Tracking phones, Google is a dragnet for the police

When detectives in a Phoenix suburb arrested a warehouse worker in a homicide investigation last December, they credited a new technique with breaking open the case after other leads went cold.

The police told the suspect, Jorge Molina, they had data tracking his phone to the site where a man was shot nine months earlier. They had made the discovery after obtaining a search warrant that required Google to provide information on all devices it recorded near the killing, potentially capturing the whereabouts of anyone in the area.

Investigators also had other circumstantial evidence, including security video of someone firing a gun from a white Honda Civic, the same model that Molina owned, though they could not see the license plate or attacker.

But after he spent nearly a week in jail, the case against Molina fell apart as investigators learned new information and released him. Last month, the police arrested another man: his mother’s ex-boyfriend, who had sometimes used Molina’s car.

The warrants, which draw on an enormous Google database employees call Sensorvault, turn the business of tracking mobile phone users’ locations into a digital dragnet for law enforcement. In an era of ubiquitous data gathering by tech companies, it is just the latest example of how personal information — where you go, who your friends are, what you read, eat and watch, and when you do it — is being used for purposes many people never expected. As privacy concerns have mounted among consumers, policymakers and regulators, tech companies have come under intensifying scrutiny over their data collection practices.

The Arizona case demonstrates the promise and perils of the new investigative technique, whose use has risen sharply in the past six months, according to Google employees familiar with the requests. It can help solve crimes. But it can also snare innocent people.

Google records people’s locations worldwide. Now, investigators are using it to find suspects and witnesses near crimes, running the risk of snaring the innocent. (The New York Times)

Technology companies have for years responded to court orders for specific users’ information. The new warrants go further, suggesting possible suspects and witnesses in the absence of other clues. Often, Google employees said, the company responds to a single warrant with location information on dozens or hundreds of devices.

Law enforcement officials described the method as exciting, but cautioned that it was just one tool.

“It doesn’t pop out the answer like a ticker tape, saying this guy’s guilty,” said Gary Ernsdorff, a senior prosecutor in Washington state who has worked on several cases involving these warrants. Potential suspects must still be fully investigated, he added. “We’re not going to charge anybody just because Google said they were there.”

It is unclear how often these search requests have led to arrests or convictions, because many of the investigations are still open and judges frequently seal the warrants. The practice was first used by federal agents in 2016, according to Google employees, and first publicly reported last year in North Carolina. It has since spread to local departments across the country, including in California, Florida, Minnesota and Washington. This year, one Google employee said, the company received as many as 180 requests in one week. Google declined to confirm precise numbers.

The technique illustrates a phenomenon privacy advocates have long referred to as the “if you build it, they will come” principle — anytime a technology company creates a system that could be used in surveillance, law enforcement inevitably comes knocking. Sensorvault, according to Google employees, includes detailed location records involving at least hundreds of millions of devices worldwide and dating back nearly a decade.

The new orders, sometimes called “geofence” warrants, specify an area and a time period, and Google gathers information from Sensorvault about the devices that were there. It labels them with anonymous ID numbers, and detectives look at locations and movement patterns to see if any appear relevant to the crime. Once they narrow the field to a few devices they think belong to suspects or witnesses, Google reveals the users’ names and other information.

‘‘There are privacy concerns that we all have with our phones being tracked — and when those kinds of issues are relevant in a criminal case, that should give everybody serious pause,” said Catherine Turner, a Minnesota defence lawyer who is handling a case involving the technique.

Investigators who spoke with The New York Times said they had not sent geofence warrants to companies other than Google, and Apple said it did not have the ability to perform those searches. Google would not provide details on Sensorvault, but Aaron Edens, an intelligence analyst with the sheriff’s office in San Mateo County, California, who has examined data from hundreds of phones, said most Android devices and some iPhones he had seen had this data available from Google.

In a statement, Richard Salgado, Google’s director of law enforcement and information security, said that the company tried to “vigorously protect the privacy of our users while supporting the important work of law enforcement.” He added that it handed over identifying information only “where legally required.”

Molina, 24, said he was shocked when the police told him they suspected him of murder, and he was surprised at their ability to arrest him based largely on data.

“I just kept thinking, You’re innocent, so you’re going to get out,” he said, but he added that he worried that it could take months or years to be exonerated. “I was scared,” he said.

A NOVEL APPROACH

Detectives have used the warrants for help with robberies, sexual assaults, arsons and murders. Last year, federal agents requested the data to investigate a string of bombings around Austin, Texas.

Austin investigators obtained another warrant after a fourth bomb exploded. But the suspect killed himself three days after that bomb, as they were closing in. Officials at the time said surveillance video and receipts for suspicious purchases helped identify him.

An FBI spokeswoman declined to comment on whether the response from Google was helpful or timely, saying any question about the technique “touches on areas we don’t discuss.”

Officers who have used the warrants said they showed promise in finding suspects as well as witnesses who may have been near the crime without realising it. The searches may also be valuable in cold cases. A warrant last year in Florida, for example, sought information on a homicide from 2016. A Florida Department of Law Enforcement spokeswoman declined to comment on whether the data was helpful.

The approach has yielded useful information even if it wasn’t what broke the case open, investigators said. In a home invasion in Minnesota, for example, Google data showed a phone taking the path of the likely intruder, according to a news report and police documents. But detectives also cited other leads, including a confidential informant, in developing suspects. Four people were charged in federal court.

A TROVE OF DATA

Location data is a lucrative business — and Google is by far the biggest player, propelled largely by its Android phones. It uses the data to power advertising tailored to a person’s location, part of a more than $20 billion market for location-based ads last year.

Current and former Google employees said they were surprised by the warrants. Brian McClendon, who led the development of Google Maps and related products until 2015, said he and other engineers had assumed the police would seek data only on specific people. The new technique, he said, “seems like a fishing expedition.”

UNCHARTED LEGAL TERRITORY

The practice raises novel legal issues, according to Orin Kerr, a law professor at the University of Southern California and an expert on criminal law in the digital age.

One concern: the privacy of innocent people scooped up in these searches. Several law enforcement officials said the information remained sealed in their jurisdictions but not in every state.

In Minnesota, for example, the name of an innocent man was released to a local journalist after it became part of the police record. Investigators had his information because he was within 170 feet of a burglary. Reached by a reporter, the man said he was surprised about the release of his data and thought he might have appeared because he was a cabdriver. “I drive everywhere,” he said.

These searches also raise constitutional questions. The Fourth Amendment says a warrant must request a limited search and establish probable cause that evidence related to a crime will be found.

Warrants reviewed by The Times frequently established probable cause by explaining that most Americans owned mobile phones and that Google held location data on many of these phones. The areas they targeted ranged from single buildings to multiple blocks, and most sought data over a few hours. In the Austin case, warrants covered several dozen houses around each bombing location, for times ranging from 12 hours to a week. It wasn’t clear whether Google responded to all the requests, and multiple officials said they had seen the company push back on broad searches.

Last year, the Supreme Court ruled that a warrant was required for historical data about a person’s mobile phone location over weeks, but the court has not ruled on anything like geofence searches, including a technique that pulls information on all phones registered to a cell tower.

Google’s legal staff decided even before the 2018 ruling that the company would require warrants for location inquiries, and it crafted the procedure that first reveals only anonymous data.

“Normally we think of the judiciary as being the overseer, but as the technology has gotten more complex, courts have had a harder and harder time playing that role,” said Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union. “We’re depending on companies to be the intermediary between people and the government.”