Google has vowed to fight a search warrant put forward by a Minnesota judge to collect information on anyone who Googled the name of an identity theft victim.
The warrant, issued by Hennepin County District Judge Gary Larson on February 1, demands that Google hand over not only basic information on who searched for the victim, such as their names and IP addresses, but also their Social Security numbers, account and payment information; information that Google may not actually have access to.
Originally uncovered by blogger Tony Webster, the warrant relates to a case of wire fraud in Edina, Minnesota. In January, a Minnesota bank received a call from who they thought was their customer, known as Douglas in the released documents. Douglas asked for a wire transfer of $28, 500 worth of credit to another bank. To verify his identity, the bank requested he fax a copy of his passport. This document was faked by the fraudster on the other end of the line.
While investigating the crime, Edina police found the image used for the fake passport on Google when they searched for Douglas’ name. It did not turn up on two other major search engines, Yahoo and Bing, and so concluded that the criminal must have Googled the victim’s name in order to make the passport.
Detective David Lindman expanded on this theory in a request for a warrant to Judge Larson, asking for the aforementioned details. Larson signed the warrant and Lindman then served it to Google approximately twenty minutes later.
A spokesperson for Google said on Friday that they will “continue to object to this overreaching request for user data, and if needed, will fight it in court. We always push back when we receive excessively broad requests for data about our users.”
Privacy experts have already questioned the decision of Larson, arguing that it is an unusually broad definition of probable cause. William McGeveran, a law professor at the University of Minnesota, argued that:
This kind of warrant is cause for concern because it’s closer to these dragnet searches that the Fourth Amendment is designed to prevent… it’s much more usual for a search warrant to be used to gather evidence for a suspect that’s already identified, instead of using evidence to find a suspect… if the standards for getting a broad warrant like this are not strong, you can have a lot of police fishing expeditions.
Rob Kohn, a professor of privacy law at the University of St Thomas, went further, arguing that those who may have searched the name for other reasons would also be picked up in the search and that the police should exclude any data that does not pertain to the case at hand. “I’m concerned both about ensnaring innocent people but also … that this become a pattern,” Kahn said. “It’s certainly a scary slippery slope that they’re setting up here.”
Ashlee Kieler, writing in The Consumerist, pointed out a key flaw in the warrant itself:
Google’s search engine can be used by anyone without logging into a Google-connected account. Even those who are registered with Gmail or YouTube may have used completely false information to create those accounts, as they are largely free to use.
She also made a rather apt comparison of how the warrant may have looked in a non-digital world, in that the closest thing to this case pre-internet would have been if a police officer served a search warrant on a phone company, demanding the names of everyone who looked up a certain number.
Stephanie Lacambra, an attorney for the Electronic Frontier Foundation, was “skeptical of this warrant’s ability to survive constitutional scrutiny.” Her colleague Andrew Crocker made his feelings extremely clear in a tweet:
— Andrew Crocker (@agcrocker) March 16, 2017
Lieutenant Timothy Olson of Edina PD declined to comment on the case, except to say that the department would be “reluctant to disclose active case information or specific strategies used during the investigation.”