Google Dragnet Descends On Gun Stores | Hack Hits 150,000 Surveillance Feeds |Microsoft Exchange Attacks Explode

Plus: Stop This ‘Secret’ Location Tracking On Your iPhone—3 Critical Settings You Need To Change Today

In a recurring feature in this newsletter, I'm publishing court documents that you won't have seen anywhere else, ones that paint a picture of what police surveillance looks like in the real world. I call it The Wire IRL.

This week's edition looks at an order on Google for location data on anyone inside or near a two Arizonian gun stores and one range that were targeted by robbers earlier this year.

It's known as a reverse location search, in which the feds ask Google to provide information on all phones within a given geographic area during a specified period of time. The police then decide which of those devices are pertinent for the investigation and ask Google for more detailed personal information of the phone owner, such as their name, contact information and previous locations.

This February, in Tucson, Arizona, an agent with the Bureau of Alcohol, Tobacco, Firearms and Explosives was investigating robberies or attempted robberies at three different federal firearms licensees. The robbers, who stole not just guns but safes and paintball masks too, managed to avoid being caught in the act. Security camera footage wasn't able to identify them, though it did indicate one white male was present at two of the hits.

To try to learn more about who may have been responsible, the investigator went to Google to get information on any devices in areas inside and surrounding those gun shops during the times which the robberies were believed to have taken place. For one of the victims, the Marksman Pistol Institute, that was a period of six hours during the night. For another, The Hub Tucson, it was just half an hour in the evening.

Such warrants have proven controversial, especially in Arizona, where one man was wrongfully arrested and kept locked up for a week because his device was caught up in a Google dragnet covering an area near a murder. As the author, Jennifer Valentino-DeVries, wrote then, the investigative technique has much promise in helping solve crimes, but "it can also snare innocent people." Showing how broad such orders can be, I previously reported on a case in 2019 where Google returned information on 1,500 devices in response to a request from the ATF regarding some arsons in Milwaukee, Wisconsin.

Given these new Google reverse location searches are in Arizona, and cover areas surrounding three gun stores over nearly ten hours, the risk of innocents being unwittingly caught up in a criminal investigation could be significant. The DOJ declined to comment as the investigation was ongoing.

You can read the search warrant in full for yourself here.

If you have any tips on government surveillance or cybercrime, drop me an email on tbrewster@forbes.com or message me on Signal at +447837496820.

The Big Story

The Stories You Have To Read Today

Verkada, a Silicon Valley startup that provides surveillance camera and facial recognition tech, was hacked and access to its feeds exposed, William Turton from Bloomberg reports. Its customers, whose internal surveillance footage was leaked to the media, include Tesla and CloudFlare. Turton subsequently found Verkada employees had extensive access to that same footage. Meanwhile, the hacker, Till Kottmann, has been raided.

As expected, cybercriminals are now actively exploiting those nasty Exchange vulnerabilities. Microsoft warned about a brand of ransomware targeting those still vulnerable.

Google's location data is also proving useful to investigators of the January 6 Capitol Hill riots, providing information relating to one particular person suspected to storming the home of American democracy.

Joseph Cox is back with more reporting in Vice on government agencies buying location data that comes from everyday smartphone apps. This time it's the Florida Department of Corrections. It might be buying the tech to learn which prisoners are illegally using smartphones.

T-Mobile is going to start selling customers' web-usage data to advertisers unless they opt out, starting April 26, reports Ars Technica. Privacy advocates are, understandably, unhappy with the telecoms giant.

Winner Of The Week

If you've been reading this newsletter for the last couple of months since launch, you might know that I'm a big fan of DocumentCloud. I put all of those search warrants for The Wire IRL in there and open up access for everyone. But there's more to the service than that, annotation, easy embeds and analysis tools being especially useful. This last week, it announced a revamped service, which provides more speed and mobile-friendly features. I've been trialling it for a while and it sure feels more modern than the old system. Get publishing and get sharing all those valuable docs, folks!

Loser Of The Week

The CEO of Canada-based encrypted phone provider Sky Global, Jean-Francois Eap, has been indicted on charges that he and a colleague knowingly and intentionally participated in facilitating narcotics trafficking. Eap and Thomas Herdman, a former distributor of Sky Global devices, were charged with a conspiracy to violate the federal Racketeer Influenced and Corrupt Organizations Act (RICO). Sky sells iPhone, Google Pixel, Blackberry and Nokia phones that come preloaded with an encrypted comms app, which in itself doesn't sound awful. But according to the Justice Department, the company had created a tool that could remotely delete any evidence of drug trafficking from customers' devices. And, the DOJ said, the company had "generated hundreds of millions of dollars in profit by facilitating the criminal activity of transnational criminal organizations and protecting these organizations from law enforcement." Eap told Vice the charges were false and that the company had only been targeted because it provided privacy-enhancing phones. As the case unfolds, it'll be fascinating to see who is the eventual loser.

Across Forbes