Police Are Filing Warrants for Android’s Vast Store of Location Data
In February 2015, a man with a painter’s mask and a gun walked into a Bank of America office in Ramona, California, and walked out with more than $3,000. Police tried to track down the bank robber, but the mask prevented a positive ID and the trail went cold. Until, in November of the same year, someone matching his description robbed the same bank again. This time, witnesses identified Timothy Graham, a 64-year-old who had taken out steep loans from Chase earlier that year. When they searched Graham’s apartment, investigators found clothes and a gun matching those used in the robbery, effectively sealing the case.
The November holdup was solved, and there was reason to think Graham had been responsible for the February holdup too, but how could they prove it? None of the witnesses saw Graham’s face in February, and Graham himself wasn’t talking. He was physically similar to the man who held up the bank in February — but it was only enough to keep the case going, not enough to make it stick.
So investigators tried a new trick: they called Google. In an affidavit filed on February 8th, nearly a year after the initial robbery, the FBI requested location data pulled from Graham’s Samsung Galaxy S5. Investigators had already gone to Graham’s wireless carrier, AT&T, but Google’s data was more precise, potentially placing Graham inside the bank at the time the robbery was taking place. "Based on my training and experience and in consultation with other agents," an investigator wrote, "I believe it is likely that Google can provide me with GPS data, cell site information and Wi-fi access points for Graham’s phone."
That data is collected as the result of a little-known Google feature that builds a comprehensive history of where a user has been — information that’s proved valuable to police and advertisers alike. A Verge investigation found affidavits from two different cases from the last four months in which police have obtained court orders for Google’s location data. (Both are embedded below.) Additional orders may have been filed under seal or through less transparent channels.
It’s not clear whether either of the public warrants was filled. No Google-based evidence was presented in Graham's trial, and the other suspect pleaded guilty before a full case could be presented. Still, there's no evidence of a legal challenge to either warrant. There's also reason to think the investigators' legal tactic would have been successful, since Google’s policy is to comply with lawful warrants for location data. While the warrants are still rare, police appear to be catching on to the powerful new tactic, which allows them to collect a wealth of information on the movements and activities of Android users, available as soon as there’s probable cause to search.
The data is collected by Google's Location History system, which has been present in various services for years but was made particularly visible with the release of Timeline last July. Location History uses the phone's location data to build a persistent portrait of where a user has traveled with their phone, a history that can be viewed or edited in the Timeline tab of Google Maps. Every time the phone establishes a strong enough location point, the system makes an entry in the user’s Timeline history, establishing that the user was in that place at that time. Google Photos users can even incorporate photos into the stream if the systems are fully integrated. The result is meant to let users "visualize your real-world routines," as Google put it in Timeline's official announcement, similar to Facebook's persistent history of everything you've shared.
While a user's Location History is largely private, Google can still use the data to target ads, and it's accessible to warrant requests from law enforcement. It's also only collected if a user enabled Location History while setting up their phone, although declining to do so also limits personalization features in Google Now and other products. The result is a persistent setting in any Google account, which users can opt in or out of through the account settings page.
The data is far more accurate than what's available from wireless carriers. Police routinely request location data from phone companies, but the result is determined on the basis of the nearest cell tower, which typically only provides a general estimate of a phone's location. (In Graham's case, AT&T warned that the results were "less than exact," and they were subsequently ruled inadmissible.) The location systems in Android and iOS combine that data with GPS, local Wi-Fi networks, and other sources. That lets Android pinpoint users to a single building, rather than a single city block.
That capability is also being actively promoted within the law enforcement community. In November, The Intercept reported on a training manual, available online, that specifically instructs police in how to obtain Android location data. Written by police training expert Aaron Edens, the manual instructs police in how to issue preservation orders to prevent the loss of user-deleted data and how to manage the KMF location files Google typically provides in response to warrant requests. The manual even offers a template for search warrants requesting the data. Both affidavits uncovered by The Verge were filed in the months following the publication of Edens' manual, although it's unclear if either team of investigators read the manual itself.
The capability is far more widespread on Android phones than iOS. While both iOS and Android can judge location with the same precision, the Location History functions can't easily log that data outside of the Android ecosystem. Android phones pair to Google accounts at the operating system level, so as long as Location History is enabled when the phone is first launched, location data can be collected even if you've never opened the Timeline tab. The result is a comprehensive location record, collected entirely in the background.
It’s possible to construct a similar record from an iPhone, but it’s much more difficult. Google Maps can collect the same location data in iOS, but it doesn't automatically connect that information to a specific user. iPhone users can get the same Timeline experience by installing the Google app, which also enables Android-style voice search, but it requires significant action on the user’s part. The Verge’s research turned up no equivalent affidavits concerning iOS phones or data stored by Apple Maps.
There are a few ways for Android users to manage or opt out of that record once they're aware of it. Users can delete or rename specific data points from within the Maps app, which Google says will delete the information from company servers within half an hour of the initial request. (Police can request the preservation of those records once a specific suspect is identified, but that won't preserve data retroactively.) You can also opt out of the system entirely by turning off Location History, a broad setting that also disables Google Now and the Explore function in Maps. That choice is presented during the setup of an Android phone, but modifiable at any point afterwards from the account privacy page.
Consistent location records are extremely valuable for Google’s advertising business. Google's DoubleClick system can use the records to target ads more precisely, a system that brings in billions each year and effectively funds the company's product ventures. The better Google’s data is, the more its ads are worth — a strong incentive for continuing to collect and store exact location data. "The more Google knows about your shopping, dining, commuting persona, it ultimately translates to higher CPMs for marketers," says Mike Ragusa, a director of mobile at IgnitionOne. "They want to know not just that you were in a mall, but that you were in a Gap store." Unlike data given to police, the advertising data is only available in aggregate form, making it all but impossible for a third-party advertiser to reconstruct a specific person's activities.
With a warrant, police can see the private, individual form of the data, which is otherwise only available to Google. That data can be extremely valuable to an investigation, since unlike carrier data, it's often precise enough to place a suspect at the scene of the crime. In Graham’s case, that’s exactly what investigators were hoping to do, using the collected Android data to prove the accused armed robber was inside the bank when the robbery took place.
In another case, police were looking to solve 12 different retail robberies in the DC metro area over the course of a year. Police believed the same man was behind all 12 robberies, based on his weapon and choice of tactics. When a man named David Flowers was arrested in connection with the last robbery, police turned to his phone, an HTC Desire 610. On the basis that Google "collects and retains location data from Android enabled mobile devices," police requested all the location data between the phone’s activation and the date of Flowers’ arrest.
These are the only two public affidavits uncovered so far, but it’s entirely possible that more have been filed under seal. Business records of this kind are also frequent targets for national security requests, a gag-ordered subpoena that some judges have criticized as unconstitutional, although Google says those requests are insufficient to obtain location data. The company’s most recent transparency report lists just over 12,000 US government requests in the first half of 2015, 78 percent of which produced some user data, although the majority of those requests are typically for Gmail inbox content. The company does not break out location requests individually.
It’s also difficult to be sure that Google complied with either of the two public affidavits, although the court record shows no legal objections filed. Reached by The Verge, a Google representative declined to comment on the specifics of the cases, but said the warrants were consistent with the company's general policy towards user data. "We respond to valid legal requests and require a warrant to disclose Location History information," a Google spokesperson said in a statement. "We have a long track record of advocating on behalf of our users."
In requiring a warrant, Google is choosing a higher standard than many courts. Earlier this week, the Fourth Circuit Court of Appeals maintained that the lighter burden of a subpoena was sufficient to obtain location records from a wireless carrier, although the precedent remains controversial. But all the courts agree warrants are sufficient, and since the location records are available on Google servers, it’s not clear whether the company would have legal grounds for resisting the orders.
There’s also reason to think there will be more orders in the months to come, as more investigators learn how to access Google's cache of data. As Edens' manual makes clear, being able to track a suspect's movements after the fact is a powerful investigative tool — too powerful for police to pass up. "This could revitalize cold cases and potentially help solve active investigations," Edens writes in the manual. "The personal privacy implications are pretty clear but so are the law enforcement applications."
Update 9:29 PM ET: Updated with further information from Google on how Location History interacts with a user's account, a company stance on National Security Letter requests for location data, and other clarifications.