Android’s pattern lock is often considered one of the least secure methods of keeping your phone’s data away from prying eyes. Well, it appears that it’s at least secure enough to stymie the FBI. An undercover agent witnessed one Dante Dears using an Android device to run a prostitution and human trafficking gang. Upon seizing the phone, the FBI was locked out, and is now subpoenaing Google to gain access. Could Google itself be the real security hole in your Android phone?

The just-approved FBI subpoena asks Google to provide an astonishing amount of information regarding that locked down cell phone. The government wants Dears’ user name, password, email, contact list, list of websites visited, text messages, photos, search terms, as well as any location data stored for the device. Google may not have access to all that data, but probably more than enough.

The email and contacts from the device might be from a third party service, but odds are Dears was using Gmail and Google Contacts. If this is the case, Google will be able to hand that data over easily once it associates the phone’s unique ID with a Google account. While access is tightly restricted, Google can access a user’s cloud content without a password. In fact, a few years ago Google had to fire an engineer that was accessing the accounts of several children.

Location data is a hot button issue for many, but Dears might be in the clear on this count. Android does collect GPS data to improve location services, but this feature is opt-out and anonymized. The only way for Google to provide the government any reliable location data on Dears would be if he turned on Latitude, which does keep a log of locations.

Some users might be floored that the government is asking Google to turn over a list of all websites visited. Don’t get too excited about that one; Google itself doesn’t have a full list of your web history. Just the Google searches and the links clicked from within those searches. If the investigators could unlock the phone, then there would likely be web history in the browser. Gaining access to the phone itself could be tricky, though.

Because the FBI investigators entered the pattern incorrectly too many times, the phone can only be unlocked with the user’s Google credentials. The issue of the password is the most intriguing, seeing as we’ve all had to go through the password reset shuffle once or twice. Google might not be able to provide the actual unencrypted password, but could reset it and tell the FBI what they’ve changed it to.

If law enforcement can gain access to a phone, the SMS and photos therein will be theirs for the taking. That is more than likely the only way investigators will get into Dears’ photos, unless in the unlikely event he was backing them up to Google+. The text messages are not going to be saved on Google’s servers anywhere, so if Dears was conducting his business via SMS, the FBI will have to go after the carrier instead of Google.

Shortly after the subpoena was served, Google made a statement on what has become a bizarrely big story. “Like all law-abiding companies, we comply with valid legal process,” a Google spokesperson said. It also added that if a subpoena is too broad, the internet giant could seek to narrow it. Still, the moral of the story is that even a device lock can’t keep all your data safe when it’s synced to the cloud.

Read more at Ars Technica