You’ve assuredly heard this before about ubiquitous surveillance, or perhaps even said it yourself: “If you have nothing to hide, and you’ve done nothing wrong, why should you worry?”
Zachary McCoy, of Florida, offers this answer:
If you’re innocent, that doesn’t mean you can’t be in the wrong place at the wrong time, like going on a bike ride in which your GPS puts you in a position where police suspect you of a crime you didn’t commit.
As NBC News reports, McCoy, an avid cyclist, got an email from Google in January.
It was from Google’s legal investigations support team. They were writing to let the 30-year-old know that local police had demanded information related to his Google account. He had seven days in which to appear in court if he wanted to block the release of that data, Google told him.
He was, understandably, terrified, in spite of being one of those innocent people who should have nothing to hide. NBC News quotes him:
I was hit with a really deep fear.
I didn’t know what it was about, but I knew the police wanted to get something from me. I was afraid I was going to get charged with something, I don’t know what.
How is it that McCoy didn’t know what police were inquiring about? Because his Android phone had been swept up in a surveillance dragnet called a geofence warrant – a type of warrant done in secret.
McCoy’s device had been located near the scene of a burglary that had taken place near the route he takes to bicycle to his job. Investigators had used the geofence warrant to try to suss out the identity of people whose devices are located near the scene of a crime around the time it occurred.
As NBC News reports, police hadn’t discovered his identity. The first stage of data collection doesn’t return identifying information – only data about devices that might be of interest. It’s during the next stage, when police sift through the data looking for suspicious devices, that they turn to Google to ask that it identify users.
Like many of us, McCoy had an Android phone that was linked to his Google account, and he used plenty of apps that store location data: Gmail, YouTube, and an exercise-tracking app called RunKeeper that feeds off of Google location data and which helps users to track their workouts.
You can look up your location history to find out exactly what Google knows about you, by date. On the day of the burglary – 29 March 2019 – Google knew that McCoy had passed the scene of the crime three times within an hour as he looped through his neighborhood during his workout.
It was a “nightmare scenario,” McCoy said:
I was using an app to see how many miles I rode my bike and now it was putting me at the scene of the crime. And I was the lead suspect.
How McCoy fought his way out of the dragnet
When it receives a request about a user from a government agency, Google’s general policy is to email that user before disclosing information.
There wasn’t much of anything in that notice about why police were asking about him, McCoy said. However, there was one clue: a case number.
McCoy ran a search for that case number on the Gainesville, Florida, police department’s website. What he found was a one-page investigation report on the burglary of an elderly woman’s home 10 months earlier. She lived less than a mile from where McCoy was living.
He knew he had nothing to do with the break-in, but he had very little time – seven days – in which to prove it. So McCoy hired a lawyer, Caleb Kenyon, who did some research and learned that Google’s notice had been prompted by a geofence warrant: one that swept up the GPS, Bluetooth, Wi-Fi and cellular connections of everyone nearby.
After they figured out why police were trying to track McCoy down, Kenyon told NBC News that he called the detective on the case and told him, “You’re looking at the wrong guy.”
On 31 January, Kenyon filed a motion in civil court to render the warrant “null and void” and to block the release of any further information about McCoy, identifying him only as “John Doe.” If he hadn’t done so, Google would have turned over data that would have identified McCoy. In his motion, Kenyon argued that the warrant was unconstitutional because it allowed police to conduct sweeping searches of phone data from untold numbers of people in order to find a single suspect.
Kenyon’s motion gave investigators pause. Kenyon told NBC News that not long after he filed it, a lawyer in the state attorney’s office assigned to represent the Gainesville Police Department told him there were details in the motion that led them to believe that his client wasn’t the culprit. The state attorney’s office withdrew the warrant, saying in a court filing that it was no longer necessary.
Even after police acknowledged that McCoy wasn’t a suspect anymore, Kenyon wanted to make sure they wouldn’t harbor suspicions about his client, whom they still only knew as “John Doe.” So the lawyer met with the detective in order to show him screenshots of McCoy’s Google location history, including data recorded by RunKeeper. The maps showed months of bike rides past the burglarized home, NBC News reports.
McCoy was lucky. He and his family are also a bit poorer because of the incident. If his parents hadn’t helped him out by giving him thousands of dollars to hire a lawyer, things could have turned out differently, he says.
I’m definitely sorry [the burglary] happened to her, and I’m glad police were trying to solve it. But it just seems like a really broad net for them to cast. What’s the cost-benefit? How many innocent people do we have to harass?
Geolocation data: It’s hit or miss
Geolocation data sometimes gets it right when it comes to tracking down criminals. For example, last year, a homicidal cycling and running fanatic known for his meticulous nature in tracking his victims was undone by location data from his Garmin GPS watch.
Other convictions based on location data have included the pivotal Carpenter v. United States, which concerned a Radio Shack robbery – the legal arguments from this case have gone on to inform subsequent decisions, including one from January 2019 in which a judge ruled that in the US, the Feds can’t force you to unlock your phone with biometrics.
Geofence warrants, however, are a whole other thing.
Privacy and civil liberties advocates have voiced concerns about the warrants potentially violating constitutional protections against unreasonable search. Police have countered by insisting that they don’t charge somebody with a crime unless they have evidence to go on besides a device being co-located with a crime scene.
These searches are becoming increasingly widespread, however. In December 2019, Forbes reported that Google had complied with geofence warrants that, at that time, had resulted in what the magazine called an unprecedented data haul for law enforcement.
Google had combed through its gargantuan Sensorvault database to find 1,494 device identifiers for phones in the vicinities of multiple crimes. Sensorvault is where Google stores location data that flows from all its applications. If you’ve got the Location History setting turned on in your Google account, you’re feeding this ocean of data, which is stuffed with detailed location records from what The New York Times reports to be at least hundreds of millions of devices worldwide.
To investigators, this is gold: a geofence demand enables them to pore through location records as they seek devices that may be of interest to an investigation.
Geofence data demands are also known as ‘reverse location searches’. Investigators stipulate a timeframe and an area on Google Maps and ask Google to give them the record of each and every Google user who was in the area at the time.
When police find devices of interest, they’ll ask Google for more personal information about the device owner, such as name, address, when they signed up for Google services and which services – such as Google Maps – they used.
Google’s location history data is routinely shared with police. Detectives have used these warrants as they investigate a variety of crimes, including bank robberies, sexual assaults, arsons, murders, and bombings.
And it’s not just Google. As Fast Company reported last month, recently discovered court documents confirm that prosecutors have issued geofence warrants for data stored by Apple, Uber, Lyft, and Snapchat.
Fast Company reported that it didn’t know what data, if any, the companies had handed over (Apple, for one, has said that it doesn’t have the ability to perform these kind of searches). All it knows was that the warrants had been served.
How to turn off Google’s location history
If you don’t like the notion of Google being able to track your every movement, you can turn off location history.
To do so, sign into your Google account, click on your profile picture and the Google account button. From there, go to Data & personalization, and select Pause next to Location History. To turn off location tracking altogether, you have to do the same for Web & App activity in the same section.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
6 comments on “Google data puts innocent man at the scene of a crime”
Detective looking for people is by chances / conditions in the older days; like asking witnesses. But geofence warrants are looking at “big data” and detective decides who to look for. Even your “dogs” (if they wear GPS device) could be in their radar.
The difference is the method that you were known and approached. In older days, you were “spotted” by witnesses (3rd parties). In modern days, you were spotted by your own data which you could claim your privacy and security on it.
In addition, how’s the “attitude” the police / detective approaching you? How easy you deal with this situation (without hiring a lawyer)? Could you decide on what data (a sub-set of data) to prove yourself? And many procedural and non-disclose agreements needed.
i.e. help police to protect us and help our data protected
“how’s the “attitude” the police / detective approaching you?”
I agree. I don’t mind is the police are looking for criminals and my name comes up, if I can talk with them like I was a potential witness. This might help reduce crime. But if that assume that the phone location proves that I committed the crime, that is a different kind of problem.
It’s not just that your location is hovered up in the investigation. It’s also that sometimes it’s just wrong about where you have been. I live in the UK and on a number of occasions Google maps timeline has placed me in a location several miles from where I actually was. On some days I know I was at home but the timeline showed me taking a trip to an area several miles away. Probably due to it erroneously pinging mobile phone masts as part of triangulating location?
Either way it’s inaccurate and it occured to me at the time how reliance on such data is dodgy and could have serious ramifications for individuals and by implication the wider justice system.
Location based on IP data is sometimes almost absurdly inaccurate. Google’s mapping website and the ads o get on mainstream media sites have put me variously in London (I am about 100km away), Brighton, and sometimes even in Wales or Scotland. All this from a static IP tied to a specific phone line going through the same fibre cabinet every time…
I am assuming that in this case the data was GPS-based. GPS data can be absurdly accurate at cycling speeds – to the point that you can often see when you changed lanes or deviated to get past a supermarket delivery can stopped in an unsuitable place.
Well I have a static IP address and a fixed land line.
Today google.co.uk thinks I’m in: Argyll and Bute Council – From your Internet address – Use precise location – Learn more
Actually I live near Cambridge City in the UK.
I experience this too – I have turned up in every country of the UK except for Northern Ireland. All the computing power of the global internet often thinks I’m from London, very often from Scotland and sometimes from Wales. The locations are so variable but wrong that I imagine if I were to map everywhere I apparently didn’t live I’d get a more accurate answer. OTOH, the mobile phone company knows where I am pretty much all the time, and the tiny GPS I have on my bicycle is precise enough to pick out things such as overtaking a bus or riding in a contraflow bike lane (where you appear to be on the wrong side of the road).
In this case, of course, the person *was* where the data claimed, so neither its accuracy nor its precision was in question, but the amount one might fairly infer from it certainly was.