Federal investigators trying to solve arson cases in Wisconsin have scooped up location history data for about 1,500 phones that happened to be in the area, enhancing concerns about privacy in the mobile Internet era.

Four Milwaukee-area arsons since 2018, as yet unsolved, have resulted in more than $50,000 of property damage as well as the deaths of two dogs, Forbes explains. In an attempt to find the person or persons responsible, officers from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) obtained search warrants to gather data about all the devices in the area at the time.

The two warrants Forbes obtained together covered about nine hours' worth of activity within 29,400 square meters—an area a smidge larger than an average Milwaukee city block. Google found records for 1,494 devices matching the ATF's parameters and sent the data along.

While this is far from the first search to demand a wide swath of data in a given geographic location, Forbes notes, this is the highest number of results such a geofenced search has so far produced. Not only is that a whole lot of potentially unrelated data for investigators to sort through, but it's also possible that the search will prove entirely fruitless, as whoever committed the crimes may not have a phone, may not have brought it with them, or may have brought it with them in airplane mode or powered off.

The big net

The concept behind such a request is straightforward: you can't track the phone of a suspect you don't have, but you can start with the time and place the crimes were committed and look to see who was there. With that information in hand, they can drill down, as Forbes explains:

[T]he police give Google a timeframe and an area on Google Maps within which to find every Google user within. Google then looks through its SensorVault database of user locations, taken from devices running the tech giant’s services like Google Maps or anything that requires the “location history” feature be turned on. The police then look through the list, decide which devices are of interest to the investigation and ask for subscriber information that includes more detailed data such as name, email address, when they signed up to Google services and which ones they used.

While the ability to go through data that way might be handy for law enforcement, some privacy experts are not on board. Such a request "shows the unconstitutional nature of reverse location search warrants because they inherently invade the privacy of numerous people, who everyone agrees are unconnected to the crime being investigated, for the mere possibility that it may help identify a suspect," Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society, told Forbes.

Google told Forbes it tries to protect individual users' privacy when it receives such a request, saying, "We only produce information that identifies specific users when we are legally required to do so." The company does have a history of trying to push back on overly broad reverse-location requests, Forbes notes. For example, when federal investigators wanted information on devices in a 400-meter radius around a bank robbery earlier this year, the company convinced them to drop that to a 50-meter radius.

Users who disable Google's location history features should, in theory, not have data in Google's SensorVault for the company to pass along to investigators. That said, Google is facing multiple lawsuits, including a potential class-action in the US and a suit by consumer protection regulators in Australia, alleging the company misled users and retained location data even if the setting was turned off.