It's no secret that Google tracks you everywhere, even when you keep Google's Location History feature disabled.
As revealed by an Associated Press investigation in 2018, other Google apps like Maps or daily weather update service on Android allows the tech giant to continuously collect your precise latitude and longitude.
According to Google, the company uses this location-tracking features with an intent to improve its users' experience, like "personalized maps, recommendations based on places you've visited, help finding your phone, real-time traffic updates about your commute, and more useful ads."
Moreover, it's also known that Google could share your location data with federal authorities in criminal investigations when asked with a warrant.
Google 'SensorVault' Database Help Police Solve Crimes
But what many people weren't aware of is that Google also helps federal authorities identify suspects of crimes by sharing location history of all devices that passed through crime scenes over a certain time period.
It should be noted Google doesn't share personal information of all nearby users; instead, it asks the police to first analyze location history of all users and narrows down results to only a few selected users to receive their names, email addresses, and other personal data from Google.
A new in-depth report from The New York Times revealed that Google maintains a database, known internally as Sensorvault, over nearly the past decade, containing detailed location records from hundreds of millions of phones around the world, and shares with authorities nationwide with warrants to mine it to help in criminal cases.
According to several unnamed Google employees cited in the report, such requests to dive into Google's Sensorvault database have spiked in the last six months, with the company receiving as many as 180 requests in just one week.
How Does Law Enforcement Use Google SensorVault Database?
To seek location data, law enforcement needs to get a so-called "geofence" warrant.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
Here below I have tried to step-by-step illustrate how Google shares location data when "legally" required:
- The authorities reached out to Google with a geofence warrant looking for smartphones Google had recorded around the crime scene.
- After receiving the warrant, Google gathers location information from its Sensorvault database and sends it to investigators, with each device identified by an anonymous ID code and not the actual identity of the devices.
- Investigators then review the data, look for patterns of the devices near the crime scene, and request further location data on devices from Google that appear relevant to see the particular device movement beyond the original area defined in the warrant.
- When investigators narrow results to a few devices, which they think may belong to suspects or witnesses, Google reveals the real name, email address and other data associated with the devices.
The NYT report explained the entire process when federal agents requested the location data to investigate a string of bombings around Austin, Texas.
Federal agents first used this technique of catching criminals in 2016, which has since been spread to local departments across the country, including in California, Florida, Minnesota, and Washington.
While the technique has been proven to work, it's not a foolproof way to catch criminals.
Some cases highlighted by the NYT report showed how police used this data to accuse innocents, with one man jailed for a week last year in a murder investigation after being recorded near the killing location and then released after investigators pinpointed and arrested another suspect.
It's no surprise that law enforcement seeks help from tech companies during criminal investigations, but the use of location history databases like Sensorvault has raised concerns... concerns about the privacy of users... concerns about data collection... concerns about innocent being accused and implicated.