Fake emergency search warrants draw scrutiny from Capitol Hill (krebsonsecurity.com)
207 points by todsacerdoti on March 31, 2022 | hide | past | favorite | 87 comments


Why are EDR's from LE even a thing? If it's really such a matter of life and death, they should have a judge on call (i.e. a judge-type judge, with a robe and a gavel) to issue an emergency court order. So it's a real court order and not some simulation from a police department. Of course that can also be forged so this question is only about why judges are removed from the loop. If it's really a matter of life and death, wake up the damn judge. If that's too big a deal, you are doing too many of these "emergency" requests.


Our courts and legislative bodies have not grown in size linearly with the population, but the modus operandi of these institutions has also not changed. The distortion of too many people per representative without a change in how representation functions explains a lot of our issues.


100 million more people since I was in high school have ruined things around here, traffic mostly.


Of course, judges can be easily faked too. How do you know it’s the real judge on the phone?

I guess you could always send someone to the courthouse in person, but that seems prohibitively expensive.

And anyway, how much money can we expect e.g. Google to spend verifying court orders targeting users on free plans?


> how much money can we expect e.g. Google to spend verifying court orders targeting users on free plans?

You don't pay money to enter Walmart, but they are required to spend as much money as it takes to ensure you don't die in a fire while giving them zero dollars. Likewise, food safety standards required by law aren't a sliding scale based on income. The relevant factor isn't how much money you made off the mark, it's how much harm your behavior can cause to that person.

If you put yourself in a position where your failure causes them greater harm, you bought yourself a potentially expensive obligation that you wouldn't have if, for example, you just served search engine results based on the search query, or ads served without knowing the person's life story and the contents of their diary since the 3rd grade.

The actual answer is however much it takes to do a reasonable job, or we ought to just fine you so much per screw-up that you are forced to go sell shoes instead of search engine results.

The government can and should help make this procedure reasonable, as it is 99% of the problem. Such orders ought to be cryptographically signed by hardware tokens that are physically in the judge's possession, on a device that isn't online, THEN emailed to Google. This relies purely on 1970s technology and probably should have been implemented about 20 years ago if we weren't collectively complete morons.

While this is being implemented, just having them come from judges' official government emails, as opposed to their personal emails or a billion idiot cops' emails, would be substantially more secure.


> Of course, judges can be easily faked too.

Part of the problem is that, because any cop can send an emergency request, in California there are 93,000 cop e-mail accounts, every one of which has to be protected from hacking.

By creating a bottleneck of, say, 10 judges per state who can issue emergency warrants (generously paid to staff a 24/7 rota) there are only 10 people whose e-mail accounts have to be kept 100% secure.


> And anyway, how much money can we expect e.g. Google to spend verifying court orders targeting users on free plans?

I dunno, how about all of it?

Maybe start with a few billion and then reevaluate how everyone feels about it.


What about small businesses then? Should they bankrupt themselves in these situations?


What if we taxed Google like we should and then used that money to properly fund our legal system and come up with solutions to the problem that you've pointed out?


How is this even vaguely relevant to this conversation?


If the two options are bankruptcy and shoddy review of fake law enforcement requests that hurts consumers I pick bankruptcy.

I bet those aren't the only two options though.


A simple illustration of how it could be useful: Search and rescue teams.

Somebody notices my car parked there with the whiteboard lying on the dash saying "Griffith Shadow 3/24". Any responsible hiker seeing that is going to call it in.

The search and rescue team will look at that whiteboard and note the label tape at the bottom with various bits of information. It should be obvious that I'm inviting search and rescue to use the information printed there, why should a judge be involved?

(And the S&R guys will know it's probably serious--from reading that board they know I should have been able to call for help.)


> It should be obvious that I'm inviting search and rescue to use the information printed there, why should a judge be involved?

For the same reason you still need to enter a sudo password when you use sudo for a trivial self-evident thing: it is not the trivial self-evident thing we want to prevent, but the difference between a cop tracking the ex they are stalking and that missing person is literally just their own judgement.

Trusting cops not to abuse a certain power is bad when you can just implement a little systemic friction that prevents large scale abuse.


Here's another use. I'm a cop and I want to know where my ex-wife is.


> If it's really a matter of life and death, wake up the damn judge.

This really isn't a reasonable expectation. There are only so many judges, and being on-call 24/7 for all emergencies is not part of their job description, and it probably should not be, either. They need clarity of mind when they're making decisions, not to be in a sleepy mood. Moreover, you seem to be proposing a solution in search of a problem. There isn't widespread abuse of this by cops in the US (that I've heard of, anyway) to justify upending an otherwise effective procedure.


> There isn't widespread abuse of this by cops in the US (that I've heard of, anyway) to justify upending an otherwise effective procedure.

There's massive abuse of police power to get access to data that would normally require a warrant. The only reason EDRs aren't abused more often is because it's often easier for cops to use more "straightforward" approaches like threatening the person/organization they want to get the data from, or lying (or misrepresenting) in order to get the other party to "voluntarily" give up the information.


There's also massive abuse by police of the tools and information provided to them for non-official purposes. Police personnel that will casually run license plate checks for friends and local businesses will abuse other tools as well.


> There's massive abuse of police power to get access to data that would normally require a warrant. The only reason EDRs aren't abused more often is because it's often easier for cops to use more "straightforward" approaches like threatening the person/organization they want to get the data from

Nobody said anything about "police power" in the general case. The discussion here is about EDRs, which you yourself acknowledge aren't abused frequently. Therefore it follows that making EDRs harder would not really solve that problem. You'd need to make other avenues for getting people's data more difficult before you contemplate changing this one.


Actually, nobody is in a position to say they aren't abused frequently, so that is a completely unreasonable position to take given the centuries of corrupt behavior.


I wouldn't even know about the corruption if they were not so completely sure to be untouchable.

One anecdote: a friend moved into a new neighborhood, a gated community. One evening when walking the dogs, a neighbor who is a cop greeted her by her full legal name. She said she never uses her middle name anywhere. As far as we know, there is no way the cop could know her middle name without looking her up. Who in any social situation greets someone by their full legal name (and that too without ever being introduced)?

As far as she can tell this was their way of telling her that the officer knows who she is, knows where she lives, and is watching her. Who does that?


The cop might have been going for intimidating, but there are a number of ways he could have had access to her middle name without abusing power:

- In my county (and every other county I've looked into in the US) real estate transactions and deed recordings are public record, available online, and sometimes include the purchaser's middle name.

- If it's a gated community, it almost certainly has an HOA, which would have an application/notification process (probably including ID info, potentially including a background/credit check) to feed information to the HOA board (which cops, being local government-oriented people, might be inclined to be involved with).


"... a gated community ..."

Occam's razor: when your friend moved into this gated community, it is almost certain they had to provide some background information, including name, to the gated community. Might even have had some contractual requirements that needed background checks. This person maybe just looked at the monthly flyer that was stuffed under every owner's door: "please welcome Jimmy John Joe Smith living in 123 Fancy St." ...


Why would this be difficult to find out? I can just check property tax records in my area.

As to "who does that"...police officers. Always.


My state has hundreds of judges. I daresay they could convince some of these to run an on-call rotation for a slight compensation bump. It's not like the police are filing these EDRs every day.


> It's not like the police are filing these EDRs every day.

Do you have a source for this? I just went to check T-Mobile for example and their site says they got 164k of them in 2020. [1] That's about 450/day, and it's just one company.

[1] https://www.t-mobile.com/news/_admin/uploads/2021/07/2020-Tr...


All the more reason to get some oversight into the system. The CDC reported 24.5K homicides in 2020 [0], so one company's EDRs represented 6x this figure. I find it difficult to believe that each and every one of those 164K represented a true life/death scenario that would necessitate a breach of privacy by a government agent without any due process.

[0] https://www.cdc.gov/nchs/fastats/homicide.htm


1.2 million suicide attempts, 46k successful.

Counting homicides only gives you the "death" part of "life or death".


Do you honestly believe the number of emergency data requests aimed at preventing a suicide is more than a 2 digit number out of those requests? Nobody and I mean nobody in government gives one damn about a person in crisis unless that person is literally standing in the high place about to jump in which case they will surely show up in time to file whatever paperwork is required to initiate the cleanup.


"Emergency" does not imply "life or death".


I was basing it on this line in the article:

> any police jurisdiction can use an EDR to request immediate access to data without a warrant, provided the law enforcement entity attests that the request is related to an urgent matter of life and death.


You shouldn't read so much into a single sentence like that when it's so broad. That's just a summary they wrote offhand. It's not an absolute statement about every jurisdiction or company. Google around and you'll find there's more to it than that. Like "serious physical injury" for example.


> You shouldn't read so much into a single sentence

I disagree. That sentence is unambiguous. Either that sentence is blatantly incorrect or an EDR does imply life or death. The two possibilities are mutually exclusive.


I mean, you can call it "blatantly incorrect" if you wish. I'm just trying to discuss the facts, not defend the author.


Huh. That's surprising to me. Thanks for providing that data point.

My state is only 10% of the population, so it's down to 45 a day. But it's still a lot.


45 a day for just t-mobile.


I think that is just further proof that police are abusing this process.


Ridiculous. Look up how many homicides and suicides there are every day in the US. A lot of them are associated with such emergency requests.

It's so funny that you are using the word "proof" without using any logic or reasoning, but just talking out of your head -- "that number seems too large, so it must be wrong"!


Approximately 22,000 homicides, so not sure how those numbers help whatever you're trying to argue.


I can't pretend to know what numbers are reasonable here, so you'll need more than that to make a compelling case.


> My state has hundreds of judges. I daresay they could convince some of these to run an oncall rotation

They probably already do. Most jurisdictions have rotating pager duty. The on call judge is called the duty judge.

Imagine a discussion between cops and judges about secure software engineering without anyone knowing what a pointer is. That’s what legal discussions on HN are like.


I assure you I was under no illusion that it's impossible to reach any judge outside court hours. What I was trying to point out (and what you still seem to not be considering) was the sheer magnitude of the proposal. At some point it becomes a difference in kind, not just degree. Like imagine asking a dev to be on-call a handful of days during the year, vs. one day each week. The former is infrequent enough that many people would manage it fine; the latter really demands that you stop pulling them away from their normal job and start hiring people dedicated to that one.

Now you could try to argue the scale is actually smaller than I expect, and I'd love to see numbers to that effect, but the numbers I've seen so far don't suggest that.


I can't believe all they were doing was validating the email, if that's true. Virtually every town, city, borough, county, etc. across the country has a police/sheriff's department, sometimes as small as a few people. Even a few private companies have them.

Sure the NYPD, FBI, etc. are going to (theoretically) have top security, but if any LEO anywhere in the country is good enough, just hack some podunk PD that exists solely to generate ticket revenue and has no IT department, no 2FA, no security training.


I can't really fault the tech companies for this, it's not a great place to be in and there isn't an obvious solution.

The bad actors are explicitly exploiting an emergency provision intended for quick information return to prevent serious harm/death using verified police accounts they've compromised.

You either end up with the headline we have here or "Apple's failure to comply with an emergency request led to the death of X"

I don't know what the right policy is, but this is just a tradeoff without an easy answer.


One obvious thing I'd do if Officer Bob from the Podunk PD asked me for anything, is say "let me call you back", find the published phone number of the Podunk PD, call it, and ask for Officer Bob. I'd of course tell him I was about to do that, so he could arrange to receive a call from the PD front desk, or at least have them confirm that they had just talked to him. So the crooks would have to intercept that front desk number too, if they wanted to fake it. That would at least slow them down a little more, I hope.


Social engineering this is trivial. The lookup for a phone number will likely be on their website.

The threat actor could compromise the website just as they did the email, or create a legitimate-looking fake one; not every department has one or is indexed well.

Tech support staff handling these requests cannot possibly know the thousands of police department sites to know if the site is legitimate.

There is simply no single national authoritative source for validation (international is even more complex, with different laws and languages).


Back in the day you could get national phone directories on CD-ROM. So the crooks would have had to compromise the phone book or the CD. Idk if those CDs still exist.

Yes, the police web site is another point of vulnerability. But with any luck you can reliably find the area code for Podunk, then call directory assistance in that area code to ask for the police department number. So the crooks would have to compromise that too.


> Tech support staff handling these requests cannot possibly know the thousands of police departments sites to know if the site is legitimate.

You know who probably would be in a better position to know? Your corporate counsel. Chances are pretty high they not only know who to contact, they probably have additional contacts that your 'tech support' staff do not in the nearby agencies and beyond, not to mention having the actual knowledge on the response mechanisms that said agency requires for compliance with requests for corporate data.

Which forces me to ask this question: I understand that as technologists we probably have an abundance of confidence in the knowledge and skills we possess in our domain, so why are tech support staff even 'handling' legal requests at all?

The only "handling" they should be doing is "handing" whatever evidence or materials that have been requested directly to the company's legal counsel, who should have been the party liaising with the 'requestor'.


You expect any company to have corporate counsel on payroll 24/7 for emergency requests in like 200 jurisdictions?

Also, in my experience, counsel who practice civil and corporate law have very little experience with law enforcement. Companies don't generally keep lawyers who practice criminal law in-house.


> You expect any company to have on payroll corporate counsel 24/7 for emergency requests in like 200 jurisdictions?

To an extent, yes, as a matter of fact, or at minimum a Registered Agent. Because in almost all of those 200 jurisdictions, for a majority of business types (including corporations) a Registered Agent is required by law for exactly this purpose: to receive and help your company properly respond to legal requests.

https://www.upcounsel.com/registered-agent

Similarly, an Authorized Agent for your business is empowered to respond to such inquiries.

https://www.upcounsel.com/authorized-agent


That would be if you have an actual physical presence in those countries. If you are online, that is not feasible.

Also, having a general counsel for your place of business is not the same as having a firm on call 24/7.


I concur. You will note that I said “for a majority of”, not “all”. Even online businesses, if they intend to register as a business entity and enjoy all that comes with registering a business, like a business tax ID or EIN, must register with a jurisdiction. Also note where I said having an attorney “or at minimum a Registered Agent”.

So I’m not sure what is being rebutted here.


Creating a national db of validated police department phone numbers seems like the easiest problem to solve in this chain of issues. What’s on the EDR form?


It will have to be international, and law enforcement is loosely police. Even in the U.S. there are tons of departments which are law enforcement and not police.


> I can't really fault the tech companies for this, it's not a great place to be in and there isn't an obvious solution.

For all of the box-ticking, theatrical diligence and audit-preparedness work I’ve had assigned to me in my DevOps career, and the bespoke security “services” and “products” out there that merely exist to enable more box-ticking in the name of “security and compliance”, I think maybe we should start.


Sadly, the "common sense" solution would be a single email provider -- something provided by the federal government. Alas, sense isn't common in the US: it's up to every state (and, it would appear, county, city, university, etc) to decide.


I don't know, maybe look up the police department's number online and call them back? If we can do it when the "bank" calls us and asks for private information, maybe these guys could do the same.


Pretty much what they did.

https://krebsonsecurity.com/2022/03/hackers-gaining-power-of... ( https://news.ycombinator.com/item?id=30842757 )

> Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there’s no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they’ll comply


Nevermind the risk that it’s actually a cop sending these requests for their own personal reasons. It’s far from unheard of for cops to abuse these systems to harass former partners and personal rivals; the courts are supposed to provide oversight to prevent these abuses.


You're absolutely right. Here's one high-profile example:

https://www.thedailybeast.com/feds-say-bounty-hunter-matthew...


This is what you get when you don't require a court to order the release of private information. This, and out of control law enforcement, that is.


All tech companies have provided an interface for law enforcement. No need to verify warrants, no need to show warrants, as long as one is from law enforcement.


Unfettered access without oversight as was acceptable during WWII in practice means LE is behaving as if they are fighters in a war. If they are not regular militia, then according to official US narrative they are insurgents.

Turns out the war on drugs was a war against the People.


Agreed, but it still baffles me that people want to give LE backdoors to encryption to "protect the children" and because "they have done nothing wrong".


How can police get data without a court order? Shouldn't there be a 24/7 court number, where the police can request one, and then use that?

What happens if the police abuse this system (and not the hackers)... does anyone get notified that "p.o. John Doe requested your data on 1. 1. 2022"? And why not? If it's a life or death situation, and you're still alive, you'll either be thankful they used the data to save you, or your lawyer could get a lot happier, because you'd be suing them, because they faked such a situation.



The legal system has been (claimed to be) backed up since I was born. My question, as someone not familiar, is what are the plans to resolve this perpetual backlog? And, are these massive backlogs concentrated in certain areas (bigger cities?) or are they pretty evenly dispersed?


That’s mostly agitation by the bar association looking for more employment with public benefits.

There’s always a constraint in resources to take cases to trial - for obvious reasons, they are expensive affairs.

A warrant is mostly boilerplate and there’s no shortage of judges to review them.


> what are the plans to resolve this perpetual backlog?

None.

The problem is esoteric. The minority that misunderstands it as a handout to lawyers [1], too vocal.

[1] https://news.ycombinator.com/item?id=30874477


> My question, as someone not familiar, is what are the plans to resolve this perpetual backlog?

Plea deals are the current tool attempting to address that. They take drastically less time and resources. Scholars estimate 90 to 95 percent of cases are resolved via plea deals at this point. It's been going on long enough that I think we've actually adjusted prison sentences to entice it; we have incredibly long prison sentences relative to the rest of the world, to scare people into taking a deal where they serve a more normal number of years.

It's not unheard of for innocent people to take a plea to serve 30 days in jail instead of risking trial and serving 4 years or something like that.

If a majority of defendants actually exercised their right to a trial, our judicial system would fall apart. We don't have nearly enough judges, lawyers, or courthouses for that to happen, and it would start triggering 6th Amendment "right to a speedy trial" issues.

I'm of the opinion that the current system of plea deals is unconstitutional, because it establishes a penalty for exercising 6th Amendment rights to a trial. If the plea deal is 60 days in jail, or they're going to go to trial and recommend the maximum, we are coercing people into not exercising their rights. If the court believes that 60 days is a reasonable sentence for the crime, it shouldn't matter whether guilt is established via a plea deal or trial.

> And, are these massive backlogs concentrated in certain areas (bigger cities?) or are they pretty evenly dispersed?

I can't seem to find any readily available data on that, it's an interesting question. I did read that basically everyone had issues during COVID because courts were closed, and a lot of charges were dropped because they couldn't be handled quickly enough to satisfy the right to a speedy trial.

I'd love to see data if anyone knows where to get it online.


And yet, drug task forces seem to have no problem getting warrants pretty quick to search a car that is stopped.

“The system is broke” feels like a poor excuse for arbitrarily handing over all of someone’s data without notification.


> drug task forces seem to have no problem getting warrants pretty quick to search a car that is stopped.

Does this happen often? Most stops tell the story of the officer having probable cause for a search, even if that's just the smell of weed or something (not sure if it's still a valid reason).


Despite what the Jay-Z song says, police don't need a warrant to search your car: https://baldanilaw.com/jay-zs-99-problems/


The only part that seems to contradict Jay-Z is his need to leave his car, and it adds that the police could "smell marijuana" to get probable cause.


Federal officers typically have pretty quick access to FISA warrants; otherwise there can still be multiple hours between requesting a warrant and having it issued, since it still requires legal review.


How can they get data without a court order? They ask for it. Providers don't have to turn it over.


For those first encountering this topic, it's a followup to the story that was discussed 2 days ago at https://news.ycombinator.com/item?id=30842757


Wyden seems to be ahead of the loop on this kind of stuff - is he normally this far ahead of the game? My understanding is that he is basically the only person in congress that actually bothers to understand about these kind of threats but reading this article it seems he is even further ahead than I would have expected.


It's a fun thought experiment - How many 'really important' topics are there in the US, where it would be worthwhile to have at least one Congress Critter who understands it really well?

Every MoC has some responsibility to a geographic constituency, and some topical specialization through committee assignments... Geography can create /some/ specialization through electoral incentives, but mostly in rural and resource extracting districts... (Such as Manchin and the coal industry... sigh.)


Many countries have plurinominal representatives. They are not elected for a geographic district, since many groups may not be able to win a single district but have people all across the country and represent a fair % of the total population (i.e. LGBT, cyclists, scientists, etc.).

Plurinominal representatives are also a counter balance to gerrymandering tendencies.


Outside a national system/portal (wherein you can implement all the security you want) it doesn't seem solvable. You need law enforcement and the judiciary to sign on though, since actual fake warrants will be their next target.

The prospect of using certificate-signed email is an unrealistic tech-nerd dream; the average rural law enforcement personnel can barely use Word and has poor or no on-site IT staff. If it is harder to use than Gmail, you may as well forget it.

Could a centralized portal get hacked? Absolutely. But the security spend can be significantly higher, and entirely fictional police departments almost entirely eliminated.


> the average rural law enforcement personnel can barely use Word and has poor or no on-site IT staff.

Maybe this should be a sign that they have no business requesting sensitive information be transferred to their poorly secured computers?

If you let them use insecure computers as endpoints it seems like that there will inevitably continue to be data leaks -- regardless of what sort of security you put on the portal(s) that they use their insecure computers to access. I don't see that a national portal fixes this.

Perhaps a national IT-department that controls all the computers involved would work, though I can only imagine what a nightmare setting that up would be.


It’s definitely doable. Most states operate portals to facilitate many types of transactions, and it would be easy enough to offer this as a service.

This is exactly the way locals use things like CODIS.


This is a problem that can be solved with existing solutions like MFA. Provide a one time use code with each “emergency search warrant” to sign off on it. The company can then verify this one time use code, invalidate it, and provide the necessary information. Any further requests using that same code will get denied and the LEO account will be flagged for review.

Still scary that information is given to LEOs without a proper warrant. I think in these emergency cases they should notify the individual(s) that their information is accessed/requested via quasi-legal channels. This would allow users to take proactive measures as well.
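The two proposals in this thread, orders signed by a key the issuer physically holds (the hardware-token comment above) and a one-time code consumed on first use with reuse flagged (the comment directly above), can be combined in one provider-side verifier. This is an added example, not code from any provider or from the commenters; the EDR wire format, the issuer ids, the account id and the nonce values are all constructed here, and the key is generated in memory rather than held on an offline token.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// EDR is a hypothetical wire format for an emergency data request. Nonce is
// the one-time code: consumed on first use, and any reuse flags the issuer.
type EDR struct {
	Issuer    string `json:"issuer"`     // enrolled issuer id, e.g. a duty judge
	Subject   string `json:"subject"`    // account the request targets
	Nonce     string `json:"nonce"`      // one-time code (use crypto/rand in practice)
	IssuedAt  int64  `json:"issued_at"`  // unix seconds
	ExpiresAt int64  `json:"expires_at"` // unix seconds
}

// SignedEDR carries the exact JSON bytes that were signed plus the Ed25519
// signature (in the proposal the private key sits on an offline hardware token).
type SignedEDR struct{ Payload, Signature []byte }

var (
	ErrUnknownIssuer = errors.New("issuer not in registry")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrNotValidTime  = errors.New("request expired or not yet valid")
	ErrReplay        = errors.New("one-time code already used; issuer flagged")
)

// Verifier is the provider side: enrolled issuer keys, consumed nonces and a
// per-issuer replay count. State is in memory only; a real deployment would
// persist it so that a restart cannot resurrect an already used code.
type Verifier struct {
	keys    map[string]ed25519.PublicKey
	used    map[string]bool
	flagged map[string]int
	now     func() time.Time // injectable clock so the validity window is testable
}

func NewVerifier(now func() time.Time) *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, used: map[string]bool{}, flagged: map[string]int{}, now: now}
}

// Register enrols an issuer's public key; requests from anyone else are refused.
func (v *Verifier) Register(issuer string, pub ed25519.PublicKey) { v.keys[issuer] = pub }

// Flags reports how many replayed codes have been seen for an issuer.
func (v *Verifier) Flags(issuer string) int { return v.flagged[issuer] }

// Sign serialises the request and signs exactly those bytes.
func Sign(priv ed25519.PrivateKey, r EDR) (SignedEDR, error) {
	payload, err := json.Marshal(r)
	if err != nil {
		return SignedEDR{}, err
	}
	return SignedEDR{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks issuer, signature and validity window, then consumes the nonce.
// The signature is checked before the nonce so that a forged request cannot burn
// a legitimate issuer's code; only a captured genuine request can, and that is
// exactly the replay that gets flagged for review.
func (v *Verifier) Verify(s SignedEDR) (EDR, error) {
	var r EDR
	if err := json.Unmarshal(s.Payload, &r); err != nil {
		return r, err
	}
	pub, ok := v.keys[r.Issuer]
	if !ok {
		return r, ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return r, ErrBadSignature
	}
	if now := v.now().Unix(); now < r.IssuedAt || now > r.ExpiresAt {
		return r, ErrNotValidTime
	}
	key := r.Issuer + ":" + r.Nonce
	if v.used[key] {
		v.flagged[r.Issuer]++
		return r, ErrReplay
	}
	v.used[key] = true
	return r, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key; a token would hold priv
	v := NewVerifier(time.Now)
	v.Register("duty-judge-01", pub)
	now := time.Now().Unix()
	s, _ := Sign(priv, EDR{Issuer: "duty-judge-01", Subject: "acct-42", Nonce: "constructed-nonce-1", IssuedAt: now, ExpiresAt: now + 3600})
	_, first := v.Verify(s)
	_, second := v.Verify(s) // same signed request again: replay
	fmt.Println("first:", first, "| replay:", second, "| flags:", v.Flags("duty-judge-01"))
}
```

Note that verifying the signature does not tell the provider whether the underlying emergency is real, only that the request came from an enrolled key; the per-issuer flag count is what surfaces a compromised or misused key for review.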


Italy and other countries implemented an open and parallel mail system for legal documents. While it is still possible to forge emails, it makes it much harder to do so. https://en.wikipedia.org/wiki/Certified_email

In order to open one of those email accounts you need to give full details using Italian digital identity (SPID). It is also possible to forge a SPID, but that's even more complicated.

So, to sum up, it's quite an antifragile system. Relatively simple, widely adopted and secure enough.


I think Wyden might be the only sitting politician I have an unvarnished admiration for.


Every gaming platform will give the information upon "emergency request," and most CSRs, erring on the side of caution, will happily give out the name, mailing address... email, and even challenge questions...

It's a social engineering attack that has worked 2ezily since 2007.

Similar to SWATting, but essentially in reverse.

Also abusable are the new GDPR requests. Compliance is pretty much at odds with the security of the account itself. Complying with the inane EU rules basically puts your system at risk of trivial account takeover, which juxtapositionally/ironically then makes it easier to leverage a person.

It's like 2FA over SMS... you are basically at the mercy of a Verizon/AT&T employee.

Stop trusting humans; make systems where humans cannot make unilateral decisions without a reasonable amount of red tape.


> Also abusable are the new GDPR requests.

How? Seems to me that if they're storing (and handing over) data that allows trivial account takeover, they have a broken security process to begin with.



