Four unsolved Milwaukee-area arsons since 2018 have resulted in more than $50,000 of property damage as well as the deaths of two dogs – and officers from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) obtained search warrants to gather data regarding all the devices in the area at the time of the crimes, Forbes reported.
The two warrants Forbes obtained together covered about nine hours' worth of activity within 29,400 square meters – that is the records for 1,494 devices. According to Forbes, this is the highest number of results such a geofenced search has so far produced and demanded by the federal officials. Moreover, it’s possible the search will prove entirely fruitless, as whoever committed the crimes may not have a phone, may not have brought it with them, or may have brought it with them in airplane mode or powered off.
The mechanism behind the request is simple: the police give Google a timeframe and an area on Google Maps within which to find every Google user within and Google then looks through its SensorVault database of user locations, taken from devices running services like Google Maps or anything that requires the “location history” feature be turned on. The police then look through the data and if there is any person of interest, demands from Google the subscriber information that includes more detailed data such as name, email address, when they signed up to Google services and which ones they used.
However, a request like this raises security and privacy concerns. Such a request "shows the unconstitutional nature of reverse location search warrants because they inherently invade the privacy of numerous people, who everyone agrees is unconnected to the crime being investigated, for the mere possibility that it may help identify a suspect," Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society, told Forbes.
The company said that they “only produce information that identifies specific users when we are legally required to do so.” The company does have a history of trying to push back on overly broad reverse-location requests, Forbes notes. For example, when federal investigators wanted information on devices in a 400-meter radius around a bank robbery earlier this year, the company convinced them to drop that to a 50-meter radius.
The company could also not have data in Google's SensorVault to pass along to investigators – or acquired it illegally. For example, Google is facing multiple lawsuits, including a potential class-action in the US and a suit by consumer protection regulators in Australia, alleging the company misled users and retained location data even if the setting was turned off.