Another day, another example of how the data sharing choices we make can come back to haunt us. The Guardian reports a Florida resident finding his bike ride data requested by law enforcement. This is due to his route taking him close to the scene of a burglary a year earlier.
According to the report, he had just seven days to put something in front of a judge to block the data’s release. Not everyone would know how to do this, much less have heard of geofencing before.
What happened here?
Geofencing wraps virtual "fences" around real locations. It’s commonly talked about in relation to advertising and marketing activities, and it helps you track movement by pinging away should you enter or leave a specified location. It can be helpful or adversarial, depending on your need, and your point of view. It can be used for things as varied as keeping your advertising spend focussed on people from a particular area, or tracking that serious offenders under some form of house arrest don't outside the areas they're allowed to visit.
What is a geofence warrant?
A geofence warrant, also known as “reverse location warrants”, involve grabbing data on everybody close to a crime scene. Were you involved? Or simply passing by? Doesn’t matter! Into the pile of law enforcement data you go. You just have to hope you’re not caught up in some sort of mistaken identity fiasco down the line.
These warrants are increasingly being used for all sorts of reasons. The fear is they’ll contribute to a chilling effect on free speech, protest, and more. Indeed, Google has recently said these warrants “make up one quarter of all US demands” for its data. It’s easy to see why this would be the case. It’s lots of incredibly precise movement data, tied to big slices of people’s personal identity and physical objects kept about their person.
Which keywords open the door?
It’s not just geofencing causing headaches for privacy advocates. Requests for keyword searches are very popular too. This is where your search history is grabbed and examined for signs of...well...who knows. Essentially, you’re at the mercy of completely random investigations aligning with your completely random searches.
While Google states these data requests “...represent less than 1% of total warrants and a small fraction of the overall legal demands for user data that we currently receive”, it’s still rather uncomfortable to think about.
Is there any refuge in anonymity?
Well, that’s a very good question. There’s plenty of examples where theoretically anonymous data turned out not to be, after ending up online. Time and again we've seen that, with surprisingly few data points, users can be identified from anonymised data.
Geofence warrants leapfrog several of those issues and go directly for the user ID. If you make use of any form of location data whatsoever, it can be used against you. Even if you disable your Bluetooth, refuse beacon access, turn off all GPS features, choose not to store your exercise routes in your latest exercise app. Simply carrying the phone around and using it as intended is potentially more than enough.
There is no simple solution to this one; primarily it’s down to Google to run a tight ship. It’s also incumbent on privacy orgs and people working at various levels of Government to ensure no overreach is taking place.
What can I do to reduce any privacy risk?
You can consider using services other than Google. If you don’t want your entire online existence in one big pot of data, feel free to mix and match a little. Try out DuckDuckGo for your searching perhaps, or fire up a VPN. Just be aware that other organisations may not have the same outlook on these requests as Google does. It might be the case that they don’t have the same legal might Google carries. They may have no policy on this kind of request at all, and hand everything they have on you to whoever asks for it. This would probably not be ideal in the privacy stakes.
The choice, as they say, is yours.