Google Kills the Geofence Capability that Will Show ~30,000 Trump Supporters Swarmed the Capitol on Trump’s Orders

At Trump’s trial, prosecutors will use Google Location data to show how Trump’s mobs responded to his order to march to the Capitol by doing just that: swarming the Capitol. That data will show that roughly a quarter of the people at the Ellipse, around 30,000 people, entered the restricted grounds outside the Capitol, committing at least trespassing on Trump’s instruction, of which 11,500 would be identified by their Google Location data.

Jack Smith’s prosecutors revealed that they will do this on Monday in an expert notice filing.

On Wednesday, Google announced that it will soon change the way Google Location works to make such analysis impossible in the future.

If you’re among the subset of users who have chosen to turn Location History on (it’s off by default), soon your Timeline will be saved right on your device — giving you even more control over your data. Just like before, you can delete all or part of your information at any time or disable the setting entirely.

If you’re getting a new phone or are worried about losing your existing one, you can always choose to back up your data to the cloud so it doesn’t get lost. We’ll automatically encrypt your backed-up data so no one can read it, including Google.

Additionally, when you first turn on Location History, the auto-delete control will be set to three months by default, which means that any data older than that will be automatically deleted. Previously this option was set to 18 months. If you want to save memories to your Timeline for a longer period, don’t worry — you can always choose to extend the period or turn off auto-delete controls altogether.

These changes will gradually roll out through the next year on Android and iOS, and you’ll receive a notification when this update comes to your account.

Orin Kerr first identified the significance of the change to surveillance capabilities: that it will make Google geofence warrants all but impossible. Forbes confirmed that Google is making the change with the intent of making it impossible to respond to geofence warrants.

But they missed one aspect of the timing. The announcement — of a change Google is implementing prospectively, a change that will take a year to implement — came days after prosecutors revealed they had obtained a Google warrant showing the movement of people from the Ellipse to the Capitol.

Expert 1

Expert 1 has knowledge, skill, experience, training, and education beyond the ordinary lay person regarding the interpretation and visual representation of geographic location data. The Government expects that Expert 1 will testify about his/her use of ArcGIS (Geographic Information Systems) software to create a map of the Google location history data produced in response to a search warrant. Specifically, Expert 1 plotted the location history data for Google accounts and devices associated with individuals who moved, on January 6, 2021, from an area at or near the Ellipse to an area encompassing the United States Capitol building. His/her testimony will describe and explain the resulting graphical representations of that data, and it will aid the jury in understanding the movements of individuals toward the Capitol area during and after the defendant’s speech at the Ellipse. [my emphasis]

We had known that the FBI used Google geofence warrants — which identify all the people using Google Location services in a given geographic area — to identify individual January 6 suspects.

Challenges to the geofence — first by trespasser David Rhine and then by cop-sprayer Isreal Easterday — revealed that the FBI had gotten two geofence warrants (and had done three sets of de-anonymization of the data obtained): the first, on January 13, 2021, for just the Capitol building itself, and then the second, for the entire restricted area outside the Capitol, on May 21, 2021.

The warrant described in Tuesday’s expert notice must be a third warrant, one building off the May 2021 one. Perhaps the FBI asked Google for all the selectors found in the May 2021 warrant (who, with the important exception of journalists, were either victims, first responders, or trespassers), that also showed up in a geofence at the Ellipse while Trump was speaking.

There would be no need to de-anonymize these selectors. Those of investigative interest for their own actions at the Capitol would have been de-anonymized with one of the earlier warrants. This warrant is about capturing the effect of Trump’s speech, measuring how many people who attended the speech itself — Trump claims 120,000 did so — then moved to the Capitol.

Of those who moved, only a third or less would trigger the geofence (and fewer among Apple users). But it would include most of the 11,500 people who had already been identified and de-anonymized. Altogether, that’s consistent with 30,000 people being at the Capitol.

Trump is claiming that just 1% of those who heard his incitement went on to join the insurrection. This expert witness will show it’s closer to a quarter of the total.

There were, undoubtedly, a range of reasons why Google made the decision to end its ability to respond to geofence requests. As Forbes noted, the Fourth Circuit also heard the government’s appeal of Okello Chatrie’s successful challenge of a geofence this week. Early next year the DC Circuit will review Rhine’s appeal of its use with him. The Easterday challenge made it clear that Google geofences work best on Android devices — meaning Google was making it easier for law enforcement to investigate its customers over Apple’s.

But Google announced this decision — of prospective changes — months ahead of the time when a geofence will be used to prove the crimes of Donald Trump.

It’s likely at least partly an attempt to pre-empt the blowback that is bound to result.

Update: To clarify some responses I’m getting to this. Killing the geofence capability won’t affect the evidence against Trump at all. Prosecutors already got the warrant and did the analysis on the results. This will only prospectively make Google geofence warrants impossible, and not even immediately.

Easterday challenge

June 30, 2023: Motion to Compel, Declaration

August 22, 2023: Opposition Motion to Compel

September 26, 2023: Motion to Suppress Geofence

October 10, 2023: Opposition Motion to Suppress

October 17, 2023: Reply Motion to Suppress

October 26, 2023: Guilty Verdict

November 25, 2023: Supplement Opposition Motion to Suppress

1,500 Investigative Subjects: A Competent Google GeoFence Motion to Suppress for January 6

For some time, I’ve been waiting for a January 6 defendant to (competently) challenge the use of a Google GeoFence as one means to identify them as a participant in January 6. (There have been incompetent efforts from John Pierce, and Matthew Bledsoe unsuccessfully challenged the GeoFence of people who livestreamed on Facebook.)

The motion to suppress from David Rhine may be that challenge. Rhine was charged only with trespassing (though he was reportedly stopped, searched, and found to be carrying two knives and pepper spray, but ultimately released).

As described in his arrest affidavit, Rhine was first identified via two relatively weak tips and a Verizon warrant. But somewhere along the way, the FBI used the general GeoFence warrant they obtained on everyone in the Capitol that day. Probably using that (which shows where people went inside the Capitol), the FBI found him on a bunch of surveillance video, with his face partly obscured with a hat and hoodie.

The motion to suppress, written by Tacoma Federal Public Defender Rebecca Fish, attempts to build off a ruling in the case of Okello Chatrie (and integrates materials from his case) to get the GeoFence used to identify Rhine and everything that stemmed from it thrown out.

The three-step GeoFence Warrant and the returns specific to Rhine are sealed in the docket.

But the MTS provides a bunch of the details of how the FBI used a series of warrants to GeoFence the crime scene.

First, as Step 1, it got a list of devices at the Capitol during the breach, either as recorded in current records, or as recorded just after the attack. At this stage, FBI got just identifiers used for this purpose, not subscriber numbers.

The geofence warrant requested and authorized here collected an alarming breadth of personal data. In Step 1, the warrant directed Google to use its location data to “identify those devices that it calculated were or could have been (based on the associated margin of error for the estimated latitude/longitude point) within the TARGET LOCATION” during a four-and-a-half hour period, from 2:00 p.m. until 6:30 p.m. Ex. A at 6. The target location—the geofence—included the Capitol Building and the area immediately surrounding it, id. at 5, which covers approximately 4 acres of land, id. at 13. Indeed, the warrant acknowledges that “[t]o identify this data, Google runs a computation against all stored Location History coordinates for all Google account holders to determine which records match the parameters specified by the warrant.” Ex. A at 26 (emphasis added). Though not spelled out with clarity in the warrant itself, the warrant ordered that the list provided in step 1 not include subscriber information, but that such information may be ordered at a later step. See id. at 6; see also id. at 25 (“This process will initially collect a limited data set that includes only anonymous account identifiers, dates, times, and locations.”).

This yielded 5,723 unique devices (note, the MTS points to Google filings from the Chatrie case to argue that only a third of Google’s users turn on this location service).

Google ultimately identified 5,653 unique Device IDs that “were or could have been” within the geofence, responsive to the first step of the warrant. Ex. B (step 2 warrant and application) at 6. However, Google additionally searched location history data that Google preserved the evening of January 6. When searching this data, as opposed to the current data for active users at the time of the search, Google produced a list of 5,716 devices that were or could have been within the geofence during the relevant time period. Id. Google additionally searched location history data that Google preserved on January 7. When searching this data, Google produced a list of 5,721 devices that were or could have been within the geofence during the relevant time period. Id. The three lists combined yielded a total of 5,723 unique devices that Google estimated were or could have been in the geofence during the four-and-a-half hour period requested. Id. at 7.

In Step 2, the FBI asked Google to identify devices that had been present at the Capitol before or after the attack — an attempt to find those who were there legally. That weeded the list of potentially suspect devices to 5,518.

In this case, the second step of the geofence warrant was also done in bulk, given the lack of specificity as to the people sought. In the initial warrant, the Court ordered Google to make additional lists to eliminate some people who were presumptively within the geofence and committed no crimes. First, the warrant ordered Google to make a list of devices within the geofence from 12:00 p.m. to 12:15 p.m. on January 6. And second, the warrant ordered Google to make a list of devices within the geofence from 9:00 p.m. to 9:15 p.m. Ex. A at 6.

[snip]

Google provided these lists to the government in addition to the lists detailed above. Google identified 176 devices that were or could have been within the geofence between 12:00 p.m. and 12:15 p.m., and 159 devices that were or could have been within the geofence between 9:00 p.m. and 9:15 p.m. Ex. B at 6. The government ultimately subtracted these devices from those that they deemed suspect. Id. at 7. However, this still left 5,518 unique devices under the government’s suspicion. See id. The original warrant contemplated the removal of devices that were present at the window before and after the primary geofence time because the government asserted that the early and late windows were times when no suspects were in the Capitol Building, but legislators and staff were lawfully present. Ex. A at 27. However, the original warrant also indicated that “The government [would] review these lists in order to identify information, if any, that is not evidence of crime (for example, information pertaining to devices moving through the Target Location(s) in a manner inconsistent with the facts of the underlying case).” Ex. A at 6.

Aside from comparing the primary list with the lists for the early and late windows, the government appeared to do no culling of the device list based on movement. Rather, the government used other criteria to decide which devices to target for a request for subscriber information.

The government then asked for the subscriber information of anyone who showed up at least once inside the Capitol (as the MTS notes, Google’s confidence level on this identification is 68%). That identified 1,498 devices.

In step 3, as relevant to this case,4 the government sought subscriber information—meaning the phone number, google account, or other identifying information associated with the device—for two different categories of people. First, the government sought subscriber information for any device for which there was a single data point that had a display ratio entirely within the geofence. Ex. B at 7. In other words, the government sought identifying information for any device for which Google was 68 percent confident the device was somewhere within the geofence at a single moment during the four-and-a-half hour geofence period. Again, the government equated presence to criminality. The government sought and the warrant ordered Google to provide identifying information on 1,498 devices (and likely people) based on this theory. See id.

It also asked for subscriber information from anyone who had deleted location history in the week after the attack, which yielded another 37 devices.

Second, the government sought identifying subscriber information for any device where location history appeared to have been deleted between January 6 or 7 and January 13, and had at least one data point where even part of the display radius was within the geofence. See Ex. B at 7–8. The government agent asserted that such devices likely had evidence of criminality because: “Based on my knowledge, training, and experience, I know that criminals will delete their Google accounts and/or their Google location data after they commit criminal acts to protect themselves from law enforcement.” Id. at 8.

[snip]

The theory that potentially changed privacy settings or a deleted account as indicative of criminality led the government to request identifying information for 37 additional devices (and likely people). Ex. B at 8.

The MTS notes that at a later time, the FBI expanded the scope of the GeoFence for which they were seeking subscriber information, but that’s not applicable to Rhine.

4 Discovery indicates that the government later sought substantially more data from geofences in areas next to, but wholly outside of, the Capitol Building. However, Mr. Rhine addresses here the warrants and searches most relevant to his case.

The GeoFence was one of a number of things used to get the warrant to search Rhine’s house and digital devices.

I’ll hold off on assessing the legal merit of this MTS (though I do plan to share it with a bunch of Fourth Amendment lawyers).

For now, this is the best summary I know of how the FBI used the known Google GeoFence: first obtaining non-subscriber identifiers for everyone in the Capitol, removing those who were by logic legally present before the attack, and then obtaining subscriber information that was used for further investigation.
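The three-step filtering described above, sketched as an added example (not code from the warrant, Google, or the motion). It assumes planar coordinates in metres, a rectangular fence, and treats a device as "deleted" when it appears in a preserved snapshot but not in the current data; all device IDs and points are constructed.

```python
from collections import namedtuple

# Constructed model: positions are metres on a local plane, times are minutes
# after midnight, and the fence is a hypothetical axis-aligned rectangle.
Point = namedtuple("Point", "device t x y radius")
FENCE = (0.0, 0.0, 200.0, 100.0)                     # xmin, ymin, xmax, ymax
MAIN, EARLY, LATE = (840, 1110), (720, 735), (1260, 1275)

def could_be_inside(p, f=FENCE):
    """Step 1 test: the error circle overlaps the fence at all."""
    dx = max(f[0] - p.x, 0.0, p.x - f[2])
    dy = max(f[1] - p.y, 0.0, p.y - f[3])
    return dx * dx + dy * dy <= p.radius ** 2

def entirely_inside(p, f=FENCE):
    """Step 3 test: the whole error circle lies within the fence."""
    return (f[0] <= p.x - p.radius and p.x + p.radius <= f[2] and
            f[1] <= p.y - p.radius and p.y + p.radius <= f[3])

def devices(points, window, test):
    """Device IDs with at least one point in the time window passing test."""
    return {p.device for p in points
            if window[0] <= p.t <= window[1] and test(p)}

def run_warrant(current, preserved):
    """current: records at search time; preserved: list of earlier snapshots."""
    everything = current + [p for snap in preserved for p in snap]
    step1 = devices(everything, MAIN, could_be_inside)   # union of all lists
    step2 = step1 - (devices(everything, EARLY, could_be_inside) |
                     devices(everything, LATE, could_be_inside))
    # Assumption: "deleted" = seen in a preserved snapshot, absent from current.
    deleted = ({p.device for snap in preserved for p in snap} -
               {p.device for p in current})
    # Subscriber info: one point wholly inside, or deleted history plus overlap.
    step3 = (devices(everything, MAIN, entirely_inside) | deleted) & step2
    return step1, step2, step3

# Constructed sample data (not from the case).
CURRENT = [
    Point("A", 900, 100, 50, 20),    # error circle wholly inside the fence
    Point("B", 900, -10, 50, 30),    # outside, but error circle overlaps
    Point("C", 725, 50, 50, 10),     # present in the early window
    Point("C", 900, 50, 50, 10),
    Point("D", 900, -100, 50, 30),   # too far away to overlap
]
PRESERVED = [CURRENT + [Point("E", 1000, 205, 50, 15)]]  # E later deleted

if __name__ == "__main__":
    print(run_warrant(CURRENT, PRESERVED))
```

Device B shows how the "were or could have been" test in Step 1 sweeps in a device whose estimated position is outside the fence; only the stricter Step 3 test drops it.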

And that GeoFence yielded 1,500 potential investigative subjects, which may only be a third of Google users present (though would also by definition include a lot of people — victims and first responders — who were legally present). Which would suggest 4,500 people were inside the Google GeoFence that day, and (using the larger numbers) 15,000 were in the vicinity.

As I keep saying, the legal application here is very different than in the Chatrie case, because everyone inside the Capitol was generally trespassing, a victim, a journalist, or a first responder.

To make things more interesting, Rudolph Contreras, who is the FISA Court presiding judge, is the judge in this case. He undoubtedly knows of similar legal challenges that are not public from his time on FISC.

Which may make this legal challenge of potentially significant import.