from the redefining-bulwark dept
Tim Cushing
Tony Webster, writing for MPR News, has obtained court documents showing Minneapolis, Minnesota law enforcement agencies are deploying "reverse warrants" in hopes of tying suspects to crime scenes. A normal warrant targets a known object. Reverse warrants are loaded with unknowns -- an attempt to wrangle cell site location info into something that might lead police to a suspect. That's what these agencies are trying to do, but the approved warrants guarantee a sizable number of non-criminals will be swept up in the data haul.
Knowing the Silicon Valley giant held a trove of consumer mobile phone location data, investigators got a Hennepin County judge to sign a "reverse location" search warrant ordering Google to identify the locations of cellphones that had been near the crime scene in Eden Prairie, and near two food markets the victims owned in Minneapolis and St. Paul.
The scope of the warrant was so expansive in time and geography that it had the potential to gather data on tens of thousands of Minnesotans.
This new brand of warrant was first spotted last spring. Later that year, it was confirmed the feds were also using reverse warrants. These warrants are becoming more common, urged on by a private company pitching investigative methods and tools to law enforcement agencies.
[Brooklyn Park Deputy Police Chief Mark] Bruley said detectives learned about the potential value of the practice and how to write the warrant applications at an August training seminar held by ZetX, an Arizona-based company that teaches police about cellphone investigations, and sells software called TRAX that generates legal documents and maps cellphone data to assist in analysis. The company holds trainings all across the country.
The week after detectives attended the ZetX training in the Twin Cities, they wrote up their first three reverse location search warrants. By the next month, they had a dozen, each ordering Google to turn over information on devices located in the vicinity of crimes.
The warrants [PDF] demand Google turn over a bunch of data on every phone that happened to wander into a geofenced area around the time a crime was committed.
This warrant is directed to Google LLC, headquartered at 1600 Amphitheatre Parkway, Mountain View, California, and applies to (1) GPS, WiFi, Bluetooth or cellular sourced location history data generated from devices that reported a location within the geographical region bounded by the following latitudinal and longitudinal coordinates, dates, and times ("Initial Search Parameters")...
For each location point recorded within the Initial Search Parameters, Google shall produce anonymized information specifying the corresponding unique device ID, timestamp, coordinates, display radius, and data source, if available (the "Anonymized List").
As Webster notes, the warrants likely don't give judges any idea how many people will be swept up in these data requests. The warrants contain GPS coordinates but no map of the area covered. It's unlikely a judge can visualize the area covered just by looking at four coordinates. Judges may be able to enter those points into Google Maps to get some idea how much area is covered, but it doesn't appear any of the judges approached did anything more than briefly browse the warrants before signing them.
Here's how long it took to approve one requested by the Brooklyn Park PD:
No map was provided in the application to illustrate the area or accuracy level to the judge. This warrant was also issued within about 10 minutes of the detective requesting it.
Things moved even faster for Edina investigators:
About four minutes after the detective signed the application — which included no map of the targeted area — the judge approved it.
Webster has provided the maps the police wouldn't, which illustrate exactly how big an area is being covered by these reverse warrants.
Given the scope of the area covered and the imprecise nature of location data, each warrant has the potential to generate a ton of false positives -- people who happen to live, work, or travel through these busy areas. If a map had been provided, there's a good chance judges would have taken a little longer considering these requests.
A number of fantastic papers explore vulnerabilities in 2G, 3G, and 4G which are potentially the same ones exploited by commercial CSSs. The upcoming 5G protocol for cellular communications promised many improvements over the current 4G standard, including a claim that it would protect mobile users from cell-site simulators.
Of the 22 reverse location search warrants issued in Hennepin County, only three times did the warrant applications include a map demonstrating the geographic area being targeted by the warrant. And yet, the time difference between an officer signing a warrant request, and a judge approving it, was sometimes just a few minutes.
There's not a lot of good news from the law enforcement perspective either. Most of the reverse warrants failed to generate possible suspects. They didn't generate false positives either, so that's a (very limited) plus. But I don't think a lack of success will deter investigators from seeking these warrants. Reverse warrants allow officers to perform a virtual canvassing of the neighborhood for possible suspects without expending much in the way of time or manpower.
Google appears to be pushing back when requests are excessive. This is all well and good, but Google's a one-stop shop for law enforcement thanks to its expansive data harvesting over the years. The initial pushback should be coming from judges, not the private sector. When it's up to a data-hungry megacorp to provide the first layer of protection for cellphone users' privacy, the judicial system is failing to do its job.