Here's US Homeland Security collaring a suspected arsonist after asking Google for the IP addresses of folks who made a specific search
Don't worry, says the internet giant, this doesn't happen too often
An unsealed warrant in a case involving alleged pedophile R&B star R. Kelly has shown how the Feds can get Google to hand over the details of people who make specific web search queries.
It raises a mild concern that if Uncle Sam's request is too broad, and Google can't or won't resist the order, you could be swept up into an investigation simply by searching for the wrong thing at the wrong time. We note, though, that in this particular tale, the query was rather narrow, and Google insists it challenges overly broad warrants.
In June, a rented SUV was torched outside the home of a witness involved in the ongoing US prosecution of R. Kelly, who has been charged with 18 counts ranging from possession of child sex abuse material to kidnapping and forced labor. In August, Homeland Security agents collared a guy called Michael Williams, accused him of setting fire to the witness's vehicle, and charged him with attempting to use intimidation and threats.
Fast forward to this week, and Robert Snell of Detroit News uncovered the aforementioned search warrant [PDF] showing how Homeland Security investigators in June enlisted Google and Verizon Wireless to connect Williams, who lives in the state of Georgia, to the scene of the crime in Florida.
Homeland Security special agent Sylvette Reynoso testified that her team began by asking Google to produce a list of public IP addresses used to google the home of the victim in the run-up to the arson. The Chocolate Factory complied with the warrant, and gave the investigators the list. As Reynoso put it:
On June 15, 2020, the Honorable Ramon E. Reyes, Jr., United States Magistrate Judge for the Eastern District of New York, authorized a search warrant to Google for users who had searched the address of the Residence close in time to the arson.
The records indicated two IPv6 addresses had been used to search for the address three times: one the day before the SUV was set on fire, and the other two about an hour before the attack. The IPv6 addresses were traced to Verizon Wireless, which told the investigators that the addresses were in use by an account belonging to Williams. The agents noted Williams is a relative of a former publicist of R. Kelly.
After that, the team got another search warrant and went to the mobile carriers who operated the cell towers surrounding the street address where the arson happened. Sure enough, Williams's smartphone connected to those towers at around the time the SUV was set ablaze, after also having connected to towers near his home several hours prior, the Feds say.
On top of all that, surveillance cameras showed a truck, matching one registered to Williams, speeding away from the scene immediately after the vehicle was consumed by flames. Following Williams's arrest, it was revealed [PDF] Google had also directly connected the searches to Williams's Gmail account.
Williams's individual case, which looks to be part of a larger investigation, has since been terminated and sealed.
While word of these sorts of requests for the identities of people making specific searches will raise the eyebrows of privacy-conscious users, Google told The Register the warrants are a very rare occurrence, and its team fights overly broad or vague requests.
"We vigorously protect the privacy of our users while supporting the important work of law enforcement," Google's director of law enforcement and information security Richard Salgado told us. "We require a warrant and push to narrow the scope of these particular demands when overly broad, including by objecting in court when appropriate.
"These data demands represent less than one per cent of total warrants and a small fraction of the overall legal demands for user data that we currently receive." ®