Surveillance
He Went For A Bike Ride. Google Made Him A Burglary Suspect.
On a Tuesday afternoon in January 2020, Zachary McCoy was getting ready to leave for his shift at a restaurant in Gainesville, Florida when an email arrived from Google.
It was from Google's legal investigations support team.
Local police had demanded information related to his Google account.
Google would release that information in seven days unless he went to court to block it.
McCoy had no idea what this was about. He had never been in trouble with the law. He was a 30-year-old restaurant worker who rode his bike around the neighborhood to stay fit. He used an exercise app called RunKeeper to track his miles.
He searched the case number included in the email on the Gainesville Police Department website.
What he found made his stomach drop.
It was a one-page investigation report on the burglary of an elderly woman's home. She lived less than a mile from where he lived. Thousands of dollars worth of jewelry had been taken. The break-in had happened ten months earlier, in March 2019.
McCoy had never been to that house. He did not know the woman. He had nothing to do with the burglary.
But Google's data said he had been there.
And now he had seven days to prove he was innocent before police would know exactly who he was.
The Bike Ride That Started It All
McCoy opened his RunKeeper app and pulled up his route from the day of the burglary.
He saw it immediately.
He had ridden past the woman's house three times in the span of an hour. It was part of his regular route. He had ridden it dozens of times before and after that day. He simply rode his bike past that block. That was all.
But to police reviewing anonymized location data from a geofence warrant, a device passing the same address three times in one hour looked like surveillance behavior. Like someone casing the property before breaking in.
They flagged his device.
Then they went back to Google and asked for the identity behind it.
That request triggered the email McCoy received.
He was terrified. He did not want to go to the police directly because he was afraid it would lead to his arrest. Instead he drove to his parents' house in St. Augustine and told them what was happening over dinner. They dipped into their savings to help him hire a lawyer.
"I was hit with a really deep fear," McCoy said. "I didn't know what it was about, but I knew the police wanted to get something from me. I was afraid I was going to get charged with something."
What A Geofence Warrant Actually Does
Most people have never heard of a geofence warrant. That is not an accident.
These warrants are issued in secret and sealed by a judge. The people swept up in them are often never notified at all. McCoy only found out because Google has a policy of notifying users before complying, a policy that is not universal across all tech companies.
Here is how the process works.
Police identify a crime scene and a time window. They submit a legal demand to Google asking for every device that was active in that geographic area during that time. Google searches its database, which contains detailed location records from hundreds of millions of devices. Every Android smartphone with location services enabled. Every device using Google Maps. Every account running an app that feeds location data to Google, including fitness trackers, navigation apps, and social platforms.
The initial results come back without identifying information. Police sift through the data looking for devices that seem suspicious. When they find one, they go back to Google and request the name, address, and account details behind it.
That second request is what triggers the notification to the user.
McCoy had seven days. Most people would not even know what to do with that information. Most people could not afford a lawyer on seven days notice. Most people would simply run out the clock.
His lawyer, Caleb Kenyon, filed a motion arguing the geofence warrant was unconstitutional. He called it a digital dragnet that casts a net backward in time hoping to catch a suspect rather than starting with a suspect and gathering evidence.
The state attorney's office withdrew the warrant shortly after.
McCoy was cleared.
He never learned what the actual details were that led police away from him. The burglary of the elderly woman's home was never solved.
The Part That Should Concern Everyone
McCoy's case ended without an arrest, without charges, without his name being released to police.
He was lucky.
He had parents willing to spend their savings on a lawyer. He had a lawyer who understood geofence warrants and knew how to challenge one. He had Google's notification policy working in his favor.
Most people have none of those things.
Jorge Molina, the Arizona man arrested for murder based on Google location data from a smartphone he had given away, did not have the same outcome. He spent six days in jail. He lost his job. He struggled to find new work for months because his arrest appeared in every background check and every search of his name.
The difference between McCoy's outcome and Molina's was not innocence. Both men were innocent. The difference was circumstance, resources, and luck.
And the underlying mechanism that put both of them at risk was identical.
An Android smartphone. A Google account. Location services turned on.
That was all it took.
How Many Times Does This Happen
McCoy's case and Molina's are not isolated incidents. They are documented examples of a practice that happens thousands of times a year across the country, mostly in secret.
Google reported receiving approximately 9,000 geofence warrants in 2018. That number represented a 1,500% increase from 2017. By 2019, the number had grown another 500%.
Each warrant requires a search of tens of millions of Google user accounts.
The people whose data is searched are almost never notified. The warrants are sealed. The searches happen without the knowledge of the people being searched. And the only way to find out is if Google chooses to send a notice and you happen to understand what you are looking at when it arrives.
A federal judge described the process as a digital dragnet, a direct contradiction of constitutional protections that require suspicion of a specific individual before conducting a search. Several court challenges are currently working their way through the legal system.
In the meantime, the warrants continue.
What Your Smartphone Has To Do With This
McCoy's problem began with a fitness app.
He wanted to track his bike rides. He used RunKeeper. RunKeeper fed his location data to Google. Google stored it. Police requested it. And McCoy suddenly had seven days to prove he had not committed a crime he had never heard of.
He had not done anything wrong. He had simply used a smartphone the way most people use a smartphone.
That was enough.
The data that made him a suspect existed because his Android device was generating location records constantly, feeding them into Google's database, and storing them indefinitely tied to his identity.
The Ghostphone runs GrapheneOS, which removes Google entirely from the operating system. There is no Google account. There is no location history being built. There is no database record to return when a geofence warrant comes in.
McCoy's bike ride would have been just a bike ride.
Nobody would have known he was there.
Because there would have been nothing to find.
The Ghost Phone
No Google account. No location history. No geofence warrant exposure.
Ed Warren is a Digital Privacy Consultant with over 15 years of experience in the surveillance and data security industry.
