The identity fraud went down like this: in January, a man who identified himself as the customer of a Minnesota bank called to ask for a wire transfer of $28,500 from a line of credit to another bank.
To verify his identity, he gave the bank his name, date of birth, and taxpayer ID. The purported customer also faxed in a copy of what looked like his passport.
It wasn’t. It was fake, and the transfer was fraudulent. The crook had faxed it over with a phone number spoofed to masquerade as the victim’s phone number.
The image wasn’t actually of the victim, but it was of an individual close to the victim’s age. Police in Edina, Minnesota, searched for the image online, but they couldn’t find it via Yahoo or Bing searches. They did however find it on Google, so they hypothesized that the fraudster must have used Google to search for the image subject’s name when making the fake passport.
Thus were they led to seek a warrant with a massive scope: one that sought “any/all user or subscriber information” related to searches on the victim’s name for a period of five weeks.
The warrant, which Edina police applied for in February, was signed off on by Hennepin county judge Gary Larson. Here’s how broad the document was: the warrant sought the specific times and dates of the searches, along with names, addresses, telephone number(s), dates of birth, social security (taxpayer) numbers, email addresses, payment information, account information, IP addresses, and MAC addresses of any and all persons who ran a search on a handful of variations on the victim’s name between December 1 and January 7.
The warrant application was discovered and published by Tony Webster, who calls himself a web engineer, public records researcher and policy nerd. He’s put up a version of the document on his site, with the victim’s full name redacted so as to protect his privacy.
Webster told Ars Technica’s David Kravets that language in the warrant that says “located in city or township of Edina, County of Hennepin, State of Minnesota” is standard, pro forma language, often contained in the county’s warrants. The language doesn’t mean that the warrant’s limited to those who searched the victim’s name from within the city limits of Edina.
But the warrant goes far beyond Edina. In fact, it’s a sweeping dragnet looking for details about an untold number of people on a global scale, the vast majority of whom are assuredly innocent of any wrongdoing.
Webster likens it to taking out a warrant for anybody who bought a pressure cooker on Amazon a month before the Boston bombing. He also questions how police access to those people’s personal details might play out:
Could this type of search warrant be used to wrongly ensnare innocent people? If Google were to provide personal information on anyone who Googled the victim’s name, would Edina Police raid their homes, or would they first do further investigative work? The question is: what comes next?
He also compared it to tower dumps: a warrantless, large-scale interception of mobile phone data that gives police the identity, activity and location of any phone that connects to targeted phone towers, generally within one or two hours.
For those, law enforcement agents use stingrays: suitcase-sized cell site simulators that they use to mimic a cell tower and trick nearby phones (as in everybody’s phones, not just crooks’) into connecting and giving up their identifying information and location.
The warrant for the people who searched on the wire fraud victim’s name is similar to tower dumps in that both entail police sweeping up a vast amount of non-public data on people who aren’t wanted for any crime. As Webster noted, it represents “an opportunity for police to arrest or convict the wrong person through a flurry of circumstantial evidence”.
Andrew Crocker, a staff attorney for the Electronic Frontier Foundation (EFF), called out the warrant as unconstitutional on Twitter:
— Andrew Crocker (@agcrocker) March 16, 2017
According to the warrant application, Edina authorities had first sent Google an administrative subpoena “requesting subscriber information for anyone who had performed a Google search” for the victim’s name. Google refused to comply with that administrative subpoena, which is similar to a search warrant but without a judge’s signature.
Officer David Lindman wrote in the warrant application that he was after the judge-signed warrant to save time:
Though Google’s rejection of the administrative subpoena is arguable, your affiant is applying for this warrant so that the investigation of this case does not stall.
Google hinted, in an email to Ars, that it plans to fight the warrant:
We aren’t able to comment on specific cases, but we will always push back when we receive excessively broad requests for data about our users.