Location data taken in aggregate can power useful features, with Google leveraging that history for traffic updates, recommendations, and ads. A new report today reveals how U.S. law enforcement is increasingly requesting that data as part of criminal investigations. While the practice is useful, privacy advocates argue that such overbroad requests risk “snaring the innocent.”
What’s happening technically?
The New York Times today published a deep dive on the Location History feature that Google introduced in 2009. It “saves where you go with your devices, even when you aren’t using a specific Google service.” That latter part essentially means that tracking and recording of where you are occurs in the background, even when users don’t actively have a location app (like Google Maps) open on their phone.
Google notes that Location History allows for “benefits” like “personalized maps, recommendations based on places you’ve visited, help finding your phone, real-time traffic updates about your commute, and more useful ads.”
This feature is “off by default for your Google Account” and has to be manually enabled. Users can see the feature in action on their Google Maps Timeline, with the ability to edit and delete individual entries. Location History can also be turned off on a device-by-device basis. Google over the past year has set out to make it easier for users to understand these settings:
- Google is making it easier to control and delete your data, starting with Search
- Redesigned ‘Google Account’ interface officially launches w/ enhanced control and privacy
It’s important to note that Location History differs from Web & App Activity, which is used by Google Assistant. While Web & App Activity does include location data, it is geared more toward what users are doing on their phones than toward where they physically are.
How law enforcement is using it
Location History — and not Web & App Activity — is stored in a Google database known as Sensorvault. These records span back a decade and include hundreds of millions of devices worldwide, according to the NYT.
When a crime occurs in an area, police are increasingly requesting a warrant for Google to “provide information on all devices it recorded near the killing, potentially capturing the whereabouts of anyone in the area.”
This year, one Google employee said, the company received as many as 180 requests in one week. Google declined to confirm precise numbers.
Speaking to the New York Times, Googlers have noted a sharp rise in warrants over the past six months. The practice was first used in 2016 by federal agents, but local police forces have caught on in California, Washington, Minnesota, and Florida.
The warrant process
- Law enforcement will request a “geofence warrant” for a specific time and area from a judge.
- Google complies with judicial requests and queries Sensorvault for devices in the area. At this stage, Google only labels information with “anonymous ID numbers.”
- Police use this data to find “locations and movement patterns” relevant to the crime.
- Another request is sent to Google for the devices that belong to possible suspects and witnesses, with the company then revealing usernames and other information.
The NYT article features an interactive infographic of the entire process that’s worth a view. Google itself created and abides by this two-step process of first only handing over anonymous data.
Meanwhile, this data isn’t a silver bullet for detectives — which some in law enforcement recognize — given that the underlying system was not meant to provide this level of accuracy. Google has a backlog given the increasing requests, with the company sometimes not being able to deliver for weeks and months.
Though Google’s data cache is enormous, it doesn’t sweep up every phone, said Mr. Edens, the California intelligence analyst. And even if a location is recorded every few minutes, that may not coincide with a shooting or an assault.
Why it’s problematic
The technique has been proven to work, but the NYT has already documented cases in which police used this data to accuse innocent people, given the broad nature of the requests and the data.
Technology companies have for years responded to court orders for specific users’ information. The new warrants go further, suggesting possible suspects and witnesses in the absence of other clues. Often, Google employees said, the company responds to a single warrant with location information on dozens or hundreds of devices.
In terms of safeguards, the Supreme Court ruled that warrants, per Google’s existing practice, are required for historical location data from devices. However, the rules are a patchwork across the country, with some areas having more stringent requirements:
Some jurisdictions require investigators to return to a judge and obtain a second warrant before getting identifying information. With another warrant, investigators can obtain more extensive data, including months of location patterns and even emails.
The full New York Times piece is worth a read for all the examples of these warrants in action.