Zachary McCoy went for a bike ride on a Friday in March 2019. The avid biker would do loops around his Gainesville, Fla., neighborhood and track his rides with a fitness app on his Android phone. McCoy didn’t think anything unusual had happened that day. But months later, in January of this year, McCoy got an email from Google saying that his data was going to be released to local police. He’d become a potential suspect in a local burglary—and had no idea why.
“There was absolutely nothing that tied Zack to this at all, other than Google saying he was there on the street,” McCoy’s lawyer, Caleb Kenyon, said.
Police pegged McCoy as a potential suspect without security camera footage, eye-witness accounts, or any sort of forensic evidence because his device had shown up as near the burglary site. The Gainesville Police Department had gotten something called a geofence warrant granted by the Alachua County court.
Geofence warrants, or reverse-location warrants, are a fairly new concept.
With permission from a judge, they allow law enforcement to obtain anonymized data from Google from almost any device that was in a certain geographic area at a specific time. Police can then go back to Google for more specific user information on anyone they deem a suspect.
In McCoy’s case, he was tracking his bike ride using Runkeeper, which makes use of Google’s location services, just as many apps do. (Check your settings in your Google account—if “location history” is on, then Google has data on your movements.) He hired an attorney to fight the warrant before his personal information was released, and police ended up not pursuing the case. (The Gainesville Police Department declined to comment, except to say that there has not yet been an arrest in the burglary.)
Google is the only tech company publicly known to release this kind of information to law enforcement specifically in response to geofence warrants. It is not clear how many other companies do the same.
Microsoft assistant general counsel Hasan Ali, in an email response to The Markup’s request for comment, said “Microsoft does not and would not be in a position to comply with any warrants seeking such information.”
Apple and Facebook declined to comment on the record regarding the warrants and whether they have any similar data and do or do not provide it to law enforcement.
There’s no centralized database or oversight of geofence warrants, so it’s hard to measure exactly how often they’re used and for what sorts of crimes. Criminal cases springing from such warrants have largely involved robberies, burglaries, and murders—but there’s growing speculation that police may use them to gather information on people who attend protests.
According to The New York Times, federal law enforcement first used the warrants in 2016. Since then, local police departments have adopted the tool—and its use is growing rapidly.
In a court filing late last year, Google said law enforcement requests for geofenced location history data in its trove went up 1,500 percent between 2017 and 2018, and at least 500 percent between 2018 and 2019. Google has yet to release any exact figures, but reportedly they have received as many as 180 requests in a single week.
In an email response to The Markup’s request for comment, Google’s Director of Law Enforcement and Information Security, Richard Salgado, said, “We vigorously protect the privacy of our users while supporting the important work of law enforcement. We developed a process specifically for these requests that is designed to honor our legal obligations while narrowing the scope of data disclosed.”
Civil liberties groups—and increasingly politicians and judges as well—are watching the rise in geofence warrants with concern. There are cases around the country challenging the constitutionality of such warrants, proposed legislation in New York to limit their use, and at least one member of Congress who believes the federal government should get involved.
“I think they’re incredibly dangerous, particularly if there are not significant guardrails put in place,” Rep. Kelly Armstrong (R-ND) told The Markup.
So what exactly do police get through these warrants?
A traditional search warrant for a car or a house or a laptop typically targets a specific person police have probable cause to suspect of a crime.
Geofence warrants allow law enforcement officers to search when they don’t have a potential suspect.
Geofencing itself simply means drawing a virtual border around a predefined geographical area. Data can then be gathered on users who enter that area.
Geofencing is often used by marketers trying to reach specific audiences. A conservative political organization called CatholicVote has used geofencing technology to identify Catholic church-goers and send targeted political ads to their devices. Clothing retailer Gap used the technology to send virtual ads to users within a certain distance of their physical ads. An NBC News report from late last year found that the University of North Carolina was using geofencing to monitor the location and social media activity of protesters on campus. And the American Civil Liberties Union found in 2016 that law enforcement was using a social media monitoring service called Geofeedia to track Black Lives Matter protesters.
(In response to the ACLU’s report, Facebook, Twitter, and Instagram announced they would no longer provide their users’ data to Geofeedia.)
While it’s unclear exactly how deep police can dive into user data they obtain from geofence warrants, current cases where the warrants are being challenged are revelatory.
In an armed robbery case in Richmond, Va., police were able to use such a warrant to not only identify the accused but also access his location history from that day and personal information like his email address. That case is in federal court in the Eastern District of Virginia. In a burglary case in state court in San Francisco, a man was identified through a geofence warrant through which police also acquired two email addresses of his, a complete list of Google-associated applications he’d used, and the IP address of at least one of his devices.
(Defendants in both cases, which are wending their ways through court, argue that the warrants were unconstitutional.)
In a court filing in the Virginia case, Google said that in addition to location history, geofence warrants can include “account-identifying information” and “account subscriber information such as the Gmail address associated with the account and the first and last name entered by the user on the account.”
Are these warrants constitutional?
Civil liberties groups say the issue with geofence warrants is just how much information from innocent individuals law enforcement can get their hands on.
The claim is that they violate the Fourth Amendment, which protects Americans against “unreasonable searches and seizures” and stipulates that warrants only be issued with probable cause “particularly describing the place to be searched, and the persons or things to be seized.” The problem with geofence warrants is that the persons and place to be searched are rarely particular, and there’s no limit to how many innocent people are included if they happen to be in law enforcement’s search boundaries.
Police, on the other hand, generally argue that such warrants aren’t so different from other types of surveillance—from using security camera footage to sifting through data from cell towers to see which devices passed through the area.
Google has not taken a public position on whether it believes the warrants are constitutional but says it does provide data when presented with a warrant. The company has outlined its process in court filings and said that it considers executing geofence warrants “a broad and intrusive search” that’s significantly different from cellphone tower dumps.
The constitutional question is largely unsettled—no case involving a geofence warrant has made its way to a high-level court. But on Aug. 24, Magistrate Judge Gabriel A. Fuentes of the U.S. District Court for the Northern District of Illinois issued what is believed to be the first federal court opinion on the Fourth Amendment’s relationship to geofence warrants.
Investigators in the state requested a geofence warrant three times in hopes of finding a suspect who allegedly stole prescription drugs. Despite repeatedly narrowing their request, Judge Fuentes declined to grant the warrant.
While geofence warrants are not in themselves “categorically unconstitutional,” he wrote, investigators lacked probable cause to scoop up vast location data from cellphones of people who obviously had no connection to a crime but happened to be nearby when it was committed.
“The potential to use Google‘s capabilities to identify a wrongdoer by identifying everyone (or nearly everyone) at the time and place of a crime may be tempting,” Fuentes wrote. “But if the government can identify that wrongdoer only by sifting through the identities of unknown innocent persons without probable cause and in a manner that allows officials to ‘rummage where they please in order to see what turns up,’ ” then courts should not permit the practice.
There are political efforts to rein them in
On April 8, state senator Zellnor Myrie introduced the Reverse Location Search Prohibition Act in New York.
The bill would prohibit “the search, with or without a warrant, of geolocation data of a group of people who are under no individual suspicion of having committed a crime, but rather are defined by having been at a given location at a given time.”
If the bill passes, New York would become the first state where geofence warrants are banned.
“We can either create boundaries on what kinds of data companies can collect—only to be outpaced by new advances in technology—or we can put limits on how law enforcement can obtain and use that data,” Myrie said in an email.
Armstrong, the North Dakota congressman, has also confronted Google about its compliance with geofence warrants.
“People would be terrified to know that law enforcement could grab general warrants and get everyone’s information everywhere,” Armstrong said in the hearing. “It requires Congress to act, and it requires everybody that is a witness in this hearing to be willing to work too, because it is the single most important issue.”
Pichai responded by saying Google thinks “it’s an important area for Congress to have oversight” and that the company recently began automatically deleting location activity after “a certain period of time.”
“I don’t blame the tech companies solely for this,” Armstrong told The Markup. “Congress’s failure to act on this is going to become more and more of an issue.”