no pressure from the public to get laws passed. Because, while some people look at this practice and see their lives being made worse, many people look at this and see themselves being protected from bad guys.

Wait. Pause. ComputerGeek01 points to the alleged perp:

 I have no sympathy for someone this blatantly stupid. … Googling the … address 10 mins before … demonstrates the kind of intelligence that I honestly want removed from the genepool.

Carrying your personal tracking device while committing a crime … should be grounds for neutering. Go to a bar. Have a drink. Leave your phone at the bar. Commit your crime. Come back to the bar looking for your phone.

Witnesses saw you there “around X o’clock” and your phone shows you there so unless you’re already the prime suspect, they will start digging elsewhere. I must be a … criminal mastermind after all.

But u/Sapotis blames Google, not the Feds:

 This shouldn’t be a surprise for anyone who has been paying attention recently. Google’s essential objective is data-mining these days. It’s no different from Facebook as a spying company.

As does pessimizer:

 Maybe we need librarians to run our search engines, rather than advertising companies with no moral center.

Meanwhile, zephvark snarks it up:

 ”Do No Evil” was a bit wordy, so they dropped a word. It’s nicely pithy, now.

And Finally:

Cephalized musca domestica

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce:
Flavio Gasperini
(via Unsplash)

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 381 posts and counting.See all posts by richi