from the discovering-new-ways-of-being-awful dept
Never underestimate the ability of the baddies to exploit the good nature inherent to most people. That’s the takeaway from this latest depressing news that malicious people are abusing law enforcement tools to harvest personal information to exploit. Here’s William Turton, delivering the most recent bit of bad news for everyone everywhere.
Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.
Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.
Claiming “circumstances” are “exigent” allows law enforcement to bypass several constitutional protections, and, just as often, critical backstops within the law enforcement chain of command. That’s why verification is almost impossible. If something is an “emergency,” time is of the essence. Senders and recipients will often bypass steps meant to prevent abuse because it’s assumed there’s no time to run things up the ladder or engage in verification efforts.
These innate aspects of “emergency” requests grease the wheels for abuse. And, as Brian Krebs details in his post, this has created a market for this method of illegally obtaining data.
The founder of the Recursion Team was a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.
“Services [include] Apple, Snapchat, Google (more expensive), not doing Discord, basically any site mostly,” read Everlynn’s ad, which was posted by the user account “InfinityRecursion.”
This group of malicious hackers is no longer active under this name. But they’re still out there and appear to be reorganizing as a new group called Lapsus$. The attacks will continue because they literally cannot be stopped. This is a legal process with nearly no legal backstops. There are hundreds of thousands of law enforcement agencies worldwide. And there are only so many steps recipients can take to ensure the emergency data request is legitimate.
This leaves recipients in the uneasy position of either possibly further endangering someone or handing out personal data to criminals and malicious hackers. There’s little the companies they work for can do about it either, since it makes the most sense to give those charged with handling government requests for data significant leeway to comply with requests.
The blame stops at the people impersonating law enforcement officers to illegally obtain personal data. People make mistakes for good reasons and those handling emergency requests shouldn’t be faulted for occasionally blowing a call on an emergency order.
“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”
This is exploitation of a system with inherent flaws. That’s all there is to it. It is not that law enforcement handles things worse than the private sector or vice versa. It’s a system that relies on people’s willingness to assist law enforcement during emergencies and law enforcement’s efforts to get out of its own way when lives are on the line. With so many companies storing personal data and so many law enforcement agencies and identities to choose from, most of the mitigation will be aimed at reducing the aftermath of honest mistakes made by tech company employees, unfortunately.