Efforts to track down criminals in the US state of North Carolina have laid bare a dangerous gap in the law over the use of location data.
Raleigh police went to court at least three times last year and got a warrant requiring Google to share the details of any users that were close to crime scenes during specific times and dates.
The first crime was the murder of a cab driver in November 2016, the second an arson attack in March 2017 and the third, sexual battery, in August 2017 – suggesting that the police force is using the approach to discover potentially incriminating evidence for increasingly less serious crimes.
In each case, the cops used GPS coordinates to draw a rough rectangle around the areas of interest – covering nearly 20 acres in the murder case – and asked for the details of any users that entered those areas in time periods of between 60 to 90 minutes e.g. between 1800 and 1930.
The warrants were granted by a judge complete with an order to prevent disclosure so Google was legally prevented from informing impacted users that their details had been shared with law enforcement. Google complied with the warrants.
It is worth noting that the data haul is not limited to users of Google hardware i.e. phones running Android but also any phone that ran Google apps – which encompasses everything from its driving app service to its calendar, browser, predictive keyboard and so on.
Details are only now emerging as those disclosure orders expire, and local TV station WRAL has been digging through public records to see how often and for what these unusual orders have been used by the police.
The approach raises a whole host of privacy concerns, not least because there seem to be no established rules or laws covering the release of such highly personal information.
Although the police clearly feel they have carefully considered Fourth Amendment rights by limiting the size of the search by geography and time, and by asking for limited and anonymized data, the reality is that the police tend to have a much narrower definition of constitutional rights than citizens, particularly when it comes to investigating crimes.
The Raleigh police are not the only police force using the fact that companies like Google store enormous quantities of personally identifiable data on millions of people in a hunt for clues.
A spokesman told WRAL that it had began using the technique after they heard about cops in Orange Country using a similar approach to investigate a crime on their area.
While it is understandable that the police would want to use any method at their disposal to solve crimes - some in favor have argued it is no different to getting a warrant for surveillance footage - the use of location data remains a controversial topic.
Despite efforts to limit the dataset pulled from Google's servers, the requests will have included the details of dozens, potentially hundreds, of innocent people. The arson attack, for example, occurred at an apartment complex in a dense part of the city so the search – which covered anyone in a one block radius between 1930 and 2200 on a Thursday night – will have picked up a lot of ordinary folk doing nothing but going about their lives.
We don't know how many people's details were handed over because neither Google nor the police will say. Likewise, we don't know whether the searches produced information that proved critical to the investigations that couldn't have been acquired through other means.
For example, the man responsible for shooting and killing cab driver Nwabu Efobi in November 2016 was arrested and charged with murder in October 2017 after location data warrants were issued in March and returned in July.
We don't know if those warrants put police on the trail of Tyron Cooper or whether there was other evidence or leads that led to them identifying him. We do know that it was footage from security cameras that led the police to ask for Google location data on the night before the shooting, as well as the night of the shooting itself.
The concern is that the police will increasingly use the approach as a fishing expedition for potential leads – something that the courts have persistently ruled is not an acceptable or constitutional practice.
The lack of notification to people whose movements are shared with law enforcement is also a serious concern.
While there remain no clear laws on the use and provision of mobile phone data, it will fall to the individual judge to make a decision as to what is appropriate. Faced with successful warrant applications, it is also inevitable that police forces will use them more, and increasingly widely, since they will be following lawful process and potentially gathering useful information.
But it is fair to say that the billions of users of mobile phones do not imagine the police will be in a position to track their movements simply because they were close to where a crime was committed.
Despite tech-savvy individuals understanding that phones theoretically allow for such tracking, it is only a matter of time until something like Cambridge Analytica's gathering and misuse of Facebook user data happens with respect to location data.
It is worth noting that Google is only able to provide GPS coordinates if you allow your phone – or Google app – to use your location. At least in theory. ®
Sponsored: Ransomware has gone nuclear