Google hopes to end tsunami of data dragnet warrants with Location History shakeup
Android giant follows Apple's lead, will store whereabouts on device and delete info earlier by default
Google has announced changes to its handling of Location History data that are expected to limit the internet giant's ability to respond to so-called geofence warrants.
Geofence warrants are demands for information from police and other authorities about all network-connected devices in a given area during a specific period of time. These warrants, presented to outfits like Google, therefore do not seek information on specific people, but anyone who passed through a particular area at a given time. It's used by law enforcement in the US to get a list of potential suspects based on their proximity to some crime or other.
The Electronic Frontier Foundation and others have argued these data demands are unconstitutional in America based on the Fourth Amendment, because they amount to searches without the need to actually demonstrate suspicion.
"They threaten privacy and liberty because they not only provide police with sensitive data on individuals, they could turn innocent people into suspects," EFF general counsel Jennifer Lynch wrote on Wednesday. "Further, they have been used during political protests and threaten free speech and our ability to speak anonymously, without fear of government repercussions."
The US Fourth Circuit Court of Appeals earlier this month heard arguments in United States v. Chatrie, the first geofence case to reach the appellate level. Meanwhile, there have been law bills proposed in New York and California to ban them that haven't gone anywhere.
Despite the lack of legal clarity, geofence dragnets have been widely used in recent years, by the FBI and police in multiple US states, such as Arizona, North Carolina, California, Florida, Minnesota, Maine, and Washington. And according to Orin Kerr, a law professor at the University of California, Berkeley, they've helped solve cases that lacked other leads.
Google has become a popular source for such data – generated by GPS signals, cell towers, Wi-Fi, and Bluetooth, and captured through Android and iOS devices via various apps like Google Maps – because the corporation stores much of it in a repository called Sensorvault.
Maintaining that repository has made Google an appealing resource for law enforcement organizations. As the company noted [PDF] in conjunction with its 2021 Transparency Report, "Since the start of 2018, we have seen a rise in the number of search warrants in the United States that order Google to identify users, based on their Location History information, who may have been in a given area within a certain timeframe."
Google reports that it received 11,554 geofence warrants in 2020, up from 982 in 2018.
Apple, as a point of comparison, this year said it had received just 13 geofence warrants in the first six months of 2022. The reason it receives so few is simply that it has no data to offer. As the iPhone giant states in its Transparency Report [PDF], "Apple does not have any data to provide in response to geofence requests."
- Should Google location data be a tool for cops?
- Revealed: US telcos admit to storing, handing over location data
- Secret Service, ICE break the law over and over with fake cell tower spying
- Cops gain access to phone location data
Google evidently aims to get out of the data dispensary business. The web goliath said this week it is changing the way it handles Location History data: It will store such data on-device rather than on its own servers; it will reduce the default data retention period – via the auto-delete setting – to three months, down from 18 months currently; and, for those who backup their data to the cloud, "we'll automatically encrypt your backed-up data so no one can read it, including Google," Marlo McGriff, Google Maps' product director, said.
The anticipated result – as these changes get implemented over the next few months – is that Google, like Apple, will have nothing to offer those who drop by for a geodata fishing expedition.
Why bother with warrants when cops can buy location data for under $10k?MEANWHILE
Indeed, Google confirmed to The Register the search titan will no longer be able to respond to new geofence warrants once these changes are put in place because it won’t have access to the relevant data. In other words, the changes were explicitly designed to put an end to dragnet searches of location data.
That said, we reckon Google won't be able to fully extricate itself from the surveillance business any time soon. As the EFF points out, Google collects location data in other contexts outside of its Location History timeline, like its Web & App Activity setting, which may be sought by authorities through lawful demands. And of course, authorities can be expected to continue to seek associated information like IP addresses – which may lead to a location – through individually-tailored warrants based on reasonable suspicion.
Even if Google reduces its role as a witness for the prosecution, authorities will have other options, like AT&T, which lets the Feds conduct phone record searches via its Hemisphere project. EFF Surveillance Litigation Director Andrew Crocker told The Register in an email that while the foundation is not aware of geofence warrants directed at telecom companies, those firms "respond to tower dumps, which share some similarities to geofence warrants."
But if geofence warrants become less useful, that's a noteworthy privacy improvement. ®