
Google Kills the Geofence Capability that Will Show ~30,000 Trump Supporters Swarmed the Capitol on Trump’s Orders

At Trump’s trial, prosecutors will use Google Location data to show how Trump’s mobs responded to his order to march to the Capitol by doing just that: swarming the Capitol. That data will show that roughly a quarter of the people at the Ellipse, around 30,000 people, entered the restricted grounds outside the Capitol, committing at least trespassing on Trump’s instruction, of which 11,500 would be identified by their Google Location data.

Jack Smith’s prosecutors revealed that they will do this on Monday in an expert notice filing.

On Wednesday, Google announced that it will soon change the way Google Location works to make such analysis impossible in the future.

If you’re among the subset of users who have chosen to turn Location History on (it’s off by default), soon your Timeline will be saved right on your device — giving you even more control over your data. Just like before, you can delete all or part of your information at any time or disable the setting entirely.

If you’re getting a new phone or are worried about losing your existing one, you can always choose to back up your data to the cloud so it doesn’t get lost. We’ll automatically encrypt your backed-up data so no one can read it, including Google.

Additionally, when you first turn on Location History, the auto-delete control will be set to three months by default, which means that any data older than that will be automatically deleted. Previously this option was set to 18 months. If you want to save memories to your Timeline for a longer period, don’t worry — you can always choose to extend the period or turn off auto-delete controls altogether.

These changes will gradually roll out through the next year on Android and iOS, and you’ll receive a notification when this update comes to your account.

Orin Kerr first identified the significance of the change to surveillance capabilities: that it will make Google geofence warrants all but impossible. Forbes confirmed that Google is making the change with the intent of making it impossible to respond to geofence warrants.

But they missed one aspect of the timing. The announcement — of a change Google is implementing prospectively, a change that will take a year to implement — came days after prosecutors revealed they had obtained a Google warrant showing the movement of people from the Ellipse to the Capitol.

Expert 1

Expert 1 has knowledge, skill, experience, training, and education beyond the ordinary lay person regarding the interpretation and visual representation of geographic location data. The Government expects that Expert 1 will testify about his/her use of ArcGIS (Geographic Information Systems) software to create a map of the Google location history data produced in response to a search warrant. Specifically, Expert 1 plotted the location history data for Google accounts and devices associated with individuals who moved, on January 6, 2021, from an area at or near the Ellipse to an area encompassing the United States Capitol building. His/her testimony will describe and explain the resulting graphical representations of that data, and it will aid the jury in understanding the movements of individuals toward the Capitol area during and after the defendant’s speech at the Ellipse. [my emphasis]

We had known that the FBI used Google geofence warrants — which identify all the people using Google Location services in a given geographic area — to identify individual January 6 suspects.

Challenges to the geofence — first by trespasser David Rhine and then by cop-sprayer Isreal Easterday — revealed that the FBI had gotten two geofence warrants (and had done three sets of de-anonymization of the data obtained): the first, on January 13, 2021, for just the Capitol building itself, and then the second, for the entire restricted area outside the Capitol, on May 21, 2021.

The warrant described in Tuesday’s expert notice must be a third warrant, one building off the May 2021 one. Perhaps the FBI asked Google for all the selectors found in the May 2021 warrant (who, with the important exception of journalists, were either victims, first responders, or trespassers), that also showed up in a geofence at the Ellipse while Trump was speaking.

There would be no need to de-anonymize these selectors. Those of investigative interest for their own actions at the Capitol would have been de-anonymized with one of the earlier warrants. This warrant is about capturing the effect of Trump’s speech, measuring how many people who attended the speech itself — Trump claims 120,000 did so — then moved to the Capitol.

Of those who moved, only a third or less would trigger the geofence (and fewer among Apple users). But it would include most of the 11,500 people who had already been identified and de-anonymized. Altogether, that’s consistent with 30,000 people being at the Capitol.

Trump is claiming that just 1% of those who heard his incitement went on to join the insurrection. This expert witness will show it’s closer to a quarter of the total.

There were, undoubtedly, a range of reasons why Google made the decision to end its ability to respond to geofence requests. As Forbes noted, the Fourth Circuit also heard the government’s appeal of Okello Chatrie’s successful challenge of a geofence this week. Early next year the DC Circuit will review Rhine’s appeal of its use with him. The Easterday challenge made it clear that Google geofences work best on Android devices — meaning Google was making it easier for law enforcement to investigate its customers over Apple’s.

But Google announced this decision — of prospective changes — months ahead of the time when a geofence will be used to prove the crimes of Donald Trump.

It’s likely at least partly an attempt to pre-empt the blowback that is bound to result.

Update: To clarify some responses I’m getting to this. Killing the geofence capability won’t affect the evidence against Trump at all. Prosecutors already got the warrant and did the analysis on the results. This will only prospectively make Google geofence warrants impossible, and not even immediately.

Easterday challenge

June 30, 2023: Motion to Compel, Declaration

August 22, 2023: Opposition Motion to Compel

September 26, 2023: Motion to Suppress Geofence

October 10, 2023: Opposition Motion to Suppress

October 17, 2023: Reply Motion to Suppress

October 26, 2023: Guilty Verdict

November 25, 2023: Supplement Opposition Motion to Suppress

The MAGA Tourist Geofence and the Violent Confederate Flag-Toting Geofence

By my rough count, Judge Tanya Chutkan has presided over the cases of more than 25 January 6 defendants, in addition to Donald Trump. Nevertheless, Trump keeps trying to lecture Chutkan about what happened, often by pointing to reports from journalists who have not otherwise covered the investigation closely.

Contrary to their false claims about how much video she has seen, Judge Chutkan knows these details far better than Trump’s attorneys.

For example, Trump keeps pointing to a December 2021 piece from Will Arkin to argue, using very dated numbers regarding the investigation, that just one percent of his mobsters qualify as insurrectionists.

The Secret Service and the FBI estimated that at least 120,000 Americans gathered on the Mall for President Trump’s speech. 6 Government agencies estimated that about 1,200 people—at most 1% of the size of the crowd gathered to listen to President Trump—entered the Capitol, and a smaller percentage than that committed violent acts. 7 Thus, we can easily conclude that well over 99% of the attendees at President Trump’s speech did not engage in the events at the Capitol. Moreover, as the Indictment recognizes, a crowd had gathered at the Capitol before President Trump finished speaking, further proving he had nothing to do with those events.

6 William M. Arkin, Exclusive: Classified Documents Reveal the Number of January 6 Protestors, NEWSWEEK (Dec. 23, 2021), at https://www.newsweek.com/exclusive-classified-documentsreveal-number-january-6-protestors-1661296. The January 6 Committee estimated the crowd on the Mall at 53,000, while President Trump estimated it at 250,000. Compare Final Report, SELECT COMMITTEE TO INVESTIGATE THE JANUARY 6TH ATTACK ON THE UNITED STATES CAPITOL (Dec. 22, 2022), 585, at https://www.govinfo.gov/content/pkg/GPO-J6-REPORT/pdf/GPO-J6-REPORT.pdf with Read Trump’s Jan. 6 Speech, A Key Part of Impeachment Trial, NPR (Feb. 10, 2021), at https://www.npr.org/2021/02/10/966396848/read-trumps-jan-6-speech-a-key-part-ofimpeachment-trial (emphasis added).

7 Id. (“[T]he facts seem to indicate that as few as one percent of the people who were there fit the label of insurrectionist.”).

There are a slew of problematic assumptions in Arkin’s piece (as well as the follow-up piece that appears to be the actual source cited in footnote 7): about the relationship between militias and others, about the role of non-militia organized groups like QAnon or anti-vaxxers, about the role and increasing percentage of military participants.

The most important misconception is that only people who entered the building, as distinct from the often more violent crowds outside it or Proud Boy seditionists orchestrating things from afar, could be an insurrectionist.

Plus, Arkin’s 2021 numbers were outdated at the time — most outlets put the number of insiders at 2,000 to 2,500 at the one year anniversary and the Sedition Hunters have identified 3,200 specific people who went inside the Capitol (though this includes people, including at least one WaPo journalist, who weren’t rioters).

Given Trump’s reliance on such outdated numbers, however, I wanted to look at a filing in the latest challenge to one of the geofence warrants used in the investigation, this time from Isreal Easterday, a Confederate-flag toting rioter who sprayed two cops before entering the Capitol through the east door.

There have already been two failed challenges to geofence warrants used in the investigation. In August 2022, then-Chief Judge Beryl Howell rejected Matthew Bledsoe’s challenge to a geofence of those who live streamed to Facebook during the riot; he is appealing his conviction, but not that ruling. In January, then-presiding FISA Judge Rudolph Contreras rejected David Rhine’s challenge to the Google geofence tied to voluntary use of Google’s Location History service (there’s no FISA component to this, but FISA judges see more novel Fourth Amendment issues). Rhine does appear to be including that ruling in his appeal, in which his initial brief is due in February.

Like Rhine, Easterday is challenging the Google geofence, but from a Fourth Amendment standpoint, he is different than Rhine in two key ways. First, the investigation into Rhine started from some tips called in as early as January 10, 2021; the FBI didn’t need the Google geofence to find him, though it made it easier to pinpoint video of his path through the Capitol.

With Easterday (probably because two distinctive aspects of his appearance changed that day — he dropped his flag and took off his hat — making it harder to track him), the first really good lead on his identity was the geofence.

The second difference between Rhine and Easterday arises from the technicalities of how the FBI did the geofence.

The FBI did three rounds of geofence with Google. In the first, starting with a January 13, 2021 warrant to Google, they:

  • Obtained the identifiers for all the phones that hit the geofence during the riot
  • Took out the identifiers that were present in the building in the 15 minutes before and after the riot (assuming those were people who were lawfully present in the Capitol)
  • Sorted out hits that were in places (for example, areas where surveillance footage showed no rioters to be present) inconsistent with unlawful activity
  • Eliminated identifiers without at least one hit entirely within the Capitol factoring in margin-of-error radius
  • Added back in identifiers with lower confidence radius that deleted Location History within the week after the attack
  • Asked Google to deanonymize that data

For the second round, they submitted a second request for deanonymization on April 14, based on the logic that those for whom there were only low confidence hits within the Capitol would be high confidence hits for the larger restricted area.

Based on the same logic, on May 21, 2021, the FBI obtained a second geofence warrant to include (per Easterday’s filings) the entire restricted area on January 6.

This time, to cull the data, they:

  • Obtained the identifier for all the phones that hit the geofence during the riot
  • Removed identifiers previously deanonymized
  • Took out the lawfully present identifiers either voluntarily identified by Congressional offices or obtained by law enforcement
  • Removed identifiers present in the 15 minutes before or after the riot
  • Eliminated identifiers without at least one hit entirely within the restricted grounds
  • Asked Google to deanonymize that data

Rhine’s phone identifier was included in the first batch of identifiers the FBI asked to be deanonymized, a group of about 1,500 identifiers; Easterday’s was not. His phone was included in the second batch deanonymized, an additional 2,200 identifiers obtained in the first warrant. His phone was also IDed in the second warrant, but by that point had already been deanonymized.

The details of how the Google geofence worked were described in filings in the Rhine case (see this post and this post), but because Easterday was not identified until the second batch, the second cull gets more attention in Easterday’s filings.

Easterday did enter the Capitol. There are pictures of him wandering hallways and stairs. On October 26, a jury convicted him of trespassing inside the Capitol, 40 USC 5104, along with the more serious assault and riot felonies he committed outside the building.

Easterday was only inside the Capitol itself for 12 minutes — he entered at 2:39 and exited at 2:51; Easterday entered three minutes before Rhine but left 13 minutes before Rhine. But he would have been at the east door — not inside the Capitol, but helping to violently break into it — for at least 22 minutes; the assault on one of the cops was captured in video that starts at 2:17.

There are a number of possible explanations for why Easterday’s phone would not have had a high confidence hit inside the Capitol geofence but did trigger the broadened geofence. For example, the original hit or hits on Easterday’s phone may have been in a location (such as the east door) where the confidence radius of the location was partially outside the Capitol itself. Some of the relevant hits were surely entirely within that area outside the Capitol but inside the restricted area that day. As the government noted in their response to this challenge, being in that area was also a trespassing crime, 18 USC 1752, even if DOJ charged fewer of the people who were in that area. The jury convicted Easterday of that crime, too.

The government provided a supplement answering specific questions Chief Judge James Boasberg posed after the guilty verdict that provides more possible explanations why Easterday did not trigger the geofence within the building at high confidence. For example, it describes that iPhones capture a lot less activity in Location History than Androids do.

[Location History] is sometimes collected automatically, but is primarily and most frequently collected when a user is doing something with his or her device that specifically involves location information (such as following Google Maps directions or taking photographs or videos that record location as part of their metadata).

Moreover, in the government’s experience examining Google LH returns, the range of activities that generate a LH point is narrower on Apple’s iPhones than Android phones. Apple iPhones apparently collect LH data primarily when the user is specifically using Google Maps.

[snip]

In contrast, Android phones can collect LH data when the user uses a wider array of Google-based applications, or even when the device is not in use at all, such as when it is sitting on a user’s bedside table overnight. Additionally, if an Android phone detects that a user is moving, the Android phone specifically and automatically requests location data from the server about every two minutes, leading to a LH data point being collected by Google. However, if the phone determines that the user is standing relatively still, or remaining within the same Wi-Fi network’s range, Android phones will request location data much less frequently, as the phone is effectively not moving. Similarly, devices will not automatically request location data from the server—or will do so less frequently—when they are low on battery.

Easterday appears to have made a call while inside the building (which would trigger a different kind of location data, but data that DOJ only obtained with individualized warrants), but that’s less likely to be captured in Location History than taking a picture would.

Judge Boasberg’s request for more information — an order he made after the guilty verdict — appears to stem, in significant part, from the fact that FBI’s initial exclusion set of 215 people is obviously a mere fraction of the people who were lawfully in the Capitol that day.

(2) how could the Control List searches for the Initial Google Geofence Warrant have generated hits for only 215 unique devices/accounts when Google applications are so ubiquitous and presumably between 1,500-2,000 people were lawfully present in the Capitol building in the time periods before and after the riot?

In its earlier filings, DOJ used a dated stat that only 30% of Google users actually use the Location History service, a service that takes several steps to turn on. In this filing, DOJ argues that as the proportion of iPhone users increases, the number of people who trigger Location History will be smaller still, unless they’re using Google Maps.

Boasberg is suggesting (and DOJ is not contesting) that their initial exclusion effort may only have included about 15% of those lawfully in the Capitol. While there would be some subset of people lawfully present who weren’t excluded in the first batch (people who were not moving in the 15 minutes before and after but who fled or took pictures during the riot, for example), this filing suggests all these numbers are low — very low.

If just one third of the people who entered the building could be expected to trigger the Google geofence, then the number who entered may be well over 4,000 (a reasonable number given the number Sedition Hunters have IDed).

If just a third of the people who were at the Capitol but not necessarily taking pictures inside it triggered the Google geofence, that number might be closer to 7,000 additional bodies, including those assaulting cops. And there could be another 23,000 people outside the Capitol — some no more than MAGA tourists, but others among the most violent people that day.

Using the Arkin numbers that were outdated when he published them in December 2021, Trump claims that, “we can easily conclude that well over 99% of the attendees at President Trump’s speech did not engage in the events at the Capitol.”

That’s not what the geofence shows. Using the same 120,000 number he uses for his own calculations, about one in ten were right at the building and a quarter may have made it to restricted ground, and the numbers could be double that.

One thing is clear though: the violent mobsters literally carrying the banner of insurrection as they attack cops may not be the ones you’ll find taking pictures inside the Capitol. And once you figure that out, the number of potential Trump insurrectionists starts to grow.

And Judge Chutkan knows that.

Take Robert Palmer, whom Trump raised to complain that Chutkan had presided over the prosecution of someone who said he went to the Capitol at Trump’s behest, where he serially assaulted cops because he believed he needed to stop the voter certification. Robert Palmer never entered the Capitol. But it’s quite clear he believes Trump sent him.

Update: Distinguished between the two trespassing crimes to show one can be applied to both locations.

Timeline Easterday Google Geofence Challenge

June 30, 2023: Motion to Compel, Declaration

August 22, 2023: Opposition Motion to Compel

September 26, 2023: Motion to Suppress Geofence

October 10, 2023: Opposition Motion to Suppress

October 17, 2023: Reply Motion to Suppress

October 26, 2023: Guilty Verdict

November 25, 2023: Supplement Opposition Motion to Suppress

More on the Government’s January 6 Google GeoFence

In October, I wrote a piece on a reasonably framed challenge to the Google GeoFence used to investigate January 6, in the trespassing case of David Rhine. In recent days, Wired picked up my story, but didn’t situate the GeoFence in the context of prior rulings overturning their use, including the EDVA ruling in March on which this challenge most directly relies. Nor did it show how this information worked with other evidence against Rhine (including two tips), that led to his arrest. That led to a lot of alarmism that, if the January 6 GeoFence is upheld, it’ll set some kind of precedent.

Yesterday, the government submitted its response to the challenge, which better explains how the GeoFence was used and why it is highly unlikely the conditions present with this GeoFence will be replicated in the future. That description is here.

As described, this was a three-step process:

  • Provide an anonymized list of the phones using Google Location Services that were present in the Capitol between 2 and 6:30PM on January 6 (whether in Google records preserved on the evening of January 6, the morning of January 7, or still on January 13). In addition, provide anonymized lists of phones using Google Location Services present in the Capitol between 12:00 and 12:15 and/or 9:00 and 9:15 PM on January 6.
  • Eliminate devices believed to be legally present in the Capitol (because they were in the earlier and/or later lists, so there before and/or after the riot), and identify those that evinced likely criminal behavior, either because the location data showed at least one hit entirely within the margin of error, or because their device showed presence in the Capitol (but not entirely within the margin of error) but also showed evidence of account deletion.

First, the government compared the 2:00 p.m. to 6:30 p.m. data with the noon and 9:00 p.m. “control” lists, and then struck the control-list devices from the main list. Def. Ex. A at 27. That process eliminated over 200 unique devices. Def. Ex. B. at 7. Second, the government eliminated all devices except those that had at least one location data point within the Capitol building with a margin-of-error radius entirely within the geofence. Def. Ex. B. at 7. This process reduced the pool to approximately 1,500 unique devices. Id. Third, the government added back 37 devices that, despite not having a margin-of-error radius entirely within the geofence, still hit on the geofence between 2:00 p.m. and 6:30 p.m. and, in addition, had another indicator of criminal activity: the account’s Location History data was deleted at some point between January 6 and January 13.

  • For the resulting ~1,500 devices, DOJ obtained a second warrant for Google to obtain the account identifier.
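
The first-warrant cull described above (and in the Easterday post's first bullet list), as an added Python example that is not code from the filings or from the FBI. The rectangular fence in projected metres, the device names and every hit are constructed, and drawing the add-back step only from devices that survived the control-list strike is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import time

RIOT = (time(14, 0), time(18, 30))            # 2:00 to 6:30 p.m. main window
CONTROLS = [(time(12, 0), time(12, 15)),      # noon control list
            (time(21, 0), time(21, 15))]      # 9:00 p.m. control list


@dataclass(frozen=True)
class Hit:
    device: str     # anonymized identifier (constructed)
    when: time      # local time on January 6
    x: float        # metres east of the fence's south-west corner
    y: float        # metres north of that corner
    radius: float   # margin-of-error radius in metres


@dataclass(frozen=True)
class Fence:
    """Axis-aligned rectangle standing in for the target location (assumption)."""
    width: float
    height: float

    def could_be_inside(self, h: Hit) -> bool:
        # Step 1 test: the error circle overlaps the fence at all.
        dx = max(-h.x, 0.0, h.x - self.width)
        dy = max(-h.y, 0.0, h.y - self.height)
        return dx * dx + dy * dy <= h.radius ** 2

    def entirely_inside(self, h: Hit) -> bool:
        # High-confidence test: the whole error circle lies within the fence.
        return (h.radius <= h.x <= self.width - h.radius
                and h.radius <= h.y <= self.height - h.radius)


def devices_in(hits, fence, window):
    """Devices with at least one possible hit on the fence during the window."""
    start, end = window
    return {h.device for h in hits
            if start <= h.when <= end and fence.could_be_inside(h)}


def cull(hits, fence, deleted_history):
    """Apply the three culling stages and return the device set at each stage."""
    step1 = devices_in(hits, fence, RIOT)
    control = set().union(*(devices_in(hits, fence, w) for w in CONTROLS))
    remaining = step1 - control                       # strike control-list devices
    high = {h.device for h in hits
            if h.device in remaining
            and RIOT[0] <= h.when <= RIOT[1]
            and fence.entirely_inside(h)}             # keep high-confidence hits
    added_back = (remaining - high) & set(deleted_history)
    final = high | added_back
    return {
        "step1": step1,
        "struck_control": step1 & control,
        "high_confidence": high,
        "added_back": added_back,
        "final": final,                               # sent for deanonymization
        "dropped": remaining - final,
    }


# Constructed sample data: a 100 m x 60 m fence and six anonymized devices.
FENCE = Fence(width=100, height=60)
HITS = [
    Hit("staffer", time(12, 5), 40, 20, 8),         # present in a control window
    Hit("staffer", time(15, 0), 40, 20, 8),
    Hit("inside-high", time(14, 45), 50, 30, 10),   # error circle fully inside
    Hit("east-door", time(14, 20), 2, 30, 15),      # centre inside, circle spills out
    Hit("deleter", time(14, 30), 98, 10, 20),       # low confidence, history deleted
    Hit("outside-wide", time(15, 10), -5, 30, 30),  # centre outside, circle overlaps
    Hit("passerby", time(15, 0), 200, 30, 10),      # never touches the fence
]
DELETED = {"deleter", "passerby"}                   # accounts that deleted history

if __name__ == "__main__":
    for stage, devices in cull(HITS, FENCE, DELETED).items():
        print(f"{stage:16} {sorted(devices)}")
```

The `east-door` device is dropped even though its centre point is inside the fence, because its error circle is only partly inside; `outside-wide` shows that the Step 1 "could have been" test also sweeps in a device whose centre point is outside the fence.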

As the government explains, this Google GeoFence differs from ones that have been overturned in several ways. Most importantly, in addition to the claim that the use of Location Services is voluntary (as distinct from location services associated with using cell phones), which was rejected in other GeoFences, here, the government also argues that, even on a normal day, anyone entering the Capitol would have no reasonable expectation of privacy, but all the more so here, where it was closed to the public.

So whereas the government argued that with Google and Facebook, users had no Reasonable Expectation of Privacy regarding information voluntarily shared with the tech company, they appear to have pursued individualized warrants with cell companies because sharing that information (under Carpenter) does involve REP. For all three, though, I think the government would argue there was no REP for people who entered the Capitol without authorization.

The government is also relying on the short timespan — 4.5 hours — to justify its GeoFence.

Relatedly, in contrast to other GeoFences that encompassed public spaces and in some cases, private residences, here, most people captured by the Google GeoFence would be people who committed a crime by being in the Capitol, or who were witnesses, victims, or first responders.

The defendant’s reliance (ECF No. 43 at 16) on the magistrate judge’s decision in Matter of Search of Information Stored at Premises Controlled by Google, 2020 WL 5491763 (N.D. Ill. July 8, 2020), is misplaced for essentially the same reason: there, the geofence covered “a congested urban area encompassing individuals’ residences, businesses, and healthcare providers,” so that “the vast majority of cellular telephones likely to be identified in [that] geofence will have nothing whatsoever to do with the offenses under investigation.” Id. at *5 (footnote omitted); see also id. at *5 n.7 (stating that “[t]he government’s inclusion of a large apartment complex in one of its geofences raise[d] additional concerns … that it may obtain location information as to an individual who may be in the privacy of their own residence”). Again, the geofence here was limited to the U.S. Capitol during a time period when members of the public were not allowed to be in the area.

In the past, I’ve noted that the others captured by the GeoFence would be victims (employees of Congress, whether Members, staff, or service staff) or First Responders. The most serious privacy exposure here might be journalists, particularly those carrying burner phones or similar.

I asked Igor Bobic, as a test of whether a credentialed journalist would be included in those deemed legally present (recall that Bobic took the iconic footage of Doug Jensen chasing Officer Eugene Goodman up the steps). He told me he was inside the Capitol for both the control periods, at noon and at 9PM. That makes sense: those present to report on the vote certification would have had cause to show up before it started and to stay — often until the wee hours of the morning — to witness its completion.

In other words, journalists who were covering events outside, but followed rioters in (and there were substantial teams from multiple media outlets as well as a number of documentary teams), would be those whose privacy was most affected.

I said in my last post that this is a well-argued motion to suppress. But the government’s response explains why Rhine is not the best situated defendant to bring this challenge. Generally, the FBI has used this GeoFence in three ways: To confirm already identified defendants were present in the Capitol or entered the Capitol, to help identify a suspect in surveillance footage, or (more recently) as leads sent out to the field to run down.

As I suspected, Rhine is in the second category: DOJ opened the investigation and advanced it based off several tips and even had confirmed Rhine’s presence via a particularized warrant to Verizon. Only later did it use the GeoFence to identify where in the existing surveillance footage to look for images of Rhine (who obscured his face with a mask).

In June 2021, the FBI’s principal investigator spent approximately 10 hours reviewing videos from the U.S. Capitol Building, attempting to locate the defendant and his activities during the January 6 riot. Def. Ex. O. During this initial review, the investigator already had access to the geofence data, which the FBI investigators received in March 2021. Gov’t Ex. 1. Despite having access to the geofence data, the investigator’s initial efforts were not successful. Def. Ex. O. After receiving additional training about the FBI’s video system, the investigator was able to locate the defendant in the Capitol Police footage. Def. Exs. O, P. The FBI then traced the defendant through U.S. Capitol based on his clothing and appearance. Def. Ex. O at 1-4 (trace of the defendant through the U.S. Capitol); Def. Ex. M at 15-22.

[snip]

[T]he November 2021 Affidavit described, in addition to the results of the geofence warrant, a constellation of evidence supporting probable cause. First, it described information reported by two separate tipsters who had learned that the defendant had entered the Capitol building during the riot on January 6. Def. Ex. M at 12. The first tipster also reported that, when confronted, the defendant did not deny entering the Capitol building and claimed that the Capitol police moved the barriers to let him into the building. Def. Ex. M. at 12. Second, the affidavit stated that, according to Verizon records, the defendant’s cell phone had connected, during the riot, to a cell site whose service area included the U.S. Capitol building’s interior. Def. Ex. M. at 12-13. Third, the affidavit reported that, in March 2021, investigators interviewed the first tipster. Def. Ex. M at 13. The tipster explained that, though he had not personally seen the Facebook post in which the defendant’s wife referred to the defendant entering the Capitol on January 6, he had seen a screenshot of the post, which a friend had sent to him. Id. The tipster also stated that he believed the defendant’s wife had deleted the Facebook post shortly after posting it. Id. And the affidavit included a screenshot of text messages that the tipster exchanged with the defendant and his wife after learning of the defendant’s participation in the riot. Id. In the exchange, the defendant did not deny entering the Capitol; in fact, he implied the opposite, stating that he saw no violence, and that Capitol police removed barriers and let people in. Def. Ex. M. at 14 (Aff. ¶ 42). Fourth, the affidavit reported that, in September 2021, the tipster identified the defendant in a still photograph obtained from the Capitol Police closed-circuit surveillance system: Def. Ex. M at 15. 
Fifth, the affidavit explained that investigators placed the same individual depicted in the photograph above at various locations inside the U.S. Capitol Building during the January 6 riot. Def. Ex. M. at 15-23. The affidavit included 10 supporting screenshots, complete with descriptions of the events depicted in the photographs. See Def. Ex. M at 16-23. Finally, the affidavit reported that, according to a Capitol Police officer who arrested the defendant inside the Capitol, the defendant was found in possession of two knives and pepper spray, which were seized. Ex. M, at 19. Even without the geofence evidence, the affidavit contained ample evidence of probable cause.

There are other arrest affidavits that, at least as described, start with the identification in the Google GeoFence (here’s one example). Some even suggest that leads based off GeoFence hits were sent to field offices to chase down. While there are no arrests based entirely on the GeoFence, defendants arrested after an investigation that started from a GeoFence lead would seem to be better situated to challenge the GeoFence.

In any case, the unique conditions at the Capitol on January 6, based on the fact that any unauthorized person who entered the Capitol was likely breaking the law, are unlikely to be replicated anytime in the future.

So whether or not this is sustained (and the warrants based on it would be sustained on good faith grounds), it’s unlikely to be a precedent for other GeoFences.

1,500 Investigative Subjects: A Competent Google GeoFence Motion to Suppress for January 6

For some time, I’ve been waiting for a January 6 defendant to (competently) challenge the use of a Google GeoFence as one means to identify them as a participant in January 6. (There have been incompetent efforts from John Pierce, and Matthew Bledsoe unsuccessfully challenged the GeoFence of people who livestreamed on Facebook.)

The motion to suppress from David Rhine may be that challenge. Rhine was charged only with trespassing (though he was reportedly stopped, searched, and found to be carrying two knives and pepper spray, but ultimately released).

As described in his arrest affidavit, Rhine was first identified via two relatively weak tips and a Verizon warrant. But somewhere along the way, the FBI used the general GeoFence warrant they obtained on everyone in the Capitol that day. Probably using that (which shows where people went inside the Capitol), the FBI found him on a bunch of surveillance video, with his face partly obscured with a hat and hoodie.

The motion to suppress, written by Tacoma Federal Public Defender Rebecca Fish, attempts to build off a ruling in the case of Okello Chatrie (and integrates materials from his case) to get the GeoFence used to identify Rhine and everything that stemmed from it thrown out.

The three-step GeoFence Warrant and the returns specific to Rhine are sealed in the docket.

But the MTS provides a bunch of the details of how the FBI used a series of warrants to GeoFence the crime scene.

First, as Step 1, it got a list of devices at the Capitol during the breach, either as recorded in current records, or as recorded just after the attack. At this stage, the FBI got just identifiers used for this purpose, not subscriber numbers.

The geofence warrant requested and authorized here collected an alarming breadth of personal data. In Step 1, the warrant directed Google to use its location data to “identify those devices that it calculated were or could have been (based on the associated margin of error for the estimated latitude/longitude point) within the TARGET LOCATION” during a four-and-a-half hour period, from 2:00 p.m. until 6:30 p.m. Ex. A at 6. The target location—the geofence—included the Capitol Building and the area immediately surrounding it, id. at 5, which covers approximately 4 acres of land, id. at 13. Indeed, the warrant acknowledges that “[t]o identify this data, Google runs a computation against all stored Location History coordinates for all Google account holders to determine which records match the parameters specified by the warrant.” Ex. A at 26 (emphasis added). Though not spelled out with clarity in the warrant itself, the warrant ordered that the list provided in step 1 not include subscriber information, but that such information may be ordered at a later step. See id. at 6; see also id. at 25 (“This process will initially collect a limited data set that includes only anonymous account identifiers, dates, times, and locations.”).

This yielded 5,723 unique devices (note, the MTS points to Google filings from the Chatrie case to argue that only a third of Google’s users turn on this location service).

Google ultimately identified 5,653 unique Device IDs that “were or could have been” within the geofence, responsive to the first step of the warrant. Ex. B (step 2 warrant and application) at 6. However, Google additionally searched location history data that Google preserved the evening of January 6. When searching this data, as opposed to the current data for active users at the time of the search, Google produced a list of 5,716 devices that were or could have been within the geofence during the relevant time period. Id. Google additionally searched location history data that Google preserved on January 7. When searching this data, Google produced a list of 5,721 devices that were or could have been within the geofence during the relevant time period. Id. The three lists combined yielded a total of 5,723 unique devices that Google estimated were or could have been in the geofence during the four-and-a-half hour period requested. Id. at 7.

In Step 2, the FBI asked Google to identify devices that had been present at the Capitol before or after the attack — an attempt to find those who were there legally. That weeded the list of potentially suspect devices to 5,518.

In this case, the second step of the geofence warrant was also done in bulk, given the lack of specificity as to the people sought. In the initial warrant, the Court ordered Google to make additional lists to eliminate some people who were presumptively within the geofence and committed no crimes. First, the warrant ordered Google to make a list of devices within the geofence from 12:00 p.m. to 12:15 p.m. on January 6. And second, the warrant ordered Google to make a list of devices within the geofence from 9:00 p.m. to 9:15 p.m. Ex. A at 6.

[snip]

Google provided these lists to the government in addition to the lists detailed above. Google identified 176 devices that were or could have been within the geofence between 12:00 p.m. and 12:15 p.m., and 159 devices that were or could have been within the geofence between 9:00 p.m. and 9:15 p.m. Ex. B at 6. The government ultimately subtracted these devices from those that they deemed suspect. Id. at 7. However, this still left 5,518 unique devices under the government’s suspicion. See id. The original warrant contemplated the removal of devices that were present at the window before and after the primary geofence time because the government asserted that the early and late windows were times when no suspects were in the Capitol Building, but legislators and staff were lawfully present. Ex. A at 27. However, the original warrant also indicated that “The government [would] review these lists in order to identify information, if any, that is not evidence of crime (for example, information pertaining to devices moving through the Target Location(s) in a manner inconsistent with the facts of the underlying case).” Ex. A at 6.

Aside from comparing the primary list with the lists for the early and late windows, the government appeared to do no culling of the device list based on movement. Rather, the government used other criteria to decide which devices to target for a request for subscriber information.

The government then asked for the subscriber information of anyone who showed up at least once inside the Capitol (as the MTS notes, Google’s confidence level on this identification is 68%). That identified 1,498 devices.

In step 3, as relevant to this case,4 the government sought subscriber information—meaning the phone number, Google account, or other identifying information associated with the device—for two different categories of people. First, the government sought subscriber information for any device for which there was a single data point that had a display ratio entirely within the geofence. Ex. B at 7. In other words, the government sought identifying information for any device for which Google was 68 percent confident the device was somewhere within the geofence at a single moment during the four-and-a-half hour geofence period. Again, the government equated presence to criminality. The government sought and the warrant ordered Google to provide identifying information on 1,498 devices (and likely people) based on this theory. See id.

It also asked for subscriber information from anyone who had deleted location history in the week after the attack, which yielded another 37 devices.

Second, the government sought identifying subscriber information for any device where location history appeared to have been deleted between January 6 or 7 and January 13, and had at least one data point where even part of the display radius was within the geofence. See Ex. B at 7–8. The government agent asserted that such devices likely had evidence of criminality because: “Based on my knowledge, training, and experience, I know that criminals will delete their Google accounts and/or their Google location data after they commit criminal acts to protect themselves from law enforcement.” Id. at 8.

[snip]

The theory that potentially changed privacy settings or a deleted account as indicative of criminality led the government to request identifying information for 37 additional devices (and likely people). Ex. B at 8.

The MTS notes that at a later time, the FBI expanded the scope of the GeoFence for which they were seeking subscriber information, but that’s not applicable to Rhine.

4 Discovery indicates that the government later sought substantially more data from geofences in areas next to, but wholly outside of, the Capitol Building. However, Mr. Rhine addresses here the warrants and searches most relevant to his case.

The GeoFence was one of a number of things used to get the warrant to search Rhine’s house and digital devices.

I’ll hold off on assessing the legal merit of this MTS (though I do plan to share it with a bunch of Fourth Amendment lawyers).

For now, this is the best summary I know of how the FBI used the known Google GeoFence: first obtaining non-subscriber identifiers for everyone in the Capitol, removing those who were by logic legally present before the attack, and then obtaining subscriber information that was used for further investigation.
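The three steps summarized above can be modelled in a few lines. This is an added example, not code from Google, the FBI or the filing: it assumes a circular fence in flat metre coordinates, constructed device points, and that a device counts as "deleted" when it appears in the preserved snapshot but not in the live data. It shows how the Step 1 test ("were or could have been") differs from the Step 3 test (error circle entirely inside the fence).

```python
from datetime import datetime
from math import hypot

# Assumption: the fence is a circle of radius FENCE_R metres centred on (0, 0);
# the real fence is an area around the Capitol. All data below is constructed.
FENCE_R = 120.0

def at(hhmm):
    return datetime.strptime("2021-01-06 " + hhmm, "%Y-%m-%d %H:%M")

PRIMARY = (at("14:00"), at("18:30"))                      # 2:00 p.m. to 6:30 p.m.
EARLY, LATE = (at("12:00"), at("12:15")), (at("21:00"), at("21:15"))

def pt(dev, hhmm, x, y, r):
    """One Location History point: estimated position plus error radius (metres)."""
    return {"id": dev, "t": at(hhmm), "x": x, "y": y, "r": r}

def could_be_inside(p):   # Step 1 test: error circle overlaps the fence
    return hypot(p["x"], p["y"]) - p["r"] <= FENCE_R

def wholly_inside(p):     # Step 3 test: error circle entirely within the fence
    return hypot(p["x"], p["y"]) + p["r"] <= FENCE_R

def devices(points, window, test):
    return {p["id"] for p in points if window[0] <= p["t"] <= window[1] and test(p)}

def three_step(live, snapshot):
    """live: data at search time; snapshot: data preserved right after the event."""
    pts = live + snapshot                                 # the lists are combined
    step1 = devices(pts, PRIMARY, could_be_inside)
    lawful = devices(pts, EARLY, could_be_inside) | devices(pts, LATE, could_be_inside)
    step2 = step1 - lawful
    # Assumption: "deleted" means present in the snapshot but gone from live data.
    deleted = {p["id"] for p in snapshot} - {p["id"] for p in live}
    cat1 = devices(pts, PRIMARY, wholly_inside) & step2   # unmasked: wholly inside
    cat2 = (deleted & step2) - cat1                       # unmasked: deleted + overlap
    return {"step1": step1, "step2": step2, "cat1": cat1, "cat2": cat2}

LIVE = [
    pt("A", "14:30", 10, 20, 15),                               # inside, tight fix
    pt("B", "12:05", 0, 30, 10), pt("B", "15:00", 5, 30, 10),   # there before the breach
    pt("C", "15:10", 150, 0, 50),     # outside; error circle clips the fence
    pt("E", "16:00", 500, 0, 30),     # nowhere near
    pt("F", "19:00", 0, 0, 10),       # inside, but after the primary window
]
SNAPSHOT = LIVE + [pt("D", "15:20", 140, 0, 40)]          # D's history later deleted

if __name__ == "__main__":
    print(three_step(LIVE, SNAPSHOT))
```

Device C's estimated position is outside the fence, yet it survives Steps 1 and 2 because its error circle overlaps; D is in the same position but is unmasked solely because its history was deleted.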

And that GeoFence yielded 1,500 potential investigative subjects, which may be only a third of Google users present (though it would also by definition include a lot of people — victims and first responders — who were legally present). Which would suggest 4,500 people were inside the Google GeoFence that day, and (using the larger numbers) 15,000 were in the vicinity.

As I keep saying, the legal application here is very different from the Chatrie case, because everyone inside the Capitol was generally trespassing, a victim, a journalist, or a first responder.

To make things more interesting, Rudolph Contreras, who is the FISA Court presiding judge, is the judge in this case. He undoubtedly knows of similar legal challenges that are not public from his time on FISC.

Which may make this legal challenge of potentially significant import.