The identity fraud went down like this: in January, a man who identified himself as the customer of a Minnesota bank called to ask for a wire transfer of $28,500 from a line of credit to another bank.
To verify his identity, he gave the bank his name, date of birth, and taxpayer ID. The purported customer also faxed in a copy of what looked like his passport.
It wasn’t. It was fake, and the transfer was fraudulent. The crook had faxed it over with a phone number spoofed to masquerade as the victim’s phone number.
The image wasn’t actually of the victim, but it was of an individual close to the victim’s age. Police in Edina, Minnesota, searched for the image online, but they couldn’t find it via Yahoo or Bing searches. They did however find it on Google, so they hypothesized that the fraudster must have used Google to search for the image subject’s name when making the fake passport.
Thus were they led to seek a warrant with a massive scope: one that sought “any/all user or subscriber information” related to searches on the victim’s name for a period of five weeks.
The warrant, which Edina police applied for in February, was signed off on by Hennepin county judge Gary Larson. Here’s how broad the document was: the warrant sought the specific times and dates of the searches, along with names, addresses, telephone number(s), dates of birth, social security (taxpayer) numbers, email addresses, payment information, account information, IP addresses, and MAC addresses of any and all persons who ran a search on a handful of variations on the victim’s name between December 1 and January 7.
The warrant application was discovered and published by Tony Webster, who calls himself a web engineer, public records researcher and policy nerd. He’s put up a version of the document on his site, with the victim’s full name redacted so as to protect his privacy.
Webster told Ars Technica’s David Kravets that language in the warrant that says “located in city or township of Edina, County of Hennepin, State of Minnesota” is standard, pro forma language, often contained in the county’s warrants. The language doesn’t mean that the warrant’s limited to those who searched the victim’s name from within the city limits of Edina.
But the warrant goes far beyond Edina. In fact, it’s a sweeping dragnet looking for details about an untold number of people on a global scale, the vast majority of whom are assuredly innocent of any wrongdoing.
Webster likens it to taking out a warrant for anybody who bought a pressure cooker on Amazon a month before the Boston bombing. He also questions how police access to those people’s personal details might play out:
Could this type of search warrant be used to wrongly ensnare innocent people? If Google were to provide personal information on anyone who Googled the victim’s name, would Edina Police raid their homes, or would they first do further investigative work? The question is: what comes next?
He also compared it to tower dumps: a warrantless, large-scale interception of mobile phone data that gives police the identity, activity and location of any phone that connects to targeted phone towers, generally within one or two hours.
For those, law enforcement agents use stingrays: suitcase-sized cell site simulators that they use to mimic a cell tower and trick nearby phones (as in everybody’s phones, not just crooks’) into connecting and giving up their identifying information and location.
The warrant for the people who searched on the wire fraud victim’s name is similar to tower dumps in that both entail police sweeping up a vast amount of non-public data on people who aren’t wanted for any crime. As Webster noted, it represents “an opportunity for police to arrest or convict the wrong person through a flurry of circumstantial evidence”.
Andrew Crocker, a staff attorney for the Electronic Frontier Foundation (EFF), called out the warrant as unconstitutional on Twitter:
Holy shit. Case name should be In re Minnesota Unconstitutional General Warrant. Nice job unearthing @webster https://t.co/lGUd6s32dt
— Andrew Crocker (@agcrocker) March 16, 2017
According to the warrant application, Edina authorities had first sent Google an administrative subpoena “requesting subscriber information for anyone who had performed a Google search” for the victim’s name. Google refused to comply with that administrative subpoena, which is similar to a search warrant but without a judge’s signature.
Officer David Lindman wrote in the warrant application that he was after the judge-signed warrant to save time:
Though Google’s rejection of the administrative subpoena is arguable, your affiant is applying for this warrant so that the investigation of this case does not stall.
Google hinted, in an email to Ars, that it plans to fight the warrant:
We aren’t able to comment on specific cases, but we will always push back when we receive excessively broad requests for data about our users.
Bryan
I usually come down on the side of privacy, but while this warrant grants some serious leeway it’s not akin to eyeballing everyone with a pressure cooker–making dinner is still far more common than killing people.
Contrarily, how many legitimate Google searches are done on my name in a given month? Zero. Do any of the remaining searches represent philanthropic intent toward me? Probably not.
If I’m not preparing for a job interview I can only think of one reason I’d search a non-celebrity. If I recently added you to my phone contacts I’ll seek an image to supplant that annoying “generic contact” silhouette. Granted in this case it would bring me more suspicion than usual, but I doubt raided homes will be the first course of action–maybe over murder or child porn, but not larceny or fraud.
This warrant is more like years ago when a van cracked my windshield with a rock. I lost the van at a traffic light but recalled the plate, which city hall used to give me their address. They wanted my details, and even as young as I was I realized it protected the van owner–an accountability mechanism. I never did call them, realizing it was an accident anyway.
There are multitudinous creepy scenarios which could follow a license plate lookup, and a far narrower percentage begin with the recipient’s benefit in mind.
And these days not many web searches are Ed McMahon trying to get me that pesky million dollars.
Farid
Completely agree with Bryan here. The pressure cooker analogy is not only baseless, but I inclined to attribute it to deliberate misleading by sensationalism.
Max
What is a “legitimate” Google search? And on a global scale, your name might not just be yours. In fact, this whole case only exists the way it does because two people share the same name. I think the pressure cooker example is a very good one. Most people you will get with a warrant for all people who bought a pressure cooker are people who bought it for a reason other than making the bomb in question. It doesn’t have to be eating, it just matters that it isn’t the person they are looking for. Same with the Google search. Most people that warrant will give you have not searched the victims name because they are the crook, but for some other reason. And it doesn’t even matter what that reason is. Only one person has searched the victims name to use it for the fraud, and that is not even a sure thing. They just assume that. The crook could have gotten the image a lot of other ways too.
Adam
…Wow, just…wow. I had no idea that a warrant could be so vague or broad in what the law-enforcement agency was looking for.
I mean, the only thing they really “knew” was that the crook had searched for the victim’s name on Google, and they only “knew” that because they couldn’t find any similar images on Yahoo or Bing. Leads don’t get much flimsier than that, I don’t think.
Mike
It would be easier to determine how broad this is if we knew the name. How rare is it?
My full name is hardly a rare thing to google, because there are fifty thousand of us in the UK alone.