Bulk Suspicion: Typo In Geofence Warrant Created Two-Mile Long Dragnet
We've expressed our displeasure with geofence warrants multiple times. I've often referred to them as reverse" warrants, a term that implies how these warrants invert probable cause. Those in the business of protecting rights (ACLU, EFF) aren't fans of that term, but it is useful shorthand. Rather than show a court probable cause exists to search a place for evidence of a crime because investigators have found suspects worth searching, investigators simply tell courts they have probable cause to believe Google (and it's almost always Google) holds the cell site location data sought by law enforcement.
Geofence warrants aren't new. They've been around for years. The pushback, however, is more recent. As criminal defendants have slowly been made aware this is how investigators are compiling lists of suspects, they've been challenging this evidence in court.
As for the courts, the issue is nowhere near settled. Some view massive demands for geolocation data to be nothing more than a reasonable extension of the Third Party Doctrine. Others have expressed concern that law enforcement, with a single warrant, can force Google to search the data of all of its users to find the limited (by time and place) information sought by investigators.
This is only the tip of the problematic iceberg. Most courts don't vet these warrant requests closely, allowing investigators to create dragnets that force Google to cough up data on dozens or hundreds of innocent people while maintaining the pretense cops are smart enough to parse this data dump correctly.
Those requesting warrants are often hesitant to provide courts with overhead shots of the area being subjected to this dragnet, allowing courts to assume this is a good faith effort to narrow the data demand while working with nothing more than geographic coordinates that convey limited information about the area (and entities) covered by the request.
Then there's the human error problem. Cops frequently screw up addresses when seeking warrants to search a single location. When cops screw up coordinates on a geofence warrant, this singular problem becomes a bulk collection problem - something highlighted in a recent post by the ACLU covering its examination of several geofence warrants. (h/t Zack Whittaker at TechCrunch)
Geofence warrants, like all other warrants, are not error-proof. During our investigation, we discovered one warrant that apparently contained an alarming error.
The error (perhaps the result of a typo) resulted in a warrant stretching nearly two miles across San Francisco and permitted law enforcement to capture information about people across the United Nations Building, Asian Art Museum, Civic Center Courthouse, State of California Building, Rosa Parks Senior Center, and Fire Station 5. Many private homes were also captured in the massive sweep.
Perhaps if the court had seen a visual representation of the proposed search, it might have decided to deny this request. Because this very definitely doesn't look like something someone meant to do. And if they did mean to do this, there's no way it's permissible under the Fourth Amendment.
That's a two-mile stretch of unrelated businesses, public buildings, and homes being subjected to a Google search just because someone fat-fingered the coordinates. And this surely can't be the only time this sort of error has happened. It raises a host of questions, none of which have been answered to this point. How often does this sort of mistake happen? How often do courts grant these erroneous requests? And, most importantly, how often do law enforcement agencies avail themselves of data they mistakenly obtained via a typo?
Even non-erroneous requests tend to create massive dragnets. The ACLU's report displays the results of a couple of other granted geofence warrants - ones that cover multi-family housing, public buildings, places of worship, and shopping centers. Every one of these is capable of giving cops permission to gather more data - if not actually arrest - people who did nothing more than exist in the areas covered by these geographic coordinates.
The Fourth Amendment demands specificity on top of probable cause. Even if it can be argued there's probable cause to believe Google retains this data, each warrant forces Google to search its entire data repository for responsive records. That's definitely not specific. Just because this is the only way Google can fulfill these requests shouldn't be taken by courts to mean this search method is justified.
Then there are the areas sought. When they cover areas where dozens or hundreds of innocent people might be present, the potential for false positives (and false arrests) expands exponentially.
This method may increase law enforcement efficiency by allowing it to generate a list of leads without ever leaving the desk, but the Constitution isn't there to ensure cops can operate with optimum efficiency. In fact, the Fourth Amendment can be read to state the opposite: rights are to be respected, even if they make it more difficult for investigators to do their job.
What's on display here is the opposite: dragnets are cast and cops are the direct beneficiaries of unsettled law. The Fourth Amendment says people should be free from unreasonable searches, but geofence warrants - at least those deployed in the San Francisco area - are anything but reasonable. The ACLU's examination of these warrants shows 82 apartment complexes, 84 businesses, 32 bars and restaurants, and 12 places of worship have been swept up in geofence dragnets.
So, where do we go from here? Well, there's Senator Ron Wyden's bill, which would create a warrant requirement for obtaining location data from third party data brokers, who collect this data from iOS and Android apps. At this point, geofence warrants served to Google would be unaffected because Google isn't (under the terms of the proposed law) a data broker and, more importantly, Google is actually being served with warrants rather than selling access to data to government agencies.
But that may change now that Google has stated most location data will be stored locally on users' devices, rather than by Google itself. If that's the case, investigators may turn to third parties to obtain location data - something they can currently do without showing reasonable suspicion, much less probable cause.
For the time being, the most important work is being done by those challenging these warrants. Google has, at least, proven willing to challenge overly broad requests, resulting in rewritten warrants or rejections of data demands by magistrate judges. Our rights mostly rely on those accused of crimes, something that has almost always been the case in terms of the Fourth Amendment. That these challengers are often unsympathetic protagonists doesn't mean they're wrong. It just means they're unlikely to receive mainstream support from legislators and the general public.
These warrants always create dragnets, even when they're done correctly. The courts need to step up and tell cops it's just not enough to claim Google houses location data. The Fourth Amendment requires more than cops with hunches telling courts they think they know where they can find a whole lot of data.