Washington: It was a case that gave a new meaning to the phrase “Google search.”
Earlier this year, a judge in the US signed a search warrant for a windfall of private information to help find the robber responsible for a string of crimes in southern Maine. Authorities were seeking a large amount of sensitive user data — including names, addresses and location — of anyone who had been in the vicinity of at least two of the nine robbery locations, within 30 minutes of the crime.
The Associated Press reports Google apps can collect data even when users have turned off location services on their phones, so the potential number of people covered by the warrant was vast. Still, without knowing whom the warrant was looking for or whether the suspect even used a Google device, a judge signed the warrant on March 30.
The warrant ordered Google to turn over all sought data, whether a user was carrying an Android phone or running a Google app at the time, a move that has alarmed some privacy and Fourth Amendment experts worried that warrants with very broad scopes will become a new norm for police investigations.
“Where big data policing and data trails are available it becomes tempting, and maybe too tempting, to take shortcuts with process that should be used as a last resort,” Andrew Ferguson, author of “The Rise of Big Data Policing: Surveillance, Race, and the Future of Law Enforcement” said. He pointed to all the people bound to be swept up in such dragnet searches.
The warrant was written by the US attorney’s office in the District of Maine to assist in catching the perpetrator, according to the document: “[I]nformation stored in connection with an email account may provide crucial evidence of the “who, what, why, when, where, and how” of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or alternatively, to exclude the innocent from further suspicion.”
According to Ferguson, the facts of each robbery, laid out by officials in the warrant application, did not make clear what they were looking for. The suspect had committed seven successful armed robberies and botched two attempts, targeting local gas stations, convenience stores and Chinese restaurants.
The perpetrator was usually, though not consistently, described as white, wearing a dark hoodie and covering the lower half of his face. All of the mentioned crimes spanned late March.
“It’s like they were trying to lump them all together and draw threads using digital trails,” Ferguson said.
Google’s first court-ordered deadline arrived on April 23, but the US attorney’s office had not received anything. It asked for an extension to afford the company more time, Assistant US Attorney Michael Conley said. Five months and three extensions later, his office gave up. “We were pursuing every possible angle,” Conley said.
By that point, though, Conley didn’t need Google’s assistance. The suspect, Travis Card, had been arrested months earlier in an armed robbery of a country gas station.
It is unclear whether Google failed to respond to the warrant in an attempt to thwart law enforcement and protect user privacy or because it couldn’t locate the information. But the incident appears to be an example of corporations struggling with how to position themselves in relation to law enforcement.
In an age where virtually everyone carries a phone at nearly every moment of the day, devices have a trove of data for law enforcement to look to — map applications, WiFi hotspots, cell-tower triangulations, images with embedded locations.
People should not have to rely on tech companies to make discretionary decisions about whether to protect such personal data, said Nathan Freed Wessler, a staff attorney at the ACLU Speech, Privacy, and Technology Project. Instead, he said, sensitive information should be protected by strong laws and judges’ strong enforcement of the Constitution.
“The only real way we’re going to avoid unnecessary dragnet searches is to have protections in place. It may be appropriate in exceptional circumstances or where other avenues are exhausted, but there are lots of other ways to build leads and find suspects,” said Wessler, drawing a comparison to wiretaps, which are also not the first option in criminal investigations. Courts require a showing that they are, in fact, a necessary tactic.
The same, he said, should be true of data searches that can sweep up other people.
Some technology companies have tried to argue these requests are fishing expeditions, though as service providers they often have little ground to stand on in court. Facebook fought New York prosecutors, losing the battle to block bulk search warrants in 2017. Last year, Amazon.com was ordered to turn over any data collected during an alleged murder.
Though the company satisfied part of the warrant, it filed a motion to void the rest, calling the warrant excessive. Like Card’s case, Amazon’s compliance eventually became moot.
Apple famously fought a court order to assist federal investigators in developing software to break the PIN code of San Bernardino shooter Syed Rizwan Farook’s iPhone.
Many corporations have updated guidelines to inform users when they receive court orders for information. To counter this, law enforcement has been tacking gag orders onto warrants that forbid the named company from disclosing their existence.
Google could not disclose there was a warrant for 180 days.
Although Conley would not comment on how often the federal government uses data-driven warrants in criminal investigations, some experts are convinced it’s already happening regularly.
“One of the things that isn’t getting enough attention is that this is going to be the new norm for police investigations. We need to educate police, prosecutors, judges and defendants about how to appropriately request the digital trails,” Ferguson said.
— Washington Post
