Until recently, I didn’t realize that police could use my Google search history to convict me of a crime. I also didn’t realize that Google itself can use my search history to sue me. This post is about my slow wake up call to the Big Brother world of Big Data.
As a United States citizen, I know how search warrants work: if the police request a search warrant, and if the court system approves it, the police can enter my home and search through my personal belongings. But in terms of my internet browsing history, I've always assumed that the data I create is so vast that it was untraceable. Really, who’s going to record the 500 celebrity gossip pages I visit per day? (And which government agency actually cares enough to store that information?) I know, call me naive, but logging onto a computer and visiting different pages of the internet felt sacred to me.
Alas, my idealism was misplaced. The government can access people’s search histories any time. Don’t believe me? Look no further than the 2012 LinkedIn hack, the hack that taught me how far the FBI's tendrils extend.
How the FBI finds hackers using search warrants
If you, like me, got a password reset notice from LinkedIn circa 2012, then you may already know about the LinkedIn hack of 2012. In it, a Russian hacker named Yevgeniy Nikulin stole 6.5 million LinkedIn users’ email addresses, usernames, and passwords, then used those credentials to hack into other companies like Dropbox (from whom he stole 20 million users' data) and Formspring (from whom he stole 420,000 users' data).
But no matter how many databases Nikulin hacked into, he was never going to have as much data about LinkedIn users as the FBI had about him. After the hack, the FBI spent four years collecting Nikulin's online data so that they could charge him for identity theft and computer intrusion. First, the FBI traced the original hack to the email address [email protected]. Next, they asked Google for the search history associated with [email protected], and Google gave them everything, including google searches for a dentist near Moscow. And it wasn't just Google that complied with the warrant. Microsoft, Vimeo, Automattic (the parent company of Wordpress), and others contributed so many records that the trial brief was chock full of incriminating information.
And yes, collecting this amount of data is normal for the FBI
The LinkedIn hack wasn’t a one-off in terms of the government using search warrants to chase down the online behavior of high profile hackers: after the 2017 WannaCry hack, which shut down an estimated 230,000 computers worldwide, the FBI again traced the email addresses involved in the hack back to a North Korean cybercriminal, and then indicted him.
Enter: The Fourth Amendment
In some ways, I’m okay with the government being able to retrieve information from Google in order to solve crimes. After all, the Fourth Amendment protects U.S. citizens unreasonable searches and seizures by the government. If the FBI wants someone's data, they probably have a good reason, right?
But I’m beginning to realize just how often government search warrants stretch the definition of "reasonable." Just a few months ago, police in Nebraska prosecuted a 17-year-old girl for getting an abortion, all using data acquired from Facebook through search warrants. And how did they get a search warrant for the girl’s Facebook message history? They told Facebook that they had evidence that she had burned and buried the baby (because they found the fetus discarded in a bag).
However, once the police read the Facebook messages, they realized that she had aborted the baby, not burned it, which changed the investigation from a murder investigation to an abortion investigation.
I am disturbed by Facebook's willingness to hand over the girl's records so readily. In fact, Facebook has stated publicly to the New York Times that, in the first half of 2020, it complied with 89% of search warrants it received. By comparison, Google complied with 83%, and Apple only complied with 43%.
Tech companies also use their records to sue employees
Even more disturbing than tech companies handing over records so readily is the fact that they also use these records to sue their own employees.
In 2017, Google sued two top self-driving car engineers at Uber for stealing Google’s self-driving car research. In the lawsuit, Google claimed that one of these engineers had – prior to leaving Google – googled things like "how to permanently delete google drive files from my computer."
If Google deems it necessary to publicize its employees' search history (like if 245 million dollars’ worth of AI car research is on the line), they will.
And for those of you who were reassured by Google’s new security policy that allows users to automatically delete all of their Google data – including search history – every 3 months, listen up. That policy only applies to Google search history, not Gmail emails themselves, which are still stored indefinitely, and which Google clearly hands over fairly freely. (See the aforementioned 83%.)
Sleep tight!
My point is, for those of you – like me – who long thought that your personal data is sitting pretty in a data center, not being used by anyone, or only being used for ad targeting purposes, just know that it can be used by law enforcement at the drop of a hat. And, if you're a tech worker like me, potentially by your future employer.
What are some steps to escape the prying eyes? Proton mail? A VPS? What do you do?