Geofence Warrants and Google’s Sensorvault
- March 15, 2022
- Clayton Rice, K.C.
The cellphone dragnet called a geofence warrant harvests the location history generated by users of electronic devices that is stored by Google in a vast repository known as Sensorvault. Access to the storehouse by law enforcement continues to generate controversy because these warrants vacuum the location data of people who have no connection with a suspected crime. Fourth Amendment lawyers, digital rights advocates and many scholars engaged in the controversy have argued that geofence warrants violate the constitutional requirement of particularized probable cause. In a landmark ruling, a federal judge in Virginia agreed.
On May 20, 2019, an armed robbery occurred at the Call Federal Credit Union in Midlothian, Virginia. The suspect made off with $195,000. During the investigation, the police obtained a geofence warrant requiring Google to produce location information which led them to Okello Chatrie. He was eventually charged with two crimes related to the robbery and filed a motion to suppress. On March 3, 2022, Judge M. Hannah Lauck of the United States District Court, Eastern District of Virginia, released the opinion in United States v. Okello T. Chatrie on the application of Fourth Amendment jurisprudence to geofence warrants. (here) In denying the defendant’s motion for good faith reasons, Judge Lauck held that a search warrant used to identify all devices in the area of the bank robbery “plainly violates” the Fourth Amendment. The case is important for both the nature of the investigative technique and whether these warrants involve a Fourth Amendment search at all. I will focus in this post on aspects of Judge Lauck’s opinion that deal with the issue of particularized probable cause.
2. What is Location Data?
Location history can be a powerful source of information for law enforcement. It has the potential to draw from Global Positioning System (GPS) information, Bluetooth beacons, cell phone location information from cellular towers, Internet Protocol (IP) address information, and the signal strength of nearby Wi-Fi networks. The evidence on the Chatrie motion established that Google’s location history logs a device’s location, on average, every two minutes. It even allows Google to “estimat[e]…where a device is in terms of elevation.” This capability helps to determine if someone is on the second floor of a building if the Google maps directory is launched to help a user navigate indoors. A geofence warrant is used to compel Google to disclose anonymized location records for any device in a certain geographical area during a specified time period. It is distinct from traditional search warrants in that it works backwards. As I discussed in a previous post to On The Wire (here), a geofence warrant authorizes the search of everyone in order to identify someone.
3. Google’s Sensorvault
The location data stored in Google’s Sensorvault associates each data point with a unique user account. The Sensorvault assigns each device a unique device ID, as opposed to a personally identifiable Google ID, and receives and stores all location history in the Sensorvault to be used in ads marketing. Google then builds aggregate models within the Sensorvault with data that is transformed so that it no longer looks like user data, and then uses the data to, for instance, assist decision-making in Google Maps. To identify users within the relevant timeframe of a geofence warrant, Google has to compare all the data in the Sensorvault in order to identify users within the relevant timeframe of the warrant. Although location history is turned off by default, once a user opts in, Google is “always collecting” data and storing it in Sensorvault even “if the person is not doing anything at all with [his or her] phone.”
The parties in Chatrie “pursued a thorough and deep record” that is informative for any lawyer engaged in electronic search and seizure cases. Google filed an amicus brief and provided in-person testimony regarding the company’s acquisition, retention and use of users’ location data. Expert witnesses included a defence expert in “digital forensic examinations”. An FBI agent with the cellular analysis survey team (CAST) was called by the government. The extensive evidentiary foundation confirmed much of what was already known about Google’s location history feature, begun in 2009, involving Android and Apple devices. In a leading story for The New York Times in 2019 (here) investigative reporter Jennifer Valentino-DeVries described Sensorvault as “a trove of detailed location records involving at least hundreds of millions of devices worldwide” that included location information gathered when users “conduct searches or use Google apps that have location enabled.”
4. How Google Responds to a Geofence Warrant
In 2018 Google entered into discussions with law enforcement agencies and the U.S. Department of Justice on how to respond to geofence warrants because the early warrants it was receiving were too broad. Google has now instituted a policy of objecting to any warrant that fails to include “de[-]identification and narrowing measures.” The protocol entails a three-step process.
- Step 1. Law enforcement obtains a warrant requiring Google to disclose a de-identified list of all Google users whose location history data indicates were within the geofence during a specified timeframe. Google then provides the “responsive user records” identified in Sensorvault. Google deems a record to be “responsive” if a user’s estimated location (i.e., the stored coordinates of the phone in Location History) falls within the boundaries of the geofence.
- Step 2. Law enforcement reviews the de-identified data to determine the Sensorvault device numbers of interest. If law enforcement needs additional de-identified location information for a certain device, to determine whether that device is actually relevant to the investigation, law enforcement can compel Google to provide additional location coordinates beyond the time and geographic scope of the original request. These additional location points can assist in the elimination of devices that were not in the target location long enough to be of interest or were moving through the target location in a manner inconsistent with other evidence. Google imposes “no geographical limits” on Step 2 data. Therefore, if a user’s location fell within the geofence at Step 1, law enforcement can obtain all location points for identified users over an expanded timeframe at Step 2. No geographic barrier confines the information searched at Step 2.
- Step 3. Drawing from the de-identified data produced, law enforcement can compel Google to provide account-identifying information for the users determined to be relevant to the investigation. This account-identifying information includes the name and email address associated with the account. Although Google prefers that law enforcement request Step 3 data on fewer users than requested in Step 2, it is possible that Google would approve a Step 3 request that is not narrowed after Step 2 at all. (at pp. 17-22)
The warrant in Chatrie drew a geofence of a 150-metre radius with a diametre of 300 metres – longer than three football fields – in an urban environment that encompassed 17.5 acres. It required Google to disclose information on every device within the area of the robbery during a one-hour period. The geofence included a church, a Ruby Tuesday restaurant, a Hampton Inn hotel, several units of an apartment complex, a self-storage business, a senior living facility and two busy streets. Google’s initial search identified nineteen devices with a total of 210 individual location points. Google assigned anonymized identifiers to each device and the locations to the police. Following the three-step protocol, the police expanded the time period to two hours to obtain additional information for one of the devices. Ultimately, the police obtained subscriber information for three devices. One of them belonged to the defendant.
5. The Fourth Amendment Violation
Judge Lauck questioned whether a geofence warrant “may ever satisfy” the strictures of the Fourth Amendment and rejected the government’s “inverted probable cause argument” that law enforcement may seek information based on the assertion that “some unknown person committed an offense, and therefore search every person present nearby.” That argument rested on the “mere propinquity to others” rationale rejected in Ybarra v. Illinois (here) where the Supreme Court of the United States held that, “[w]here the standard is probable cause, a search or seizure of a person must be supported by probable cause particularized with respect to that person” and a “person’s mere propinquity to others independently suspected of criminal activity does not, without more, give rise to probable cause to search that person.”
Judge Lauck further held that Google’s three-step protocol did not cure the warrant’s defects. First, the narrowing process could not independently buttress the warrant because of its “clear lack of particularity”. A search warrant must particularly describe the place to be searched and the persons or things to be seized. Steps 2 and 3 of the warrant left the executing officer with”unbridled discretion and lacked any semblance of objective criteria to guide how officers would narrow the lists of users.” Second, the warrant did not provide “objective guardrails” by which officers could determine which accounts would be subject to further scrutiny and gave law enforcement “unchecked discretion” to seize more intrusive data with each round of requests “without ever needing to return to a neutral and detached magistrate for approval.”
The core of the Chatrie ruling, then, is that the geofence warrant failed to establish particularized probable cause to search every Google user within the geofence. As Judge Lauck concluded, when stripped of the complexities of novel technology, the warrant “lacked any semblance of such particularized probable cause to search each of its nineteen targets, and the magistrate lacked a substantial basis to conclude that the requisite probable cause existed.”
6. Good Faith Exception
The exclusionary rule in Fourth Amendment jurisprudence is designed to compel respect for constitutional rights and not to redress injury caused by an unconstitutional search. Generally, a search warrant issued by a judicial officer “suffices to establish” that a law enforcement officer “acted in good faith in conducting the search.” Therefore, searches carried out pursuant to a warrant “rarely require any deep inquiry into reasonableness.” Judge Lauck thus concluded that the good faith exception shielded the evidence from suppression despite the warrant failing Fourth Amendment scrutiny. Although the warrant lacked particularized probable cause, it was not “so lacking in indicia of probable cause as to render official belief in its existence entirely unreasonable.”
The vast trove of location history data amassed by Google is more precise, and thus more intrusive, than cell site location information and allows Google, in some circumstances, to estimate a device’s location, and by inference its user, to within three metres. In a post to the Electronic Frontier Foundation’s blog (here) Surveillance Litigation Director, Jennifer Lynch, emphasized that this precision allows Google to infer “where a user has been, what they were doing at the time, and the path they took to get there.” Judge Lauck made a similar observation when she described location history as “the most sweeping, granular, and comprehensive tool” for collecting and storing location data. I will leave you, then, with this comment by attorney Mark Rasch in a post to JD Supra (here) titled Don’t [geo]fence Me In: “[U]nless you are both technically sophisticated and particularly diligent, the odds are pretty good that Google knows where you are. Right now.”