On a May afternoon in 2019, someone held up the Call Federal Credit Union in Midlothian, Virginia, fleeing on foot with $195,000 from the bank safe. Police got to work right away. To try and find the thief, they turned to a powerful and increasingly common law enforcement tool: They got a warrant for a geofence.
In this case, they used data from Google to try and identify known cellphone users who might’ve been within 150 meters of the Call Federal Credit Union in the hour before and after the robbery. That physical radius, and the two-hour time window, is the geofence. Data from within it led to the arrest of Okello Chatrie months after the robbery.
In March, federal District Judge Hannah Lauck, in U.S. v. Chatrie, took up the question of whether geofences can be used in criminal investigations. In Chatrie, Lauck ruled the geofence in that case was unconstitutional. Privacy considerations and the limitations of geofence technology combined to make the search illegal.
The Chatrie case offered unusual and important insights into geofence technology. It also highlighted new privacy concerns stemming from the massive collection of data that tech companies compile from our digital lives. Combine that massive data set with the government’s police powers, and the implications for privacy and security are striking.
To understand geofences, you have to know a bit about how your phone works. Modern phones track your physical location in a variety of ways. If you’re connected to a Wi-Fi network, your phone knows which one. In the same way, if you’re connected to a cellphone network, the phone knows which cell towers it is communicating with. Of course, your phone also has a GPS receiver that tracks the phone’s location.
The geofence warrant process described in Chatrie is fascinating. According to the record in Chatrie, Google, using a variety of services it operates, keeps “detailed location data on ‘numerous tens of millions’ ” of [Google] users. That’s right—not just tens of millions of users. Numerous tens of millions.
One service Google uses to track users’ location is called, plainly enough, Location History. This is the service that allows Google users to view their own histories in their Google timelines. If you’ve ever gotten an email from Google at the end of the month telling you where you went that month, that’s Location History at work.
Not surprisingly, Google also uses this data in its advertising efforts. With this information, it can gauge, for example, if people who saw an ad online later went to the physical location for the store that did the advertising. Location History gathers location information from GPS data, Bluetooth beacons, proximity to cellphone towers, IP address information, and the strength of nearby Wi-Fi networks. Location History logs a user’s location, on average, every two minutes.
Google stores Location History in what it calls a Sensorvault. Each set of location data is associated with a unique user account.
Users have to opt in to Location History. Once they do, though, Google will continue to collect Location History data even if the user later deletes the app that prompted the opt-in. Once a user enables Location History, Google tracks the user’s location across every app and from every device associated with that user.
The location data obtained by Location History isn’t pinpoint accurate. Location History estimates a user’s location within a “confidence interval” circle and aims to be right about that approximate location 68 percent of the time.
Sometimes the confidence interval circle is as little as 3 meters across. Sometimes it’s hundreds of meters. (I once lost my phone on a trail near the James River. Google told me it was somewhere in the middle of the river, which was close geographically but useless practically.) Because the location tech has this functional limitation, some users’ devices that seem to fall inside the geofence will in fact be outside it. That’s because the physical circle described in the geofence warrant may overlap with the confidence interval circles identifying the location of users’ devices.
Here’s a rendering of how user data overlapped with the red circle of the geofence in the Chatrie case. Note that the “confidence interval” circle for one device identified through the geofence warrant could only be narrowed to a circle with a 387-meter radius. That circle is more than twice the size of the geofence itself.
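The overlap problem described above comes down to the geometry of two circles. The following is an added example, not part of the original article or of Google's process: it classifies location estimates against a 150-meter fence and computes how much of each confidence circle lies inside it. The device labels and offsets are constructed; only the 150-meter and 387-meter radii come from the article.

```python
import math

FENCE_RADIUS_M = 150.0  # geofence radius cited in the article

def classify(d, r, fence=FENCE_RADIUS_M):
    """Position of a confidence circle (radius r, center d meters from the
    fence center) relative to the fence."""
    if d + r <= fence:
        return "inside"      # whole circle within the fence
    if d - r >= fence:
        return "outside"     # circle never reaches the fence
    return "ambiguous"       # circle straddles the fence boundary

def overlap_fraction(d, r, fence=FENCE_RADIUS_M):
    """Fraction of the confidence circle's area that lies inside the fence."""
    if d >= r + fence:
        return 0.0
    if d + r <= fence:
        return 1.0
    if d + fence <= r:       # fence sits entirely inside the estimate
        return (fence / r) ** 2
    # Partial overlap: area of the lens formed by two intersecting circles.
    a1 = r * r * math.acos((d * d + r * r - fence * fence) / (2 * d * r))
    a2 = fence * fence * math.acos((d * d + fence * fence - r * r) / (2 * d * fence))
    tri = 0.5 * math.sqrt((-d + r + fence) * (d + r - fence)
                          * (d - r + fence) * (d + r + fence))
    return (a1 + a2 - tri) / (math.pi * r * r)

# Constructed sample: (label, east offset m, north offset m, confidence radius m)
SAMPLE = [
    ("device-A", 40.0, 30.0, 10.0),    # tight estimate near the center
    ("device-B", 0.0, 0.0, 387.0),     # the 387-meter circle from the article
    ("device-C", 120.0, 90.0, 60.0),   # estimate centered on the fence edge
    ("device-D", 600.0, 0.0, 100.0),   # far away
]

def triage(records, fence=FENCE_RADIUS_M):
    """Return (label, status, fraction of estimate area inside the fence)."""
    out = []
    for label, x, y, r in records:
        d = math.hypot(x, y)
        out.append((label, classify(d, r, fence),
                    round(overlap_fraction(d, r, fence), 3)))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Even when centered exactly on the fence, the 387-meter circle has only about 15 percent of its area inside the fence, and the circle itself is only a 68 percent estimate, so an "inside" result is still a probability rather than a certainty.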
The second service most useful to locating users is called Google Location Accuracy. This is the service Google uses when responding to government geofence search warrants. Users who turn on Google Location Accuracy permit Google to determine their location using additional inputs like Wi-Fi access points, mobile networks, and other “sensors.” Location History isn’t sufficient to pinpoint devices within a geofence. But Google Location Accuracy is. It’s only available on Google Android devices.
The Chatrie record also showed that users have the ability to pause Google’s location tracking service or even to delete their location history. That ability suggests users have some power over Google’s location tracking. But that power is limited because the interfaces that permit user control can be difficult for them to find or navigate.
Google received its first geofence warrant in 2016. Law enforcement’s use of these warrants has grown exponentially since then. Warrants to Google for users’ location information grew 1,500 percent from 2017 to 2018 and 500 percent from 2018 to 2019. In 2019, Google received about 9,000 geofence requests.
The proliferation of geofence warrants has resulted in a three-step process for Google to respond to them. Google intends this process to respect users’ privacy while, at the same time, helping law enforcement with legitimate investigative needs.
First, Google uses Location History to identify users whose estimated location is within the geofence. Sometimes Google’s own security specialists will coordinate modifying the geofence terms to make them more limited. Google then provides to law enforcement a “de-identified” list of users who fall within the geofence. (Instead of identifying, say, “Cullen Seltzer,” Google reports the user at this stage as “Mr. Blue.” Very Reservoir Dogs.)
Second, law enforcement will ask Google for additional “de-identified” location information for some of the devices that were found inside the geofence. This additional location data may in fact be outside the geofence. (For example, the police may ask, “Tell me all the users who were inside the geofence at 1 p.m., but were also at a particular restaurant, outside the geofence, at 5 p.m.”) This second-step request is intended to assess whether the users inside the geofence are relevant to their investigation. Google requires law enforcement to narrow its request for this second step of location data but has no firm policy on how much narrowing is required.
Third, law enforcement then assesses which of the users selected in the second step will be identified by their account information (e.g., their names, usernames, etc.). Google “prefers” that this third set of users be narrowed from the second set, but it’s possible, at least, that sometimes that doesn’t happen.
Significantly, although a judge has to issue the geofence warrant that starts this process between Google and law enforcement, once the warrant is issued, the back-and-forth happens between the police and Google. Judges aren’t required to assess the reasonableness of the resulting searches and disclosures.
The U.S. Supreme Court has, as recently as 2017’s Carpenter v. U.S., expanded the scope of Fourth Amendment protections against unreasonable searches in response to evolving technology. Carpenter instructed that we have Fourth Amendment privacy rights even in data that we don’t own. In that case, the Supreme Court ruled that cellphone location data about us, but in the hands of our cell service provider, was still private. If the government wants that information, the Fourth Amendment requires it to get a warrant.
That makes sense. The Fourth Amendment’s protections must reflect our changing times and changing technology. If the Constitution won’t keep up with new tech, then the Fourth Amendment will stop being a check on modern governmental power. It’ll instead become a quaint footnote to a bygone era when police had to search your files to find out about your finances and follow you in a car to know where you are. Just because James Madison, in 1787, couldn’t have imagined the internet, or a $2.5 trillion corporate behemoth with millions of terabytes of data at its disposal, doesn’t mean the Fourth Amendment has no application to those realities of our lives.
But location-tracking technology is too powerful, and too useful, for any of us to expect it to be sidelined from law enforcement’s use forever. So consider these guidelines for how geofencing might be used reasonably:
• Geofence warrants should only disclose users’ identities when the fence is narrowly drawn and the confidence interval circle clearly puts the user inside the geofence.
• The identities of users inside the geofence should be disclosed to the police only when they can corroborate that the user inside the geofence has some connection to the crime being investigated.
• When considering a geofence warrant, courts should consider the stakes of the investigation. Busting kids for selling dime bags of weed probably doesn’t justify invading the privacy of innocent people inside and outside the geofence. Finding the whereabouts of a ticking-bomb terrorist, though, may well warrant some intrusion into privacy, in the same way that police stop cars after an escape from a prison, for example.
• Every step of the geofence warrant process should be reviewed by a judge before additional searches are run or disclosures are made. The touchstone for reasonableness in the Fourth Amendment warrant context has been, and should remain, review of search requests by a dispassionate magistrate. Law enforcement and Google shouldn’t be negotiating over what gets disclosed. Google shouldn’t be in the position of deciding if the police have narrowed their search requests sufficiently. That’s a judge’s job.
In Chatrie, the judge ruled that the geofence warrant was unconstitutional. But Lauck said the evidence from the warrant was admissible anyway, because the police acted in good faith in seeking the warrant. That’s probably the right answer. You can hardly fault the police, after getting a warrant, for not fully appreciating the contours of what’s fair game when it comes to location data. Those rules are still being written.
Geofencing isn’t the first engagement in this rolling battle over what privacy means in the digital age. It won’t be the last. Indeed, New York lawmakers are considering legislation to outlaw geofence warrants. But this argument highlights for all of us what it means to have personal autonomy in our lives. Lauck called on Congress to help fill in the blanks to make privacy real and the Fourth Amendment relevant for all of us. That’s probably the right answer, too.
The defendant in Chatrie has since pleaded guilty in his case. But he reserved the right to appeal the geofence ruling. This issue isn’t going away for Chatrie, or for any of us, anytime soon.
Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.