Police Use New Keyword Search Tool in Colorado Arson Investigation

In August of 2020, there was a horrific house fire on a quiet suburban street in Denver, Colorado. Several people were killed; others injured. The police sought and obtained more than 23 search warrants for information related to the deadly fire. These included general and specific cell site dumps to see what cell phones might have been in the area where the fire occurred. These searches combed tens of thousands of people’s phone records in the Denver area and returned to police specific information on thousands of persons (and devices) that might have been near the site of the fire.

Search and Seizure

To winnow down the thousands of numbers they had, police then drove through the neighborhood with a Stingray device. A Stingray is a cell-site simulator: it impersonates a carrier's tower, so phones in the vicinity attach to it instead of the real one, and it records the identifiers (and, from signal measurements, the approximate locations) of every phone that connects. This would tell the Denver police that a person at, say, 123 Maple Street had a phone with a specific ID number, not to implicate them in the fire investigation, but to exclude them. A month later, cops drove around the neighborhood at 2:00 a.m. and collected cell information on more than 700 cell phones. The police also obtained two geofence warrants that asked Google to search more than 590 million records of users' stored location data. The intent was to find any Google-enabled device (with location services turned on) that had been near the site of the fire.

The Denver cops got several geofence warrants for various Denver locations and searched tens of millions of innocent people’s records. They also got a warrant to compel a commercial company to produce records of aggregated location data based on apps and advertising IDs generated by the phones themselves. Once they found devices of interest, the cops could then track where these devices came from or went to. The commercial company in question collects more than 15 billion data points every day related to the location of devices.

None of these warrants, nor the tens of billions of records that were searched pursuant to them, helped find the arsonist or arsonists. So, the police tried a new tactic. Assuming that the person or persons who set the fire had used a mapping or navigation app (colloquially, "a GPS") to find the home, the cops sought information on anyone who had searched for that address.

It's important to note that a GPS fix itself leaves no trace; in fact, your smartphone can compute its precise location even when its mobile data and cell service are off, because the GPS receiver only listens. Each GPS satellite continuously broadcasts the precise time along with its own orbital position. The signal takes a measurable amount of time to reach the phone from each satellite, and that delay, multiplied by the speed of light, gives the distance to that satellite. Distances to three satellites would place you where three spheres intersect, but the phone's own clock is not accurate enough to measure the delays exactly, so in practice the receiver uses at least four satellites and solves for four unknowns: its three coordinates and its own clock error. Throughout, the phone transmits nothing; it knows where it is without telling anyone. But when you use a service like Google Maps, Apple Maps or Waze (or any location-enabled app), the app asks the phone where it is and sends that precise position to its servers, say, to Google. If you want driving directions to 5312 Truckee Street in Denver, you are in effect sending Google a query for that address; Google resolves it to a latitude and longitude, draws a map centered on your current location (which you just sent), and calculates the best route from there to the destination. As you drive, you continuously provide Google (and others) your precise location, and that is what moves the marker on the map. For these purposes, the important thing to remember is that it all begins with a query. A search.
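The geometry above, worked through as an added example. This is illustrative code written for this page, not anything from the article or from a real receiver: satellite positions, the receiver's true location and its clock error are all constructed, and the pseudorange helper stands in for the real signal processing. The solver recovers the receiver's three coordinates plus its clock bias from the measured delays alone, which is why it needs four or more satellites and why nothing has to be transmitted.

```python
"""Added illustration: a GPS-style position fix from signals the receiver only
hears. Satellites, true receiver position and clock error are constructed.
Units are metres and seconds."""
import math

C = 299_792_458.0  # speed of light, m/s


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def solve_linear(A, y):
    """Solve A x = y by Gaussian elimination with partial pivoting (small n)."""
    n = len(A)
    M = [list(row) + [y[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x


def pseudoranges(sats, receiver, clock_bias_s):
    """What a receiver measures: (time of flight + its own clock error) * c.
    Constructed stand-in for the real signal processing."""
    return [dist(s, receiver) + C * clock_bias_s for s in sats]


def fix_position(sats, rho, iters=20):
    """Solve for (x, y, z) and receiver clock bias from >= 4 pseudoranges.

    Three spheres pin down a point only if the ranges are exact; the phone's
    clock is not, so the clock error is a fourth unknown and a fourth
    satellite is required. Gauss-Newton on the linearised range equations.
    Bias is carried in metres (c * seconds) to keep the system well scaled."""
    if len(sats) < 4:
        raise ValueError("need at least four satellites for 3 coordinates + clock bias")
    x, y, z, cb = 0.0, 0.0, 0.0, 0.0  # start at the origin of the local frame
    for _ in range(iters):
        J, r = [], []
        for s, measured in zip(sats, rho):
            d = dist((x, y, z), s)
            r.append(measured - (d + cb))  # residual: measured minus predicted
            J.append([(x - s[0]) / d, (y - s[1]) / d, (z - s[2]) / d, 1.0])
        # Normal equations (J^T J) delta = J^T r
        JtJ = [[sum(row[i] * row[j] for row in J) for j in range(4)] for i in range(4)]
        Jtr = [sum(row[i] * ri for row, ri in zip(J, r)) for i in range(4)]
        dx, dy, dz, dcb = solve_linear(JtJ, Jtr)
        x, y, z, cb = x + dx, y + dy, z + dz, cb + dcb
        if max(abs(dx), abs(dy), abs(dz)) < 1e-4:
            break
    return (x, y, z), cb / C


# Constructed geometry: five satellites roughly 20,000 km up in a local frame
# whose origin is near the receiver; the receiver sits ~3 km from the origin
# with a 1 microsecond clock error (about 300 m of range error if ignored).
SATS = [
    (15_000_000.0, 8_000_000.0, 18_000_000.0),
    (-12_000_000.0, 10_000_000.0, 17_000_000.0),
    (5_000_000.0, -16_000_000.0, 15_000_000.0),
    (-9_000_000.0, -7_000_000.0, 20_000_000.0),
    (1_000_000.0, 2_000_000.0, 24_000_000.0),
]
TRUE_POS = (1_500.0, -2_200.0, 30.0)
TRUE_BIAS_S = 1e-6


def demo():
    rho = pseudoranges(SATS, TRUE_POS, TRUE_BIAS_S)
    return fix_position(SATS, rho)


if __name__ == "__main__":
    pos, bias = demo()
    print("position error (m):", dist(pos, TRUE_POS))
    print("clock bias (s):", bias)
```

Dropping to three satellites makes `fix_position` refuse the job, which is the point the text makes: with the clock error unknown, three ranges leave one degree of freedom open.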

And that search is what the cops wanted.

The Denver police obtained a warrant (well, okay, more than one warrant) to compel Google to produce records of every search for the address where the fire was. They made a list of possible variants of the street address (N or North, Blvd or Boulevard, St or Street) to see if anyone Googled that address in the 15 days prior to the fire. Because of the obvious invasiveness of the search, there was a good deal of back-and-forth between Google's lawyers, the Denver cops and, ultimately, the prosecutors about the scope of the search and what to produce. The cops wanted the names, addresses and billing contact information, DOB, email address and phone number of everyone who searched for any of the variants of the address during the specified period. This was too broad for Google. So, the police requested "anonymized" information (at least for the first pass), to be followed by a more specific warrant for detailed information on any person or persons of interest. The request also covered searches conducted from near the fire location (a geofence applied to the searches themselves). Ultimately, they settled for a search that would produce the IP addresses of anyone who searched for the fire address; that, in turn, let the cops subpoena the ISPs behind those IP addresses to learn the true identity of the persons who searched for the address. Once they identified possible suspects, the cops obtained warrants for those suspects' full Google accounts (email, searches, etc.) as well as their social media accounts (Snapchat, Facebook, Instagram) and iCloud accounts.

Ultimately, the search pointed to a 16-year-old boy. He and two other teenagers were arrested and are being prosecuted.

Reverse Keyword Search

While the Denver case involved a search for a specific address, reverse keyword searches can be much broader. They can seek those who search (or have searched) for terms of interest to investigators, like "bomb" or "IED" or "child pornography" or "CSAM" or even "Where is there an abortion clinic near me?" Whenever you conduct a search (and often while you are still typing one, since suggestions are fetched keystroke by keystroke), the search engine collects and stores the contents of that search, the account from which it was made if you are logged in, and in every case the IP address, an approximate physical location derived from it, and information about the device and browser used.

It’s one thing to catch a suspect and then review their search history for relevant data. It is an entirely different kettle of fish to search the entire history of searches of every person on the planet to find anyone who has searched for a term of interest to a law enforcement agency.

The Fourth Amendment requires searches and seizures to be "reasonable" and requires warrants to particularly describe the place to be searched and the persons or things to be seized. This is called the particularity requirement. The law also prohibits what are called "general warrants": warrants that call for the production of documents or records without specifying which ones.

One problem with searches for internet-related records is that they can invade the privacy of billions of people to find the record of a single person. By examining billions of records for the few that match the criteria the police are looking for, the police are "searching" billions of records; that is, conducting a general search. By way of analogy, police seeking speeders on the highway (where there is no privacy right on public roadways) capture the identity, color, make, etc., of tens of thousands of cars that are doing nothing wrong just to pick out the few that are. To find information about the 61 people who searched for the Denver address, Google collected and searched (on behalf of the police) the records of billions of searches that were not for that address. This is arguably a "general" search.
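The first-pass, anonymized reverse keyword search described in the warrant discussion above, and the "records scanned versus records produced" point made here, as one added example. This is illustrative code written for this page, not Google's process and not anything from the article: the log rows, the incident time and the IP addresses are constructed, and the address is the one the article itself uses as its example. Instead of enumerating the variant list (N/North, St/Street, Blvd/Boulevard) the example folds both the target and every query to a canonical spelling, which catches the same variants and any others of the same kind; each row is read whether or not it matches, and only the matching rows' IP addresses and timestamps come out.

```python
"""Added illustration of an anonymised reverse keyword search over a query log.
Log rows, incident time and IP addresses are constructed for this example."""
import re
from datetime import datetime, timedelta

# Spellings the article's variant list would enumerate are folded to one
# canonical token on both sides. Illustrative; extend as needed.
CANON = {
    "north": "n", "south": "s", "east": "e", "west": "w",
    "street": "st", "avenue": "ave", "boulevard": "blvd",
    "drive": "dr", "road": "rd", "court": "ct", "lane": "ln",
}


def normalize(text):
    """Lower-case, drop punctuation, collapse whitespace, fold abbreviations."""
    tokens = re.sub(r"[^\w\s]", " ", text.lower()).split()
    return " ".join(CANON.get(t, t) for t in tokens)


def reverse_keyword_search(log, address, incident_time, days_before=15):
    """Return (hits, scanned).

    hits    : [(timestamp, client_ip)] for rows whose query contains the
              address, in any spelling variant, within the look-back window.
              Account id and query text are deliberately dropped (first pass).
    scanned : rows examined to produce those hits. Every row is read, hit or
              not; this is the 'general search' figure.
    """
    target = re.compile(r"\b" + re.escape(normalize(address)) + r"\b")
    window_start = incident_time - timedelta(days=days_before)
    hits, scanned = [], 0
    for ts, query, client_ip, account in log:
        scanned += 1
        if not (window_start <= ts <= incident_time):
            continue
        if target.search(normalize(query)):
            hits.append((ts, client_ip))
    return hits, scanned


def unique_ips(hits):
    """The set an investigator would take to the ISPs for subscriber subpoenas."""
    return sorted({ip for _, ip in hits})


# Constructed sample: a fictional incident time and six rows of the form
# (timestamp, query, client IP from RFC 5737 test ranges, account id or None).
INCIDENT = datetime(2020, 8, 5, 2, 40)
SAMPLE_LOG = [
    (INCIDENT - timedelta(days=2, hours=3),
     "directions to 5312 Truckee Street Denver", "203.0.113.7", "acct-1"),
    (INCIDENT - timedelta(days=1),
     "5312 truckee st. denver co", "198.51.100.22", None),
    (INCIDENT - timedelta(days=40),
     "5312 Truckee Street", "203.0.113.9", "acct-2"),      # before the window
    (INCIDENT - timedelta(days=3),
     "15312 truckee st", "192.0.2.5", None),               # different house number
    (INCIDENT - timedelta(hours=5),
     "weather denver", "192.0.2.6", "acct-3"),
    (INCIDENT - timedelta(hours=30),
     "5312 TRUCKEE ST", "203.0.113.7", "acct-1"),          # same IP as the first row
]


def demo():
    return reverse_keyword_search(SAMPLE_LOG, "5312 Truckee Street", INCIDENT)


if __name__ == "__main__":
    hits, scanned = demo()
    print(f"{scanned} rows scanned, {len(hits)} hits, {len(unique_ips(hits))} IPs")
    for ts, ip in hits:
        print(ts.isoformat(), ip)
```

The word-boundary anchors keep "15312 Truckee St" from matching "5312 Truckee St", and the window check discards a search for the right address made outside the 15 days; on a real log the ratio of `scanned` to `len(hits)` is what the general-warrant objection is about.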

It’s easy to see how these reverse keyword search warrants could become commonplace. Again, they are typically used not to find information about a specific, known suspect, but to examine information about billions of people who did nothing wrong to find potential suspects. Such reverse keyword searches could be used to find people searching “Where do I buy heroin?” or “How do I storm the U.S. capitol?” or, as noted, searches for abortion clinics, pregnancy counseling centers or transportation across state lines. They can be used to find crime rather than to investigate crime. They may be an effective tool, but they also are a remarkably invasive one. The Colorado case appears to be the first time the technique has been attempted. It certainly will not be the last.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch's career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association's Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department's efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division's Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
