Google Report Spotlights Controversial ‘Geofence Warrants’ by Police | Threatpost

Newly released data by Google sheds light on a controversial practice called “geofence warrants”, which describes the practice of law enforcement requesting mobile phone data of users within close proximity of a crime.

Google said, in an August report, the number of geofence warrants the company received from law enforcement agencies jumped from 982 in 2018 to 11,554 in 2020.

The warrants allow law enforcement to demand data from phones used within the vicinity of a crime. The tactic allows investigators to identify potential suspects or witnesses to illegal activity.Infosec Insiders Newsletter

“Since the start of 2018, we have seen a rise in the number of search warrants in the United States that order Google to identify users, based on their Location History information, who may have been in a given area within a certain time,” Google said.

GPS Police: Probable Cause Casualty  

In some instances, Google has alerted users that police requested their data. For example, in 2020 Zachary McCoy received an email from Google notifying him that police investigators had demanded his location data for a specific date as part of a geofence warrant. McCoy later, with the help of a lawyer, found out his location data put him in the vicinity of a burglary. According to reports, he had been using an app to track how many miles he was biking. Data found through the warrant process made him the lead suspect in the investigation.

After other evidence reportedly emerged exonerating McCoy, the geofence warrant was withdrawn and McCoy soon after dropped his legal challenge, according to a report by NBC News.

Google responded to a Threatpost request for comment with a single statement: “As with all law enforcement requests, we have a rigorous process that is designed to protect the privacy of our users while supporting the important work of law enforcement. We developed a process specifically for these requests that is designed to honor our legal obligations while narrowing the scope of data disclosed.” 

Google Mostly Mum

For its part, Google has said little about the company’s compliance with geofence warrants, beyond releasing the raw numbers, according to the Electronic Frontier Foundation’s Stanton Fellow Mukund Rathi.

“After years of pressure, they finally published some limited data showing that police have issued at least 20,000 warrants, just over the last three years,” Rathi told Threatpost. “But the vast majority of geofence warrants remain sealed, with no information from Google or law enforcement on their targets, geographic area and length of time, and their purported justifications. As a result, most people have no way of knowing whether they are caught up in one of these dragnets.”

Geofence Warrants and the Fourth Amendment

Geofence warrants are a blatant violation of U.S. Fourth Amendment Constitutional protections against illegal searches and seizures, the EFF asserts.

“These warrants are anathema to the Fourth Amendment’s core guarantee largely because, by design, they sweep up people wholly unconnected to the crime under investigation,” the EFF said.

Over the past several months, multiple judges have weighed in and agree with EFF that geofence warrants violate the Fourth Amendment’s probable cause requirements for legal searchers.

Geofence warrants were issued last summer amid the protests that followed after police shot Jacob Blake in Kenosha, Wis. The Bureau of Alcohol Tobacco and Firearms served Google with at least 12 geofence warrants to hunt down arsonists by randomly sweeping up the data of anyone within a couple hundred yards away, the EFF said.

Rounding up data on people legally protesting isn’t just a potential Fourth Amendment violation, it could also be seen as having an overall chilling effect on legal speech, also running afoul of First Amendment protections.

Privacy Advocates Appeal to Google

The EFF and others want Google to push back against both geofence warrants, as well as warrants for user keyword searches.

A letter addressed to Google CEO Sundar Pichai from the Surveillance Technology Oversight Project (STOP) implores him to do more.

“As a leading recipient of geofence and keyword warrants, Google is uniquely situated to provide public oversight of these abusive practices,” the letter read.  We ask you to do just that by expanding your industry-leading transparency report to provide monthly data on the number of non-traditional court orders received, including granular information on geofence warrants, keyword warrants, and any analogous requests.”

The EFF goes further and told Google the company should resist compliance and do more to protect their users’ privacy.

“As it stands now, Google appears to have set up an internal system that streamlines, systematizes, and encourages law enforcement’s use of geofence warrants,” The EFF added. “Google’s practice of complying with geofence warrants despite their unconstitutionality is inconsistent with its stated promise to protect the privacy of its users by ‘keeping your information safe, treating it responsibly, and putting you in control.’”

Rule #1 of Linux Security: No cybersecurity solution is viable if you don’t have the basics down. JOIN Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the 4 Golden Rules of Linux Security. Your top takeaway will be a Linux roadmap to getting the basics right! REGISTER NOW and join the LIVE event on Sept. 29 at Noon EST. Joining Threatpost is Uptycs’ Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.