Google Voice CLEC Provider: Law Enforcement Guide (bandwidth.com)
38 points by tshtf on May 2, 2016 | 11 comments



> ...IF THEY ARE ASSIGNED TO A WHOLESALE CUSTOMER OF OURS, WE MAY BE ABLE TO PROVIDE THAT WHOLESALE CUSTOMER’S COMPLIANCE INFORMATION WITHOUT LEGAL PROCESS... Our wholesale customer then would make its own independent assessment of the request, including, without limitation, any subpoena subsequently delivered

It sounds like if you give them a telephone number used by Google Voice then they will give you Google's contact info, rather than end user info. That seems benign and logical to me.


Sounds like if Acme Telecom resells Google's service, and a cop has the number of an Acme subscriber, Google will put the cop in touch with Acme.


This looks pretty bad at first glance. Unless I'm misunderstanding something, what Bandwidth is saying is this: we don't care about receiving subpoenas for information: we'll happily give it to you anytime upon request for us or any of our customers.


It sounds like they'll tell law enforcement if a phone number belongs to, for example, Microsoft or Earthlink ("wholesale customer"), but it's up to that company to tell law enforcement who is actually using the phone number. This seems about as leaky as whois servers (which say which ISP an address block is assigned to).


Well, it's really hard to say since it's clearly addressing a target audience (LEAs/LEOs) with a specific set of needs, and we are not those people.

However, as I read it, they're saying that if you just need confirmation that someone owns a particular number, they'll do that via email - usually for things like wiretaps or warrants, iirc, the LEO has to attest that they validated that so-and-so that made a harassing phone call to whoever owns number XXX-XXX-XXXX that the call originated from, ergo, this is probable cause to search them, etc.

So in this case, instead of generating a subpoena for records that a lawyer will have to review for $$$, the LEO sends an email from their work address that says, "I'm investigating Y, does So-and-so own XXX-XXX-XXXX?", bandwidth emails back with a "Yes" or "No" (obviously I assume there's a slightly more formal response for documentation purposes).

Saves legal time, doesn't expose meaningful info, there's got to be some sort of validation step (if I emailed from a gmail account I'm sure I won't get very far, but hey, why doesn't someone try?). I don't see a huge issue here, assuming this is how it works.


I believe your reading is incorrect (and the reading of other commenters here is more correct).

Bandwidth.com will tell MyLocalPoliceDepartment that Google Voice is the "wholesaler" that controls my GVoice number. Bandwidth.com has never heard of me (nor I of them, until today). They don't have my information to give. They can't "confirm that I own a particular number."

They will, however, tell MyLocalPoliceDepartment that they should be barking up Google's tree without a subpoena, which I don't mind so much. I have entered into a relationship with Google. I would expect them to respond to well-targeted and legal subpoenas ordered by a judge.


Email is an incredibly weak form of validation. Mix a lack of DMARC policy with some social engineering and you have a dox.


Ok, so you spoof mail from totallyanofficer@yourlocalpoliceforce.gov, and they respond with 'yeah, that number is totally a google number, you should serve them any requests at legal at google dot com (or whatever it is)' and totallyanofficer is confused and you didn't get your information.


An email has at least three fields that can both influence the address to which a reply goes and aren't necessarily visible to the recipient's MUA. Even if the recipient were to look into the headers, there are plenty of games to play with deceptively constructed international domain names. There is also the social engineering aspect I mentioned.
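
Added example, not part of any comment in this thread: a header check that a mailbox handling such requests could run before anyone replies, flagging reply-steering headers that point away from the From domain and internationalized look-alike domains. The header set, the allowlist and the sample messages are assumptions constructed for illustration, and the check complements SPF/DKIM/DMARC evaluation rather than replacing it.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers that can steer a reply away from the visible sender. The thread does
# not name its "three fields"; this set is an assumption for the example.
REPLY_HEADERS = ("Reply-To", "Mail-Reply-To", "Mail-Followup-To")

def domain_of(addr):
    return addr.rpartition("@")[2].strip().lower().rstrip(".")

def is_idn(domain):
    # Non-ASCII or punycode ("xn--") labels can render as look-alike names.
    return not domain.isascii() or any(
        label.startswith("xn--") for label in domain.split("."))

def reply_findings(raw, trusted_domains):
    """Return reasons not to answer `raw` by simply hitting reply."""
    msg = message_from_string(raw)
    findings = []
    senders = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    from_domains = {domain_of(a) for a in senders}
    if len(senders) != 1:
        findings.append(f"expected one From address, found {len(senders)}")
    for d in sorted(from_domains):
        if d not in trusted_domains:
            findings.append(f"From domain not on allowlist: {d}")
    for header in REPLY_HEADERS:
        for _, addr in getaddresses(msg.get_all(header, [])):
            if not addr:
                continue  # unparsable entry, nothing to compare
            d = domain_of(addr)
            if d not in from_domains:
                findings.append(f"{header} diverts replies to {d}")
            if is_idn(d):
                findings.append(f"{header} uses an internationalized domain: {d}")
    return findings

# Constructed sample messages (reserved .example names, not real traffic).
TRUSTED = {"police.example"}
PLAIN = ("From: Officer <officer@police.example>\n"
         "Subject: number lookup\n\nWho is the carrier for this number?\n")
DIVERTED = ("From: Officer <officer@police.example>\n"
            "Reply-To: desk@xn--plice-0ta.example\n"
            "Subject: number lookup\n\nWho is the carrier for this number?\n")

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("diverted", DIVERTED)):
        print(name, reply_findings(raw, TRUSTED))
```

A message that passes this check has only consistent headers; sender authentication still depends on the receiving server's SPF, DKIM and DMARC results.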


More likely the email server is compromised, so as soon as the doxxer sees the email come in, they copy it and then delete it from Officer Friendly's inbox.


With the caveat that their customers are all businesses buying large blocks of numbers, no?



