Don’t [Geo]Fence Me In: Federal Court Invalidates General Warrant for All Google Users Near a Bank Robbery

March 9, 2022

On May 20, 2019, at approximately 4:52 p.m., a man walked into the Call Federal Credit Union outside Richmond, Virginia, pointed a firearm at the tellers, and threatened to kill them and their families unless he was given at least 100K.  He ultimately took almost 200K from the bank.

What is a Geofence Warrant?

To learn the identity of the robber, the FBI obtained a “geofence” warrant from a federal judge. This is a warrant, served either on a phone provider or, as in this case, on Google, compelling the recipient to produce the location and personal data of all users who were within a specific radius (the geofence) during a period of time (from a few minutes to a few hours). As a practical matter, it is similar to what is called a “tower dump,” where phone companies are compelled to produce records of all cell phones that were near a particular cell tower or series of cell towers at or near a particular point in time. The warrant called for Google to produce location records that covered not only the bank, but also an adjacent church, hotel and residential neighborhood for a one-hour time period around the time of the robbery.

In essence, both the tower dump and the geofence warrant compel production of intimate information over which users have only limited control — their location data. They also compel production of a potentially large volume of data regarding completely innocent individuals in an effort to find the one person (or persons) for whom the Court has found probable cause. More nefariously, geofence warrants can be used to, for example, identify individuals who attend a particular church, synagogue or mosque, or those who go to a protest rally, frequent an AIDS clinic or an AA meeting. In fact, as long as the government can demonstrate probable cause with respect to any one person near the questioned location, it can get a warrant for information on everyone at that location — at least for some discrete period of time.

Most Geofence Warrants are Directed to Google

Many of these geofence warrants are directed to Google, because Google collects location data on a massive number of individuals through various means. While the collection techniques, anonymity, and specificity of data may be different, Google can collect location data on individuals based on their use of Android phones, their use of Google Maps, or their use of a wide variety of Google-related apps, including photos. Deleting apps or turning off location services is, at best, an imperfect way to protect identity and location. However, for some services – like driving apps such as Google Maps or Waze – location services are essential for the app to work.

Suffice it to say, unless you are both technically sophisticated and particularly diligent, the odds are pretty good that Google knows where you are.  Right now.  And last week.  And a year and a half ago. It also knows who you were with, and for how long.  It can probably infer what you were talking about, and certainly can infer what you might want to buy.  That’s the whole point.  Location data reveals an awful lot about people – and even anonymous data collection can usually be reversed.  For instance, if I know that an anonymous user was at the “Good Times” strip club from 11pm to 2am, and then drove to 123 Main Street (where they go every night) it’s not a stretch to infer that the owner or renter of 123 Main Street was the one at the strip joint.  Add additional data (attending college classes, etc.) and we get a portrait of a Google user.  What Google does not seem to have is the ability for users to specify the purpose for which Google can use the collected location data (e.g., ONLY to get me from point A to point B) and for real time “right to be forgotten” (e.g., when I get to point B, delete the location data).  As a result, Google has a trove of location data averaging 120 data points per person per day.

How Does Google Reply to Geofence Warrants?

Google replies to geofence warrants in a staged method — first providing law enforcement with anonymized data about everyone who is – or could have been – within the geofence within the specified time period.  After that, the police provide a more detailed warrant focusing on a narrower number of “hits” or “targets”, and finally a warrant on the person or persons about whom they actually have probable cause.  The cops link the geofence data with other databases to identify the target.

The fact that we can find identity from location is best illustrated by the fact that the FBI was able, using the geofence warrant on the bank location, to narrow the number of suspects down from the 19 people within the fence and to quickly identify Okello Chatrie as the robber. Which is, objectively, pretty cool.

Even though the first geofence warrant was served on Google in 2016, law enforcement agencies quickly learned that Google was a great repository for location data that could be used in a wide variety of criminal cases. From 2017 to 2018, the number of geofence warrants to Google increased by over 1,500 times. The next year brought an additional 500% increase. In fact, a quarter of all warrants served on Google are geofence warrants.

On March 3, 2022, a federal district court in Richmond, Virginia considered the legality of such geofence warrants to Google.

New Wine in Old Bottles

Geofence warrants reveal a lot of information about a lot of people who did nothing wrong. They track people outside in public and inside public buildings (like a bank), but they also track people’s movements inside their homes, churches and hotel rooms. In previous cases, the U.S. Supreme Court refused to allow the police to use infrared sensors to track suspected marijuana growers’ movements within their house, or a beeper to track the movements of a bottle of “precursor” chemicals within a building. Geofence data also includes both false positive data (erroneously placing a person inside the geofence when they are not) and false negative data (erroneously placing a person who is inside the fence on the outside). In fact, in the Richmond bank case, data points on individuals – identified as Mr. Blue, Mr. Green, and Ms. Yellow (with no obvious nod to Reservoir Dogs) – popped into and then out of the zone apparently randomly. The police sought to justify the overbreadth of identifying persons who had no relationship to the criminal activity on the ground that, because of their location, they might be victims or witnesses. But that’s not a justification to intrude on their privacy.

At its core, the federal court noted that the problem with the geofence warrant was as follows:

“Warrants, like this one, that authorize the search of every person within a particular area must establish probable cause to search every one of those persons. Here, however, the warrant lacked any semblance of such particularized probable cause to search each of its nineteen targets, and the magistrate thus lacked a substantial basis to conclude that the requisite probable cause existed…”

The warrant was thus overbroad, lacked the requisite specificity required under the Fourth Amendment, and the results of the warrant needed to be suppressed.

While the police may have probable cause to get the location data of the robber, they certainly don’t have probable cause to get the location data of the parishioner at the church, the resident of the home across the street, or the guest at the hotel within the radius of the geofence.

Geofence Warrants and the Fourth Amendment

In a real sense, the normal rules of “search” and “seizure” and expectations of privacy, established over the past 231 years since the ratification of the Fourth Amendment, are difficult to apply to internet-based and remotely collected and stored databases. While a person has a reasonable expectation of privacy in their movements within their home, does the fact that they are broadcasting these movements (either deliberately or inadvertently) to a third party impact whether the Court should consider that privacy interest “reasonable”? I think so, but other courts might not.

As to the question of whether the warrant was “specific” (warrants must both be supported by probable cause and specify the place to be searched and the thing to be seized), does specificity mean simply that the warrant describes that which it seeks (e.g., all information related to persons who entered the geofence) or does it mean that it must call only for production of records for which probable cause has been established?  Most courts would agree on the latter.  As a practical matter, could the police have narrowed the warrant in a meaningful way to get what they needed without getting extraneous data?  And does Okello Chatrie have reason to challenge the search of the parishioner’s location?

The federal court concluded that the geofence warrant was overbroad, lacked specificity, and lacked probable cause.  Specifically, however, the Court noted “that it declines to consider today whether a geofence warrant may ever satisfy the Fourth Amendment’s strictures” suggesting that additional privacy protections – including anonymity and minimization procedures to protect location data of those not involved in criminal activity – might save a future geofence warrant.  This is not the first time a court has struggled with the legality of a geofence warrant (or a related tower dump), and it certainly won’t be the last.  So, next time you plan your armed bank robbery, here’s a tip to the wise – leave your Samsung Galaxy at home.

If you have questions or would like to discuss further, contact Cyber Security, Data Breach & Privacy Chair Mark Rasch (MDR@kjk.com; 301.547.6925).