
Wouldn't it be better if the federal government opened a service for handling all EDRs nation-wide, and then forwarded the legit ones to the IT companies as needed? It would simplify the verification, maybe scare some hackers away because it'd become a federal crime to fake it, and also allow for some stats on how many such requests are really urgent, and how many (I presume a lot) are just used to circumvent the law because courts would reject them.



This is, to me, the only real solution. We can't have the onus be on individual companies to vet requests coming from random podunk police departments nationwide. Companies will err on the side of caution/CYA and honor requests they shouldn't, lest they find themselves responsible for causing harm by inaction. But companies don't have the resources or legal authority to make those determinations, nor vet the authenticity of requests from every government entity that might make one. There's also plenty of reason not to trust some small town police force that might not have adequate internal controls, or might have a rogue officer far exceeding his authority.

The feds need to own this and all requests need to flow through them. It wouldn't be hard for them to have a small staff available 24/7 to confirm requests and forward them on to businesses, and then the business only needs to trust a single entity. There may still be disputes over the legality, but those disputes will need to be defended by the central federal authority, rather than putting the burden on every company.


> lest they find themselves responsible for causing harm by inaction.

In the US, the police aren't responsible (in a criminal or civil sense) for harm due to inaction. I don't know why you think a national/multi-national corporation would be.


It's not just a legal action that a company has to think about. Getting caught up in a case of someone dying or being hurt because your company wasn't prompt to assist police could be a huge PR screwup, even if there's no legal responsibility.

And it doesn't even have to be a decision on a company level; ordinary people are strongly inclined to follow police requests and see them as an authority, so employees of the company will feel it is their duty to provide the data promptly. Just look at all those cases of pranksters posing as police officers and making ordinary people do insane and even clearly illegal things just because they were "ordered so by the police". Compared to what that McDonald's manager did [1], pulling some personal data from the database and emailing it back to the person one believes is a police officer is nothing.

[1] https://en.wikipedia.org/wiki/Strip_search_phone_call_scam


I was referring to companies fearing repercussions from inaction and acting without adequately vetting requests because they aren't able to and err on the wrong side.


> We can't have the onus be on individual companies to vet requests coming from random podunk police departments nationwide.

The onus is already on individual companies to vet requests from private individuals that want to move money around via Know Your Customer laws. I don't see why the same shouldn't apply to verifying whether or not a request for customers' private information is valid or not.


That might work great if the federal authorities were reliable, motivated, and their interests were always aligned with state authorities.

However, there are often disputes where the feds do not want to prosecute certain groups or individuals, and might interfere with state / local authorities (e.g. police in a Democrat-run state prosecuting allies of a Republican president and vice versa, or investigations into federal informants who are violating state law).

This would also make it easier for the feds to perform on-path attacks where they "forward" EDRs from state / local authorities that were never issued by those state / local authorities.
