Hackers gaining power of subpoena via fake “emergency data requests” (krebsonsecurity.com)
555 points by todsacerdoti on March 29, 2022 | 372 comments



I have to admit I find this whole situation (and also Krebs' article) bizarre. The problem seems to be that tech companies approve EDRs without much checking. Then the argument somehow becomes it is essentially impossible for them to check because there could be any of the thousands of police departments in the world requesting the EDR? Why should MS in the US somehow respond to a request from police department in Cuxhafen in Germany?

I think the argument being made here is one of those "we can't make a perfect solution so no solution works", which is nonsense. Simply don't answer requests from police departments you can't verify. I bet you if a police department would request some business sensitive information they would not hand it over without going over the subpoena with a fine toothed comb. The issue is just that they don't value their customers privacy high enough to do a proper check.


"I think the argument being made here is one of those "we can't make a perfect solution so no solution works", which is nonsense."

I have seen this type of "argument" countless times reading HN. I always wondered if I was the only one who noticed. Thank you for calling it out. It is indeed nonsense.

IMO, if "tech" companies cannot exercise due care, then they are at fault. There is no exception based on some idea that "our company must be large and serve millions of people in order to make money therefore we should not be held to the same standard as a smaller company." If necessary "scale" and nonexistent or grossly reduced customer service comes at a cost (e.g., fraud), then "tech" companies should have to pay that cost, not anyone else.

"The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data."

IMHO, the amount of important stuff today that depends on the presumed integrity of an email address is astounding.


> The issue is just that they don't value their customers privacy high enough to do a proper check.

I think the real issue is that the backlash from politicians and the public for failing to respond to a legitimate emergency will be orders of magnitude larger than the backlash for disclosing some customer information.


The solution to that is having a well defined and understood mechanism to verify the police departments that the departments can easily be referred to (or look up themselves in advance) to fall back on.

For example, in the U.S. E911 services use a database of coordinates and other info to determine what police department to route you to based on location. Requiring an EDR to come from an agency in this database (or larger state and federal institutions that are well known) could solve a lot of this problem. Having a way to look up police badges might help as well, and is also just a good idea.

An EDR is essentially the same as some person on the street stopping you and saying they are police and need to commandeer your vehicle. It makes sense to verify that in some way (such as a badge), as otherwise even if you think a crime has just been committed, you could just as easily be giving a vehicle to the criminal as the police.


It shouldn’t and can not be the responsibility of the recipient to solve this. All the blame rests on the federal legislators, not companies which have to process requests from entities without any clear mechanism to verify them.

> It makes sense to verify that in some way (such as a badge)

But that’s hardly real verification, a badge is trivial to fake.


> a badge is trivial to fake.

Yes, but in certain situations is very unlikely to be present. It's not a great way to verify an officer of the law, but it's better than nothing, and lack of it is a good indication that someone is not one.


> Why should MS in the US somehow respond to a request from police department in Cuxhafen in Germany?

If a non-US company does business in the US, most people would expect the business to also answer to US law enforcement. You can't just operate in a business and not follow the law of that country. Same applies the other way around, you do business as a US company in Germany, you better follow German law. Hence companies tend to have HQ in one country, and then subsidiaries in other countries, who know how the local market and laws work.


That's the point though. MS US headquarters is not responding to these requests. MS {local country} branch is responding. And I'm sure the people that work in country X know how to contact country X's police.

This is really a non-issue being blown up into some unsolvable conundrum by people in this conversation that want to find problems in using a phone book.



How about:

"This clearly isn't working. We have evidence of it not working." So needs to be shut down immediately because nobody agreed to this level of failure.

From there the next argument becomes "This cannot work." I.e. there can be no adequate solution. But hey, if you disagree with that part and you've got a solution that you think /can/ work let's get it out there and analyse it and see if it's worth the risk.

Note that data in Cuxhafen (??) Germany won't be partitioned from your home town and stored in a different and differently secured database. So the weakest link in the weakest country is the one relevant to your data security.

Please note I'm not agreeing with Krebs's argument here. I haven't got all the information to process it, nor have I had time, nor is this my area of expertise, nor do I have to have a firm opinion on everything.

I'm just spelling out Krebs's argument because I really don't care for your summary of it.

If you have a solution you think can work, let's hear it.


I'd be curious to hear from anyone with legal knowledge about the potential consequences (if any) of not swiftly complying with an EDR. I could imagine a scenario where the law was at fault, designed for a world before the internet in which police departments only ever need to subpoena local businesses.

Although, this:

> I bet you if a police department would request some business sensitive information they would not hand it over without going over the subpoena with a fine toothed comb.

is a very salient point.


This isn’t even an EDR specific issue — if someone makes an extraordinary request you should verify it, and if you don’t you are probably falling for scams constantly.


If a supposed police officer shows up at my door, and I have any doubts as to their authority, I'm supposed to call the publicly listed phone number of the local police department to verify. Seems that should be the very minimum standard of verification employed in this scenario as well ("our robot can't do that" isn't a very compelling excuse to me).


I think calling is a good verification step, but note that if a police officer shows up at your door with a warrant, you're not allowed to verify their authority before letting them in. Without knowing the particulars of these requests, asking "just wait while I verify your details" may not be legally sound.


Thanks for the clarification, I should have added "IANAL" of course. Not being able to verify the identity of an officer / warrant does sound a bit like the real-world equivalent of this issue unfortunately (though the supposed remedy is high penalties for impersonating a police officer, a remedy that is a lot harder to pursue in these online cases) ;)


If only there was some secure technology capable of hierarchical accreditation and authentication that already ran on every single computer operating system that could resolve this situation for no cost beyond administrative overhead and was so easy to deploy that a small team could prototype a solution within weeks.


You mean the "secure" technology where countless barely accountable organizations across the globe can provide accreditation for any entity they want and it will be trusted without any hierarchical restrictions?

Or the one that is hierarchical in theory but provides no accreditation in practice and uses a completely insecure protocol? Or the protocol replacement for that technology that replaces the hierarchical nature and replaces it with centralized entities that again get full authority to answer any request how they want?

Plus from the article:

> It involves compromising email accounts and websites tied to police departments and government agencies

If websites and emails can be compromised then the hackers also have a good chance of getting at certificates.

But the root problem isn't even that hackers can claim to be the police when making the requests but rather that the police can make these requests in the first place without getting a court order. "Police" is already a very large group of externally unaccountable actors that will include those willing to abuse these powers without the need for "hackers".


Yes. Issues of poor implementation are not my concern. I think you are very wrong about the difficulties you suggest. What you identify as the 'root' problem is a policy problem best addressed by legislation and not really relevant here. Please don't misunderstand that to be a rejection of your beliefs about policy.


We don’t answer any requests unless the police actually turns up on our doorstep. That happened once in the past 20 years and we assisted.


> there could be any of the thousands of police departments in the world requesting the EDR?

Just wanted to point out there are ~18,000 police departments in the US alone. So, the request doesn’t have to come from an unlikely foreign country for this scam to be a problem. Not that this fact absolves the ISPs and others from failing to secure their data via an appropriate verification process.


> The problem seems to be that tech companies approve EDRs without much checking. Then the argument somehow becomes it is essentially impossible for them to check because there could be any of the thousands of police departments in the world requesting the EDR?

What I got from reading is that there are conflicting concerns. An EDR needs to be answered as quickly as humanly possible; they exist for cases where it's likely that someone would die while waiting for a warrant/subpoena. Secondarily, tech companies really don't want to have a headline like "School bombed because $socialMediaCompany refused to hand over records in time".

The competing concern is privacy. The problem isn't directly with the number of police departments, but that there's no way to automatically authenticate the requests. They'd have to manually look up the police department, call them, and try to get routed to the officer that supposedly sent the request.

The difficult part is that in order for EDRs to be at all useful, they need to be faster than getting a warrant. They can probably get a warrant faster than Facebook or whoever can finish their game of phone tag to check on the request. So right now, they're checking the only thing that can be validated within the request itself: the domain name.

The solution he calls out seems workable: a global identity provider for police through the FBI or another government agency. In my rough interpretation, we could use something like GPG to sign the requests and have the FBI run a keyserver. We would need to secure the GPG keys, but if they were kept offline on USB sticks except in the rare case of submitting an EDR, that should be far better. It would require physical access to the keys to submit an EDR, and tech companies can infer that someone has physical access to the keys by the signature.


Usually when the solution is "just remember to do X", you've found a bad solution.

Re-approach the problem from a different perspective - companies don't value their customer's privacy enough. What solution can we put in place to force them to care about their customer's privacy? Can we force them?

You have to start there for a worthwhile solution.


> The problem seems to be that tech companies approve EDRs without much checking.

This is essentially what happened to dark.fail:

https://www.vice.com/en/article/qj8833/dark-fail-fake-court-...


Replace "EDR" with an equivalent term, warrantless surveillance, and re-read your comment. It doesn't make sense.

The "perfect" warrantless surveillance solution is a totalitarian nightmare. You can't make it "better" because it's broken by design.


> The issue is just that they don't value their customers privacy high enough to do a proper check.

It seems like the false positives (wrongly assuming fake police department) will cause more present damage than true negatives (giving away data to scammers) because the damage this does is very much somewhere in the future (it takes a lot of time for a person to realise their data had been leaked, especially if it’s not part of a dump)


It's not unverified. It's trust based on the email domain and hopefully DMARC etc. That's an ok trust model, it proves the request is coming from a government agency. In my opinion the issue is that police forces are not securing their email properly, which is a big issue, but not necessarily the tech companies' fault. Domain ownership is the trust model of the internet after all.


Wouldn't it be better if federal government would open a service for handling all EDRs nation-wide, and then forward the legit ones to the IT companies as needed? It would simplify the verification, maybe scare some hackers away because it'd become a federal crime to fake it, and also allow for some stats on how many such requests are really urgent, and how many (I presume a lot) are just used to circumvent the law because courts would reject them.


This is, to me, the only real solution. We can't have the onus be on individual companies to vet requests coming from random podunk police departments nationwide. Companies will err on the side of caution/CYA and honor requests they shouldn't, lest they find themselves responsible for causing harm by inaction. But companies don't have the resources or legal authority to make those determinations, nor vet the authenticity of requests from every time government entity that might make one. There's also plenty of reason not to trust some small town police force that might not have adequate internal controls, or might have a rogue officer far exceeding his authority.

The feds need to own this and all requests need to flow through them. It wouldn't be hard for them to have a small staff available 24/7 to confirm requests and forward them on to businesses, and then the business only needs to trust a single entity. There may still be disputes over the legality, but those disputes will need to be defended by the central federal authority, rather than putting the burden on every company.


> lest they find themselves responsible for causing harm by inaction.

In the US, the police aren't responsible (in a criminal or civil sense) for harm due to inaction. I don't know why you think a national/multi-national corporation would be.


It's not just a legal action that a company has to think about. Getting caught into a case of someone dying or being hurt because your company wasn't prompt to assist police could be a huge PR screwup, even if there's no legal responsibility.

And it doesn't have to even be a decision on a company level, ordinary people are strongly inclined to follow the police requests and see them as an authority, so employees of the company will feel as their duty to provide the data promptly. Just look on all those cases of pranksters posing as police officers and making ordinary people do insane and even clearly illegal things just because they were "ordered so by the police". Compared to what that McDonalds manager did [1], pulling some personal data from the database and emailing it back to the person one believes is a police officer is nothing.

[1] https://en.wikipedia.org/wiki/Strip_search_phone_call_scam


I was referring to companies fearing repercussions from inaction and acting without adequately vetting requests because they aren't able to and err on the wrong side.


> We can't have the onus be on individual companies to vet requests coming from random podunk police departments nationwide.

The onus is already on individual companies to vet requests from private individuals that want to move money around via Know Your Customer laws. I don't see why the same shouldn't apply to verifying whether or not a request for customers' private information is valid or not.


That might work great if the federal authorities were reliable, motivated, and their interests were always aligned with state authorities.

However, there are often disputes where the feds do not want to prosecute certain groups or individuals, and might interfere with state / local authorities. (e.g. police in a Democrat-run state prosecuting allies of a Republican president and vice versa, or investigations into federal informants who are violating state law).

This would also make it easier for the feds to perform on-path attacks where they "forward" EDRs from state / local authorities that were never issued by those state / local authorities.


Trying to find more information about Emergency Data Requests leads in large part right back to this discussion and the original Brian Krebs post, with a few hits to various private organizations that explain what it takes to use an Emergency Data Request with them.

I'm having trouble finding any basis for this in law. Can anyone help clarify that? Are EDRs just 100% voluntary compliance on the part of some private organizations who are choosing to divulge customer information without an actual court order?

If that's the case, why are we lamenting the existence of the hackers and not publicly shaming the companies complying with these nonsense EDRs? Real court orders aren't that hard to get, and at least there'd be a more blatant crime to prosecute if anyone forges them.


It does seem to be fairly voluntary.

https://www.apple.com/legal/transparency/pdf/requests-2020-H...

> An emergency request must relate to circumstances involving imminent danger of death or serious physical injury to any person. If Apple believes in good faith that it is a valid emergency, we may voluntarily provide information to law enforcement on an emergency basis.

I imagine this is a middle ground between 'governments always have instant access to customer info' and 'i don't care, get your warrant', because in the latter scenario real harm can be done in the hour/hours it can take to process even a FISA warrant. With this, Apple can deny requests if there is not obvious imminent harm, while probably pretty good at identifying legitimate requests and delivering helpful information within a few hours to keep lawmakers from creating more types of warrants to force Apple's hand. (apple ~= all the other data providers with an emergency request system)


> Apple can deny requests if there is not obvious imminent harm, while probably pretty good at identifying legitimate requests

You're saying the privacy of my data depends solely on providers being "pretty good" at identifying legitimate requests from people trying to get their hands on it?

I feel better already... /s


>“The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” Weaver said. “But even that won’t necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?”

There are already preexisting systems for solving this sort of problem. For example the FBI could set up a PGP based certificate authority[1] for email. Then the FBI signs the identities of the podunk police departments ahead of time. All the service providers would need would be the FBI identity (PGP public key) which they would sign once to authorize it and then they would be able to verify emails coming from any of the podunk police departments with no extra work on their part. This example comes with a revocation system that actually would work in this case.

All secret key material would remain under the control of the specific FBI department acting as the certificate authority. No third party involvement would be required.

[1] https://sequoia-pgp.org/blog/2021/05/12/202105-hello-openpgp...
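
An added illustration of the hierarchical scheme proposed in the comment above (not code from the commenter, Sequoia, or any agency): a central authority key accredits department keys ahead of time, and a provider that trusts only the authority key verifies a request and honours revocation. Ed25519 from Go's standard library stands in for OpenPGP here, and every type, function, and agency name and the sample request are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Accreditation is the central authority's signed statement that DeptKey
// belongs to Agency. Type and field names are hypothetical.
type Accreditation struct {
	Agency    string
	DeptKey   ed25519.PublicKey
	Signature []byte // authority's signature over Agency and DeptKey
}

// SignedRequest is a request body signed with an accredited department key.
type SignedRequest struct {
	Body      []byte
	Signature []byte
	Cred      Accreditation
}

var (
	ErrNotAccredited = errors.New("accreditation not signed by the trusted authority")
	ErrRevoked       = errors.New("department key has been revoked")
	ErrBadSignature  = errors.New("request not signed by the accredited key")
)

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// credBytes is the byte string the authority signs. The fixed-length key at
// the end keeps the encoding unambiguous.
func credBytes(agency string, key ed25519.PublicKey) []byte {
	return append([]byte("accredit-v1\x00"+agency+"\x00"), key...)
}

// Accredit is run by the authority, ahead of time, once per department.
func Accredit(authority ed25519.PrivateKey, agency string, dept ed25519.PublicKey) Accreditation {
	sig := ed25519.Sign(authority, credBytes(agency, dept))
	return Accreditation{Agency: agency, DeptKey: dept, Signature: sig}
}

// SignRequest is run by the department when it submits a request.
func SignRequest(dept ed25519.PrivateKey, cred Accreditation, body []byte) SignedRequest {
	return SignedRequest{Body: body, Signature: ed25519.Sign(dept, body), Cred: cred}
}

// Verify is the provider's check. It needs only the authority's public key
// and the authority's revocation list, never a per-department lookup.
func Verify(trusted ed25519.PublicKey, revoked map[string]bool, r SignedRequest) (string, error) {
	// ed25519.Verify panics on a wrong-sized key, so reject that first.
	if len(r.Cred.DeptKey) != ed25519.PublicKeySize {
		return "", ErrNotAccredited
	}
	if !ed25519.Verify(trusted, credBytes(r.Cred.Agency, r.Cred.DeptKey), r.Cred.Signature) {
		return "", ErrNotAccredited
	}
	if revoked[string(r.Cred.DeptKey)] {
		return "", ErrRevoked
	}
	if !ed25519.Verify(r.Cred.DeptKey, r.Body, r.Signature) {
		return "", ErrBadSignature
	}
	return r.Cred.Agency, nil
}

func main() {
	authPub, authPriv := newKey()
	deptPub, deptPriv := newKey()
	revoked := map[string]bool{}

	cred := Accredit(authPriv, "Example County Sheriff (constructed)", deptPub)
	req := SignRequest(deptPriv, cred, []byte("constructed emergency request"))

	agency, err := Verify(authPub, revoked, req)
	fmt.Println("accredited key:", agency, err)

	// The authority revokes the department key; the same request now fails.
	revoked[string(deptPub)] = true
	_, err = Verify(authPub, revoked, req)
	fmt.Println("after revocation:", err)
}
```

As the replies note, this proves only possession of an accredited, unrevoked key: a request signed on a compromised department machine still verifies until that key is revoked.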


How does this solve the issue? If a local police department laptop gets pwnd, or a local police officer's credentials get compromised through a reuse attack/stuffing (as seems to have happened here), what oversight mechanisms would prevent their email from getting PGP signed? In this case, these emails were probably DKIM and SPF verified already, which (as I understand your proposed system) seems entirely equivalent.

There's no "magic bullet" in security, you can't just "authenticate" individual emails "with no extra work" and hope that that solves things without addressing the gaping security holes that allowed those emails to be sent from official servers in the first place.


Normally the secret key stuff is protected by a passphrase for a PGP verified email. So the entity owning the laptop would have to wait for the department to make a request first (rare) to keylog the passphrase and would only get to make one bogus request before revocation of the identity.

DKIM and SPF only prove that an email passed through a particular email server. The whole point of doing the verification end to end is that the stuff in between does not have to be secure.


Yes, if you're assuming that police departments can keep a rarely-used passphrase secure and not written down in online documentation anywhere, while also being accessible in emergencies, then that system might work. (But then you also have to remember to rotate the passphrase when anybody in the entire department leaves or gets fired).


Access to the passphrase would not by itself provide access to anything. The malicious person leaving would also have to take along a copy of the encrypted private key.

In practice you would just register 2 or more keys left in the care of 2 or more people. Each person would be individually responsible, as it should be. When someone left you would revoke the key. You would not have to go super hard on this, most of the requests would be routine and not time sensitive. In an emergency you do the best you can with what you have available.


Dongle


The alternative is due process, where a judge issues a court order and the police have to wait a few hours for that to happen.


Probably take 5 minutes to find an example order online from most judges in the country. Make a fake document to look just like it saying whatever you want. Send it in - how do they authenticate it?


Same way they validate them now. Call up the court and ask. The clerk will be happy to help you. If you can fake a district court into existence we've got bigger problems.


Slim to no chance that a US telecom actually bothers to call up the court and verify an order with the clerk except for orders that are unusual (say: overly broad in scope, or targeting a recognizable name such as a politician or celebrity). My guess is that at best they look at the fax caller ID and/or email headers and that's that.

Their position is likely "it looked like it came from a cop, not our problem if the cop is forging court orders."


Then make it their problem with regulators or legislation. KYC is law of the land when dealing with private individuals, same logic should apply to verifying court orders or law enforcement requests.


So punish them for not verifying?

We're already very familiar with the concept that ignorance of the law isn't a valid reason for violating the law. What's wrong with that in this scenario?


Judges can be phoned up at late hours to e-sign time-sensitive warrants. Hours that court clerks will not be sitting at their desk answering calls or emails. They also don't work weekends.


If they're already building a central identity provider then something built upon Web/EU standards would work much much better. Tried and tested for decades, ASiC-E (or S/MIME if you really really want) works great.


A simple web application on the FBI's end that takes requests from verified parties and then forwards them to companies would be enough. No need for PGP or anything like that.

Real subpoenas would also work.


wouldn't this just shift the trust from the police email address to the police email PGP signer? wouldn't hackers then just target that part of the infrastructure?


That would be significantly harder, especially with hardware key storage.


I wonder if an 'Emergency Data Request' to Amazon by a law enforcement organization has to go through all the hoop jumping described here:

https://news.ycombinator.com/item?id=30820424

relevant comment: "I had to click through more than 100 links to download all the data, how can this be acceptable? Specially coming from Amazon. How hard is it for them to create an archive with all the data? This is ridiculous, I can't imagine how was the meeting when they decided to produce purposefully such garbage UX."

This would indicate that Amazon has some kind of internal interface for these Emergency Data Requests for law enforcement that just dumps all the data to them immediately without all those barriers to access. Makes one wonder why that's not also available to Amazon users?

Also, are these Emergency Data Requests ever subjected to post-mortem court review of any kind? Is anyone in law enforcement ever subjected to discipline for bogus requests?


Just a guess, but perhaps Amazon responds to EDRs only with potentially meaningful data rather than how many minutes into your third viewing of The Simpsons S16E4 you paused the video last, how often you've clicked on but never carried through with that Roomba purchase on woot.com, or the full history of Amazon App Store promotions you took part in back in 2015 to get free coins added to your wallet that you've completely forgotten about.


> This would indicate that Amazon has some kind of internal interface for these Emergency Data Requests for law enforcement that just dumps all the data to them immediately without all those barriers to access.

If they scratch the government's back, chances are the government will scratch Amazon's back, too.

> Makes one wonder why that's not also available to Amazon users?

There's a benefit to giving law enforcement whatever they want, but little to no benefit to giving users the freedom to move their data out of Amazon's walled garden.

Amazon is the same company that is creating partnerships with law enforcement agencies all over the country with their Ring products and surveillance network[1][2].

[1] https://www.theverge.com/2021/1/31/22258856/amazon-ring-part...

[2] https://www.eff.org/deeplinks/2020/06/amazon-ring-must-end-i...


"KT said fake EDRs don’t have to come from police departments based in the United States, and that some people in the community of those sending fake EDRs are hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization."

This sounds extremely unlikely.

Maybe in 1999 someone would have hosted their mail server on the same server as their web site. But today?


From: https://twitter.com/briankrebs/status/1508819347963363329

Some backstory that's not in the piece. I originally started reporting this about six months ago, when an anonymous tip suggested people were creating fake police department .org domains and sending requests from there. Spent ridiculous amt of time chasing that to no end.

As part of that research I looked at all new police dept domains in the last year. Found so many I was sure were fake. They were all real. Some were half-done. Some completely wide open, security-wise. It was depressing to learn after that there are > 18k police depts nationwide.


18k police departments is mind blowing. I looked it up because I wasn’t sure it was plausible, but a Department of Justice publication confirmed [0]. Meanwhile the UK has 48 police forces [1].

330,000,000 / 18,000 = 18,500 Americans per police force

67,000,000 / 48 = 1,396,000 Brits per police force

Not sure what to make of that.

[0] https://bjs.ojp.gov/content/pub/pdf/nsleed.pdf

[1] https://www.police.uk/pu/contact-the-police/uk-police-forces...


Individual UK police forces were created through acts of Parliament, and after an act was passed making UK policing universal, each force was monitored by the central "Inspectorate of Constabulary." Parliament passed two more acts; "The Police Act of 1946" merging towns with counties reducing the number of forces to 117, and the "1964 Police Act" reducing forces to 67.

The US just blanket legalized every local paramilitary. Any random-ass local law could give you the right to create your own personal police force.

-----

> It's easier than you think to create your own police department in the United States.

> Yosef Maiwandi formed the San Gabriel Valley Transit Authority -- a tiny, privately run nonprofit organization that provides bus rides to disabled people and senior citizens. It operates out of an auto repair shop. Then, because the law seems to allow transit companies to form their own police departments, he formed the San Gabriel Valley Transit Authority Police Department. As a thank you, he made Stefan Eriksson a deputy police commissioner of the San Gabriel Transit Authority Police's anti-terrorism division, and gave him business cards.

https://www.schneier.com/blog/archives/2006/03/police_depart...


Very different population sizes and land mass. The US is way more spread out than in the UK (730 per sq mile in the UK vs. 93 per sq mile in the US.)

In the US the Top 100 cities (each will have at least one police department) have just 20% of the population.

You have a police department for almost every state, county, city, and town in America. And, the US has about 3000 counties and 19,000 towns (with about 14,000 being 5,000 or fewer people.)


"We don't live in a police state. We just happen to have a lot of [State | Federal | Regional | Capitol | Transit | Park | University | Hospital | County | Airport | Local] Police!"


Yeah, it sounds pretty bad, but at least it's somewhat decentralized so that power is diffuse. One way to make it worse would be to connect all those agencies to a central aggregator that acts on their behalf. I'm surprised to see so many comments in this thread advocating for exactly that kind of centralization of power.


>One way to make it worse would be to connect all those agencies to a central aggregator that acts on their behalf. I'm surprised to see so many comments in this thread advocating for exactly that kind of centralization of power.

So here in the UK, Special Branch are the intermediate between the security services and police forces, but don't be fooled into thinking UK police forces are independent, there are official channels which is what gets reported and the public are allowed to know about and then there are unofficial channels, in financial stock trading, this could be likened to Dark Pools.


> But today?

Today they use the same crappy hosting company as in 1999, that does the same thing it's always done, just only slightly newer hardware. Especially on a municipal level, there still is not much of a standard when it comes to such things.


Hmm... it seems trivial to do a lookup of the A records for @ and www, and see if there's any overlap with the MX records.

If so, then it was likely set up a long time ago and not maintained well.
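
An added sketch of the check described in the comment above, written as a self-audit an administrator could run over their own zone (not code from the commenter): it resolves the apex and www names and the MX targets, following CNAMEs, and reports addresses that serve both web and mail. The record set is constructed, using documentation-range addresses and .example names, and all function names are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Constructed sample records in dig-style "name TTL class type rdata" form.
const sampleZone = `
oldtown-pd.example.      3600 IN A     192.0.2.10
www.oldtown-pd.example.  3600 IN CNAME oldtown-pd.example.
oldtown-pd.example.      3600 IN MX    10 mail.oldtown-pd.example.
mail.oldtown-pd.example. 3600 IN A     192.0.2.10
newcity-pd.example.      3600 IN A     198.51.100.20
www.newcity-pd.example.  3600 IN A     198.51.100.21
newcity-pd.example.      3600 IN MX    10 mx1.mailhost.example.
mx1.mailhost.example.    3600 IN A     203.0.113.5
`

type zone struct {
	addr  map[string][]string // name -> A/AAAA addresses
	cname map[string]string   // name -> canonical name
	mx    map[string][]string // domain -> mail exchanger names
}

func norm(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }

func parseZone(text string) zone {
	z := zone{map[string][]string{}, map[string]string{}, map[string][]string{}}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || strings.HasPrefix(f[0], ";") {
			continue // blank line, comment, or truncated record
		}
		name := norm(f[0])
		switch strings.ToUpper(f[3]) {
		case "A", "AAAA":
			// Parse and re-print so equivalent spellings of an address compare equal.
			if ip := net.ParseIP(f[4]); ip != nil {
				z.addr[name] = append(z.addr[name], ip.String())
			}
		case "CNAME":
			z.cname[name] = norm(f[4])
		case "MX":
			if len(f) >= 6 { // f[4] is the preference, f[5] the exchanger
				z.mx[name] = append(z.mx[name], norm(f[5]))
			}
		}
	}
	return z
}

// resolve follows CNAMEs (bounded, so a loop cannot hang) to addresses.
func (z zone) resolve(name string) []string {
	for hops := 0; hops < 8; hops++ {
		target, ok := z.cname[name]
		if !ok {
			break
		}
		name = target
	}
	return z.addr[name]
}

// SharedMailWebHosts returns, sorted, every address that answers for the web
// names (apex and www) and also for one of the domain's MX targets.
func SharedMailWebHosts(z zone, domain string) []string {
	domain = norm(domain)
	web := map[string]bool{}
	for _, n := range []string{domain, "www." + domain} {
		for _, a := range z.resolve(n) {
			web[a] = true
		}
	}
	seen := map[string]bool{}
	shared := []string{}
	for _, host := range z.mx[domain] {
		for _, a := range z.resolve(host) {
			if web[a] && !seen[a] {
				seen[a] = true
				shared = append(shared, a)
			}
		}
	}
	sort.Strings(shared)
	return shared
}

func main() {
	z := parseZone(sampleZone)
	for _, d := range []string{"oldtown-pd.example", "newcity-pd.example"} {
		fmt.Printf("%s: web and mail share %v\n", d, SharedMailWebHosts(z, d))
	}
}
```

Distinct addresses do not prove separate machines, so an empty result only rules out the obvious case.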


The average police officer doesn't even know the law very well. I'd be shocked if the average police dept had someone technically competent enough to speak to network security concerns: that's not their job.


Right, but setting up a web site and email server on the same host (even poorly, in a just-about-works state) requires more expertise to set up than getting a web site and email set up on GoDaddy or whatever.


I wouldn’t put it past them. But hacking an admin portal would probably suffice.


This one is easy. Require a warrant.


It sounds like EDRs shouldn't really be a thing. If police need a court-issued warrant to enter my home, why can't they enforce the same for data access?

If there's one thing I learned from practice in programming, it's that the more "exceptions" you make, the more room there is for bugs and security flaws. The same applies for everything. Keep rules simple. The more "if this, then that" you add, the more loopholes you may find.


How about requiring phone verification that routes through a public number/central source?

If it's a true emergency, someone should have no difficulty being available for a call.

(The main number could be compromised too, but come on...)


Yea exactly. Maybe we can give it a name, how about multi-factor authentication? So you verify you are who you say you are through a different factor/channel. And making a phone call to actually talk to a person in real time.


In methodology this is similar to an ancient scam, where scammers would send fake yellow page/phone book invoices to companies. Many companies would just pay the bills.



I doubt the public is aware of the very large number of different electronic requests for their information, and how many can be faked, from dmca takedowns to these fake emergency data requests to requests from the feds for your email etc in the name of 'national security'. Somehow we need to get this out there better, and get more lawmakers aware. It's doubtful in my lifetime that the addiction of law enforcement to these easy electronic requests will cease.

The fact that such requests can't really be authenticated reliably without a human in the loop (because as Krebs says, you can just create real email accounts on the police dept email server) and there are so many of them is terrifying. You could put our entire society (in the US) into chaos just by pushing this more and more until our law enforcement is just overwhelmed. If we were in a war with Russia or China, why wouldn't they do that?


> You could put our entire society (in the US) into chaos just by pushing this more and more until our law enforcement is just overwhelmed.

What? If the attack you describe was going on, there would be a very simple remedy: Stop requiring people to comply with possibly-false subpoenas.


This would require police departments to give up their power to illegally obtain information. I'm not going to hold my breath.



The statements about this being "unfixable" are utter nonsense. If someone claims to be from a particular law enforcement agency it is trivial to just call up said police department and ask to speak to that person. If no one answers or the person can't be reached you don't approve the request.

The only thing that's "unfixable" about this is that it's not something you can automate. You need an actual human being to perform the verification step(s).


The real fix is to require a warrant without these loopholes. Judges can be available on a moment's notice for these sorts of issues.


Are we sure it's not trivial to fake a warrant?


Faking a warrant is a felony, perhaps even a federal one that would get the FBI involved I assume. You'd have to forge an official court document, forge a signature of a judge, etc. That has _serious_ consequences and prison time vs. faking a "data request" that might be entirely digital with no physical document or signatures, etc.

Not saying it can't happen or won't happen, but a criminal has to be seriously determined and ready to risk a long prison sentence to fake a warrant.


I feel like I've been seeing a lot of comments lately to the effect of, "no - that would be illegal!" Yeah, we are talking about criminals who are already breaking one law. Often criminals who, in the very nature of their crime, are hard to identify.

But then, even if they're not overtly breaking the law with a simple request for information, debt collectors and car warranty salesmen are notorious for sending letters that will imply they are your financial institution, the letter was sent by your account manager, etc. IRS impersonators will tell people that jail time is imminent. I can imagine someone could create something that looks to a non-lawyer (who's afraid and not paying attention) like it's basically a warrant signed by someone who's basically a judge, but just doesn't outright say that. You'd still need to verify - hey is this person actually a judge, and did this person actually sign that as a warrant?


Yes, which is why just set the bar at responding to any request for any data with "Sorry we do not respond to requests for data that aren't court ordered warrants. Please come back with a warrant we can verify."

The problem here is that companies have a policy of trusting some government email address for little one-off, no warrant needed requests. Don't have that policy.


> Please come back with a warrant we can verify

The problem is that it might not be easy to verify a real warrant, but that’s not grounds for noncompliance.


>> Please come back with a warrant we can verify

Ok. Now how do I verify one, assuming the information in this article is accurate?


You check the court records. These are easy to find with a digital records search, or you call the court clerk. The phone number is listed on the warrant. This is not hard, but it's not an automated process by design.


> The phone number is listed on the warrant.

You should not rely on any information on the document you want to verify - look it up yourself.


From the end of the article:

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.

So yes, people are faking court documents.


Most criminals aren't thinking about any of that at all. Either they're so goal focused, any possible punishments don't even cross their mind, or they think they're clever enough to not have to worry about it.


Ah yes, the good old "just make crime illegal"

Do people honestly think that's a deterrent for people already committing felonies?


Yeah, it's the same issue. You'd have to call the court back to verify the warrant.


If it's important enough to issue a warrant then it's important enough to have a court official and issuing police/judge on call to confirm its validity.

Being able to read back a code to validate the contact is enough. It doesn't even have to be complicated.

If they can't be bothered to answer the phone then it's not important.


How do you give them a call? Info given on the warrant? Which is fake? And so they fake the call back info?


The court's own website usually has contact information that can be independently verified. This isn't that difficult a problem to solve.


Do courts all have domains under a government subdomain?


All the courts that would issue these types of warrants will be easy to find. This isn't the sort of thing you do over a traffic ticket or shoplifting. It's not the court you go to when your neighbor owes you fifty bucks. These are murder and kidnapping cases. The people processing these warrants today are likely already on a first name basis with the clerks of these courts.

Think about it, how do you validate any court order? Why is this only a problem now? I think it's because they want to sidestep the judicial oversight process. Keep that intact, as the constitution requires, and this issue disappears.


Local-ish courthouse for me only has a contact info for regular business hours. So if not in business hours, then what? There's ~3200 counties (or equivalent) in the US. There's no way to be on a first name basis with the clerks of each county courthouse, let alone if you have a big county with multiple different types of courts.

As for how you validate court orders now? You largely don't. That's why it's possible to use fake court orders to take down true but unpleasant information: https://www.cnet.com/news/privacy/forged-court-papers-are-be...


Your local courthouse may not even do jury trials. It doesn't do the sort of cases that require 3AM emergency warrants. If it's that important it can go in front of a district or federal judge, otherwise it can wait for business hours.

Local police departments don't need the ability to engage a global surveillance apparatus at the drop of a hat. Stuff like that can be run up the chain first.


> It doesn't do the sort of cases that require 3AM emergency warrants

You will be in trouble if you ignore a real warrant on this basis.

Your lawyers will probably tell you that it’s better to just take the risk of possibly complying with a fake warrant.


Who would you even give the data to if they are closed? Fax it over to the courthouse if you are concerned, or tell them it's at your location ready for pickup. If they are legit that won't be a problem.


The data is collected by the LEO, not the court. But yes, you can fax it to the law enforcement office, whose number should also be independently verifiable.


> whose number should also be independently verifiable

This is not a legal requirement. If you fail to comply with a legitimate request because you couldn’t verify the number, you go to jail.


Can you point us to an incident where this has ever happened, namely, where a service provider didn't respond to a demand immediately while they verified its authenticity and someone went to jail for it? Or even got a finger wagged at them by a judge? Third-party records production is almost never time-sensitive to the degree that, say, a warrant to search for drugs or contraband is, and there's little risk of spoliation of evidence.


As the article points out, nobody actually verifies these requests.

So no, I can’t point you to such an incident. Have people been held in contempt for failing to comply fast enough? For sure.


You cannot conclude that because someone has been held in contempt for intentionally failing to respond to a records production request because they simply didn’t want to do it, that someone would also be held in contempt for delaying production for a few hours while they make a good-faith attempt to verify the authenticity of a request. Judges take all the facts and circumstances into account—including intent—when making these kinds of decisions, especially those that involve depriving someone of their liberty.


> delaying production for a few hours

Ah yeah, I think you are totally right. Our disagreement stems from the fact that I don’t believe that few hours is sufficient at all.


Is being unable to independently verify a request for information or a warrant a real problem, or are you just making up problems that may not actually exist?

Let's stick to reality, folks.

If you have ever received a demand from a court that you couldn't verify the authenticity of, I'd like to hear from you.


> These are murder and kidnapping cases.

They're also "we think this kid is selling marijuana" cases. Law enforcement doesn't even need a warrant, they can just send a request for data and every company will just rubber stamp it and give them whatever they want.


This is wrong, and I know several legal process departments who will tell you otherwise, e.g.,:

https://www.apple.com/legal/privacy/law-enforcement-guidelin...

Please, post about legal issues only if you know what you are talking about.


Do not forget that it is world wide. The gov has next to a signature a feature called apostille.


They do not! And you'll be surprised how tricky it is to find local/state courts as someone with non-regular contact with the legal system.

Even more fun would be the process of jurisdictional verification. All of which I'm sure the "Officers" would be more than happy to leave you be with your electronics and whatnot long enough to verify, right?

Longer I'm alive, the more insane our system seems to me on a daily basis. Not sure if it's just cognitive decline or rapidly amplified cynicism as I dig into the signalling nightmare that is the interface between the executive and the judiciary system.


> And you'll be surprised how tricky it is to find local/state courts as someone with non-regular contact with the legal system.

Name one court that signs warrants to service providers that can't be verified by spending 5 minutes doing some basic research, or that has a LEO office serving such warrants that also can't be verified.


So you go look up warrants on a regular basis?

The topic at hand isn't whether a lawyer or a court officer can, but whether EVERYONE can in a timely manner such that if a police officer or LEO (or someone impersonating one, since we're talking zero trust) can be told to go sod themselves by a layman.

Fundamentally this is a signal/info propagation problem. Processes take time.


The people who process these requests, particularly at the large companies that possess such data, are typically dedicated to the task and possess the specialized knowledge needed to do so. They have often developed significant relationships with the law enforcement community.


Do you know them? Do you have a connection that you could entrust with giving you a positive or negative answer as to whether the armed man with no sense of humor in the cop uniform outside is the real deal?

I don't. Hell, even if I had a lawyer on hand, I doubt the lawyer would go "hold up.. checking the registries, yup it's legit"; rather they'd tell you to cooperate then maybe challenge outcomes down the road when the paperwork catches up.

For most, the answer is they take it on faith anyone usurping that authority would have such a shit ton of bricks dropped on them, no one would be stupid enough to do it. Obviously, that logic is showing its age.

Frankly, if I were the courts/LE and found out this was going on, there'd be a new Public Enemy #1. Trust is too important.


People were able to do this for years prior to Google's existence. I'm sure a social media company can determine how to find a court without Google.


Every court has a phone number, you can look up the court independently and call the main line to get routed to the appropriate party.


Use a phone book?


All of which makes me wonder, and this being HN, wouldn’t it make so much sense if law enforcement agencies started signing these kinds of requests with verifiable public keys?

It seems like such a trivial problem from a technology point of view, it makes me believe it’s mostly an organizational problem.


At the very bottom of the article:

8<--------------------------------------------

The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data. In July 2021, a bipartisan group of U.S. senators introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.

8<--------------------------------------------


I should have done a better job at reading the article, thanks for this.


From the end of the article:

The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data. In July 2021, a bipartisan group of U.S. senators introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.


I agree that it does seem like a trivial problem that is mostly organizational. There are nearly 18,000 police departments in the US. Standardizing anything across a subset of these and getting approval from the judicial system just seems like a nightmare.

This seems like one of those issues that is solved only when someone is murdered and a law is written after their name.


Let's add Blockchain to this so warrants are verifiable on a private Blockchain.


/s


This isn’t a fix. Warrants are easy to fake, not necessarily easy to verify.


In theory you could automate it, but that would require a different architecture.

It's honestly pretty stupid that email is being used for this instead of having a secure portal which could include things like RSA hard tokens, or even just passwords with 2FA would be a step up. Nothing is fool proof, but this sort of stuff is common with other sensitive information like finance.


Honestly, email would do the job too, if it was signed email.

I’m pretty sure the largest deployed PKI system is the US federal government’s - it really feels like we should be able to deploy something for law enforcement agencies. (And in fact that’s what the legislation mentioned at the end of the article appears to do.)


Does that actually fix the issue if they've compromised the security of the email server using real or generated accounts?


The email server typically does not contain key material. If you’ve ever interacted with the military or related contractors you may recognize this card: https://www.cac.mil/common-access-card/

That’s a smart card, containing a certificate that can be used to sign email, be used as a client cert for web access, etc.

Now, it has moved the problem to some extent, in that now you have to secure the CA that’s issuing these certs.


I'm a little familiar with CAC cards from years ago. I don't believe they were using them to sign emails at that time. That's different than the signing process I was familiar with. That would work.


The DoD root CAs are pretty damn secure. They're offline in physical vaults on military installations. Compromising one of those is a far cry more difficult than some town of 400's local PD e-mail server.

Granted, you only need to compromise a RAPIDs office to issue yourself a CAC, but that is still offline and on military installations (though often much less secure reserve/guard installations).


Wouldn't the cert need to be specific to the individual for proper identification? So getting one for yourself might not provide the sufficient privilege.


The cert would verify that a specific individual signed the email, with someone having previously verified issuing the credential to the right person (this sort of thing is usually issued as a smart card ID, so it's used for several things, and it's unlikely people lose it without reporting it lost and getting it revoked).


They specifically mentioned issuing themself one, not stealing one.


Yeah, issuing themself one through RAPIDS. You need to authenticate against RAPIDS to issue one. So you're looking at stealing a credential, and hoping you can get it done before it's noticed it's gone and revoked, and hoping that they don't go ahead and look at logins between when it was last seen and when it was revoked in order to see if there's any weirdness, at which point your credential gets revoked.

If they did something similar for law enforcement, it would probably have the same sort of restrictions: you need to authenticate to get a credential, but to authenticate you need a credential. So you need to steal one to issue yourself one.


> In theory you could automate it [..]

Sorry for the somewhat off-message thought, but perhaps this kind of thing is actually more secure if you _don't_ attempt to automate it?

Maybe the person receiving the request should actually go and look up the phone number of the police department or court who allegedly issued it/approved it, and then call that number (note: not the number mentioned on the request itself).

Surely if that was the SOP, this kind of stuff would just stop?


Where are they looking it up? Is that source secure? If it's just on a website, that could be easily corrupted.

There's a huge number of systems across the US. I am assuming that a centralized system would provide better security overall compared to the many small and often neglected local systems. This would also standardize the process, reducing the possibility of some locales practicing insecure processes.


> If it's just on a website, that could be easily corrupted.

Back in the day we had things called "telephone directories" (I'm showing my age somewhat)

Is it beyond the wit of man to have the CIA/FBI/NSA/$TLA publish a "list of places to phone" when you receive an Emergency Data Request?

If the source isn't on the list, you can ignore it. If it is on the list, phone the number on the list to verify it?

This really isn't rocket science. At least not for those of us who grew up in an age where you could step into a phone box and open up a printed directory and look up someone's phone number...


Yeah, I'm baffled by the idea that the internet is the only possible way to convey information about phone numbers.

It's not even that we are old enough to have experienced looking up a number in a phone book and some people here are too young to have that experience. The obvious solution to this seemingly unsolvable problem is to print some numbers on a piece of paper and post it to each company you want to get data from in the future.


This is a solution that can only be implemented by the legislative branch of the federal government. (Very unlikely to happen)

The problem is indeed unsolvable by the recipients.


So are they issuing a new book every time a department/precinct is created, merged, disbanded, or the number is otherwise changed? This still doesn't solve the issue of authentication of the issuing party since the phone location could be unsecured, or the call rerouted.


That is a possibility. It would likely need to be digital, not printed, to avoid stale data. The identity verification will still be less than what you could do with something like certificates or RSA tokens since there's nothing guaranteeing the person on the other end is who they say they are (numbers change, area could be unsecured/unmanned, call redirected, etc).


> It would likely need to be digital, not printed, to avoid stale data

Q: Would one expect police departments to be the kind of places which would change their main telephone number regularly?

Consumers change providers often. Institutions? Maybe not so much. (As an aside, I've just checked, and my old university's phone number is exactly the same as it was 30-odd years ago when I enrolled).

To be frank, I'd prefer a printed version for something like this. Harder to hack a directory that's hard copy and whose entries really ought not to be changing very often. If ever.


"Harder to hack a directory that's hard copy and whose entries really ought not to be changing very often."

Phreaks often dumpster dove for this info.

How does it not change often? There are constantly new departments starting, departments/precincts merging, and departments shutting down.


> Phreaks often dumpster dove for this info

For the telephone number of their local police department? Is it supposed to be secret? My point is that it should be public!

> How does it not change often? There are constantly new departments starting, departments/precincts merging, and departments shutting down

There is simply no reason for a newly-started/merged police department to be able to unilaterally issue an Emergency Data Request, and I say this as a father of three young kids.

For $deity's sake, some new and/or newly-merged and/or micro police force must surely have their local, regional and national-level police forces on speed dial on all their phones. If someone is missing and needs to be found quickly, all they need to do is pick up the phone and reach out to "higher authority" (who can be quickly authenticated, because they definitely have been around for decades), not start acting like the local heroes.

This isn't a technical problem, folks :(


"Is it supposed to be secret? My point is that it should be public!"

If I have a list of all the agency numbers, then I can look for organizations that disbanded and use those numbers. Since they could still exist in the book (because it wasn't updated instantly), the other party could think you're legitimate.

"There is simply no reason for a newly-started/merged police department to be able to unilaterally issue an Emergency Data Request, and I say this as a father of three young kids."

How so? For the first year of existence they can't issue anything because they have to wait for the next book to be published. That sounds dumb. There's no reason they shouldn't be able to issue anything they have the lawful authority to do so. Have any support/logic for your claim that they have no reason?

"some new and/or newly-merged and/or micro police force must surely have their local, regional and national-level police forces on speed dial on all their phones. If someone is missing and needs to be found quickly, all they need to do is pick up the phone and reach out to "higher authority" (who can be quickly authenticated, because they definitely have been around for decades), not start acting like the local heroes."

Um... so how does this higher level authority authenticate this lower level authority if they aren't in the book we are using for authentication? In some cases, jurisdiction can get in the way of the scenario you just described. And again, how long are you going to prevent a department from doing what they are lawfully allowed to do?

"This isn't a technical problem, folks"

Ok, then how do you solve the authentication issues in my previous comment? So far your system hasn't addressed them.


Trivial for someone who is suspicious and cares, sure. But that is not _prevention_ by any stretch. People still get phished via email every single day. I wish I could rely on something more robust than just the services I use being extra careful.


Sure, but the point is the process at the company receiving the request for data should change. They should verify the requesting entity.

Then if the people processing these requests don't follow that process, then that is a different problem. But as it stands now, those people can follow the process to the letter and we still get the wrong outcome.


Yup, came here to say this. Look up the number (don’t trust any number provided in the email, actually go look it up) and pick up the phone.

Very effective and simple solution.


Yes, the call back mechanism is a pretty good one but it has limitations too. It requires the switchboard operator at the police station to be trustable. Indeed, that human needs to actually pick up the phone. In many cases, the 911 line is the only one that's routinely answered.


I'm thinking that the number of "Gun to victim's head; we need secrets from $Corporation_Name now!!!" situations which a typical small police dept. would actually experience, even over a decade, is ~ZERO. And the chance that a small police dept. would have the skill set, familiarity with the procedure, etc., so that they could correctly request the right data, from the right part of the right corporation, is about the same.

SO - move the power to make such requests up to (say) State Police departments, or even somewhere in the DHS. Those guys have (or should have) sufficient resources to secure their e-mail, staff call-back phone lines 24/7, etc. And in the other direction, they should be far better able to vet alleged local police officers who contact them with emergency requests.


If it's really an emergency then calling the 911 line seems justified?


How do you call 911 in another city? AFAIK, 911 calls always go to the local dispatch center.


Area code, then 911. And often, the 911 dispatcher asks "What city?" as the very first thing they say.


Require police stations to register their callback number for EDRs. Require a response before releasing information.

You still have the issue of vetting each police station, but you can do that once before the EDR comes in. Then when the EDR comes in, you call that number, confirm the details.

It can still be hacked, but not nearly as easily as a random officer's email account.


It could also be “fixed” by deciding that the risks associated with government not getting data that could help stop an ongoing crime is less severe than the risks associated with these data leaks.


Who makes that decision?


Us. By not using shitty systems to host our data as well as actively combatting laws and regulations that require backdoors or cross-platform compatibility.

I don't want my conversations to be "cross-platform compatible" with Facebook. Thank you very much.


The lawmaker or the voters, depending on how you look at things.


And also the companies in question. They are responding to non-warrant requests. As I understand it there is no legal obligation to do anything on their part.

It is a public perception thing. The companies (probably rightly) think the public will react badly to headlines about "Little kidnapped girl could have been saved by Google, but they didn't care" more so than the current article we are discussing.


This would be a good step.

Others have brought up problems with this but another one is that companies get paid by police agencies to provide these data in response to records requests, they are incentivized to not rate-limit these responses.


How much are they paid? It seems unlikely that they get enough income to cover a department dedicated to this processing, let alone make significant money out of it.


I’d guess the processing they do is minimal and that the rate they charge goes up every year.


Absolutely. This is “just” another control measure that needs to be (a) made aware of (b) implemented stringently throughout organizations.

Most people don’t realize how boring cyber prevention often is.


I think the article kind of hit on a good system:

- FBI is CA?

-- Issues hardware PKI to local departments

--- Only PKI-signed EDRs are processed without manual phone verification
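The scheme sketched in the comment above (a central CA issuing credentials, with only validly signed EDRs skipping the manual phone check), as an added Go example that is not from the thread or the article. The `Intake` type, the `EDR` message layout, the certificate names and the revocation set are all assumptions of this example; the requests it triages are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Decision: Process, or ManualCallback (phone the number already on file for the agency).
type Decision string
const Process, ManualCallback Decision = "process", "manual-callback"

// EDR is a constructed message format: body, detached signature, signer cert (DER).
type EDR struct{ Body, Signature, CertDER []byte }

// Intake holds the provider's trust settings (all names are assumptions of this example).
type Intake struct {
	Roots   *x509.CertPool  // the issuing authority's root certificate(s)
	Revoked map[string]bool // serials of credentials reported lost or stolen
}

// Triage fast-tracks a request only when every check passes; all else goes to a human.
func (in *Intake) Triage(req EDR) (Decision, string) {
	if len(req.CertDER) == 0 || len(req.Signature) == 0 {
		return ManualCallback, "unsigned request"
	}
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return ManualCallback, "unparseable certificate"
	}
	opts := x509.VerifyOptions{Roots: in.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return ManualCallback, "certificate does not chain to the trusted root"
	}
	if in.Revoked[cert.SerialNumber.String()] {
		return ManualCallback, "credential revoked"
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, req.Body, req.Signature) {
		return ManualCallback, "signature does not match body"
	}
	return Process, cert.Subject.CommonName
}

// newCert issues an Ed25519 certificate for the demo; parent == nil means self-signed.
func newCert(cn string, usage x509.KeyUsage, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// runScenarios triages five constructed requests and returns the decision for each.
func runScenarios() map[string]Decision {
	root, rootKey := newCert("Example Root CA", x509.KeyUsageCertSign, 1, nil, nil)
	dept, deptKey := newCert("Example Town PD", x509.KeyUsageDigitalSignature, 2, root, rootKey)
	fake, fakeKey := newCert("Example Town PD", x509.KeyUsageDigitalSignature, 3, nil, nil) // look-alike
	in := &Intake{Roots: x509.NewCertPool(), Revoked: map[string]bool{}}
	in.Roots.AddCert(root)
	body := []byte("constructed EDR: subscriber records for account 12345")
	sign := func(k ed25519.PrivateKey, c *x509.Certificate) EDR {
		return EDR{Body: body, Signature: ed25519.Sign(k, body), CertDER: c.Raw}
	}
	out := map[string]Decision{}
	out["valid"], _ = in.Triage(sign(deptKey, dept))
	tampered := sign(deptKey, dept)
	tampered.Body = []byte("constructed EDR: subscriber records for account 99999")
	out["tampered"], _ = in.Triage(tampered)
	out["lookalike"], _ = in.Triage(sign(fakeKey, fake))
	out["unsigned"], _ = in.Triage(EDR{Body: body})
	in.Revoked[dept.SerialNumber.String()] = true // hardware token reported stolen
	out["revoked"], _ = in.Triage(sign(deptKey, dept))
	return out
}

func main() {
	fmt.Println(runScenarios())
}
```

Only the first request is fast-tracked; a self-signed certificate carrying the same department name, an altered body, a missing signature and a revoked credential all fall back to the manual callback.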


This could work for domestic requests, but the one example of this I've seen in the wild (and this was mentioned in the original post) involved a request (supposedly) coming from police internationally. Though, requests from foreign police are more likely to be handled with scrutiny, so maybe forcing more manual verification (and identification of the proper process in the first place) aren't bad things.


Then local cops with poor security get hacked...


Haha.

It’s also trivial to create a fake police department in some small town, set up google maps entry etc…

What then? What about when you operate internationally and have to accept requests from 100+ jurisdictions?


It's not trivial. But regardless, you're saying the hacker should submit data to Google and also answer a telephone call, both of which increase the risk of getting caught later. The aim should be to stop or mitigate the misuse of EDRs, not to cure the underlying problem of social engineering.


The people discussed in this article are absolutely capable and willing to pick up phone calls.


Well maybe not 14 year old British kids. Not until they come up with better real-time voice synthesis.


Get the police department phone number from the town's government and not google maps.


And how do you identify the real government for some small town? There are many that don’t even have websites.

Contact the state government to ask? There’s a good chance nobody will be able to provide the answers you seek on short notice.


Somehow there were ways to get this done before websites existed. I do not believe that those channels for government no longer exist. If they choose to make themselves impossible to locate offline, this is on them. If all else fails, government-to-government should still be viable, and then the local government will take it from there.


I'm not sure there was ever much verifying before websites existed. Just less fraud.

Back in the NES days Tengen called the United States Copyright Office and told them they needed the technical details of the NES lockout chip to defend themselves in a copyright lawsuit. The Copyright Office faxed over the requested information. Except it was social engineering, there was no copyright lawsuit. Tengen used that proprietary information to build their own cartridges without paying the NES licence costs.


> Somehow there were ways to get this done before websites existed

Ah yeah, because fake subpoenas didn’t work before the internet existed?

> I do not believe that those channels for government no longer exist. If they choose to make themselves impossible to locate offline, this is on them.

Who says they ever existed? Back in the pre-internet days the situation was just worse.

Even the federal government can’t manage this, just look at misissuances of .gov domain names.


If you're in a community that's so small it has no online presence for their government, then chances are you already know who to call anyway.


So google gets one of these requests and supposedly it's from a police force in a small town that has no government website. How do they know who to call to confirm?


County? State? I would argue that this should be the method anyway. Start from the lowest level of known authentic bureaucracy and then work down from there until you reach a legitimate city government representative. I don't think website is an ideal method in any case.


So your solution is to get rid of speedy emergency requests entirely?

Sounds like you’re just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.

And then you need to do this internationally. What will you do? Contact the embassy? Suddenly your authentication process could take months, which is a problem if you’re legally required to comply sooner than that.


> So your solution is to get rid of speedy emergency requests entirely?

No?

Anecdotally, from what we are reading today, a typical EDR response time is on the order of an hour. So while someone on my team is gathering the requested data, someone else is doing the verification.

> Sounds like you’re just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.

If anything, I'm implying that if the government mandates that EDRs exist, they should have to back it up with someone to handle authentication. A phone number at the state level would do the trick.

> And then you need to do this internationally. What will you do?

First I'd have to be convinced why I should do this in every jurisdiction, why that jurisdiction would have access to customer data from other jurisdictions, etc.

Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.


> if the government mandates that EDRs exist

Q: Is government mandating this? At what level?

...and if so, why?


Well, I assumed that the only reason anybody was complying with an EDR was because there was a law mandating they do so. Otherwise, why aren't they just dropping these requests in the trash?


> the only reason anybody was complying with an EDR was because there was a law mandating they do so

Alternatively, it's possible that understaffed and overworked providers are more concerned about their company looking bad when "Missing Child X with schoolbag containing cellphone" isn't located before the next news cycle?

Doesn't due process exist for a reason? Even if that's occasionally a PITA for the authorities?


> So while someone on my team is gathering the requested data, someone else is doing the verification

The whole point is that verification will take much longer than hours.

> Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.

The government is very specific when it comes to what is required of you. The government is not very specific when it comes to what is required of the government.


> The whole point is that verification will take much longer than hours.

How can it take longer than hours to reach the actual police department in $someSmallTown, USA ?

$Deity forbid you actually happen to live in $someSmallTown and need the police in a hurry...


Research the village constables in Alaska. There are also small towns that have only part time police forces. This sort of stuff really isn't uncommon.


FWIW I lived in a village with a part-time police presence. Based on our experiences they're great for helping local kids not get run over on the walk to school (and for closing down public spaces when Covid paranoia was at its highest in early 2020). Manhunts or major crimes? Not so much.

I'm struggling to get my head around how a tiny and/or part-time police force should be the (sole?) point of contact for an emergency data request when <drum roll> they're not even there for the majority of every 24h cycle.

"Dear $TelCo, you must immediately release location data for subscriber 1-800-555-2368, it's so important and urgent we haven't got time to find a judge. Since it's almost 4pm we're going off duty now and will be at our desks from 9am tomorrow. Yours, $PartTimeForce"


$someSmallTown might not even have a police department, how are you supposed to find out if the only one that comes up on the internet is fake?


Someone wearing a uniform turns up on your doorstep with a piece of paper that they claim is a search warrant. You say you want to talk to your lawyer. They say they're in a hurry and this is really important. At this point you decide to google the name of the person who signed the warrant, you phone the number you find on the internet, "Judge" Smith answers, so you let the "officer" into your house.

Really?


Nope, but for cities to be prepared for such emergencies beforehand by completing some basics of bureaucracy by being properly authenticated, much like you expect a city fire department to have some fire trucks purchased already instead of expecting to purchase one in seconds when they need one from the dealership 1000 miles away.


Yeah, of course the federal government could legislate this problem away. Not gonna happen though.

It is literally impossible for request recipients to solve this problem.


> It is literally impossible for request recipients to solve this problem.

This I agree with. I'm trying to find the actual text of the law, I'm surprised the government isn't pretty specific about what constitutes a valid EDR, who can send them, etc. Bureaucrats love to write rules.


From the article, I couldn't see what actually compelled the need to comply with an "EDR". From what I could see, they were not actual warrants or subpoenas that legally compelled performance, they were requests. They do it out of not wanting to have bad PR in case it was real, because the consequences for a screw up are pretty much nil.

The end solution is either an authentication scheme, a $1000 rush processing fee that includes a verification process and the requirement to call it in (It is an emergency, isn't it? Emergencies do not happen often, so what is $1000 to an American organization funded by taxpayer dollars?) or E2E encryption that makes it so they can't give data.

Another thing about the $1000 fee, is you get to see the payment information about the account it comes from, and you can further require it comes from a government account which matches the requesting organization. Thanks to governments being very gung ho about their financial surveillance infrastructure being a hard requirement for almost everything now.


>So your solution is to get rid of speedy emergency requests entirely?

Who said that?


That’s the implication. A lengthy verification process makes speedy processing of requests impossible.


A fake subpoena is not a home invasion. It's not like seconds matter.


Until you get in trouble for not complying with a real one.

Worst case scenario is probably a horrible PR disaster after a child dies because you couldn’t process a real request fast enough.

And we’re not talking about seconds, but easily days or weeks.


You think this is something someone can't figure out in a matter of weeks?


[flagged]


We've banned this account for breaking the site guidelines.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.


>Sorry, but this isn’t your first comment demonstrating severe struggles with reading comprehension.

This isn't reddit, you can't talk to people like that here. I'm not engaging this further.

https://news.ycombinator.com/newsguidelines.html


Would you please stop perpetuating flamewars on HN and also please stop using HN primarily for political/ideological battle? We ban accounts that do those things because they destroy what the site is supposed to be for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


For some problems, there is no good solution.


That’s my point. The OP “riskable” claimed the opposite though.


Are the white pages a thing in the States?

I mean I want to call some entity in the US that doesn't have its number on a website, how do I do that now in a non emergency situation? Is there any reason that wouldn't work in an emergency?

This doesn't seem like an actual problem anyone has ever had.


No, except for easy-to-influence websites that scrape numbers from sketchy sources and accept user submissions without verification.

Not that the inability to confirm a phone number in a hypothetical phone book would be an excuse for noncompliance anyway.


The secretary of state for that state can provide that information.


Only in the United States. There are almost two hundred countries in the world. What if the request comes in from Kiribati?


If you give them days, weeks or perhaps months to come up with a response. Sure.

Not going to work internationally anyway.


You are being intentionally argumentative, and not in a devil's advocate, let's explore all the consequences of the topic at hand kind of way.

You are engaging in bad faith, please stop it.


That’s really not the case. What is “bad faith” about suggesting that the secretary of state probably isn’t going to rapidly solve this problem for you?

It’s not even about being a “devils advocate”, the balance of probabilities rests squarely on the side of this being far more difficult than many commenters here try to make it out to be.

I think it is you who is engaging in bad faith.


I’m really confused as to how this relates to what is being discussed here.


>And how do you identify the real government for some small town? There are many that don’t even have websites.

This was the question I responded to. I'm not sure how else to explain it?


We are talking about fake law enforcement requests sent to big internet companies. Do you think these bigcos have presence in McMullen, AL?


Contacting the state government should be the right choice (but it may not be in practice). In many countries, every public official has the legal duty to direct you to the relevant authority if you contact them with matters outside their duties. That's a sensible requirement, because citizens should not have to be familiar with the internal administrative structures of government agencies.


> And how do you identify the real government for some small town? There are many that don’t even have websites

(Sorry to have to ask) but are there [m]any towns in the USA without telephones?


Where do you intend to find the numbers to call?

There are towns in the US where the local government consists only of a couple of people who may only do local government work for a few hours a week.

There are towns with essentially no online presence, you could easily create your own fake local government, police and whatever you’d like.


> There are towns in the US where the local government consists only of a couple of people who may only do local government work for a few hours a week

How does anyone authenticate anything allegedly issued by such small parts of local government?

"Not very quickly" is presumably one part of the answer?


In the real world these documents are usually not authenticated, perhaps beyond trying to get a person on the phone by googling the issuing authority.

It’s actually a pretty novel idea that companies should be prepared to deal with fake court orders, etc. In theory it’s supposed to be the job of law enforcement to prevent this, but of course that is also essentially impossible.

If the federal lawmakers wanted the federal government to undertake the herculean task of making all these documents verifiable and traceable, they could of course do that. Are they likely to do so? No.

Also, there’s an important detail that is largely being ignored in this conversation: How many hours of paralegal time can we expect companies to spend verifying legal requests concerning accounts that don’t belong to paying customers?


> In the real world these documents are usually not authenticated [..]

So if a stranger in a suit were to turn up on your doorstep with a "search warrant" to search your house, issued by a court/judge/jurisdiction you'd never heard of, you'd not attempt to authenticate it?

> verifying legal requests

I'm not sure that these EDRs as described can be said to be "legal requests".

Aren't they just asking for disclosure of data without the usual legal checks and balances?


> So if a stranger in a suit were to turn up on your doorstep with a "search warrant" to search your house, issued by a court/judge/jurisdiction you'd never heard of, you'd not attempt to authenticate it?

Most people would not, no. I’ve had a search warrant served on my home once by police in civilian clothes, they handed me a piece of paper and refused to give ID even though I insisted.

What are you going to do? Physically fight them? Bad idea.

> I'm not sure that these EDRs as described can be said to be "legal requests".

The thing is that real search warrants or court orders do not provide any additional security over these EDRs when the submitting party is not acting in good faith.


> The thing is that real search warrants or court orders do not provide any additional security over these EDRs when the submitting party is not acting in good faith.

I'm not sure what you're saying there, can you expand on this? Are you saying a fake search warrant or fake court order is no more secure than a fake EDR?

My point is that the EDR system (if we can even call it a system) appears designed to avoid any and all scrutiny, verification or legal process. "We need this in a hurry, lives are on the line, we haven't got time to get a court order" doesn't exactly invite the recipient to understand that they have every right to say no.

EDRs are basically backdooring an otherwise fairly well-understood system with checks and balances.


Create a fake small town?



Fantastic story, it's hilarious that the "town" popped up on Google Maps for a bit.


So every major technology company will need to figure out the real contact details of every town government (how do you propose they will do this?) and then when they receive one of these "life or death situation, you must respond immediately" requests they are supposed to call up the town, get the number for the police department in the town (hopefully the police department isn't shared between multiple towns or this could get confusing) and then call up the police department to confirm that they are the ones who sent the request?

I guess I don't see the value the town government contact details is providing here. If you have some way of figuring out the real contact details for every town why wouldn't that same mechanism work for figuring out the real contact details of every police department?


In the United States, does <area code> 555-1212 not work anymore? It certainly seems to: https://www.businessinsider.com/555-phone-number-tv-movies-t... https://www.nationalnanpa.com/number_resource_info/555_numbe...


Yes? Tech companies don't have to do arbitrary things for whoever calls up. The court or law enforcement official has to convince you they are real and that they have a warrant.


Try refusing to comply with a real warrant because you aren’t convinced that it’s real. You will go to jail.

Turns out the government actually has no duty to convince you, locking you up tends to be convincing enough.


They'll lose their case if all they did was call you and make a demand. Expecting them to show up in person in some capacity and show you the paperwork is fully reasonable. For a while they mostly operated with letters and sometimes registered mail but that can be faked also.

Look, if you want to preserve your rights you've gotta stand up for them.


This is so deeply wrong. You will go to jail if you act like this.

> Look, if you want to preserve your rights you've gotta stand up for them.

You have absolutely no such right to refuse to comply with subpoenas, search warrants or court orders not delivered via your preferred means.

> Expecting them to show up in person in some capacity and show you the paperwork is fully reasonable

It’s not reasonable, because actual judges will not partake in such games. They will just hold you in contempt.

It might sound reasonable to a layman, but your lawyer will think you’ve gone crazy.


The only real reason you get charged with contempt is for ignoring the warrant. If you try to verify it you're not ignoring it. If you ignore something that's not a warrant they're SoL. It's my understanding these "emergency requests" have no legal basis. The ability of the state to pressgang people into service is very limited.

I'm willing to agree the law is crap and you might go to jail (briefly) anyway, but that's not an excuse for "it should work this way" which is the direction everyone seems to be taking it.


Don’t get stuck on the “emergency requests”, the people faking those are perfectly happy to fake court orders too.

> but that's not an excuse for "it should work this way" which is the direction everyone seems to be taking it.

I see many people arguing that the recipients should solve this problem by doing better verification, I don’t think that’s reasonable.

This is absolutely something that the lawmakers need to fix, but that will be a herculean task.


I'm aware they'll fake court orders too, which is your defense if you piss off the court. Sadly this is only an issue that can be solved by the recipients doing more verification. If the courts offered more verification, you still need to teach the recipients to make use of it.


Someone will sell this information. West Law / Lexis Nexis already provide a lot of this kind of thing (contact info for judges and people in various government agencies).


I wasn't able to find this information on West Law or Lexis Nexis, do you know what term they use to describe this category of information?


Try Judicial Profile.


Accurint


Ah, the fake blade runner station in Do Androids Dream of Electric Sheep?


Require PGP signed requests, and you should have more guarantee?


The problem would be establishing a web of trust of which PGP keys are valid, who still is "law enforcement", and whether they're on gardening leave or have retired etc.

There's too many (US) law enforcement bodies to make a centralised system work, as you'd need to get a certificate authority managing every individual officer's status for every one of these (small and large) agencies, and handle onboarding and offboarding.

In other countries there are more formal structures for these requests through verifiable channels, with standard operating procedures in place.

The question is whether the companies are adopting a lowest common denominator model (a false but assumed valid US request can request any user's data) or not, as that might start to make it a more global concern, and get it on European data protection regulators' radars.


There is already a FedPKI and it's already the Department of Justice's job to track law enforcement, is it not?


No, I don't believe it's the DoJ's job to track law enforcement. There is some Federal-level recordkeeping of crime statistics... training... intelligence sharing.

Could you explain what you mean, or give some examples?


How do you verify the PGP key for a random LEO? The web of trust is a total failure for general use verification, it only solves the special ultra-paranoid use case.

Key distribution has always been the weak point of PGP.


You would use something like WKD and not the web of trust. https://wiki.gnupg.org/WKD


DHS already has a portal LEOs use to collaborate - would be pretty easy to set up something at the federal level - if there was the will.


Government institutions are some of the best places where centralized certificate handling/signing infrastructures shine.


And yet it's basically impossible to get a government organization to sign emails except internally using MS Exchange's encrypted email support.


> The statements about this being "unfixable" are utter nonsense.

It’s not unfixable. It’s broken by design.


Already the part where an EDR can override any safeguards is broken.

If it's that important, then you need to design a safer system and pay the cost of doing so.

Anything else is leaving the front door wide open for hackers.


> It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

Ah, very simple then: Ignore such demands for as long as you can, then, if approached by actual law enforcement, tell them you were told such messages are phishing attempts from hackers.


I’ve been doing a fair amount of subpoenaing phone records lately.

It does seem like AT&T, for example, just sends the records (late) without any sort of verification.


Because there is no incentivization not to.


Absolutely. However, if anyone is harmed by a bogus subpoena request, please give me a call because I need a new car.


This seems like one of those ill-advised crimes that carries a huge federal penalty if caught, right? Pretending to be a police officer feels like something that typically gets smacked down pretty aggressively if not officially sanctioned.


The only way to verify that something is sent by a certain person is to contact that person over a “secure line” and ask them about it.

The “secure line” can be just a phone call to the police department, asking for the officer with badge number xyz.


Some challenges here are how you'd discover the police department's phone line and what happens after hours when no one will answer. Keep in mind, not all police departments have websites where you'd be able to look up the info.

E: lots of police websites on .com as well, so you can't even depend on .gov.

https://duckduckgo.com/?q=site%3A.com+police+department&t=fp...

https://www.anchoragepolice.com/


There is an easy fix for this: if a department has a way to verify the request (secure phone line) then that department cannot issue an emergency request.


I've always wondered how many fake national security letters have been sent to companies, and what the success rate on them is.

Can't LEO get things in front of judges in hours? Is bypassing courts ever actually necessary?


Why not make federal service for this? Give access to all relevant authorities to file such request there and then make it possible to cross-reference it? Leaks of access can be tracked more easily.


> “One of the problems you have is there’s no validated master list of people who are authorized to make that demand”

It sounds like there isn't even a well-defined policy for who is authorized.


Sad that I've toyed around with signing emails with PGP 30 years ago. Now decades later we still haven't got that working. Perhaps something like this will push email signing.


How would that help? If you've compromised someone's email, chances are you'll also be able to grab their private key and password.


This is hilarious. That email with Vinny Troia, and fast-flux... I received that email at my previous employer. We had a good laugh about it with our security team at the time.


All this high speed life or death information and yet the clearance rate of solved homicides in the US has dropped from 70% in the 1980's to 50% today.


I expect this is true, and shows the ridiculous scope creep of government snooping and stalking on individual privacy for what it largely is, power grabs by individuals in government drunk on the power of control.

That said, do you have a source?


I had read it previously elsewhere, then recently re-read it here:

https://www.themarshallproject.org/2022/01/12/as-murders-spi...

I imagine the picture is a lot more complex than the charts make it out to be. For example, I'd be curious about rate trendlines of false imprisonment.


Faking EDR's and GDPR is the newest way to take over anyone's account, for many platforms.

Just the effort companies made to support the requests allows for shenanigans.

If you can't take over the account - you request it be deleted, then remake the account with the username/email desired.


Interesting. And since you can't even store the email address, you can't detect that someone is recreating a deleted account. Hashes to the rescue though. You can just return a cryptic "email/account name not accepted" message.


Is storing a hash not also invasive?

I don't store your IP or SSN. I store the MD5 hash of it.

If the bit-space is easily enumerable, it is just as bad...

but is it?
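Added example, not part of the thread: a Python sketch of the two comments above about keeping a hash of a deleted account's address, comparing an unkeyed MD5 token with an HMAC under a server-side key. The function and class names, the sample addresses and the 10.20.0.0/16 candidate range are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets


def md5_token(value: str) -> str:
    """Unkeyed digest, as in 'I store the MD5 hash of it'."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a server-side secret kept outside the table."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def recover_from_token(token: str, candidates, digest_fn):
    """Return the candidate whose digest equals token, or None.

    Models someone who can read the stored table, knows the digest
    function, and can list every plausible input value.
    """
    for candidate in candidates:
        if hmac.compare_digest(digest_fn(candidate), token):
            return candidate
    return None


class RetiredIdentifiers:
    """Tombstones for deleted accounts: keeps keyed tokens, never the address."""

    def __init__(self, key: bytes):
        self._key = key
        self._tokens = set()

    @staticmethod
    def _normalise(email: str) -> str:
        # Compare addresses case-insensitively and ignore stray whitespace.
        return email.strip().lower()

    def retire(self, email: str) -> None:
        self._tokens.add(keyed_token(self._normalise(email), self._key))

    def is_retired(self, email: str) -> bool:
        return keyed_token(self._normalise(email), self._key) in self._tokens

    def stored_rows(self):
        """What a dump of the tombstone table would contain."""
        return sorted(self._tokens)


def demo() -> dict:
    # Constructed sample data: a private /16 (65,536 addresses) stands in
    # for the set of inputs a reader of the table considers plausible.
    candidates = [str(ip) for ip in ipaddress.ip_network("10.20.0.0/16")]
    visitor_ip = "10.20.37.142"

    # Assumption: the key lives in a secrets manager, not beside the table.
    server_key = secrets.token_bytes(32)
    stored_keyed = keyed_token(visitor_ip, server_key)

    registry = RetiredIdentifiers(server_key)
    registry.retire("Alice@Example.org ")

    return {
        # Unkeyed digest over a small input space: the table reveals the input.
        "md5_recovered": recover_from_token(
            md5_token(visitor_ip), candidates, md5_token),
        # Same table reader, but the digest depends on a key they lack.
        "keyed_recovered_without_key": recover_from_token(
            stored_keyed, candidates,
            lambda v: keyed_token(v, b"guessed-key")),
        # Whoever holds the key can still enumerate exactly as before.
        "keyed_recovered_with_key": recover_from_token(
            stored_keyed, candidates,
            lambda v: keyed_token(v, server_key)),
        # The tombstone still blocks re-registration of a deleted address.
        "reregistration_blocked": registry.is_retired("alice@example.org"),
        "other_address_allowed": not registry.is_retired("bob@example.org"),
        "address_in_dump": any("alice" in row for row in registry.stored_rows()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed token is only as private as the key: anyone holding both the table and the key can enumerate the input space just as with the unkeyed MD5.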


Seems like the solution is in the article: use strong 2FA. The article mentions getting access to email accounts with 2FA is significantly harder.


Why would you not just decline any request for customer data from any source? Turn that emergency request into an emergency warrant.


Great, the privacy equivalent of swatting.


Ah stole a move from Politicians and fake emergency powers


Looking at it from any side, data is a liability


There's an old truism about computer security that "it is easier to automate bad behavior than to police it."

I think more people who build systems that will be used by 3rd parties at scale should be aware of this.

Unfortunately, it seems the Venture Capitalist drive to Grow First means we keep ending up with large systems with terrible moderation.


If only there were a way to cryptographically verify such things.



Every time I start to feel despondent about the state of the US Congress, I remember that Wyden exists, and I feel a twinge of hope.


Let's hope what was proposed comes to fruition while remaining interoperable with the EU.

It would be such a "two steps forward, one step back"-move if it doesn't.


Right. There should be agency run certificate authorities for this. One to issue certificates to law enforcement, and one to issue certificates to judges

A valid warrant would include the intended judge and be signed by the department and the issuing officer before going to the judge, then signed by that judge’s cert to be authorized.


And such an approach would absolutely work, at least one country has used PKI for such purposes for almost more a decade.

This attack vector from the article? Unheard of clownery.


Well that's just one of the lesser things that happens for a paranoid society that trades freedom and privacy for what the oppression apparatus calls security.

You don't have security, just a police-state, and to add insult to injury besides having less freedom now you also have less security too.

And yes, let's pretend that only China, Iran and Russia are police states, let's keep singing star spangled banner while we happily slip through this slope towards the gulags.


"Eschew flamebait. Avoid unrelated controversies and generic tangents."

https://news.ycombinator.com/newsguidelines.html


>let's keep singing star spangled banner while we happily slip through this slope towards the gulags

You had a point until "gulags." You honestly think we're on the verge of becoming a Stalinist state that imprisons and murders political dissidents by the millions?

Maybe that's a tad alarmist?


We'll get our own flavor of gulags. The USA already has a pretty nasty and oppressive prison system. We have pro-authoritarian politicians in office, in the police forces, and now throughout the court system. So it doesn't seem alarmist to me.

I'm pretty sure the police could get away with murdering political rivals right now. But a few key court decisions are all we need to formalize that capability for the next 100 or so years.


Yet again I find myself in between rather detached perspectives. I agree with you regarding the trajectory because it is clear as day by all objective measures where this is all heading, yet I am left befuddled by your parroting of tropes about the “pretty nasty and oppressive prison system” that the very people are pushing who are leading us to the state where an equivalent of gulags will be created.

The American prisons are not full of thought criminals just because you are being denied all the footage and proof of the violent crimes the people in US prisons commit, constantly. I realize that most people live in a negative bubble, where they have no idea what is happening because the truth has been withheld from them, but that does not change the reality most people are at least unwittingly ignorant of.

But yes, the gulag system actually already exists in America, and the political prisoners in the USA right now already know that. Assange is also in that gulag system and can probably be considered the first, Prisoner #1 of the American Empire’s Gulag Equivalent System, even though it is on foreign soil.


> "I wanted to tell everyone that there is a cancer within the government and when I tried to weed it out, I got fired," Gilmore wrote. "It was just easier for government management to get rid of me rather than to deal with the underlying issue."

https://www.military.com/daily-news/2022/03/13/classified-us...


There are tons of reports of officers being disciplined, punished or jailed for using a gun when the other person was violently resisting arrest.

Police across the country are letting criminals run rampant due to fear of prosecution for doing their job.


>Police across the country are letting criminals run rampant due to fear of prosecution for doing their job.

Police are "letting criminals run rampant" because they throw tantrums the moment money or accountability is discussed. Just watch how they behave the moment a city even whispers "pension" despite the fact that police pensions are crushing city budgets across the nation.

https://www.bridgemi.com/michigan-government/pension-costs-b...

https://www.reuters.com/article/us-usa-pensions-policeandfir...

https://www.latimes.com/projects/la-me-pension-squeeze/


> Police are "letting criminals run rampant" because they throw tantrums the moment money or accountability is discussed. Just watch how they behave the moment a city even whispers "pension" despite the fact that police pensions are crushing city budgets across the nation.

What? I see no-one throwing 'tantrums' in the articles you linked. I see some people trying to keep the pensions they have earned. Do you expect ordinary Americans to jump to take a pension cut after working all their lives?

And this in the hope that magically that money will go to the right places and reduce crime?


Where that money goes is not what’s up for debate.

We have conservatives non-stop calling for “reduced spending” and “tightening the belt” who are all too happy to cut everything they feel “their people” don’t need, but the big ticket items - military, pensions, etc. - are arbitrarily sacrosanct. Well, it’s not actually arbitrary. It’s because they want to hurt “the right people.”

Reduced spending will never be fair to the people on the receiving end.


I don't think so, America has a massive amount of political unrest. Both parties seem to adore violence on their political enemies these days, and most Americans think civil war is on the way.


>most Americans think civil war is on the way

Source?

Personally, if we survived the 60’s/70’s, I think we can survive this. They literally murdered college students in front of the world.

I’m also not sure how any of this translates into Stalin-era gulags. People throw that term around too lightly, like “nazi.” If you’ve actually studied any Russian/Soviet history you should know how insane those were, even for an era with rampant fascism.


Right; I think at worst we're managing to rewind ourselves to the '90s, at this point. I think a lot of people don't remember how much social change there was starting in the early '00s through the early '10s. I'm not pleased with the retrogression; I think Project Red Map has really uncovered a large scale hack/flaw in the US electorate that needs to be fixed quickly, but the political situation is certainly nothing like the '60s/'70s.

My parents were activists in the 60s, and my grandparents were activists in the 20s & 30s. My parents mostly feared being beaten, with a background fear of being shot at. My grandparents feared being disappeared along with retribution to their extended family, friends, and neighborhoods.


Re: your grandparents, I really don't think people appreciate how easy it was to cross the government with your speech - especially in wartime - prior to late 20th century.


https://thehill.com/homenews/news/467143-voters-believe-us-t...

The advent of increased population, social media, technology, and major American hyper polarization make the current times very different than the 60s/70s.


Absolutely correct.

It seems in vogue to use words without understanding the actual meanings. Most people haven't read history and speak, loudly, of that which they don't know.


> Both parties seem to adore violence on their political enemies these days

Let's stop with the both sides are the same bit, m'kay? Plenty to criticize on the left but please stick to facts.


I welcome valid examples that prove me wrong. The concern is legitimate, not hyperbole.

And as far as Civil War goes, I'd posit that it's already begun.


Well I think many of us welcome valid sources showing that “most Americans think civil war is on the way.”

If a civil war has “already begun,” I guess I live somewhere else, because I don’t hear any gun shots. Frankly it feels a lot calmer around here than it did a year or two ago.


Just as we're no longer using muskets and cavalry, the method of warfare has changed in other ways. Perhaps meld in aspects of The Cold War as well.

A key change this time is not to split apart, but to simply grab all the marbles and declare the game to be over. I wish I could be sanguine about this and would love to be proven wrong, but it's looking grim.


There are influential media personalities calling for the jailing of people who aren't toeing the line on the war drum beat on Ukraine/Russia... that any narrative deviation is treasonous and thus a jailable offense. Yeah, so what if our gulags have rainbow flags and black fists murals.


> There are influential media personalities calling for the jailing of people who aren't toeing the line on the war drum beat on Ukraine/Russia

Source on these influential media personalities? I assume they're not fringe in any way, since you called them "influential".



It is worth pointing out that the American penal system is already distressingly close to the scope of the gulag system in Stalinist Russia. The gulag system hit a high of 1.5m prisoners in the 1940s out of a population of 168m (pre war), or about 0.89%. America’s prison population peaked in 2009 at an estimated 0.754%. If you include parole that shoots up to 3.1%, but I’m not sure how to compare that to the gulag system

Wildly different death tolls though. Our best estimate is that the gulag system had an 8.88% death rate, with that varying wildly on a year by year basis. Meanwhile the US prison system as of 2018 kills 344 per 100,000, or .344%. But unfortunately those numbers are getting worse, not better. I think the difference here is less about our system being more humane, and more the fact that food and antibiotics are cheap. Heck, just look at how the prison system responded to covid.

I honestly think we’re a lot closer to a gulag system than people think. We’ve already built the majority of the machinery to actually implement such a system, and politically making the system harsher and less humane is very popular. There is also a bipartisan consensus that what we need is to fund the system even more. All that we’re missing is the jump to directly imprisoning political opponents, and we’ve already seen some calls for that although it isn’t quite mainstream yet.


>It is worth pointing out that the American penal system is already distressingly close to the scope of the gulag system in Stalinist Russia

What do you know about the gulag system? Serious question, not baiting or anything. What are the broad strokes of what you understand to be "The Gulags"? Because like you, I am VERY concerned with the US penal system, but to compare the two is...a stretch for me.


This is what we call a hyperbole.


This is sort of a dodge, isn't it? The question wasn't, what rhetorical device are you employing? It's, do you truly believe the situation is as extreme as you imply? If the answer is "no", then there's an implied invitation to lay out what you actually believe. If the answer is "yes", there's an implied request to justify why you think that way.

Saying 'this is what we call hyperbole' seems to imply, 'my ideas stand so well on their own, I don't need to respond to your criticism; the problem is not with my ideas or how I've expressed them, it is with your inability to recognize a particular rhetorical device.' Which is both patronizing and wrong. Your use of hyperbole was recognized and is being interrogated.

You're under no obligation to respond to that challenge, no one here has a right to your time, but if you're going to, it would be more productive for everyone if you did so in good faith.


> Saying 'this is what we call hyperbole' seems to imply, 'my ideas stand so well on their own, I don't need to respond to your criticism; the problem is not with my ideas or how I've expressed them, it is with your inability to recognize a particular rhetorical device.'

Well, now this is a strawman.


It certainly isn't a strawman, it's how I interpreted your statement. I continue to believe that it is what you intended, but feel free to correct me; I'm listening. If you're truly being misinterpreted as often as you seem to imply, consider communicating more plainly without sarcasm and hyperbole. I personally find them to be poor tools for communication in general and on the internet especially.


Pretty over-the-top example if you ask me


Don't forget that we very nearly had a successful coup, which would have spelled the end of American democracy. Are we on the verge of becoming a Stalinist state? No, not really. Could it happen? Absolutely, and we need to recognize that possibility to avoid becoming the next one.


Please forget whatever idea you came up with. America was never under a coup attempt. Hard to even attempt to call it a coup without weapons. Don't worry America is safe from farmers rallying at the white house.


The 'without weapons' implies it wasn't violent, which seems a stretch to me when a police officer was beaten to death and plenty of others were injured


First I'm hearing of this, do you have a source about the officer being beaten to death?



Oh, looks like fake news, even the NY Times article says.

"New information has emerged regarding the death of the Capitol Police officer Brian Sicknick that questions the initial cause of his death provided by officials close to the Capitol Police."

Wikipedia says

"The cause of Sicknick's death was first thought to be from injuries, but months later the medical examiner reported there were none."

"The District of Columbia chief medical examiner found that Sicknick had died from stroke, classifying his death as natural"

The original commenter said some officer was beaten to death. Maybe another officer, or were they just mistaken?


>The 'without weapons' implies it wasn't violent

There is no such implication at all. "Without weapons" means "without weapons". The vast majority of people at that riot were gun owners, and none of them were armed or fired a shot. I can assure you, people who own guns and are committed to violently overthrowing the government bring those guns and shoot them. For evidence see any of the numerous coups that occur in countries around the world.


That’s a lot of talk about guns considering - which you pointed out - there weren’t guns (that we know of) used by the insurrectionists.

Do you acknowledge it was violent?


Of course it was violent, all riots are violent by definition. It is absurd hyperbole to call this an insurrection just like it would have been absurd to call the far more violent riots during the Trump inauguration an insurrection.


I was personally at Trump’s inauguration filming the protests and I can assure you they were not nearly as destructive as the January 6th insurrectionists trying to overturn an election. A few smashed windows and some flipped over trashcans is not a mob attacking the capitol chanting “HANG MIKE PENCE.”


>when a police officer was beaten to death

Not a single LEO was beaten to death on Jan 6th. You are literally spreading misinformation and fake news lol. SCP Officer Brian Sicknick died after having two strokes aka natural causes.


>America was never under a coup attempt

Oh come now. "Hang Mike Pence." "Stop the steal." The former president calling election officials telling them to "find the votes." I don't care what your politics are, what we saw this last election was like nothing we've ever seen before in this country. It was a failed attempt to overturn a democratic election on the basis of a lie.


From your words, it seems that history rewriting is in full swing right now.


Maybe they're referring to the attempts to invalidate the 2020 election? No weapons, but what is a better word for a coordinated attempt to undermine the government?


How about 'attempt to undermine the government'? That is much more accurate than coup.

Words have meanings, and using the words inaccurate/the wrong meanings is saying one thing but meaning another, and the word for that is lying.


This is the same verbal gymnastics confederate sympathizers use when trying to say that the civil war was about "states rights." All you have to do is follow the logic to its conclusion.

What was the civil war about? States rights. What rights, specifically? The right of states to allow their citizens to practice slavery. Therefore, the civil war was about slavery.

What was Jan 6 about? It was about an attempt to undermine the government. An attempt to undermine what, specifically? The election process. Why did they seek to undermine the election process? So that the mob could extra-judicially install a leader of their preference. Another word for this is coup d'etat.


>What was Jan 6 about?

Jan 6th was about a small number of ignorant people who bought into a bunch of lies. A protest that got out of control. One that was far, far less violent, with far fewer casualties than dozens of protests that happened around the country the prior year. All mobs are bad, all riots are bad. Unfortunately different partisans have been trying to blow up the implications of one riot while downplaying all the others.


People involved have already been charged with seditious conspiracy. Sympathizers were found among the Capitol Police, members of the government openly supported a coup. Supreme Court Justice Clarence Thomas may either be impeached or have to resign over his wife's pro-insurrectionist texts to Trump's chief of staff. There were plans. There were conspiracies. We have the receipts.

And stuff is still coming out about Trump. A mysterious seven hour gap in the White House communications logs. A Federal judge ruling that it's "more likely than not" that Trump "corruptly attempted to obstruct Congress" attempting to overturn the election results. He called it a "coup in search of a legal theory." Yes, that's not "beyond a reasonable doubt," but it's also not nothing.

You're right that it was far less violent, and had far fewer casualties, but it wasn't just a riot, nor were there just a small number of ignorant people involved. To think that at this point, or to dismiss all concerns as partisan hyperbole, is kind of ridiculous.


It was a little more than some randos protesting. That was a sideshow. There were actual members of our government trying to overturn election results.


> All mobs are bad, all riots are bad.

Yet the GOP is sidelining and smearing the few among them who actually want to hold the insurrectionists accountable.


Insurrection is an absurdly inaccurate and hyperbolic term to refer to this crowd of misfits and deluded group of people. If you tried to destroy the planet by jumping up and down nobody intelligent would describe your antics as attempted planetary destruction no matter how devout your intent.


A mob that left multiple people dead and did widespread property damage/theft in an effort to overturn a democratic election after being egged on by the outgoing President, calling to hang the Vice President and “stop the steal,” rises to the level of insurrection. They literally attacked the Capitol, they were barely held off from getting their hands on Congress.

If they were able to successfully break into that room while Congress was still in there, what do you think would’ve happened? They would’ve invited them over for tea?

I don’t like engaging in speculation but I think it’s pretty obvious we would’ve had more casualties.


I can see where you're coming from.

AFAIK, in common use the word coup involves the military taking control of the government.


> AFAIK, in common use the word coup involves the military taking control of the government.

That is one common kind of coup, but distinguished from the broader category. That's why the phrase “military coup” exists to distinguish the kind of coup where the military (or some part of it) is the main actor in seizing control outside of normal bounds.


You’re using a much more narrow definition of what a coup d’état means.

> The sudden overthrow of a government by a usually small group of persons in or previously in positions of authority.

Or to use Wikipedia’s definition

> A coup d'état (French for "blow of state"), often shortened to coup in English (also known as an overthrow), is a seizure and removal of a government and its powers. Typically, it is an illegal seizure of power by a political faction, rebel group, military, or a dictator. Many scholars consider a coup successful when the usurpers seize and hold power for at least seven days.

Yes, the military can be involved in a coup, but the essential definition does not require their involvement. Different terms might be applied if the military is involved, and based on whether or not the military is the primary driver (as in Myanmar) or is backing one side.


> How about 'attempt to undermine the government'? That is much more accurate than coup.

No, attempted coup (specifically, attempted self-coup) is much more accurate.

> Words have meanings

Yes, they do. And the precise political science terms for the coordinated attempts by the 45th President and his allies to extend his powers beyond their lawful duration by extralegal means is “self-coup” or “auto-coup” (in the original French, “autogolpe”), which is a form of coup carried out by or on behalf of the existing leader.

> and using the words inaccurate/the wrong meanings is saying one thing but meaning another, and the word for that is lying.

Yes, that is exactly what you are doing when you explicitly refuse to use the correct term in an attempt to minimize the act.


Just because it wasn't a very good or well organised coup attempt doesn't mean it wasn't a coup attempt.


An attempt to overturn the results of the election? Yes. A coup? Not really; doesn't fit the definition, though it was far closer than I thought I would ever see. "Very nearly successful"? No.


A failed coup, since "overturn the results of the election" is pretty much what we may call a coup.


Hmm. I went to dictionary.com, looked up coup d'état, and it said:

> a sudden and decisive action in politics, especially one resulting in a change of government illegally or by force.

So, I stand corrected. It does meet the definition of "attempted coup".


Yes, many people are under the impression that a coup is only the result of military or generalized revolt. In fact most modern coups are staged as a political mechanism to avoid the results of the democratic norm.


America elected Trump and then Congress knowingly rejected evidence that he colluded with Putin to defraud voters and steal the election. He then occupied that office for four years, while additional evidence continued to mount against the increasing obviousness of Russian interference.

Not only did a sitting President betray people and kill millions with anti-masker/anti-vaccine rhetoric, he did so to aid a foreign country that is known for murdering political dissidents, and did so during WW2, during the Cold War, and the post-Soviet era that exists today; but also our Congress, most of those still occupying those seats today, aided and abetted him. What Trump and his Congress did is terrorism without being formally charged with it, and is hardly any different than the pre-Stalin era of Soviet Russia and the pre-Kristallnacht era of the Nazi occupation of Germany.

So, please, I'd like you to tell me why you think people shouldn't be seriously alarmed? You sound like all the deniers in the history books: "Oh, the Nazis wouldn't kill Jews and political dissidents", "Oh, Stalin wouldn't (also) kill Jews and political dissidents", "Oh, Chairman Mao wouldn't just starve tens of millions to gratify his own ego". People keep saying this, it keeps not being true.

History is a goddamned broken record.


I'd encourage you to consider that Democrats and Republicans work in parallel as much as they'd like you to think otherwise to coerce Americans into subscribing to a two-party system. It will continue as long as people believe that if they don't subscribe to it that Democracy will fail and the only thing preventing it from happening is to vote for one of the two-party candidates that fits their propaganda news network approved message.

Also, it is funny how when it comes to politics Republicans have moved so far right that now center-right is considered the left party.


You say "Democrats and Republicans work in parallel". And then you say "Republicans have moved so far right". Which is it?

Also, some Republicans have moved far right. Some Democrats have moved pretty far left, too. I will admit that more Republicans moved than Democrats. But both parties have sections near the center, and both have extreme parts. And both are having trouble maintaining unity in the face of that tension.


The GOP has been sidelining or primarying out the few they still have near the center tbh.


The right has moved further right, and the left has moved further left.

Moreover, the left has moved further left than the right has moved right. https://jabberwocking.com/if-you-hate-the-culture-wars-blame...


Don't get me wrong, I agree with this.

Many Democrats also decided to join the Putin-backed coup attempt, and also voted to not impeach during one or both trials. Many Democrats also tried to claim Hunter Biden, while working for a natural gas company in Ukraine, somehow was up to something and using his dad's appointment as VP for something.

Funny how Biden became President, and now Russia is invading Ukraine to maintain their stranglehold on Europe's energy supply, and all the pro-Russian bot accounts on Twitter and Facebook that were repeating the "Hunter's Laptop" and "But Her Emails" stories to divide and conquer, suddenly vanished.

I am a socialist, and what both parties do is disgusting, and, honestly, anti-American. Our government has been rapidly degrading my entire lifetime, and the only reasonable action is to ring the alarm bell and hope other people wake up and start fighting the fascism that is threatening to destroy our nation.


>Funny how Biden became President, and now Russia is invading Ukraine to maintain their stranglehold on Europe's energy supply, and all the pro-Russian bot accounts on Twitter and Facebook that were repeating the "Hunter's Laptop" and "But Her Emails" stories to divide and conquer, suddenly vanished.

It's not "funny." It makes complete sense. Services for .ru accounts are being suspended around the world.


Just letting you know that 'funny' in this sense is sarcasm and they are fully aware of what you just stated.


I understood how they used funny, but we drew different conclusions. They're alluding to a conspiracy.


The funny thing about Hunter Biden is that it was genteel corruption, in that he brought nothing to his role but a family connection. But the attention about it was also corrupt -- there was no interest in "how do we have less of this", but only about smearing a rival.


The sad thing is that after the Trumps any lesser level of nepotism is going to be acceptable.


There's many sad things. Partisanship is destroying this country; we should be united in being against corruption even if it's one of our own, so to speak.


Democrats hold their own accountable for more than Republicans, even if it isn’t enough (it isn’t). The GOP couldn’t even kick Roy Moore to the curb.


Comparatively speaking, yes. There's definitely opportunities for improvement there.

But I'm vexed that it's not even possible to talk about these things here in a policy and goals context because the fucking tribalism is out of control. I can haz such disappoint.


Total US death count from Covid is up to 975k according to the CDC[1].

[1] https://covid.cdc.gov/covid-data-tracker/#datatracker-home


I see your downvotes brother, and feel your pain.

The tribalism of politics is fierce, and even a forum with as much collective intelligence as HN is not immune from that force.

We should be able to discuss policy and actions on their own merits without it being taken as a personal affront. I wish I could find the magical incantation that would allow that dialog to manifest.


> Congress knowingly rejected evidence that he colluded with Putin to defraud voters and steal the election.

You shouldn’t let your personal animosity towards Trump lead to believing misinformation.

Mueller finds no collusion with Russia, leaves obstruction question open

https://www.americanbar.org/news/abanews/aba-news-archives/2...

You should take this opportunity to consider what other things you know to be true about Trump may also be misinformation.

The Washington Post corrects, removes parts of two stories regarding the Steele dossier

https://www.washingtonpost.com/lifestyle/style/media-washing...


It is well-known that nowhere in the Mueller report does he exonerate the president. He leaves it to Congress to determine how to move forward. He explicitly wrote that his investigation did not find him innocent.


> You shouldn’t let your personal animosity towards Trump lead to believing misinformation.

I don't have to. I witnessed several Republican congressmembers go out of their way to announce that no matter what evidence presented is, they had already decided to ignore it and vote against the removal of Trump from office.

Now, I can't tell you why they decided to announce their criminal enterprise shortly before enacting it, but a quick Google tells me their names are Cindy Hyde-Smith, Roger Wicker, Thom Tillis, Rob Portman, James Inhofe, Mike Rounds, and Jerry Moran.

> Mueller finds no collusion with Russia, leaves obstruction question open

https://en.wikipedia.org/wiki/Mueller_report is a well cited article.

"On March 27, 2019, Mueller reportedly wrote to Barr in a letter, as stated in the New York Times "expressing his and his team's concerns that the attorney general had inadequately portrayed their conclusions".[226] This was first reported on April 30, 2019. Mueller thought that the Barr letter "did not fully capture the context, nature, and substance" of the findings of the special counsel investigation that he led.[227] "There is now public confusion about critical aspects of the results of our investigation". Mueller also requested Barr release the Mueller report's introductions and executive summaries.[228][229]"

What you linked to covers Barr's misleading summary of the Mueller report.

> The Washington Post corrects, removes parts of two stories regarding the Steele dossier

Again, Wikipedia has a well cited article on the subject: https://en.wikipedia.org/wiki/Steele_dossier


It’s also looking like some of the Bidens are going to jail for what they were accusing Trump.

The entire Trump Russia gate was to divert attention from what Hillary / Biden were doing.

Oh a laptop was found with solid evidence showing collusion between the Bidens and various countries. Well naturally the same response is to censor anyone that wants to talk about it and to impeach Trump.

https://legalinsurrection.com/2022/03/mainstream-media-outle...


Oh please, no one is going to jail. This idea that someone is going to jail is just a boogeyman to create votes come election time.


There's more than one road to hell.

All or nothing nihilism, that makes no major distinction between the US & China, Russia and Iran is also a road to totalitarian hell. It's a favoured rhetoric style of Putin and many reactionary extremists.


Spotify records all the songs I listen to. Last week 10 songs. This week 100. Next week 200. The week after? PRISON IN A FROZEN WASTE! I suffer endlessly from the data they have collected. Cold bits are thrown upon me every morning; I've lost my toes to frostbyte due to data in cold storage; I have made friends, nay fellow sufferers, in the bitcoin mines, as we hash out issues together.

If only I could have seen this last week. L'horreur! L'horreur!


But Apple says "Any government agency seeking customer content from Apple must obtain a search warrant issued upon a showing of probable cause.” So what's up?


One way to approach crime is to make the risk too big. What about punishing with death those who do identity theft and impersonation? Our society tolerates too much crime.


"Hi, I'm rvr_ member of law enforcement, someone's life is in danger, please provide customer details for IP 1.2.3.4 immediately!"

... ignoring those double impersonation swatting problems, enforcement against crimes online is really hard due to global scope. Police won't even investigate because all they find is that the hacker was some Russian and they can't do anything about it.



