14 C
New York
Thursday, September 28, 2023

How a Secret Google Geofence Warrant Helped Catch the Capitol Riot Mob

Court documents suggest the FBI has been using controversial geofence search warrants at a scale not publicly seen before, collecting account information and location data on hundreds of devices inside the US Capitol during a deadly invasion by a right-wing mob on January 6.

While Google receives over 10,000 geofence warrants for location data in the US a year, those covering the Capitol breach appear to have been particularly productive, apparently enabling the FBI to build a large, searchable database in its hunt for the rioters.

Geofence warrants are intended to locate anyone in a given area using digital services. Google has been the target for many geofence warrants because its location technologies, which leverage GPS, Wi-Fi, and Bluetooth signals to pinpoint a phone within a few yards, are powerful and widely used.

Investigators can and do also serve warrants on phone companies. However, cell phone towers can only locate phones to within about three-quarters of a mile. While court documents suggest that the FBI collected cell tower records for “thousands of devices that were inside the Capitol” during the riot, Google’s data offers a much higher degree of accuracy.

The use of a geofence search warrant was first reported by The Washington Post, and others have previously noted specific instances of investigations that used Google geolocation data. But WIRED has found 45 federal criminal cases that cite Google geolocation data to place suspects inside the US Capitol on January 6, including at least six where the identity of the suspect appears to have been unknown to the FBI prior to the geofence warrant. One of these involved a serving Chicago police officer.

“I'm terribly concerned about the potential for misuse of that technology,“ says Ari Waldman, professor of law and computer science at Northeastern University. “Even if I think staging a coup against a democratic government is abhorrent, it doesn't mean that constitutional privacy protections shouldn't be in place.”

In fact, court documents refer to two geofence warrants relating to January 6, one of which a government filing seems to say was served even as the riot was raging. They were immediately sealed and are unlikely to be made public for years. However, a close reading of hundreds of court filings reveals that both the secretive geofence warrants and further Google-focused geolocation warrants delivered a wealth of information about dozens of suspects.

Geofence warrants are essentially a fishing expedition: Investigators know roughly where and when a crime was committed, and want to find out who might have been nearby at the time. As this would normally include innocent people and bystanders, Google requires law enforcement to go through a three-step process to access the information.


A geofence warrant initially seeks an anonymized list of devices tracked within a specific area at a specific time. Investigators then use that list to focus on tracks that look suspicious, and can ask Google to widen the time or geofence boundaries on only those devices. Finally, investigators can go back to Google to unmask the real name, email, phone number, and other information of just a few account holders. Courts can and have—albeit very rarely—denied geofence warrant requests that are overly broad.

But where a typical geofence fishing expedition might catch only one or two suspects, the January 6 investigation appears to have landed a netful.

Court documents show that the initial Google geofence warrant included the US Capitol building and the stairs leading down to Capitol plaza. They also reveal that within days or weeks, the FBI had access to personal information about many of their owners, including at least the account name, email, and phone number.

None of the legal experts WIRED spoke with had heard of another case where the personal data for devices in a geofence warrant had been unmasked at this scale.

“What might have happened is that the FBI got the anonymized data and just got straight back in touch with Google and said we suspect 90 percent of these people, so give us their IDs,” says Matthew Tokson, a law professor and Fourth Amendment expert at the University of Utah. “Or it may have been an atypical warrant where they said to Google: Give us not only the numbers but the account names, because we think we have probable cause on the bulk of them.”

However the FBI secured the information, court documents show that before the end of January it had a trove of personal data from Google that it could use to easily identify suspects, or confirm their presence inside the Capitol in a narrow window of time. Investigators first excluded anyone authorized to be in the Capitol on January 6, such as members of Congress and their staffs, law enforcement, first responders, and government employees. That left the FBI with a set of Google accounts and related data that it could search as its investigations proceeded.

For example, court documents say that Jeffrey Register deleted photographs of his time in the Capitol and even claimed to have factory-reset his phone in the days after the breach to obscure his tracks. It was already too late; the FBI appears to have identified him from the Google geofence data in January, and it used his drivers license photo to confirm his alleged appearance in a video shot inside the building during the riot. Register has pleaded not guilty to four charges relating to entering and disorderly conduct within the Capitol.

The evidence from the warrant also appears to have enabled more sophisticated data mining. On March 2, the FBI learned of a YouTube video showing people within the Capitol on January 6, including a white woman wearing a jacket from a plumbers and pipefitters union in Joliet, Illinois.

The FBI investigator searched the geofence data for all phones having Joliet’s 815 area code. Two of the six 815 records were attributed to women, and one of those names was Amy Schubert. Schubert’s public Facebook profile photo matched the woman in the video. Identifying her led the FBI to her husband, John, a previously unknown suspect who allegedly appeared in a different video. The Schuberts were each charged with four counts last week related to entering the US Capitol; they pleaded not guilty.

Another suspect that the FBI seems to have originally identified using the Google geofence data was Karol Chwiesiuk, whose phone Google placed inside the Capitol between 2:37 and 3:24 pm on January 6. When the FBI ran Chwiesiuk’s name through “publicly available resources,” says the filing, they found a Chicago police officer with the same name. The Chicago Police Department confirmed that Chwiesiuk’s home phone number was the same as the one Google had captured.

Using a traditional search warrant, the FBI then obtained full geolocation and communication records for Chwiesiuk’s Google account, which showed him allegedly traveling from Chicago to Washington, DC, and admitting in a series of text and picture messages that he had been in the Capitol. Chwiesiuk has pleaded not guilty to five charges, including violent entry in a Capitol building.

For multiple suspects, the FBI eventually gathered a wide set of Google data, including recovery numbers and emails, and dates on which the accounts were created and last accessed. Some court filings even note that FBI agents could see a field called “User Deleted Locations,” although its meaning was not explained. It is unclear whether this data came from the initial geofence warrant, a follow-up, or traditional search warrants after the suspects had been identified.

If, as it appears, the Justice Department used the geofence warrant data to build a searchable database of suspects, it would be the first known instance, say legal experts.

“It does sound unusual, but it's worth noting that this whole circumstance is unusual,” says Tim O’Brien, a tech industry executive currently working on AI policy at Microsoft, who studied geofence warrants at the University of Washington School of Law. “If I were law enforcement, I would argue that the three-step process is unnecessary in this case, because the moment you set foot inside the Capitol, you became a suspect or witness.”

Others see the start of a slippery slope. “When law enforcement and prosecutors see what they can do in an unusual case, it normally spills over and then becomes the usual case,” says a digital forensics lawyer who asked not to be named. “I think that not only will you see this in murders, you'll probably start seeing it in car thefts. There are no reins on this.”

Google provided a statement: “We have a rigorous process for geofence warrants that is designed to protect the privacy of our users while supporting the important work of law enforcement. To the extent we disclose any data in response to a geofence warrant, we always produce de-identified data as the initial step in the process. Then, any production of additional information is a separate step as mandated by the warrant or a new court order.”

Google also noted that court orders are often accompanied by gag orders that prevent the recipient from discussing them.

The DOJ did not respond to requests for comment.

Geofence warrants are usually filed before defense counsels become involved, are often sealed from public scrutiny for years, and there has been no substantial litigation over their constitutionality or use. The law governing them, the Stored Communications Act, was passed in 1986, long before smartphones, Wi-Fi, or widespread GPS use, and it has not been significantly updated since.

Instead, the DOJ’s Computer Crime and Intellectual Property Section and Google quietly came up with their own framework for processing geofence warrants, which most courts to date have accepted.

The fact that Google at least makes the DOJ obtain search warrants for its data is a great first step, says Tokson. “But if we're depending on giant tech companies to protect people's privacy against the government, that's a very shaky proposition,” he says. “These companies depend heavily on the government for business, and to not regulate them to death.”

Over 600 people have now been arrested, and at least 185 charged, in connection with the Capitol breach, with the most recent criminal complaint using Google’s geofence data filed just last week.

Meanwhile, the secret Capitol breach geofence warrants have yet to be identified themselves. In April, The New York Times thought it had tracked one down and filed a motion to unseal it. The warrant turned out to be for an unrelated drug trafficking case. When it comes to geofence data, it seems that information flows strictly in one direction.

Related Articles

Latest Articles