US police departments increasingly rely on a controversial surveillance practice to demand large amounts of user data from tech companies, with the goal of tracking down suspected criminals.
So-called “reverse” searches allow law enforcement and federal agencies to subpoena large tech companies such as Google, to transfer information from their vast stores of user data. These orders are not unique to Google — any company with access to user data can be forced to hand them over — but the search giant has become one of the biggest recipients of police demands for access to databases of user information.
For example, authorities can demand that a technology company hand over information about each person who was in a certain place at a certain time based on the location of their phone or who searched for a certain keyword or query. Thanks to a recently revealed court ruling, authorities have shown that they are able to collect identifiable information about everyone who watched certain videos on YouTube.
Reverse lookups effectively cast a digital net over a tech company’s user data repository to capture the information police are looking for.
Civil liberties advocates have argued that these kinds of court-approved orders are overbroad and unconstitutional, as they can also compel companies to hand over information about completely innocent people unrelated to the alleged crime. Critics fear these court orders could allow police to prosecute people based on where they go or what they search for online.
So far, not even the courts can agree on whether these orders are constitutional, setting up a potential legal challenge before the US Supreme Court.
Meanwhile, federal investigators are already probing this controversial legal practice. In a recent case, prosecutors asked Google to hand over information about everyone who accessed certain YouTube videos in an effort to track down a money-laundering suspect.
ONE newly unsealed search app filed in a Kentucky federal court last year revealed that prosecutors wanted Google to “provide records and information related to Google accounts or IP addresses accessing YouTube videos for one week between January 1, 2023 and January 8, 2023.”
The search app said that as part of an undercover transaction, the money laundering suspect shared a YouTube link with investigators, and investigators sent back two more YouTube links. The three videos — which TechCrunch has seen and have nothing to do with money laundering — had a combined total of about 27,000 views at the time of the search application. But prosecutors sought an order to compel Google to release information about every person who watched those three YouTube videos during this week, likely in an effort to narrow down the list of people to their top suspect, who prosecutors assumed that they had visited some or all of the three videos.
This particular court order was easier for law enforcement to obtain than a traditional search warrant because it sought access to login logs about who had access to the videos, rather than the higher-level search warrant that courts can use to require technology companies to hand over the content of someone’s private messages.
A federal court in Kentucky approved the search warrant under seal, preventing its public release for a year. Google was barred from disclosing the request until last month, when the court order expired. Forbes reported for the first time for the existence of the court decision.
It’s not known whether Google complied with the order, and a Google spokesperson declined to say either way when asked by TechCrunch.
Riana Pfefferkorn, a researcher at the Stanford Internet Observatory, said this was a “perfect example” of why civil liberties advocates have long criticized this type of court ruling for its ability to give police access to people’s intrusive information.
“The government is essentially pushing YouTube to serve as a honeypot for federal authorities to trap a suspected criminal by triangulating who had viewed the videos in question during a certain time period,” Pfefferkorn said, referring to the recent order targeting YouTubers. . “But by asking for information on everyone who had seen any of the three videos, the investigation is also potentially scanning dozens or hundreds of other people who are not suspected of wrongdoing, just as reverse geolocating search warrants do.”
Claiming the digital haystack
Reverse search orders and court orders are a problem largely Google’s fault, thanks in part to the gargantuan amounts of user data the tech giant has long collected on its users, including browsing histories, web searches and even analytics location data. Realizing that tech giants hold vast amounts of user location data and search queries, law enforcement has begun to persuade courts to grant broader access to tech companies’ databases than just targeting individual users.
A court-authorized search warrant allows police to request information from a technology or phone company about a person who investigators believe is involved in a crime that has occurred or is about to occur. But instead of trying to find the suspect by looking for a needle in a digital haystack, police are increasingly calling for big pieces of the haystack — even if they include personal information about innocent people — to look for clues.
Using this same technique to demand identifying information from anyone who viewed a video on YouTube, law enforcement can also demand that Google hand over data identifying each person who was at a particular place and time, or each user who searched the internet for a specific query.
Geofence warrants, as they are better known, allow police to draw a shape on a map around a crime scene or place of interest and request huge swaths of location data from Google databases on anyone whose phone was in that area. area at some point.
Police can also use so-called “keyword search” warrants that can identify any user who searched for a keyword or search term within a time frame, usually to find clues about criminal suspects investigating potential crimes them in advance.
Both of these warrants can be effective because Google stores the detailed location data and search queries of billions of people around the world.
Law enforcement might champion the surveillance collection technique for its uncanny ability to catch even the most elusive criminal suspects. But many innocent people have been caught in these investigative nets by mistake—in some cases as suspected criminals — simply by having phone data that appears to place them near the scene of an alleged crime.
While Google’s practice of collecting as much data as it can about its users makes the company a prime target and top recipient of reverse search warrants, it’s not the only company subject to these controversial court rulings. Any tech company big or small that stores banks of user-readable data can be forced to hand it over to law enforcement. Microsoft, Snap, Uber and Yahoo (which owns TechCrunch) have all received subpoenas for user data.
Some companies choose not to store user data, and others scramble the data so that it cannot be accessed by anyone but the user. This prevents companies from handing over access to data they don’t or can’t access — especially when laws change overnight, like when the US Supreme Court overturned the constitutional right to access abortion.
Google, for its part, is putting a slow end to its ability to respond to geo-protection warrants, specifically moving where it stores users’ location data. Instead of gathering vast amounts of users’ precise location histories on its servers, Google will soon begin storing location data directly on users’ devices, so that police will have to look up the data directly from the device owner. However, Google has so far left the door open to receiving search warrants that seek information about users’ search queries and browsing history.
But as Google and others are finding out the hard way, the only way for companies to avoid handing over customer data is to not have it in the first place.
