cross-posted from: https://lemmy.world/post/10984512
Full text from the Electronic Frontier Foundation (EFF) article:
Companies Make it Too Easy for Thieves to Impersonate Police and Steal Our Data
By Matthew Guariglia and Eva Galperin
~3 minutes
For years, people have been impersonating police online in order to get companies to hand over incredibly sensitive personal information. Reporting by 404 Media recently revealed that Verizon handed over the address and phone logs of an individual to a stalker pretending to be a police officer who had a PDF of a fake warrant. Worse, the imposter wasn’t particularly convincing. His request was missing a form that is required for search warrants from his state. He used the name of a police officer that did not exist in the department he claimed to be from. And he used a Proton Mail account, which any person online can use, rather than an official government email address.
Likewise, bad actors have used breached law enforcement email accounts or domain names to send fake warrants, subpoenas, or “Emergency Data Requests” (which police can send without judicial oversight to get data quickly in supposedly life or death situations). Impersonating police to get sensitive information from companies isn’t just the realm of stalkers and domestic abusers; according to Motherboard, bounty hunters and debt collectors have also used the tactic.
We have two very big entwined problems. The first is the “collect it all” business model of too many companies, which creates vast reservoirs of personal information stored in corporate data servers, ripe for police to seize and thieves to steal. The second is that too many companies fail to prevent thieves from stealing data by pretending to be police.
Companies have to make it harder for fake “officers” to get access to our sensitive data. For starters, they must do better at scrutinizing warrants, subpoenas, and emergency data requests when they come in. These requirements should be spelled out clearly in a public-facing privacy policy, and all employees who deal with data requests from law enforcement should receive training in how to adhere to these requirements and spot fraudulent requests. Fake emergency data requests raise special concerns, because real ones depend on the discretion of both companies and police—two parties with less than stellar reputations for valuing privacy.
Solution: don’t let police have your data
Right? Like “make sure you get a warrant” isn’t a hard answer.
TFA has an example of a fake warrant being used and the fake being clearly fake but accepted anyways.
I know a few people who happily have ring doorbells in their house as cheap cameras and don’t seem to care at all that all an officer has to do to get INTERIOR footage of their house is to ask for it and they get it no questions asked.
I hadn’t even thought of how easy that makes it for non officers to just do the same thing.
I’d trust the “non officers” more than the officers in most scenarios.
Very true!
At least non-cops can only scope out your place for a future robbing, be a perv or plan to blackmail you.
An officer can do all that and also kill you with an almost 0% chance of facing any consequences!
They’re not asking you. They’re asking the companies
The real solution is for companies to ask for the name of the officer, and then go to the official police website, call their non emergency number, and ask to speak with the officer. Then confirm that it was them, in fact, that sent the request.
Bonus: then tell them to get a fucking warrant and hang up the phone.