So google gets one of these requests and supposedly its from a police force in a small town that has no government website. How do they know who to call to confirm?
County? State? I would argue that this should be the method anyway. Start from the lowest level of known authentic bureaucracy and then work down from there until you reach a legitimate city government representative. I don't think website is an ideal method in any case.
So your solution is to get rid of speedy emergency requests entirely?
Sounds like you’re just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.
And then you need to do this internationally. What will you do? Contact the embassy? Suddenly your authentication process could take months, which is a problem if you’re legally required to comply sooner than that.
> So your solution is to get rid of speedy emergency requests entirely?
No?
Anecdotally, from what we are reading today, a typical EDR response time is on the order of an hour. So while someone on my team is gathering the requested data, someone else is doing the verification.
> Sounds like you’re just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.
If anything, I'm implying that if the government mandates that EDRs exist, they should have to back it up with someone to handle authentication. A phone number at the state level would do the trick.
> And then you need to do this internationally. What will you do?
First I'd have to be convinced why I should do this in every jurisdiction, why that jurisdiction would have access to customer data from other jurisdictions, etc.
Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.
Well, I assumed that the only reason anybody was complying with an EDR was because there was a law mandating they do so. Otherwise, why aren't they just dropping these requests in the trash?
> the only reason anybody was complying with an EDR was because there was a law mandating they do so
Alternatively, it's possible that understaffed and overworked providers are more concerned about their company looking bad when "Missing Child X with schoolbag containing cellphone" isn't located before the next news cycle?
Doesn't due process exist for a reason? Even if that's occasionally a PITA for the authorities?
> So while someone on my team is gathering the requested data, someone else is doing the verification
The whole point is that verification will take much longer than hours.
> Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.
The government is very specific when it comes to what is required of you. The government is not very specific when it comes to what is required of the government.
Research the village constables in Alaska. There are also small towns that have only part time police forces. This sort of stuff really isn't uncommon.
FWIW I lived in a village with a part-time police presence. Based on our experiences they're great for helping local kids not get run over on the walk to school (and for closing down public spaces when Covid paranoia was at its highest in early 2020). Manhunts or major crimes? Not so much.
I'm struggling to get my head around how a tiny and/or part-time police force should be the (sole?) point of contact for an emergency data request when <drum roll> they're not even there for the majority of every 24h cycle.
"Dear $TelCo, you must immediately release location data for subscriber 1-800-555-2368, it's so important and urgent we haven't got time to find a judge. Since it's almost 4pm we're going off duty now and will be at our desks from 9am tomorrow. Yours, $PartTimeForce"
Someone wearing a uniform turns up on your doorstep with a piece of paper that they claim is a search warrant. You say you want to talk to your lawyer. They say they're in a hurry and this is really important. At this point you decide to google the name of the person who signed the warrant, you phone the number you find on the internet, "Judge" Smith answers, so you let the "officer" into your house.
Nope, but for cities to be prepared for such emergencies before hand by completing some basics of bureaucracy by being properly authenticated, much like you expect a city fire department to have some fire trucks purchased already instead of expecting to purchase one in seconds when they need one from the dealership 1000 miles away.
> It is literally impossible for request recipients to solve this problem.
This I agree with. I'm trying to find the actual text of the law, I'm surprised the government isn't pretty specific about what constitutes a valid EDR, who can send them, etc. Bureaucrats love to write rules.
From the article, I couldn't see what actually compelled the need to comply with an "EDR". From what I could see, they were not actual warrants or subpoenas that legally compelled performance, they were requests. They do it out of not wanting to have bad PR in case it was real, because the consequences for a screw up are pretty much nil.
The end solution is either an authentication scheme, a $1000 rush processing fee that includes a verification process and the requirement to call it in (It is an emergency, isn't it? Emergencies do not happen often, so what is $1000 to an american organization funded by taxpayer dollars?) or E2E encryption that makes it they can't give data.
Another thing about the $1000 fee, is you get to see the payment information about the account it comes from, and you can further require it comes from a government account which matches the requesting organization. Thanks to governments being very gung ho about their financial surveillance infrastructure being a hard requirement for almost everything now.
We've banned this account for breaking the site guidelines.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
Would you please stop perpetuating flamewars on HN and also please stop using HN primarily for political/ideological battle? We ban accounts that do those things because they destroy what the site is supposed to be for.
I mean I want to call some entity in the US that doesn't have its number on a website, how do I do that now in a non emergency situation? Is there any reason that wouldn't work in an emergency?
This doesn't seem like an actual problem anyone has ever had.
That’s really not the case. What is “bad faith” about suggesting that the secretary of state probably isn’t going to rapidly solve this problem for you?
It’s not even about being a “devils advocate”, the balance of probabilities rests squarely on the side of this being far more difficult than many commenters here try to make it out to be.
