Google Location Services almost lands hapless cyclist in jail

A cyclist from Florida says that he was targeted by police as the prime suspect in a burglary because the RunKeeper app he used to log his rides via his Android phone showed him passing the crime scene three times on the day a house was broken into.

The first that Zachary McCoy, aged 30 and from Gainesville knew of police interest in him came when he received email notification from Google in January this year that police had requested information about his account, reports NBC News.

“I didn't know what it was about, but I knew the police wanted to get something from me, I was afraid I was going to get charged with something, I don't know what,” he said.

When he checked the reference number against the local police department’s website, he discovered an investigation report about a burglary that had taken place 10 months previously at the home of a 97-year-old woman.

With financial help from his parents McCoy, a restaurant worker, engaged a lawyer, Caleb Ewan, who discovered that four days after the burglary police had obtained a so-called “geofence warrant” against Google.

Such warrants are increasingly being used by law enforcement agencies to identify, via Google, the geolocation of people who were in an area at the time a crime was committed, helping them to identify potential suspects.

McCoy, who lives less than a mile from the location of the burglary, checked the data on his phone and realised he had recorded himself on RunKeeper riding his bike past there three times on the date in question.

“It was a nightmare scenario. I was using an app to see how many miles I rode my bike and now it was putting me at the scene of the crime,” he said. “And I was the lead suspect.”

Since McCoy, a computer science graduate, had always used anonymous accounts online – including the email address linked to his Google account – police referred to him only as a ‘John Doe’, the name used in the US when an individual cannot be identified.

His riding habits had piqued their interest in finding out who he was, which triggered the email to him from Google.

“I didn’t realise that by having location services on that Google was also keeping a log of where I was going,” he said. “I’m sure it’s in their terms of service but I never read through those walls of text, and I don’t think most people do either.

“If you’re innocent, that doesn’t mean you can’t be in the wrong place at the wrong time, like going on a bike ride in which your GPS puts you in a position where police suspect you of a crime you didn’t commit,” McCoy added.

Kenyon filed an application to have the geofence warrant dismissed, arguing, among other things, that it was unconstitutional in that it allowed police to cast a net too widely in seeking to investigate who may have perpetrated a crime.

He contrasted it with a search warrant which would be executed against a suspect who had already been identified.

“This geofence warrant effectively blindly casts a net backwards in time hoping to ensnare a burglar,” he argued. “This concept is akin to the plotline in many a science fiction film featuring a dystopian, fascist government.”

Shortly afterwards, he was contacted by someone working on the case in the state attorney’s office who said that the information he had provided led them to believe McCoy – whose identity was still unkown to them – was the suspected burglar, and the geolocation warrant was withdrawn.

McCoy, looking to fully vindicate his client, visited the detective investigating the case, showing him RunKeeper data going back months of him riding past the same location, before and after the date of the burglary.

“There was no knowing what law enforcement was going to do with that data when they got it behind closed doors,” he said.

“Not that I distrust them, but I wouldn’t trust them not to arrest someone,” he added, highlighting a case in Arizona in which a man was wrongly convicted of murder largely based on geolocation data obtained via such a warrant.

Clearly, the ability of law enforcement and other government agencies to use data and other information in the course of investigating a crime or for other purposes varies depending on jurisdiction, but as in this case it also raises issues of privacy.

In the UK, it is standard practice for police to check a motorists’ mobile phone for voice calls or other activity in the event of a road traffic collision to see whether they were using the device at the time a collision took place.

On the other side of the coin, as we have reported here on road.cc a number of times, criminals often use social media posts, as well as feeds from sites such as Strava, to target owners of high-end bikes, with this tactic suspected to have been employed in a number of burglaries.

road.cc’s online security tips

We’re all for online communities here at road.cc – after all, we are one and the interaction between our own users is one of the things that makes the site what it is – but as the story above shows, there may be people watching who have intentions that go beyond taking exception with your opinion of helmets or Rapha and who’ll give you more than the odd flame to worry about. Here’s some pointers to keeping safe online, with an emphasis on bike security.

If you mainly post online under a pseudonym and never mention your real name in connection with that, you’re already a step ahead. If not, there are a few things you can do to make yourself more secure, both when it comes to your bike and generally.

• Since Facebook accounts tend to be under users’ real names, it’s not difficult for thieves to link that and other information to publicly available address information, so you may want to review your privacy settings to have control over who can see your profile (yes, we know Facebook keeps changing them, but try and keep on top).

• Be very careful about posting images online. We all like to post pictures of our new toys online, but a bit of common sense is needed. A photo of your brand new bike with your house clearly identifiable behind it could attract unwanted attention. You may wish to disable GPS information used by some photo sharing sites.

• The same goes for information you share on sites that track your rides and make the information public. Strava has a feature that enables you to hide the start and finish point of your ride, particularly useful if that happens to be your home. Use it.

• Don’t go into detail online about the specific type of security you have, whether in relation to your bike or your home generally; you’re giving the thieves a chance to prepare by making sure they have the right tools for the job. Likewise talking online about going away for a while, on holiday perhaps, can flag up an unoccupied house to the thieves.

• Even if you don’t post on social media under your real name, be wary about how much information you make public. The less you reveal, the less others know about who you are and where you live. Keep it vague – town or district, fine, the street you live on, think twice.

• It's not just Facebook and Twitter, either that you need to be careful about - even club websites can be trawled by the crooks for information. Site admins may want to consider a private area of the site where members can chat.

• This isn’t specifically online-related, but we know that cyclists are sometimes followed home, the thieves returning later once they know where you live. If, close to your house, there’s somewhere you can go on your bike that someone watching you in a car can’t, go there. Try and vary your route if you can. Or ride a little way past your house then loop back.