Google Data and Geofence Warrant Process

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Introduction

We all know that Google is tracking us. But what does that actually mean? What exact data are they “tracking,” how are they doing it, and for those of us who are representing clients in federal court, how is law enforcement getting that data from Google and using it in their prosecutions?

This blog post will try to give you some answers to these questions. The purpose of this post is threefold: first, to provide a primer on how Google collects location data; second, to explain the three-step warrant process used by law enforcement to obtain these records; and third, to give an example of how the data is collected and used by law enforcement. Note this guidance is based on publicly available information, including recent court opinions. To date, there has not been an opportunity for defense attorneys to seek discovery from Google or to question a qualified representative from Google about their methods of collecting location data. 

What Can Google Do?

Google began collecting location data in order to provide location-based advertisements to its users. Location data is tracked by Google from users, including from consumers who use Android telephones and those who use Google’s vast array of available apps on other devices, including Apple iPhones. For Android devices, Google is constantly tracking devices whenever the permission settings on the device are set to allow for the use of Google Location Accuracy. For iOS users, location information is only collected when a user is using a Google product, such as Google Maps.[i]

Google can determine the approximate location of a device based on GPS chips in the device, as well as the device’s proximity to Wi-Fi hotspots, Bluetooth beacons, and cell sites.[ii] For Wi-Fi and Bluetooth, Google already knows the location of hotspots and Bluetooth beacons. When a device detects an available Wi-Fi network, for instance, it records and sends the unique serial number to Google.  Since Google has previously connected the physical location of many such hotspots with the unique identifier, Google assumes that if you are in range of a Wi-Fi hotspot, you should be sent advertisements for businesses in that area.

How Google tracks this data depends on the type of device (Android v. Apple) and an individual user’s privacy settings.[iii] Google cannot determine the exact location of a device, and as such, location records contain an “uncertainty value” which is expressed in meters. This service, called Sensorvault, was designed by Google to sell location-based advertisements.

Maps Display Radius

Although Google does not know a device’s precise location, it often has an idea where the device is located, which is represented by one or more spheres, or what Google calls the Maps Display Radius.

For example, in this picture, the dark blue circle in the middle is Google’s best guess about the actual location of a device. According to Google, its “goal is that there will be an estimated 68% chance that the user is actually within” the spherical representation.[iv]

But Google is not always sure the user is actually in the small blue circle; the area indicated by a larger sphere, outlined in white in this example, represents Google’s guess as to where the user may actually be. 

This makes sense considering the goal of Sensorvault is to provide location-based advertisements.  For this purpose, if a user is within several blocks of a location, the location-based advertisement succeeds.  This becomes relevant because the government claims it is the same procedure used in producing location data to law enforcement.[v]

It is useful to see how Google determines the approximate location of a device by looking at the Location History of a Google account. In this example, according to Google, the blue line indicates the path of travel; the orange dots represent the source of the location data; and the grey sphere next to the blue arrow is the estimated range of the location source. Google determines the line of travel based on the proximity to the sources of location data.

Generally, the location information source has the biggest impact on the Maps Display Radius. Among GPS chips in phones, Bluetooth beacons, Wi-Fi hotspots, and Cell Sites, GPS provides the smallest sphere whereas Cell Sites are generally the largest. In other words, GPS location is generally the most accurate of the major location information sources, and Cell Sites are the least accurate. For example, the map display radius for GPS is often only a few meters, while locations based on cell sites routinely have radiuses of over 1000 meters.

Use of Google’s Tools by Law Enforcement – Three-Step Warrant Process

Although the original intent of Google’s Sensorvault technology was to sell location-based advertising more effectively, over the past few years this data has been sought by law enforcement to determine who was present in a specific geographical area at a particular time, such as when a crime has been committed. These warrants are often called “geofence warrants” because officers seek information regarding devices which were contained within a geographic area at a certain time.

Google currently requires law enforcement to obtain three separate warrants to access the information.[vi] The first two warrants seek an anonymized list of devices within specific coordinates at specific times. The specific locations are defined as a radius or a polygon. The third warrant provides information about the owner of the accounts associated with a specific device.

First and Second Steps – Example

In response to the first warrant, Google provides the following data: (1) anonymized user identifiers; (2) date and time the device was in the geofence; (3) approximate latitude and longitude of the device; (4) what Google deems its map display radius; and (5) the source of the location data. The warrant returns warn that the Maps Display Radius field reflects an estimated uncertainty value regarding the reported coordinates with the range depending on numerous factors and that the location approximation is intended for the product’s use.[vii]

As for the second step, after reviewing responses to the first warrant, “[i]f additional deidentified location information for a device in the production is necessary to eliminate false positives or otherwise determine whether that device is actually relevant to the investigation, law enforcement can compel Google to provide additional contextual location coordinates beyond the time and geographic scope of the original request….”[viii] 

For example, In the Matter of the Search of information that is stored at premises controlled by Google, 1600 Amphitheatre Parkway, Mountain View, California 94043, 18MJ191-DEJ (EDWI 2018), law enforcement officers investigating a bank robbery sought information about “all Google accounts” located within a 30-meter radius around 43.110877, -88.337330 on October 13, 2018 from 8:50 a.m. to 9:20 a.m. CST.  The red radius in the following example shows the boundaries of the geofence warrant.

Another example is In the Matter of the Search of Information Regarding Accounts Associated with Certain Location and Date Information, Maintained on Computer Servers Controlled by Google, Inc., 18MJ169-ML (WDTX 2018). Law enforcement officers investigating a series of bombings sought location information for “all Google accounts” for a 12-hour period between March 1 and 2, 2018 in a “[g]eographical box” around 1112 Haverford Drive, Austin, Texas, 78753 containing the following coordinates: (1) 30.405511, -97.650988; (2) 30.407107, -97.649445; (3) 30.405590, -97.646322; and (4) 30.404329, -97.647983.  The boundaries of the geofence in the following picture are highlighted in blue.

Third Step

The third step involves compelling Google “to provide account-identifying information for the device numbers in the production that the government determines are relevant to the investigation. In response, Google provides account subscriber information such as the email address associated with the account and the name entered by the user on the account.”[ix]

Starting from the Beginning – How the Process Works

For example, a crime occurs in the parking lot of a strip mall.

Because the crime happens in the middle of a parking lot, law enforcement would create a geofence, which would include storefronts since that would increase the chances a suspect’s device would interact with a Wi-Fi hotspot or Bluetooth beacon; it also means many more people unconnected to the offense would have their information captured.

Although the above geofence appears to impact only people who are present in the parking lot or surrounding businesses, it would likely capture the personal data of people living in the nearby apartments and those driving on the surrounding streets.  The list of device identifiers and location points for such a geofence warrant would likely be extensive; the following is an example of a warrant return, with a more limited dataset:

Device ID | Date     | Time            | Latitude  | Longitude   | Source | Maps Display Radius (m)
123456789 | 12/20/20 | 15:08:45(-8:00) | 32.752667 | -117.2168   | GPS    | 5
987654321 | 12/20/20 | 15:08:55(-8:00) | 32.751569 | -117.216647 | Wi-Fi  | 25
147852369 | 12/20/20 | 15:08:58(-8:00) | 32.752022 | -117.216369 | Cell   | 1000
123456789 | 12/20/20 | 15:09:47(-8:00) | 32.752025 | -117.216369 | Cell   | 800
987654321 | 12/20/20 | 15:09:55(-8:00) | 32.752023 | -117.216379 | Wi-Fi  | 15
123456789 | 12/20/20 | 15:10:03(-8:00) | 32.752067 | -117.216368 | Wi-Fi  | 25
987654321 | 12/20/20 | 15:10:45(-8:00) | 32.752020 | -117.216359 | Cell   | 450
987654321 | 12/20/20 | 15:10:55(-8:00) | 32.752032 | 117.216349  | Wi-Fi  | 40
123456789 | 12/20/20 | 15:10:58(-8:00) | 32.752012 | 117.216379  | Cell   | 300

For Stage One and Two returns, the Device ID field contains an anonymized user identification number.  In a stage three warrant, law enforcement officers seek the user’s actual name.  The Date and Time fields reflect when a device was within the geofence.  The Latitude and Longitude fields reflect the coordinates of a device within the geofence.  The Source field indicates if the location data is based on GPS, Wi-Fi, or Cell.[x] Finally, the Maps Display Radius (m) field reflects the uncertainty of the location data represented in a sphere measured in meters.

In this example, Device ID 123456789 is Suspect One, Device ID 987654321 is Suspect Two, and Device ID 147852369 is Suspect Three.  For this example, only one location for each device is shown.

At first blush, it would appear as if the Geofence has located three possible suspects.  But this image does not tell the full story. The blue bubbles for Suspect One and Suspect Two show a Maps Display Radius of 5 and 25 meters respectively.

Suspect Three’s location was derived from a Cell Site, with a Maps Display Radius of 1000 meters.

Thus, although Google believes that Suspect Three’s device was near the scene of the crime, it is possible it was located anywhere within the larger sphere, and maybe the device was not within either sphere.
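The comparison described above can be reproduced from a warrant return. The following is an added example, not part of the original post and not Google's method: it takes the first row for each device from the sample return and checks it against a constructed circular geofence (the center and 100-meter radius are assumptions, since the post shows its geofence only as an image), reporting whether the stored coordinates fall inside the fence and how much of the Maps Display Radius circle does.

```python
import math

# Constructed geofence: the page shows its geofence only as an image, so this
# center and radius are assumptions made for the example.
FENCE = (32.752100, -117.216600, 100.0)  # lat, lon, radius in meters

# First row for each device in the page's sample warrant return.
ROWS = [
    ("123456789", 32.752667, -117.2168, "GPS", 5.0),
    ("987654321", 32.751569, -117.216647, "Wi-Fi", 25.0),
    ("147852369", 32.752022, -117.216369, "Cell", 1000.0),
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(a))

def overlap_fraction(d, r, R):
    """Share of the display-radius circle's area (radius r) that lies inside a
    circular geofence (radius R) whose center is d meters away. This is
    geometry only, not a probability that the device was inside."""
    if d >= r + R:
        return 0.0
    if d <= abs(R - r):  # one circle wholly contains the other
        return min(r, R) ** 2 / r ** 2
    a = r * r * math.acos((d * d + r * r - R * R) / (2 * d * r))
    b = R * R * math.acos((d * d + R * R - r * r) / (2 * d * R))
    c = 0.5 * math.sqrt((-d + r + R) * (d + r - R) * (d - r + R) * (d + r + R))
    return (a + b - c) / (math.pi * r * r)

def assess(row, fence=FENCE):
    """Compare one return row against the geofence."""
    device, lat, lon, source, r = row
    clat, clon, R = fence
    d = haversine_m(lat, lon, clat, clon)
    return {
        "device": device,
        "source": source,
        "distance_m": round(d, 1),
        "responsive": d <= R,         # stored coordinates fall inside the fence
        "circle_inside": d + r <= R,  # whole uncertainty circle inside the fence
        "circle_share_inside": round(overlap_fraction(d, r, R), 3),
    }

if __name__ == "__main__":
    for row in ROWS:
        print(assess(row))
```

With these assumed fence values, all three rows are responsive, but only 1% of the area of the cell-site circle for Device ID 147852369 lies inside the geofence, while the GPS and Wi-Fi circles lie wholly inside it.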

Conclusion

As technology and privacy concerns of consumers continue to evolve, so will the ability of law enforcement to obtain location data of users. Using Google geofence warrants implicates several Fourth Amendment issues; future posts will explore the legal implications surrounding the overbreadth of these warrants.[xi] But beyond the legal challenges, those encountering Google location warrants should remain mindful of the limitations of the data and the absence of concrete answers from Google regarding their methodology for determining location data.


[i] The exception is for a user who has turned location services to always on, has a Google product open on a device, and has allowed for background app refresh. That means that it is likely that Google knows far more about the location history of Android users than iPhone users. That’s important because approximately 52 percent of devices on mobile networks are iOS devices. https://www.statista.com/statistics/266572/market-share-held-by-smartphone-platforms-in-the-united-states/.

[ii] https://policies.google.com/technologies/location-data (“On most Android devices, Google, as the network location provider, provides a location service called Google Location Services (GLS), known in Android 9 and above as Google Location Accuracy. This service aims to provide a more accurate device location and generally improve location accuracy. Most mobile phones are equipped with GPS, which uses signals from satellites to determine a device’s location – however, with Google Location Services, additional information from nearby Wi-Fi, mobile networks, and device sensors can be collected to determine your device’s location. It does this by periodically collecting location data from your device and using it in an anonymous way to improve location accuracy.”)

[iii] https://support.google.com/nexus/answer/3467281?hl=en

[iv] See United States v. Chatrie, 19cr00130-MHL (EDVA 2020), ECF 1009 [Declaration of Marlo McGriff] (“A value of 100 meters, for example, reflects Google’s estimation that the user is likely located within a 100-meter radius of the saved coordinates based on a goal to generate a location radius that accurately captures roughly 68% of users. In other words, if a user opens Google Maps and looks at the blue dot indicating Google’s estimate of his or her location, Google’s goal is that there will be an estimated 68% chance that the user is actually within the shaded circle surrounding that blue dot.”)

[v] See Id. at 10 (“[I]f a user’s estimated location (i.e., the stored coordinates in LH) falls within the radius of the geofence request, then Google treats that user as falling within the scope of the request, even if the shaded circle defined by the 68% confidence interval falls partly outside the radius of the geofence request. As a result, it is possible that when Google is compelled to return data in response to a geofence request, some of the users whose locations are estimated to be within the radius described in the warrant (and whose data is therefore included in a data production) were in fact located outside the radius. To provide information about that, Google includes in the production to the government a radius (expressed as a value in meters) around a user’s estimated location that shows the range of location points around the stored LH coordinates that are believed to contain, with 68% probability, the user’s actual location.”)

[vi] Over the years, this practice has changed.  At one point, law enforcement only submitted one warrant requesting the three-step process.  In more recent cases, it appears as if Google requires a separate warrant. 

[vii] Id. at 4 (“After that search is completed, LIS assembles the stored LH records responsive to the request without any account-identifying information. This deidentified ‘production version’ of the data includes a device number, the latitude/longitude coordinates and timestamp of the stored LH information, the map’s display radius, and the source of the stored LH information (that is, whether the location was generated via Wi-Fi, GPS, or a cell tower)”).

[viii] Id. at 17.

[ix] Id.

[x] Google has the unique identifier for Wi-Fi hotspots and Cell sites.  If this information was included in warrant returns, it would assist in verifying that the location information provided in the returns is accurate.

[xi] In the Matter of the Search of: Information Stored at Premises Controlled by Google, 20mc00392-GAF (NDIL 2020) provides a great overview of the Fourth Amendment issues relating to Google Geofence warrants.  See also https://www.eff.org/deeplinks/2020/07/eff-files-amicus-brief-arguing-geofence-warrants-violate-fourth-amendment
