Assholes Are Now Forging ‘Emergency Data Requests’ To Talk Tech Companies Out Of User Data
from the discovering-new-ways-of-being-awful dept
Never underestimate the ability of the baddies to exploit the good nature inherent to most people. That’s the takeaway from this latest depressing news that malicious people are abusing law enforcement tools to harvest personal information to exploit. Here’s William Turton, delivering the most recent bit of bad news for everyone everywhere.
Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.
Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.
Claiming “circumstances” are “exigent” allows law enforcement to bypass several constitutional protections, and, just as often, critical backstops within the law enforcement chain of command. That’s why verification is almost impossible. If something is an “emergency,” time is of the essence. Senders and recipients will often bypass steps meant to prevent abuse because it’s assumed there’s no time to run things up the ladder or engage in verification efforts.
These innate aspects of “emergency” requests grease the wheels for abuse. And, as Brian Krebs details in his post, this has created a market for this method of illegally obtaining data.
The founder of the Recursion Team was a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.
“Services [include] Apple, Snapchat, Google (more expensive), not doing Discord, basically any site mostly,” read Everlynn’s ad, which was posted by the user account “InfinityRecursion.”
This group of malicious hackers is no longer active under this name. But they’re still out there and appear to be reorganizing as a new group called Lapsu$. The attacks will continue because they literally cannot be stopped. This is a legal process with nearly no legal backstops. There are hundreds of thousands of law enforcement agencies worldwide. And there are only so many steps recipients can take to ensure the emergency data request is legitimate.
This leaves recipients in the uneasy position of either possibly further endangering someone or handing out personal data to criminals and malicious hackers. There’s little the companies they work for can do about it either, since it makes the most sense to give those charged with handling government requests for data significant leeway to comply with requests.
The blame stops at the people impersonating law enforcement officers to illegally obtain personal data. People make mistakes for good reasons and those handling emergency requests shouldn’t be faulted for occasionally blowing a call on an emergency order.
“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”
This is exploitation of a system with inherent flaws. That’s all there is to it. It is not that law enforcement handles things worse than the private sector or vice versa. It’s a system that relies on people’s willingness to assist law enforcement during emergencies and law enforcement’s efforts to get out of its own way when lives are on the line. With so many companies storing personal data and so many law enforcement agencies and identities to choose from, most of the mitigation will be aimed at reducing the aftermath of honest mistakes made by tech company employees, unfortunately.
Filed Under: emergency data requests, exigent circumstances, hackers, lapsu$, law enforcement, user data
Companies: apple, facebook, meta
Comments on “Assholes Are Now Forging ‘Emergency Data Requests’ To Talk Tech Companies Out Of User Data”
Made for abuse
This type of abuse has been a given since the government started NSL’s back when.
It would not surprise me if there are more forged orders than real ones.
Such abuse was so obvious a possibility that I think the goverenment made these laws to support the business model.
Re:
Are you saying that government is criminal or just maliciously incompetent?
Who am I kidding, they are both.
Backdoors are just front doors waiting to happen
While an imperfect parallel, it’s still a good example of why it should always be assumed software backdoors will be exploited. If there’s a workaround, it’s only a matter time before it is discovered.
This is not a software backdoor
there needs to be a method to allow police acess to personal data in the case of emergencys , how do tech company’s know the person asking is the real thing when responding to requests from different agency’s, in different country’s, there’s no ultimate database of thousands of police and emergency staff in Europe or America
Maybe each country could set up a an agency to deal with data requests that could guarantee the requests are genuine eg each police man woman would have an email adress phone no code no or maybe use an encrypted app just to send messages to Google apple twitter etc real people have to deal with do I send them personal data requested, if I refuse the request I could put them in danger
Real people make mistakes in emergencys
Or maybe give each police per on a twitter account eg policeuser4577
That’s only used to verify this is a real person not a hacker
Or maybe just give each police station an email account that is secure used to verify all date requests
Re:
You can have more than one agent contact the company in 9rder to verify. For large police departments and the feds, there should be at least a number the companies can call.
And certainly the system is abused far more by LEOs than non-LEO malicious actors.
The contacted company should inform the doxxed individual within a week that the (putative) fuzz made an emergency demand for info.
Re:
Does there? How many crimes are prevented by emergency access to Twitter data? What did cops to in the days before people posted their whereabouts and criminal intentions on all these services?
Whose fault is that? If these companies start telling cops it will take some time for the lawyers to verify their identity and legal authority, maybe the police will create such databases to speed things up. It’s not like we’re talking quantum physics here. Register police.gov and post the list that the FBI probably already has (since they sometimes investigate the local agencies). And eventually, add some verification feature there, perhaps based on police badges that incorporate the technology behind the Common Access Card or Transportation Worker Identification Credential.
It needs to be done for every country that wants this speed, but they pretty much all have some sort of readily identified “government” subdomain. Most of these countries have no actual jurisdiction over foreign companies anyway, so they should be thankful for any voluntary help they get and should make it as easy as possible.
Shades of the Bungie takedowns…
Well the request said the right things, and we totes thought the officer would have an AOL account.
Imagine a world where people understood there were hackers out there who can and will lie to get things.
Imagine listening to the people who told them this could be abused & 1 simple trick could have put a stop to it.
Blizzard can give a fscking authenticator to each customer who wants one, generating a secret code to confirm the person is who they say they is… but we can’t have this tech as the smallest requirement to bypass legal protections?
While people might bitch that zomg the 3 seconds to get the code might hinder them, on the other side of the coin is literally an unknown number of requests have been fulfilled for bad actors & no one can tell us what happened once the data was out there.
The whole rules about dmca takedowns are open to abuse that’s they way they law was written no penaltys for people who want to abuse it
, google, apple, tech company’s have to deal with data requests from country’s all around the world not just the USA, but it should be possible to at least have one
central place like the fbi that would have a list of all police officers with contact details emails so the identity of anyone in the USA who requests emergency could be verified
, is this person genuine or is it a random hacker who has a list of government police names , with hacks of government databases in the past it’s not hard to find out the names of police officers or emergency officials
It’s past time to start requiring a warrant to get this data.
Of course this is shit
There have been many articles here about law enforcement agencies grabbing up baskets of user data, with actual warrants, being a gross overreach, abuse of authority, and violation of countless people’s privacy . Their have been many articles in support of overturning onvictions as a result such overreaches. Why have we been so against law enforcement scooping up user data with shabby warrants, yet this article seems to be supporting a means by which law enforcement can scoop up user data with zero oversight, and is somehow surprised that bad people are abusing it. Why on Earth would we be against law enforcement getting access (with a warrant and at least some documentation) believing that they can’t be trusted not to abuse it, but we are also to believe that an unlocked door, with no oversight, documentation, or warrant should be available to provide access to endless personal data to anybody who can utter the magic password “emergency” is a good and necessary idea? At least it is multifactor authentication:
Q: “are you a cop?”
A: “um…yep”
The real assholes here are the police statists who only want power and see security as distant second place to that objective.