Enterprise Mobility Management / BYOD , Governance & Risk Management , Privacy
Google Sensorvault Database Draws Congressional ScrutinyQuestions Raised About Use of Android Location Data by Law Enforcement
Google is facing questions from Congress about Sensorvault, its database that stores the geolocation data of millions of Android users, which and has sometimes been shared with police as part of criminal investigations.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
In a letter to Google CEO Sundar Pichai, the Democratic and Republican leaders of the House Energy and Commerce Committee have posed 10 questions about Sensorvault and what information Google has collected about users over the past decade.
The committee's leaders want to know what Google does with all this data, who can access it and whether consumers are protected in cases of mistaken identification that may result from police investigations.
Because Google uses geolocation data to sell targeted advertising to consumers, Sensorvault is also raising questions about privacy and the personal information that companies collect.
"The potential ramifications for consumer privacy are far reaching and concerning when examining the purposes for the Sensorvault database and how precise location information could be shared with third parties," according to the letter. "We would like to know the purposes for which Google maintains the Sensorvault database and the extent to which Google shares precise location information from this database with third parties."
The letter is signed by Energy and Commerce Chairman Frank Pallone, Jr., D-N.J., ranking member Greg Walden, R-Ore., Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky, D-Ill., and subcommittee ranking member Cathy McMorris Rodgers, R-Wash.
The committee is asking for answers by May 7.
A Decade of Data
Since at least 2009, Sensorvault has collected data on users of Android smartphones who have turned on the operating system's "location history" feature. For those who opt in, the database sweeps up information based on GPS signals, cellphone towers, nearby Wi-Fi devices and Bluetooth beacons. The information remains in the database indefinitely.
For 10 years, the database and its use by law enforcement has been a well-kept secret within Google until a New York Times story on Saturday exposed what the company was doing with Sensorvault, including sharing some of the data with police when they had obtained a warrant.
The Times also explained that law enforcement will sometimes use a technique called "geofence." If there has been a crime committed, police can ask Google about a specific area and time, and the company can gather up all data on any phones used during that time in that area, but the users remain anonymous.
Once detectives have narrowed down that information to a few suspects, however, Google can reveal the names if law enforcement authorities obtain a warrant, according to the Times. In one week this year, the search giant received up to 180 requests for geofence data, the newspaper reports. Several Google employees told the Times that Sensorvault was never designed for use in law enforcement, cautioning that it can provide incorrect or partial data.
In one case cited by the newspaper, a man was picked up on murder charges based on the Sensorvault data, but let go a week later after police arrested a different suspect.
In a statement provided to Information Security Media Group, a Google spokesperson notes that the location history feature of Android is turned off by default and it's up to the users to turn it on.
"The data in question is used for location history, which is off by default. If a user chooses to turn it on, we can provide helpful information, like real-time data to help them beat traffic on their way home from work," the spokesperson says. "They can delete their location history data, or turn off the product entirely, at any time."
The spokesperson did not respond to questions about the issues raised by the Times concerning the use of Sensorvault by law enforcement authorities.
Questions About Sensorvault
Other organizations are joining Congress in asking questions about what Google does with Sensorvault data.
In a blog post, Jennifer Lynch, a surveillance litigation director at the Electronic Frontier Foundation, contends that the use of Sensorvault by police violates precedent set by the U.S. Supreme Court on how law enforcement can gather evidence and violates protections guaranteed by the Constitution, specially the Fourth Amendment.
"Unlike other methods of investigation used by the police, the police don't start with an actual suspect or even a target device - they work backward from a location and time to identify a suspect," Lynch writes. "This makes it a fishing expedition - the very kind of search that the Fourth Amendment was intended to prevent."
Law enforcement officials who spoke to the Times, however, reported that databases such as Sensorvault are useful during investigations. Gary Ernsdorff, a senior prosecutor in Washington state, told the publication that the location data is only one part of the case. "We're not going to charge anybody just because Google said they were there," he said.
Congress and Technology
The way technology companies use and store the personal data that they collect on consumers continues to be a significant issue, with Congress asking more and more questions.
In addition to Google, the House Energy and Commerce Committee has questioned Facebook recently about how Cambridge Analytica came to access and use information on tens of millions of Facebook users.
Questions posed by members of Congress who wrote the letter to Google include:
- What information does Google store in the Sensorvault database, and for what purposes does Google use this information?
- Does Google maintain other databases of precise location information?
- Who is able to access the information in the Sensorvault database?
- How accurate is the precise location information stored in the Sensorvault database?