Federal Court Strikes Down Warrant for Google Location Data

On May 20, 2019, at approximately 4:52 p.m., a man walked into the Call Federal Credit Union outside Richmond, Virginia, pointed a firearm at the tellers and threatened to kill them and their families unless he was given at least $100,000. He ultimately took almost $200,000 from the bank.

To learn the identity of the robber, the FBI obtained a geofence warrant from a federal judge. This is a warrant served on a phone provider—or, in this case, on Google—compelling them to produce the location of and personal data about all users during a period of time (from a few minutes to a few hours) within a specific radius (the geofence). As a practical matter, it is similar to what is called a “tower dump,” where phone companies are compelled to produce records of all cell phones that were near a particular cell tower (or series of cell towers) at or near a particular point in time. The warrant called for production of location records that covered not only the bank but also an adjacent church, a hotel and a residential neighborhood for a one-hour time period around the time of the robbery.

In essence, both the tower dump and the geofence warrant compel production of intimate information over which users have only limited control—their location data. They also compel production of a potentially large volume of data regarding completely innocent individuals in an effort to find the one person (or persons) for whom the Court has found probable cause. More nefariously, geofence warrants can be used to, for example, identify individuals who attend a particular church, synagogue or mosque, go to a protest rally, frequent an AIDS clinic or an AA meeting. In fact, as long as the government can demonstrate probable cause with respect to any one person near the questioned location, they can get a warrant to get information on everyone at that location—at least for some discrete period of time.

Many of these geofence warrants are directed to Google because Google collects—through various means—location data on a massive number of individuals. While the collection techniques, anonymity and specificity of data may be different, Google can collect location data on individuals based on their use of Android phones, their use of Google Maps, or their use of a wide variety of Google-related apps including photos. Deleting apps or turning off location services is, at best, an imperfect way to protect identity and location, and for some services—like driving apps (Google Maps or Waze)—location services are essential for the app to work. Suffice it to say that, unless you are both technically sophisticated and particularly diligent, the odds are pretty good that Google knows where you are. Right now. And last week. And a year and a half ago. It also knows who you were with and for how long. It can probably infer what you were talking about and certainly can infer what you might want to buy. That’s the whole point.

Location data reveals an awful lot about people—and even anonymous data collection can usually be reversed. If I know that an anonymous user was at the “Good Times” strip club from 11:00 p.m. to 2:00 a.m. and then drove to 123 Main Street (where they go every night) it’s not a stretch to infer that the owner or renter of 123 Main Street was the one at the strip joint. Add additional data (attending college classes, etc.) and we get a portrait of a Google user. What Google does not seem to have is the ability for users to specify the purpose for which Google can use the collected location data (e.g., only to get me from point A to point B) and for real-time “right to be forgotten”—e.g., when I get to point B, delete the location data. As a result, Google has a trove of location data averaging 120 data points per person per day.

Google has a phased method of replying to geofence warrants; first providing law enforcement with anonymized data about everyone who is—or could have been—within the geofence within the specified time period. After that, the police provide a more detailed warrant focusing on a more narrow number of hits or targets and, finally, on the person or persons about whom they actually have probable cause. The cops link the geofence data with other databases to identify the target.

The fact that we can determine identity from location is best illustrated by the fact that the FBI, using the geofence warrant on the bank location, narrowed the number of suspects from 19 people within the fence and then quickly identified Okello Chatrie as the robber.

Pretty cool.

Even though the first geofence warrant was served on Google in 2016, law enforcement agencies quickly learned that Google was a great repository for location data that could be used in a wide variety of criminal cases. From 2017 to 2018, the number of geofence warrants served to Google increased by more than 1,500 times; the following year, an additional 500% increase. In fact, a quarter of all warrants served on Google are geofence warrants.

Don’t [Geo]Fence Me In

On March 3, 2022, a federal district court in Richmond, Virginia considered the legality of such geofence warrants.

Geofence warrants reveal a lot of information about a lot of people who did nothing wrong. They track people outside in public, inside in public buildings (like a bank) and also track their movements inside their homes, churches and hotel rooms. In previous cases, the U.S. Supreme Court refused to allow the police to use infrared sensors to track suspected marijuana growers’ movements within their house or use a beeper to track a bottle of “precursor” chemicals’ movements within a building. Geofence data also includes both false-positive data (erroneously placing a person inside the geofence when they are not) and false-negative data (erroneously placing a person who is inside the fence on the outside). In fact, in the Richmond bank case, data points on individuals (identified as Mr. Blue, Mr. Green and Ms. Yellow—with no obvious nod to the movie Reservoir Dogs) popped into and out of the zone apparently at random. The police sought to justify the overreach of identifying persons who had no relationship to the criminal activity on the ground by claiming that, because of their location, they might be victims or witnesses. But that’s not a justification to intrude on their privacy.

At its core, the federal court noted, the problem with the geofence warrant was that “warrants, like this one, that authorize the search of every person within a particular area must establish probable cause to search every one of those persons. Here, however, the warrant lacked any semblance of such particularized probable cause to search each of its nineteen targets, and the magistrate thus lacked a substantial basis to conclude that the requisite probable cause existed …” The warrant was thus overbroad, lacked the requisite specificity required under the Fourth Amendment, and the results of the warrant needed to be suppressed.

No Probable Cause

While the police may have had probable cause to get the location data of the robber, they certainly didn’t have probable cause to get the location data of the parishioner at the church, the resident of the home across the street, or the guest at the hotel within the radius of the geofence.

But in a real sense, the normal rules of “search” and “seizure” and expectations of privacy established over the past 231 years since the ratification of the Fourth Amendment are difficult to apply to internet-based and remotely collected and stored databases. While a person certainly has a reasonable expectation of privacy with respect to their movements within their home, does the fact that they are broadcasting these movements (either deliberately or inadvertently) to a third party impact whether the court should consider that privacy interest “reasonable?” I think so, but other courts might not. As to the question of whether the warrant was “specific” (warrants must both be supported by probable cause and specify the place to be searched and the thing to be seized), does specificity mean simply that the warrant describes that which it seeks (e.g., all information related to persons who entered the geofence) or does it mean that it must call only for the production of records for which probable cause has been established? Most courts would agree on the latter. As a practical matter, could the police have narrowed the warrant in a meaningful way to get what they needed without getting extraneous data? And does Okello Chatrie have standing to challenge the search of the parishioner’s location?

The federal court concluded that the geofence warrant was overbroad, lacked specificity and lacked probable cause. Specifically, however, the court noted “that it declines to consider today whether a geofence warrant may ever satisfy the Fourth Amendment’s strictures,” suggesting that additional privacy protections—including anonymity and minimization procedures to protect location data of those not involved in criminal activity—might save a future geofence warrant. This is not the first time a court has struggled with the legality of a geofence warrant (or a related tower dump), and it certainly won’t be the last. So, next time you plan your armed bank robbery, here’s a tip to the wise: Leave your Samsung Galaxy at home.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
