The ACLU and eight federal public defenders are asking the Fourth Circuit Court of Appeals to exclude cellphone location data obtained from Google through a so-called geofence warrant that helped law enforcement catch a bank robbery suspect.
geofence, the first civil rights case to reach a federal appeals court, raises serious Fourth Amendment concerns about the warrantless search and seizure of mobile device users’ location and personal data.
Geofence guarantees are basically given to Google to transmit data about each mobile phone or other mobile device within a certain geographic region and for a certain period of time. The problem. the location data of every person carrying a mobile device in that area is collected on a wide network and their data is transmitted en masse to law enforcement.
“These safeguards are clearly unconstitutional,” said Tom McBrien, a lawyer at the Washington, D.C.-based nonprofit Electronic Privacy Information Center (EPIC). “They look at the history of everyone in that geographic area to see where they were at that time.”
Geofence warrants violate the Fourth Amendment to the US Constitution in several ways, McBrien argued. First, the amendment requires evidentiary certificates to meet a “particularity requirement”, meaning police must be clear about what and who they are looking to find with the data. The warrants cannot be turned into “fishing expeditions,” McBrien said.
Second, probable cause requires law enforcement to link a specific person or persons to the crime. Only then does the law allow the invasion of privacy associated with access to geofence data.
“Google has a rich database of user information,” McBrien said. “You either have a Google phone or use a Google service. Google has made it very difficult to opt out of location tracking. Even after turning off a specific feature on your mobile phone, Google can still track you through another phone [service or app]…like Google Maps.”
Additionally, Schneier noted that Google isn’t the only one that has access to geolocation via a cell phone ping from a cell tower. Mobile network providers and mobile phone companies also have this data.
“They collect the data and you can’t opt out because that’s how cell phones work,” Schneier said.
McBrien agreed that cell phone companies and other network services can track users, but he has yet to see a geofence warrant issued for any company other than Google, which just happens to have most of the data for agriculture.
“Apple may know where users are, but there are also a lot of Android users who don’t use Apple iPhones, but someone with an iPhone or Android phone can use Google Maps,” he said. McBrien.
From one suspect to thousands.
The problem with geofence safeguards goes beyond access to copious amounts of location data on mobile users, which may or may not have anything to do with crime. Every year, thousands of innocent people are effectively turned into suspects in criminal investigations through the use of warrants, according to a Harvard Law Review article.
“While traditional court orders allow searches of known suspects, warrants are issued specifically because the suspect cannot be identified,” notes the Harvard Law Review.
The use of geofencing safeguards has snowballed over the past seven years. Since the first one was served on Google in 2016, the number of warrants has increased by more than 1,000% each year, according to EPIC.
Google received 982 geofence orders in 2018, 8,396 a year later, and 11,554 in 2020, according to the latest data released by the company. The vast majority of warrants have been issued by courts to state and local law enforcement agencies. Geofence warrants issued to federal authorities accounted for just 4% of those served at Google.
In 2021, Google revealed that a quarter of all warrants it received from US authorities, both state and federal, related to geo-infringement requests.
“It’s obvious why these safeguards are useful. They have the potential to identify more suspects,” McBrien said. “I can understand why the courts are initially hesitant to take this powerful tool away from the police.”
What happens to the data?
Bruce Schneier, a security consultant at Counterpane Systems, said that in addition to potential government overreach, there’s no way to know if law enforcement will use the location data dump for other purposes.
“The thing about the abuse in these cases is that it’s hidden,” Schneier said. “If there’s abuse, you won’t know because of parallel construction, which illegally obtained data is laundered and not used in court.” , but the data obtained from that data is used.”
For example, the National Security Agency (NSA) could take out a specific warrant for a suspected criminal and then forward all the data to the FBI to alert the agency that something suspicious might be going on at that location.
“I’m sure that happens a lot when the NSA passes on FBI data,” Schneier said. “NSA tells FBI. “This thing happens on a street corner” and the FBI just has one officer there, and the NSA’s involvement is never mentioned. And of course, if the FBI has this kind of data, they’re likely to use it on anyone. [want]”.
Last Friday, the ACLU and public defenders issued a friend-of-the-court brief asking that mobile device location data obtained from Google be excluded from evidence, while noting that geolocation warrants are becoming increasingly common.
“They raise serious questions under the Fourth Amendment because they are usually issued without the police having reason to believe that all the people who have the devices have been involved in a crime,” the ACLU said in a statement.
US v. Chhatri
The civil rights case at issue is United States v. Chhatri. Okello Chatri, 27, was convicted and sentenced to 12 years in prison for using Google Sensorvault data obtained by Virginia law enforcement through a geofence warrant. Sensorvault is a Google database that contains records of users’ historical geographic information.
The appeal comes after a federal judge in Virginia ruled that the warrant in the Chhatri case was too broad and lacked probable cause for much of the data obtained by police. The warrant sought information on all Google devices or app users believed to be in the 17.5-acre area surrounding the scene of the bank robbery in Virginia.
“It’s important to note that Google is at the center of this,” McBrien said. “We’ve seen examples of Google pushing back on these guarantees. Google says they are really too broad. “You capture many urban neighborhoods, including churches, schools, and apartments,” and Google says it doesn’t pass the smell test.
Last week, Google explained in a blog post how it hopes to better protect users’ privacy with thousands of geofence enforcements every year.
First, the tech company said it will continue to advocate for laws such as the US Electronic Communications Privacy Act to be updated to reflect the same protections that apply to citizens’ personal documents.
Google also said that when government agencies request users’ personal information, such as what a person provides when signing up for a Google Account or the content of an email, its policy requires several things:
- “We thoroughly review the request to ensure it complies with the law and our policies. In order for us to consider compliance, it must usually be in writing, signed by an authorized official of the requesting agency, and issued under applicable law.
- “We appreciate the scope of the inquiry. If it is too broad, we may refuse to provide the information or seek to narrow the request. We do this frequently.
- “We notify users of legal claims when appropriate so they can contact the requesting entity or consult with an attorney. Sometimes we can’t do this because we’re prohibited by law (in which case we sometimes seek to cancel orders or unseal.” search warrants) or we don’t have their verified contact information.”
Google also said it plans to do more to inform users about warranty requests and has created a new section for its Transparency Report to answer user questions.
The ACLU clarifies its concerns
In a U.S. brief, the ACLU and public defenders argued that warrants can inadvertently reveal “a wealth of information about the secret associations of individuals who have penetrated their network, from meeting a reporter and a source to attending church.”
In its statement, the ACLU said that law enforcement agencies have taken advantage of this “information stockpile” to create geo-security warrants that seek location data for each user in a specific area.
According to EPIC’s McBrien, there is a relative dearth of case law dealing with tort warranties. “Currently, law enforcement agencies are only monitored by the courts, and when they can, they push the envelope,” he said.
“I’m currently aware of only seven federal cases that have come out [of geofence warrants]. Cases at the state level are more difficult to track. It’s a new problem,” McBrien said. “Every year more come. There will likely be a lot of case law on this as the use of these warrants explodes.”
Schneier isn’t so sure the courts will be quick to address the issue, and said citizens should demand that lawmakers use legislation to limit the availability of trespass warrants. And citizens must push Congress to solve the problem.
“The laws need to change,” Schneier said. “There’s nothing magical you can do on your phone to protect it. These are systemic problems that need systemic solutions. So make this a political issue.”
McBrien believes the courts will eventually catch up with the technology and ultimately place limits on companies’ power to collect and share geo-security data with law enforcement. At the same time, he agreed with Schneier. a two-pronged approach that uses both laws and courts is the best approach to ensure constitutional privacy rights.
For example, the New York State Legislature is currently considering the Reverse Location Search Ban Act, which would prohibit searching for a group of people’s geolocation and keyword data without a warrant or without suspicion of a crime;
“Part of it is to make the public aware of the problem,” McBrien said.
Copyright © 2023 IDG Communications, Inc.