1,500 Investigative Subjects: A Competent Google GeoFence Motion to Suppress for January 6

For some time, I’ve been waiting for a January 6 defendant to (competently) challenge the use of a Google GeoFence as one means to identify them as a participant in January 6. (There have been incompetent efforts from John Pierce, and Matthew Bledsoe unsuccessfully challenged the GeoFence of people who livestreamed on Facebook.)

The motion to suppress from David Rhine may be that challenge. Rhine was charged only with trespassing (though he was reportedly stopped, searched, and found to be carrying two knives and pepper spray, but ultimately released).

As described in his arrest affidavit, Rhine was first identified via two relatively weak tips and a Verizon warrant. But somewhere along the way, the FBI used the general GeoFence warrant they obtained on everyone in the Capitol that day. Probably using that (which shows where people went inside the Capitol), the FBI found him on a bunch of surveillance video, with his face partly obscured with a hat and hoodie.

The motion to suppress, written by Tacoma Federal Public Defender Rebecca Fish, attempts to build off a ruling in the case of Okello Chatrie (and integrates materials from his case) to get the GeoFence used to identify Rhine and everything that stemmed from it thrown out.

The three-step GeoFence Warrant and the returns specific to Rhine are sealed in the docket.

But the MTS provides a bunch of the details of how the FBI used a series of warrants to GeoFence the crime scene.

First, as Step 1, it got a list of devices at the Capitol during the breach, either as recorded in current records, or as recorded just after the attack. At this stage, FBI got just identifiers used for this purpose, not subscriber numbers.

The geofence warrant requested and authorized here collected an alarming breadth of personal data. In Step 1, the warrant directed Google to use its location data to “identify those devices that it calculated were or could have been (based on the associated margin of error for the estimated latitude/longitude point) within the TARGET LOCATION” during a four-and-a-half hour period, from 2:00 p.m. until 6:30 p.m. Ex. A at 6. The target location—the geofence—included the Capitol Building and the area immediately surrounding it, id. at 5, which covers approximately 4 acres of land, id. at 13. Indeed, the warrant acknowledges that “[t]o identify this data, Google runs a computation against all stored Location History coordinates for all Google account holders to determine which records match the parameters specified by the warrant.” Ex. A at 26 (emphasis added). Though not spelled out with clarity in the warrant itself, the warrant ordered that the list provided in step 1 not include subscriber information, but that such information may be ordered at a later step. See id. at 6; see also id. at 25 (“This process will initially collect a limited data set that includes only anonymous account identifiers, dates, times, and locations.”).

This yielded 5,723 unique devices (note, the MTS points to Google filings from the Chatrie case to argue that only a third of Google’s users turn on this location service).

Google ultimately identified 5,653 unique Device IDs that “were or could have been” within the geofence, responsive to the first step of the warrant. Ex. B (step 2 warrant and application) at 6. However, Google additionally searched location history data that Google preserved the evening of January 6. When searching this data, as opposed to the current data for active users at the time of the search, Google produced a list of 5,716 devices that were or could have been within the geofence during the relevant time period. Id. Google additionally searched location history data that Google preserved on January 7. When searching this data, Google produced a list of 5,721 devices that were or could have been within the geofence during the relevant time period. Id. The three lists combined yielded a total of 5,723 unique devices that Google estimated were or could have been in the geofence during the four-and-a-half hour period requested. Id. at 7.

In Step 2, the FBI asked Google to identify devices that had been present at the Capitol before or after the attack — an attempt to find those who were there legally. That weeded the list of potentially suspect devices to 5,518.

In this case, the second step of the geofence warrant was also done in bulk, given the lack of specificity as to the people sought. In the initial warrant, the Court ordered Google to make additional lists to eliminate some people who were presumptively within the geofence and committed no crimes. First, the warrant ordered Google to make a list of devices within the geofence from 12:00 p.m. to 12:15 p.m. on January 6. And second, the warrant ordered Google to make a list of devices within the geofence from 9:00 p.m. to 9:15 p.m. Ex. A at 6.

[snip]

Google provided these lists to the government in addition to the lists detailed above. Google identified 176 devices that were or could have been within the geofence between 12:00 p.m. and 12:15 p.m., and 159 devices that were or could have been within the geofence between 9:00 p.m. and 9:15 p.m. Ex. B at 6. The government ultimately subtracted these devices from those that they deemed suspect. Id. at 7. However, this still left 5,518 unique devices under the government’s suspicion. See id. The original warrant contemplated the removal of devices that were present at the window before and after the primary geofence time because the government asserted that the early and late windows were times when no suspects were in the Capitol Building, but legislators and staff were lawfully present. Ex. A at 27. However, the original warrant also indicated that “The government [would] review these lists in order to identify information, if any, that is not evidence of crime (for example, information pertaining to devices moving through the Target Location(s) in a manner inconsistent with the facts of the underlying case).” Ex. A at 6.

Aside from comparing the primary list with the lists for the early and late windows, the government appeared to do no culling of the device list based on movement. Rather, the government used other criteria to decide which devices to target for a request for subscriber information.

The government then asked for the subscriber information of anyone who showed up at least once inside the Capitol (as the MTS notes, Google’s confidence level on this identification is 68%). That identified 1,498 devices.

In step 3, as relevant to this case,[4] the government sought subscriber information—meaning the phone number, google account, or other identifying information associated with the device—for two different categories of people. First, the government sought subscriber information for any device for which there was a single data point that had a display ratio entirely within the geofence. Ex. B at 7. In other words, the government sought identifying information for any device for which Google was 68 percent confident the device was somewhere within the geofence at a single moment during the four-and-a-half hour geofence period. Again, the government equated presence to criminality. The government sought and the warrant ordered Google to provide identifying information on 1,498 devices (and likely people) based on this theory. See id.

It also asked for subscriber information from anyone who had deleted location history in the week after the attack, which yielded another 37 devices.

Second, the government sought identifying subscriber information for any device where location history appeared to have been deleted between January 6 or 7 and January 13, and had at least one data point where even part of the display radius was within the geofence. See Ex. B at 7–8. The government agent asserted that such devices likely had evidence of criminality because: “Based on my knowledge, training, and experience, I know that criminals will delete their Google accounts and/or their Google location data after they commit criminal acts to protect themselves from law enforcement.” Id. at 8.

[snip]

The theory that potentially changed privacy settings or a deleted account as indicative of criminality led the government to request identifying information for 37 additional devices (and likely people). Ex. B at 8.

The MTS notes that at a later time, the FBI expanded the scope of the GeoFence for which they were seeking subscriber information, but that’s not applicable to Rhine.

[4] Discovery indicates that the government later sought substantially more data from geofences in areas next to, but wholly outside of, the Capitol Building. However, Mr. Rhine addresses here the warrants and searches most relevant to his case.

The GeoFence was one of a number of things used to get the warrant to search Rhine’s house and digital devices.

I’ll hold off on assessing the legal merit of this MTS (though I do plan to share it with a bunch of Fourth Amendment lawyers).

For now, this is the best summary I know of how the FBI used the Google GeoFence: first obtaining non-subscriber identifiers for everyone in the Capitol, removing those who were by logic legally present before the attack, and then obtaining subscriber information that was used for further investigation.
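The three-step funnel summarised above, as an added sketch run over constructed location fixes (this is not code from the motion, the warrant or Google). The rectangular fence, the local metre coordinates, the device names and the `Fix` and `funnel` names are assumptions for illustration; the only things taken from the page are the time windows and the two tests ("were or could have been" within the fence, versus display radius "entirely within" it).

```python
import math
from dataclasses import dataclass

# Assumption: a rectangular fence in local metres (xmin, ymin, xmax, ymax).
FENCE = (0.0, 0.0, 200.0, 100.0)
# Windows from the page, in minutes after 12:00 p.m. on January 6.
MAIN, EARLY, LATE = (120, 390), (0, 15), (540, 555)

@dataclass(frozen=True)
class Fix:
    device: str    # anonymous device identifier (constructed)
    minute: int    # minutes after 12:00 p.m.
    x: float       # estimated position, metres east
    y: float       # estimated position, metres north
    radius: float  # display radius (margin of error), metres

def could_be_inside(f, fence=FENCE):
    """Step 1 test: the error circle touches the fence at all."""
    xmin, ymin, xmax, ymax = fence
    dx = max(xmin - f.x, 0.0, f.x - xmax)
    dy = max(ymin - f.y, 0.0, f.y - ymax)
    return math.hypot(dx, dy) <= f.radius

def entirely_inside(f, fence=FENCE):
    """Step 3, first category: the whole error circle lies in the fence."""
    xmin, ymin, xmax, ymax = fence
    return (f.x - f.radius >= xmin and f.x + f.radius <= xmax and
            f.y - f.radius >= ymin and f.y + f.radius <= ymax)

def devices_in(fixes, window):
    lo, hi = window
    return {f.device for f in fixes
            if lo <= f.minute <= hi and could_be_inside(f)}

def funnel(fixes, deleted_history):
    """Return (step1, step2, category1, category2) device sets."""
    step1 = devices_in(fixes, MAIN)
    # Step 2: subtract devices also seen in the early or late window.
    step2 = step1 - devices_in(fixes, EARLY) - devices_in(fixes, LATE)
    main = [f for f in fixes
            if f.device in step2 and MAIN[0] <= f.minute <= MAIN[1]]
    cat1 = {f.device for f in main if entirely_inside(f)}
    # Second category: deleted history plus any partial overlap.
    cat2 = {f.device for f in main
            if f.device in deleted_history and could_be_inside(f)} - cat1
    return step1, step2, cat1, cat2

# Constructed sample data, not real records.
SAMPLE = [
    Fix("dev-A", 150, 100, 50, 20),  # well inside the fence
    Fix("dev-B", 200, -10, 50, 30),  # centre outside, circle overlaps
    Fix("dev-C", 5, 50, 50, 10),     # present in the early window
    Fix("dev-C", 180, 50, 50, 10),   # and again during the main window
    Fix("dev-D", 300, 210, 50, 25),  # overlaps; history later deleted
    Fix("dev-E", 250, 400, 50, 50),  # circle never reaches the fence
]
DELETED = {"dev-D"}

if __name__ == "__main__":
    for name, devs in zip(("step1", "step2", "cat1", "cat2"),
                          funnel(SAMPLE, DELETED)):
        print(name, sorted(devs))
```

In this sample `dev-B` is swept into Step 1 only because its margin of error overlaps the fence, and `dev-D` reaches the subscriber-information stage on the same partial overlap plus a deletion.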

And that GeoFence yielded 1,500 potential investigative subjects, which may be only a third of Google users present (though would also by definition include a lot of people — victims and first responders — who were legally present). Which would suggest 4,500 people were inside the Google GeoFence that day, and (using the larger numbers) 15,000 were in the vicinity.

As I keep saying, the legal application here is very different from that in the Chatrie case, because everyone inside the Capitol was generally trespassing, a victim, a journalist, or a first responder.

To make things more interesting, Rudolph Contreras, who is the FISA Court presiding judge, is the judge in this case. He undoubtedly knows of similar legal challenges that are not public from his time on FISC.

Which may make this legal challenge of potentially significant import.

20 replies
  1. The Original Alan says:

    He’s going to lose this motion. Looking at cell phone data stored by a third party that originated from a specific time and location where a crime occurred is not much different than looking at security camera data at a specific time and location where a crime occurred. That data contained likely evidence of a crime and is therefore a reasonable subject of a search warrant. IMO no court is going to stop it.

    [Revisit your comment from 23-SEP-2022 in which I made a specific request about your username. Address the issue as requested. /~Rayne]

  2. Zirc says:

    I’m not certain I agree with the presumption of criminality asserted in the motion. It describes a process in which the FBI is trying to eliminate people who were not committing crimes from its investigation. Even the language about those who delete data from phones (“Based on my knowledge, training, and experience, I know that criminals . . .”) doesn’t mean that those who deleted the info ARE criminals. It means they can be investigated further, but not that they are automatically assumed to be guilty. Also in Rhine’s case, we have a photograph of him in and with the crowd. Is that photo to be discarded because the FBI used available technology to narrow down a huge list of (potential) suspects?

    Zirc

  3. Rugger_9 says:

    What if the sequence were reversed, i.e. the video was used as the basis for the geofence search to see who was there? Would that validate / cure the search of 4th Amendment grounds? It appears to be indisputable that Rhine was in the Capitol which IIRC is the actual criminal action here.

  4. Tech Support says:

    Whether or not the challenge is successful, this seems like a good moment to celebrate PDs. In spite of being beleaguered and under-resourced, I’m somehow not surprised that this is one of the few examples of competency to be called out by EW. For any PDs with eyes on this, thank you for what you do!

    This is also a good moment for everyone to ask themselves… do you really need your phone’s location services enabled by default? Is it really so hard to turn it on when you need driving directions and turn it off the rest of the time? What other applications or behaviors do you genuinely care about that depend on location services?

    • Ginevra diBenci says:

      Public defenders and defense lawyers more generally. The wealthy few taking top dollar to keep rich white men out of prison contribute to a negative stereotype that our current prosecution-hungry culture feeds into. I got more help from defense lawyers (on the opposing side, no less), along with judges and clerks … than I ever did from Durham’s office. I’ll leave it at that.

    • atriana smith says:

      Before google they could track by cell tower.

      Google makes it easier but turning off location may not offer complete protection.

      For complete protection you’d have to leave your phone behind.

      • Silly but True says:

        Opsec in smartphone era: Instead of burner phones, it’ll be round robin phones with burner people.

        Instead of a rapid deployment force, they would have done better to have a non-moving X-box force who stayed in their hotel rooms with others’ phones while those others swapped with them or used even others’ phones.

  5. BirdGardener says:

    Thank you for this article! I learned a lot.

    I’m not knowledgeable on this subject, so I had to do some googling. I hope it’s okay to share some links for others like me who need background information. Obviously, these aren’t for you experts!

    First, I’m guessing MTS is “.m2ts is a filename extension used for the Blu-ray disc Audio-Video (BDAV) MPEG-2 Transport Stream (M2TS) container file format.”. (https://en.m.wikipedia.org/wiki/.m2ts)

    Now the interesting links:

    From the National Association of Criminal Defense Lawyers: https://www.nacdl.org/getattachment/816437c7-8943-425c-9b3b-4faf7da24bba/nacdl-geofence-primer.pdf

    https://harvardlawreview.org/2021/05/geofence-warrants-and-the-fourth-amendment/

    https://www.lawfareblog.com/do-geofence-warrants-violate-fourth-amendment

    I’m still reading these; if anyone has a good reference to share, I’d sure appreciate it!

    Thanks again!

    • nedu says:

      I read “MTS” as used here, in this context, as “Motion To Suppress”.

      (See beginning of paragraph preceding the second screenshot, “The motion to suppress,…”. Use of the acronym “MTS” then follows the screenshots. Thus my read of the acronym.)

  6. Charles R. Conway says:

    I turned all my location services off on Sunday. I turn it back on for directions only when using.

      • Rayne says:

        Yes, but have you regularly changed your Google Ad ID? And have you shut your phone off and on regularly along with using a VPN?

        Do you avoid using apps if you can do what you need with a browser? Do you avoid using dedicated weather apps in particular?

    • nedu says:

      Targets who turn off location history appear perhaps to be anticipated by the government in the context of at least one geofence warrant application.

      I/M/O Search Of Information That Is Stored At The Premises Controlled By Google (D.D.C. Dec 30, 2021) at 79:

      (a) the government avers that Google collects location data even for users who have requested that such data not be gathered

      Magistrate Judge Harvey’s citation for this proposition appears to be the Warrant Affidavit, which I myself have not seen in this particular case.

      It’s possible I’m mis-reading this.

  7. HardyWeinberg3 says:

    “The GeoFence was one of a number of things used to get the warrant to search Rhine’s house and digital devices.”

    Is there any way for a non-plutocrat to challenge a warrant based on geofence issues to block the search in the first place? Or can it just not be done in real time and the challenge has to be used after the fact to block gov’t use of stuff that it already collected?

    (extended username past 8 characters)

    [Thanks for updating your username to meet the 8 letter minimum. /~Rayne]

    • Silly but True says:

      At the moment police show up at your house with a search warrant in hand, you are really going to be hard-pressed to convince the serving officer in real time in that moment that it might be invalid based on the legal theory that some predicating elements of the warrant may be overbroad.

    • emptywheel says:

      You have to do it like this one: after you’ve been charged based on it.

      But as I noted, this challenge is from public defenders. FPDs have, in general, gotten their clients the best outcomes among Jan 6ers.

  8. wetzel says:

    Like geofence data for ‘trespassing on the Capitol’, geofence data for ‘impeding traffic on a public roadway’ during a protest march where there was civil disobedience, and so the government can find you if you were there. If the search will pay off to identify perpetrators for crimes which may have occurred, I suppose, the local or federal police get the list of everybody at the protest march.

    There is the list in the hands of Marjorie Taylor Greene at the Department of Justice. This is what the GOP keeps saying, so there is a double standard at play. The BLM protestors should have gotten this same treatment. They should have been geofenced too, so I guess we should all prepare for the day when this power is in the hands of a corrupted Dept. of Justice with a neo-fascist GOP President. Maybe big front-end loaders like in Soylent Green.

    • nedu says:

      > [T]he local or federal police…

      Following up on this particular point risks serious thread-drift into off-topic territory here, but all the same I’ll briefly raise the issue that in many search and seizure cases there’s a strong legal distinction between state and federal prosecutions.

      Just for instance, “It is well established that article I, section 7 [of the Washington state constitution] often provides broader protections than the Fourth Amendment.”

      Or, running south down the coast, “First Court in California Suppresses Evidence from Overbroad Geofence Warrant”.

      This strong difference between state and federal prosecutions, to a certain extent, impacts the usual practices of local versus federal law enforcement officers.

      Don’t just casually equate “local or federal police”.

  9. Silly but True says:

    “…because everyone inside the Capitol was generally trespassing, a victim, a journalist, or a first responder.”

    Besides “lucky,” to which category does Matthew Martin (acquitted from bench of trespassing by Judge McFadden) get assigned to?

    He clearly entered the Capitol. The court determined he was innocent of trespassing. And he is obviously not a journalist or first responder?
