Thousands of Geofence Warrants Appear to Be Missing from a California DOJ Transparency Database
California requires law enforcement to report the controversial warrants to a state database—but The Markup found massive discrepancies in how they’re reported.
In the last three years, Google says, public agencies in California have increasingly demanded location data collected from people’s phones and other devices through geofence warrants—an evidence-gathering mechanism that privacy advocates argue violates civil liberties. Between 2018 and 2020, the company said in a recent transparency report, it had received 3,655 geofence warrant requests from agencies operating in the state.
But California’s OpenJustice dataset, where law enforcement agencies are required by state law to disclose executed geofence warrants or requests for geofence information, tells a completely different story.
A Markup review of the state’s data between 2018 and 2020 found only 41 warrants that could clearly constitute a geofence warrant. We looked for any warrant described as targeting information such as “users within a geographical area” and “google id's in a certain area.”
“When the providers are telling you one thing, and the government is telling you another, then something’s broken and it needs to be fixed,” said Albert Gidari, who served as consulting director of privacy at the Stanford Center for Internet and Society and recently retired. He has also represented Google as a lawyer in the past.
There are 186 warrants containing the word Google in California's OpenJustice dataset from 2020.
Even when The Markup looked at logged warrants in the OpenJustice dataset from 2020 that contained the word Google, we found only 186 had been reported to the state. Google’s transparency report, on the other hand, stated that the company received 1,909 geofence warrant requests from California in 2020.
A comparison of 2019 numbers yielded similar results: Google says it was served 1,537 geofence warrants in California. Law enforcement agencies, meanwhile, publicly reported only 168 warrants that mentioned Google to the California DOJ.
There were 1,909 geofence warrant requests received by Google from California in 2020.
Google spokesperson Alex Krasov said in an email that any out-of-state agencies granted geofence warrants by California state courts would not be included in the DOJ database, which may account for some of the discrepancy.
The company’s transparency report counts requests based on the court where the geofence warrant is issued, not where the originating agency is from. The report has a separate tally for geofence warrants issued by federal courts.
Krasov also noted that the report is a count of warrant requests, which includes any revised or modified warrants. “That of course is different from the number of warrants in response to which we disclosed information,” said Krasov, who didn’t provide specific numbers for how many geofence warrants the company actually fulfilled.
Stephen Wm. Smith, a retired federal magistrate judge and a former director of Fourth Amendment and Open Courts at Stanford’s Center for Internet and Society, said that Google is the main target for geofence warrants because of its massive Sensorvault database, which includes granular location data from hundreds of millions of devices worldwide.
“Google is sitting on so much location data,” explained Smith. “That’s the gold mine of location information of all the providers. Phone companies have location data, but typically it’s not as precise as what Google has, and it’s not as extensive.”
Google, in its transparency report, noted that geofence warrants have increased dramatically over the past two years and recently made up “more than 25 percent of all warrants we receive in the United States.”
In 2020, geofence warrants came primarily from California, followed by Texas, where Google says the company was served 824 such warrants.
When asked about the discrepancy between the OpenJustice dataset and Google’s transparency report, Rishi Khalsa, the California Department of Justice’s press secretary, offered potential explanations for why hundreds of geofence warrants targeting the company appeared to be missing from its public database.
“The data is self-reported by local law enforcement. As a result of those requirements, the data on our website only reflects a subset of such search warrants,” Khalsa said in an email. “The information you reference may be pulled from a broader pool of data that may conversely include information regarding federal agencies, sealed warrants, and known targets.”
The California Police Chiefs Association, the California District Attorneys Association, and California Peace Officers’ Association didn’t respond to requests for comment.
The Peace Officers Research Association of California declined to comment.
Why California Agencies Are Required to Report Geofence Warrants
In 2015, California lawmakers passed the California Electronic Communications Privacy Act, or CalECPA, which requires government agencies to obtain a warrant for people’s electronic information. California agencies are also required to publicly report any unsealed warrants that don't have a known subject to the attorney general’s office—which is why the OpenJustice dataset exists.
By definition, geofence warrants don’t have known targets, since they scoop up data generated in specific areas, not by specific people. And advocates behind CalECPA say sealed warrants aren’t an excuse for failing to report. The law allows for delaying a disclosure to avoid interfering with an active investigation, but, advocates say, warrants should eventually be publicly reported.
“These delayed notices are a huge issue,” Jennifer Lynch, the Electronic Frontier Foundation’s surveillance litigation director, said. “The fact that law enforcement can delay their reporting, while their warrant is essentially sealed—it’s a huge problem.”
These delayed notices are a huge issue.
JENNIFER LYNCH, ELECTRONIC FRONTIER FOUNDATION
“We would also probably try and intervene in more of these cases if we could, to challenge the warrant as being unconstitutional,” Lynch said. “But if you don’t know about them, how do you get involved in the cases?”
Geofence warrants aren’t the only surveillance mechanism with differences between private and public reports. Gidari, the former Stanford CIS director of privacy, also found a discrepancy between the number of wiretaps reported by phone companies and tech companies in transparency reports and the public disclosure sent to Congress every year.
He found that wiretaps were underreported because of a lack of enforcement and no standardized formats for submitting these disclosures.
Critics raised the same concerns with CalECPA after seeing the discrepancies between the legally mandated disclosures and Google’s transparency report on geofence warrants.
“It shows the major issue with these reporting requirements is, ‘What’s the enforcement mechanism?'” Lynch said.
The California DOJ’s Khalsa said that the law doesn’t have specific penalties for failing to report, but police departments are still required to publicly disclose these electronic warrants.
When The Markup reviewed the OpenJustice database, we found a lack of consistency in the exact data law enforcement reported to the state. While some agencies explicitly labeled warrants as “geofence” or “google reverse location obfuscated IDs,” others offered more vague descriptions, like “evidence related to crime,” and simply “warrant.”
Smith, the former magistrate judge, pointed out that sometimes law enforcement agencies draft geofence warrants in terms that are so general and neutral that it can be difficult for anyone reading them to pick up on the extent of information actually being collected.
It’s possible that there are more geofence warrants included in the OpenJustice dataset that are described in a way that was too vague for The Markup to identify them as such. In an email, Khalsa said the California DOJ frequently works with law enforcement to “prevent data entry errors” from showing up in the dataset, along with other “quality control” issues.
“It’s awfully hard to track it, and that’s just not the way it’s supposed to work,” Gidari said. “It’s certainly not the way that CalECPA is supposed to work.”
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.