No reasonable expectation of privacy in one's Google location data

Original link: https://fourthamendment.com/?p=58338

In United States v. Chatrie, the court held that people have no reasonable expectation of privacy in their Google location data, because that data is voluntarily shared with Google. Users must explicitly enable location sharing, Location History, "Location Reporting" and Google Location Accuracy on their mobile devices before Google can track and store their Location History data. More than one-third of active Google users have enabled Location History. Users retain some control over their location data: they can review, edit or delete it, or pause its collection. Once enabled, however, Google tracks location continuously via GPS, even when the phone is not in direct use. When authorities seek location data through a "geofence warrant", Google provides an anonymized list of the devices that were within a specified area during a specified time range. After evaluating the request, Google may refuse demands that are overly broad. The process involves identifying the users within the geofenced area and supplying anonymized device numbers, latitude and longitude coordinates, timestamps, confidence intervals and the source of the location data. Google has a three-step procedure for handling geofence requests, which reduces the risk of unwarranted intrusion into users' privacy. Even so, concern about privacy breaches keeps growing as the number of geofence requests has risen steadily since 2016.

Maximizing online privacy involves adjusting settings in several key areas:
1. Google Activity Controls: disable all activity history, so that nothing is recorded unless otherwise specified.
2. On iOS devices, restrict background permissions for Google apps to save battery life and reduce data collection. Restrict Location Services permission for all apps except Maps, which should be granted only "While Using".
3. Using separate Google accounts for different purposes helps prevent data from being merged across apps. Avoiding Google apps altogether protects privacy further.
4. Law-enforcement access to personal data remains a complex topic. Privacy concerns arise wherever there is potential for abuse, insufficient oversight or vague legislation. Still, striking a balance between investigative efficiency and privacy protection is essential. Accurate information empowers criminal-justice actors such as defense attorneys, judges and juries.
5. Most people have experienced the pervasive data collection on countless platforms, from banks to retailers. Allowing law enforcement limited access to this data helps solve major cases. However, it is essential to keep a reasonable expectation of privacy and to understand the limits of privacy controls.

Original text

There is no reasonable expectation of privacy in one’s Google location data. It’s willingly shared with Google. United States v. Chatrie, 2024 U.S. App. LEXIS 16692 (4th Cir. July 9, 2024) (2-1):

Location History is turned off by default, so a user must take several affirmative steps before Google begins tracking and storing his Location History data. First, he must enable location sharing on his mobile device. Second, he must opt in to the Location History setting on his Google account, either through an internet browser, a Google application (such as Google Maps), or his device settings (for Android devices). Before he can activate the setting, however, Google always presents him language that explains the basics of the service. Third, he must enable the “Location Reporting” feature on his mobile device. And fourth, he must sign in to his Google account on that device. Only when a user follows these steps will Google begin tracking and storing his Location History data. Roughly one-third of active Google users have enabled Location History.

Even after a user opts in, he maintains some control over his location data. He can review, edit, or delete any information that Google has already obtained. So, for instance, he could decide he only wants to keep data for certain dates and to delete the rest. Or he could decide to delete everything. Google also allows him to pause (i.e., disable) the collection of future Location History data. Whatever his choice, Google will honor it. From start to finish, then, the user controls how much Google tracks and stores his Location History data.

Once a user enables Location History, Google constantly monitors his location through GPS, even when he isn’t using his phone. And if he has an Android phone, he can turn on another setting—”Google Location Accuracy”—that enables Google to determine his location using more inputs than just GPS, such as Wi-Fi access points and mobile networks. As a result, Location History can be more precise than other location-tracking mechanisms, including cell-site location information. But whether Google Location Accuracy is activated or not, Location History’s power should not be exaggerated. In the end, it is only an estimate of a device’s location. So when Google records a set of location coordinates, it includes a value (measured in meters) called a “confidence interval,” which represents Google’s confidence in the accuracy of the estimate. Google represents that for any given location point, there is a 68% chance that a user is somewhere within the confidence interval.

Google stores all Location History data in a repository called the “Sensorvault.” The Sensorvault assigns each device a unique identification number and maintains all Location History data associated with that device. Google then uses this data to build aggregate models to assist applications like Google Maps.

In 2016, Google began receiving “geofence warrants” from law enforcement seeking to access location information. A geofence warrant requires Google to produce Location History data for all users who were within a geographic area (called a geofence) during a particular time period. Since 2016, geofence requests have skyrocketed in number: Google claims it saw a 1,500% increase in requests from 2017 to 2018 and a 500% increase from 2018 to 2019. Concerned with the potential threat to user privacy, Google consulted internal counsel and law enforcement agencies in 2018 and developed its own three-step procedure for responding to geofence requests. Since then, Google has objected to any geofence request that disregards this procedure.

Google’s procedure works as follows: At Step One, law enforcement obtains a warrant that compels Google to disclose an anonymous list of users whose Location History shows they were within the geofence during a specified timeframe. But Google does not keep any lists like this on-hand. So it must first comb through its entire Location History repository to identify users who were present in the geofence. Google then gives law enforcement a list that includes for each user an anonymized device number, the latitude and longitude coordinates and timestamp of each location point, a confidence interval, and the source of the stored Location History (such as GPS or Wi-Fi). Before disclosing this information, Google reviews the request and objects if Google deems it overly broad.

At Step Two, law enforcement reviews the information it receives from Google. If it determines that it needs more, then law enforcement can ask Google to produce additional location coordinates. This time, the original geographical and temporal limits no longer apply; for any user identified at Step One, law enforcement can request information about his movements inside and outside the geofence over a broader period. Yet Google generally requires law enforcement to narrow its request for this more expansive location data to only a subset of the users pinpointed in Step One.

Finally, at Step Three, law enforcement determines which individuals are relevant to the investigation and then compels Google to provide their account-identifying information (usually their names and email addresses). Here, too, Google typically requires law enforcement to taper its request from the previous step, so law enforcement can’t merely request the identity of every user identified in Step Two.
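To make the three steps and the confidence-interval caveat concrete, the following is an added, illustrative model of Step One through Step Three run over a constructed Location History store. It is not Google's code and does not come from the opinion or from FourthAmendment.com. The record fields follow the opinion's description (anonymized device number, coordinates, timestamp, confidence interval, source); the sample points and accounts, the overbreadth thresholds `MAX_RADIUS_M` and `MAX_WINDOW_S`, the per-request `pseudonym` scheme and the `borderline` list are all assumptions.

```python
"""Model of the three-step geofence procedure described in the opinion.
Added illustration, not Google's code: sample data, overbreadth thresholds
and the pseudonymisation scheme are constructed assumptions."""
import hashlib
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Assumed review thresholds; Google's actual criteria are not public.
MAX_RADIUS_M = 300.0
MAX_WINDOW_S = 2 * 3600


@dataclass(frozen=True)
class LocationPoint:
    device_id: str       # internal Sensorvault-style device identifier
    lat: float
    lon: float
    ts: int              # Unix time, seconds
    confidence_m: float  # radius in metres of the 68% confidence interval
    source: str          # "GPS", "WIFI" or "CELL"


@dataclass(frozen=True)
class Geofence:
    lat: float
    lon: float
    radius_m: float
    t_start: int
    t_end: int


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6_371_000.0 * asin(sqrt(a))


def pseudonym(device_id, request_id):
    """Per-request anonymized device number (assumed scheme): lists produced
    for different warrants cannot be joined on it."""
    return hashlib.sha256(f"{request_id}:{device_id}".encode()).hexdigest()[:12]


def is_overly_broad(fence):
    return fence.radius_m > MAX_RADIUS_M or fence.t_end - fence.t_start > MAX_WINDOW_S


def step_one(store, fence, request_id):
    """Step One: comb the whole store for points inside the fence and window.
    Returns (hits, borderline). `borderline` holds points whose estimate lies
    outside the fence but whose confidence interval overlaps it: the interval
    is only 68%, so such a device may really have been inside, and a listed
    hit with a wide interval may really have been outside."""
    if is_overly_broad(fence):
        raise ValueError("overly broad request; Google would object")
    hits, borderline = [], []
    for p in store:
        if not fence.t_start <= p.ts <= fence.t_end:
            continue
        d = haversine_m(p.lat, p.lon, fence.lat, fence.lon)
        row = {"anon_id": pseudonym(p.device_id, request_id), "lat": p.lat,
               "lon": p.lon, "ts": p.ts, "confidence_m": p.confidence_m,
               "source": p.source}
        if d <= fence.radius_m:
            hits.append(row)
        elif d - p.confidence_m <= fence.radius_m:
            borderline.append(row)
    return hits, borderline


def step_two(store, step_one_rows, selected_ids, request_id, t_start, t_end):
    """Step Two: movements over a broader window, but only for a proper
    subset of the Step One devices (the narrowing the opinion describes)."""
    if not set(selected_ids) < {r["anon_id"] for r in step_one_rows}:
        raise ValueError("Step Two must narrow the Step One list")
    return [p for p in store if pseudonym(p.device_id, request_id) in selected_ids
            and t_start <= p.ts <= t_end]


def step_three(accounts, step_two_points, final_ids, request_id):
    """Step Three: account identity for a further-narrowed subset only."""
    by_pid = {pseudonym(p.device_id, request_id): p.device_id for p in step_two_points}
    if not set(final_ids) < set(by_pid):
        raise ValueError("Step Three must narrow the Step Two list")
    return {pid: accounts[by_pid[pid]] for pid in final_ids}


# Constructed sample data around a fictional point; not real records.
FENCE = Geofence(lat=37.4220, lon=-122.0841, radius_m=100.0, t_start=1000, t_end=4600)
STORE = [
    LocationPoint("dev-A", 37.4220, -122.0841, 1200, 10.0, "GPS"),    # inside
    LocationPoint("dev-A", 37.4300, -122.0841, 9000, 10.0, "GPS"),    # after the window
    LocationPoint("dev-B", 37.4222, -122.0843, 2000, 30.0, "WIFI"),   # inside
    LocationPoint("dev-C", 37.4232, -122.0841, 3000, 100.0, "CELL"),  # ~133 m out, interval overlaps
    LocationPoint("dev-D", 37.4400, -122.0841, 3500, 10.0, "GPS"),    # far outside
    LocationPoint("dev-E", 37.4219, -122.0840, 4000, 15.0, "GPS"),    # inside
]
ACCOUNTS = {f"dev-{c}": f"{c.lower()}@example.com" for c in "ABCDE"}


def run_demo(request_id="warrant-0001"):
    """Walk all three steps, narrowing at each one, and return the artefacts."""
    hits, borderline = step_one(STORE, FENCE, request_id)
    a, b = pseudonym("dev-A", request_id), pseudonym("dev-B", request_id)
    movements = step_two(STORE, hits, {a, b}, request_id, 0, 10_000)
    identities = step_three(ACCOUNTS, movements, {a}, request_id)
    return hits, borderline, movements, identities
```

Calling `run_demo()` yields three Step One hits, one borderline device (its 133 m estimate sits outside the 100 m fence, but its 100 m confidence radius reaches in), three Step Two points for the two narrowed devices, and a single de-anonymized account at Step Three. The borderline list is the practical consequence of the 68% figure: whether such devices are listed or not, a Step One list is a set of estimates, not proof that anyone was inside the fence.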

Bloomberg: Geofence Warrant Decision Exposes Hole in Fourth Amendment Law by Cassandre Coyer & Tonya Riley (“A split appeals court opinion clearing the government’s acquisition of users’ mobile-device location data from Google of constitutional scrutiny will likely spark more friction between emerging technologies and the scope of law enforcement searches, attorneys warned. [¶] The US Court of Appeals for the Fourth Circuit’s ruling in US v. Chatrie concluded, over a dissent, that the use of such geofencing doesn’t constitute a search under the Fourth Amendment.”)
