Future Tense

Google Knows Where You’ve Been. Should It Tell the Police?

A federal case cracks open how the search giant traces users’ locations—and how much it’s willing to give to law enforcement.

An Android phone radiating sonarlike circles with stick figures in the tightest circle, one of which is a bank robber
Photo illustration by Slate. Photos by Emmi Korhonen/AFP via Getty Images and Getty Images Plus.

On a May afternoon in 2019, someone held up the Call Federal Credit Union in Midlothian, Virginia, fleeing on foot with $195,000 from the bank safe. Police got to work right away. To try and find the thief, they turned to a powerful and increasingly common law enforcement tool: They got a warrant for a geofence.

In this case, they used data from Google to try and identify known cellphone users who might’ve been within 150 meters of the Call Federal Credit Union in the hour before and after the robbery. That physical radius, and the two-hour time window, is the geofence. Data from within it led to the arrest of Okello Chatrie months after the robbery.

Advertisement

In March, federal District Judge Hannah Lauck, in U.S. v. Chatrie, took up the question of whether geofences can be used in criminal investigations. In Chatrie, Lauck ruled the geofence in that case was unconstitutional. Privacy considerations and the limitations of geofence technology combined to make the search illegal.

Advertisement
Advertisement
Advertisement

The Chatrie case offered unusual and important insights into geofence technology. It also highlighted new privacy concerns stemming from the massive collection of data that tech companies compile from our digital lives. Combine that massive data set with the government’s police powers, and the implications for privacy and security are striking.

To understand geofences, you have to know a bit about how your phone works. Modern phones track your physical location in a variety of ways. If you’re connected to a Wi-Fi network, your phone monitors which ones. In the same way, if you’re connected to a cellphone network, the phone knows which cell towers are communicating with the phone. Of course, your phone also has a GPS receiver that tracks the phone’s location.

Advertisement
Advertisement

The geofence warrant process described in Chatrie is fascinating. According to the record in Chatrie, Google, using a variety of services it operates, keeps “detailed location data on ‘numerous tens of millions’ ” of [Google] users. That’s right—not just tens of millions of users.  Numerous tens of millions.

One service Google uses to track users’ location is called, plainly enough, Location History. This is the service that allows Google users to view their own histories in their Google timelines. If you’ve ever gotten an email from Google at the end of the month telling you where you went that month, that’s Location History at work.

Advertisement

Not surprisingly, Google also uses this data in its advertising efforts. With this information, it can gauge, for example, if people who saw an ad online later went to the physical location for the store that did the advertising. Location History gathers location information from GPS data, Bluetooth beacons, proximity to cellphone towers, IP address information, and the strength of nearby Wi-Fi networks. Location History logs a user’s location, on average, every two minutes.

Advertisement
Advertisement
Advertisement

Google stores Location History in what it calls a Sensorvault. Each set of location data is associated with a unique user account.

Users have to opt in to Location History. Once they do, though, Google will continue to collect Location History data even if the user later deletes the app that prompted the opt-in. Once a user enables Location History, Google tracks the user’s location across every app and from every device associated with that user.

The location data obtained by Location History data isn’t pinpoint accurate. Location History estimates a user’s location within a “confidence interval” circle and aims to be right about that approximate location 68 percent of the time.

Sometimes the confidence interval circle is as little as 3 meters across. Sometimes it’s hundreds of meters. (I once lost my phone on a trail near the James River. Google told me it was somewhere in the middle of the river, which was close geographically but useless practically.)  Because the location tech has this functional limitation, some users’ devices that seem to fall inside the geofence will in fact be outside it.  That’s because the physical circle described in the geofence warrant may overlap with the confidence interval circles identifying the location of users’ devices.

Advertisement
Advertisement
Advertisement
Advertisement

Here’s a rendering of how user data overlapped with the red circle of the geofence in the Chatrie case. Note that the “confidence interval” circle for one device identified through the geofence warrant could only be narrowed to a circle with a 387-meter radius. That circle is more than twice the size of the geofence itself.

Overlapping geofence circles overlaid on a Google Earth map of a bank with surrounding points of interest labeled
Google via U.S. v. Chatrie
Advertisement
Advertisement

The second service most useful to locating users is called Google Location Accuracy. This is the service Google uses when responding to government geofence search warrants. Users who turn on Google Location Accuracy permit Google to determine their location using additional inputs like Wi-Fi access points, mobile networks, and other “sensors.” Location History isn’t sufficient to pinpoint devices within a geofence. But Google Location Accuracy is. It’s only available on Google Android devices.

Advertisement

The Chatrie record also showed that users have the ability to pause Google’s location tracking service or even to delete their location history. That ability suggests users have some power over Google’s location tracking. But that power is limited because the interfaces that permit user control can be difficult for them to find or navigate.

Advertisement

Google received its first geofence warrant in 2016. Law enforcement’s use of these warrants has grown exponentially since then. Warrants to Google for users’ location information grew 1,500 percent from 2017 to 2018 and 500 percent from 2018 to 2019. In 2019, Google received about 9,000 geofence requests.

The proliferation of geofence warrants has resulted in a three-step process for Google to respond to them. Google intends this process to respect users’ privacy while, at the same time, helping law enforcement with legitimate investigative needs.

First, Google uses Location History to identify users whose estimated location is within the geofence. Sometimes Google’s own security specialists will coordinate modifying the geofence terms to make them more limited. Google then provides to law enforcement a “de-identified” list of users who fall within the geofence. (Instead of identifying, say, “Cullen Seltzer,” Google reports the user at this stage as “Mr. Blue.” Very Reservoir Dogs.)

Advertisement
Advertisement
Advertisement

Second, law enforcement will ask Google for additional “de-identified” location information for some of the devices that were found inside the geofence. This additional location data may in fact be outside the geofence. For example, the police may ask, “Tell me all the users who were inside the geofence at 1 p.m., but were also at a particular restaurant, outside the geofence, at 5 p.m.”) This second-step request is intended to assess whether the users inside the geofence are relevant to their investigation. Google requires law enforcement to narrow its request for this second step of location data but has no firm policy on how much narrowing is required.

Advertisement
Advertisement

Third, law enforcement then assesses which of the users selected in the second step will be identified by their account information (e.g., their names, usernames, etc.). Google “prefers” that this third set of users be narrowed from the second set, but it’s possible, at least, that sometimes that doesn’t happen.

Advertisement

Significantly, although a judge has to issue the geofence warrant that starts this process between Google and law enforcement, once the warrant is issued, the back-and-forth happens between the police and Google. Judges aren’t required to assess the reasonableness of the resulting searches and disclosures.

Advertisement

The U.S. Supreme Court has, as recently as 2017’s Carpenter v. U.S., expanded the scope of Fourth Amendment protections against unreasonable searches in response to evolving technology. Carpenter instructed that we have Fourth Amendment privacy rights even in data that we don’t own. In that case, the Supreme Court ruled that cellphone location data about us, but in the hands of our cell service provider, was still private. If the government wants that information, the Fourth Amendment requires it to get a warrant.

Advertisement

That makes sense. The Fourth Amendment’s protections must reflect our changing times and changing technology. If the Constitution won’t keep up with new tech, then the Fourth Amendment will stop being a check on modern governmental power.  It’ll instead become a quaint footnote to a bygone era when police had to search your files to find out about your finances and follow you in a car to know where you are. Just because James Madison, in 1787, couldn’t have imagined the internet, or a $2.5 trillion corporate behemoth with millions of terabytes of data at its disposal, doesn’t mean the Fourth Amendment has no application to those realities of our lives.

Advertisement
Advertisement
Advertisement

But location-tracking technology is too powerful, and too useful, for any of us to expect it to be sidelined from law enforcement’s use forever. So consider these guidelines for how geofencing might be used reasonably:

Advertisement

• Geofence warrants should only disclose users’ identities when the fence is narrowly drawn and the confidence interval circle clearly puts the user inside the geofence.

• The identities of users inside the geofence should be disclosed to the police only when they can corroborate that the user inside the geofence has some connection to the crime being investigated.

• When considering a geofence warrant, courts should consider the stakes of the investigation. Busting kids for selling dime bags of weed probably doesn’t justify invading the privacy of innocent people inside and outside the geofence. Finding the whereabouts of a ticking-bomb terrorist, though, may well warrant some intrusion into privacy, in the same way that police stop cars after an escape from a prison, for example.

Advertisement

• Every step of the geofence warrant process should be reviewed by a judge before additional searches are run or disclosures are made. The touchstone for reasonableness in the Fourth Amendment warrant context has been, and should remain, review of search requests by a dispassionate magistrate. Law enforcement and Google shouldn’t be negotiating over what gets disclosed. Google shouldn’t be in the position of deciding if the police have narrowed their search requests sufficiently. That’s a judge’s job.

Advertisement

In Chatrie, the judge ruled that the geofence warrant was unconstitutional. But Lauck said the evidence from the warrant was admissible anyway, because the police acted in good faith in seeking the warrant. That’s probably the right answer. You can hardly fault the police, after getting a warrant, for not fully appreciating the contours of what’s fair game when it comes to location data. Those rules are still being written.

Advertisement
Advertisement

Geofencing isn’t the first engagement in this rolling battle over what privacy means in the digital age. It won’t be the last. Indeed, New York lawmakers are considering legislation to outlaw geofence warrants. But this argument highlights for all of us what it means to have personal autonomy in our lives. Lauck called on Congress to help fill in the blanks to make privacy real and the Fourth Amendment relevant for all of us. That’s probably the right answer, too.

The defendant in Chatrie has since pleaded guilty in his case. But he reserved the right to appeal the geofence ruling. This issue isn’t going away for Chatrie, or for any of us, anytime soon.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.

Advertisement