Somehow there were ways to get this done before websites existed. I do not believe that those channels for government no longer exist. If they choose to make themselves impossible to locate offline, this is on them. If all else fails, government-to-government should still be viable, and then the local government will take it from there.
I'm not sure there was ever much verifying before websites existed. Just less fraud.
Back in the NES days Tengen called the United States Copyright Office and told them they needed the technical details of the NES lockout chip to defend themselves in a copyright lawsuit. The Copyright Office faxed over the requested information. Except it was social engineering, there was no copyright lawsuit. Tengen used that proprietary information to build their own cartridges without paying the NES licence costs.
> Somehow there were ways to get this done before websites existed
Ah yeah, because fake subpoenas didn’t work before the internet existed?
> I do not believe that those channels for government no longer exist. If they choose to make themselves impossible to locate offline, this is on them.
Who says they ever existed? Back in the pre-internet days the situation was just worse.
Even the federal government can’t manage this, just look at misissuances of .gov domain names.
So Google gets one of these requests and supposedly it's from a police force in a small town that has no government website. How do they know who to call to confirm?
County? State? I would argue that this should be the method anyway. Start from the lowest level of known authentic bureaucracy and then work down from there until you reach a legitimate city government representative. I don't think a website is an ideal method in any case.
So your solution is to get rid of speedy emergency requests entirely?
Sounds like you’re just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.
And then you need to do this internationally. What will you do? Contact the embassy? Suddenly your authentication process could take months, which is a problem if you’re legally required to comply sooner than that.
> So your solution is to get rid of speedy emergency requests entirely?
No?
Anecdotally, from what we are reading today, a typical EDR response time is on the order of an hour. So while someone on my team is gathering the requested data, someone else is doing the verification.
> Sounds like you’re just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.
If anything, I'm implying that if the government mandates that EDRs exist, they should have to back it up with someone to handle authentication. A phone number at the state level would do the trick.
> And then you need to do this internationally. What will you do?
First I'd have to be convinced why I should do this in every jurisdiction, why that jurisdiction would have access to customer data from other jurisdictions, etc.
Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.
Well, I assumed that the only reason anybody was complying with an EDR was because there was a law mandating they do so. Otherwise, why aren't they just dropping these requests in the trash?
> the only reason anybody was complying with an EDR was because there was a law mandating they do so
Alternatively, it's possible that understaffed and overworked providers are more concerned about their company looking bad when "Missing Child X with schoolbag containing cellphone" isn't located before the next news cycle?
Doesn't due process exist for a reason? Even if that's occasionally a PITA for the authorities?
> So while someone on my team is gathering the requested data, someone else is doing the verification
The whole point is that verification will take much longer than hours.
> Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.
The government is very specific when it comes to what is required of you. The government is not very specific when it comes to what is required of the government.
Research the village constables in Alaska. There are also small towns that have only part time police forces. This sort of stuff really isn't uncommon.
FWIW I lived in a village with a part-time police presence. Based on our experiences they're great for helping local kids not get run over on the walk to school (and for closing down public spaces when Covid paranoia was at its highest in early 2020). Manhunts or major crimes? Not so much.
I'm struggling to get my head around how a tiny and/or part-time police force should be the (sole?) point of contact for an emergency data request when <drum roll> they're not even there for the majority of every 24h cycle.
"Dear $TelCo, you must immediately release location data for subscriber 1-800-555-2368, it's so important and urgent we haven't got time to find a judge. Since it's almost 4pm we're going off duty now and will be at our desks from 9am tomorrow. Yours, $PartTimeForce"
Someone wearing a uniform turns up on your doorstep with a piece of paper that they claim is a search warrant. You say you want to talk to your lawyer. They say they're in a hurry and this is really important. At this point you decide to google the name of the person who signed the warrant, you phone the number you find on the internet, "Judge" Smith answers, so you let the "officer" into your house.
Nope, but for cities to be prepared for such emergencies beforehand by completing some basics of bureaucracy by being properly authenticated, much like you expect a city fire department to have some fire trucks purchased already instead of expecting to purchase one in seconds when they need one from the dealership 1000 miles away.
> It is literally impossible for request recipients to solve this problem.
This I agree with. I'm trying to find the actual text of the law, I'm surprised the government isn't pretty specific about what constitutes a valid EDR, who can send them, etc. Bureaucrats love to write rules.
From the article, I couldn't see what actually compelled the need to comply with an "EDR". From what I could see, they were not actual warrants or subpoenas that legally compelled performance, they were requests. They do it out of not wanting to have bad PR in case it was real, because the consequences for a screw up are pretty much nil.
The end solution is either an authentication scheme, a $1000 rush processing fee that includes a verification process and the requirement to call it in (It is an emergency, isn't it? Emergencies do not happen often, so what is $1000 to an American organization funded by taxpayer dollars?) or E2E encryption that makes it so they can't give data.
Another thing about the $1000 fee, is you get to see the payment information about the account it comes from, and you can further require it comes from a government account which matches the requesting organization. Thanks to governments being very gung ho about their financial surveillance infrastructure being a hard requirement for almost everything now.
We've banned this account for breaking the site guidelines.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
Would you please stop perpetuating flamewars on HN and also please stop using HN primarily for political/ideological battle? We ban accounts that do those things because they destroy what the site is supposed to be for.
I mean I want to call some entity in the US that doesn't have its number on a website, how do I do that now in a non-emergency situation? Is there any reason that wouldn't work in an emergency?
This doesn't seem like an actual problem anyone has ever had.
That’s really not the case. What is “bad faith” about suggesting that the secretary of state probably isn’t going to rapidly solve this problem for you?
It’s not even about being a “devil’s advocate”, the balance of probabilities rests squarely on the side of this being far more difficult than many commenters here try to make it out to be.
Contacting the state government should be the right choice (but it may not be in practice). In many countries, every public official has the legal duty to direct you to the relevant authority if you contact them with matters outside their duties. That's a sensible requirement, because citizens should not have to be familiar with the internal administrative structures of government agencies.
> There are towns in the US where the local government consists only of a couple of people who may only do local government work for a few hours a week
How does anyone authenticate anything allegedly issued by such small parts of local government?
"Not very quickly" is presumably one part of the answer?
In the real world these documents are usually not authenticated, perhaps beyond trying to get a person on the phone by googling the issuing authority.
It’s actually a pretty novel idea that companies should be prepared to deal with fake court orders, etc. In theory it’s supposed to be the job of law enforcement to prevent this, but of course that is also essentially impossible.
If the federal lawmakers wanted the federal government to undertake the herculean task of making all these documents verifiable and traceable, they could of course do that. Are they likely to do so? No.
Also, there’s an important detail that is largely being ignored in this conversation: How many hours of paralegal time can we expect companies to spend verifying legal requests concerning accounts that don’t belong to paying customers?
> In the real world these documents are usually not authenticated [..]
So if a stranger in a suit were to turn up on your doorstep with a "search warrant" to search your house, issued by a court/judge/jurisdiction you'd never heard of, you'd not attempt to authenticate it?
> verifying legal requests
I'm not sure that these EDRs as described can be said to be "legal requests".
Aren't they just asking for disclosure of data without the usual legal checks and balances?
> So if a stranger in a suit were to turn up on your doorstep with a "search warrant" to search your house, issued by a court/judge/jurisdiction you'd never heard of, you'd not attempt to authenticate it?
Most people would not, no. I’ve had a search warrant served on my home once by police in civilian clothes, they handed me a piece of paper and refused to give ID even though I insisted.
What are you going to do? Physically fight them? Bad idea.
> I'm not sure that these EDRs as described can be said to be "legal requests".
The thing is that real search warrants or court orders do not provide any additional security over these EDRs when the submitting party is not acting in good faith.
> The thing is that real search warrants or court orders do not provide any additional security over these EDRs when the submitting party is not acting in good faith.
I'm not sure what you're saying there, can you expand on this? Are you saying a fake search warrant or fake court order is no more secure than a fake EDR?
My point is that the EDR system (if we can even call it a system) appears designed to avoid any and all scrutiny, verification or legal process. "We need this in a hurry, lives are on the line, we haven't got time to get a court order" doesn't exactly invite the recipient to understand that they have every right to say no.
EDRs are basically backdooring an otherwise fairly well-understood system with checks and balances.
So every major technology company will need to figure out the real contact details of every town government (how do you propose they will do this?) and then when they receive one of these "life or death situation, you must respond immediately" requests they are supposed to call up the town, get the number for the police department in the town (hopefully the police department isn't shared between multiple towns or this could get confusing) and then call up the police department to confirm that they are the ones who sent the request?
I guess I don't see the value the town government contact details are providing here. If you have some way of figuring out the real contact details for every town why wouldn't that same mechanism work for figuring out the real contact details of every police department?
Yes? Tech companies don't have to do arbitrary things for whoever calls up. The court or law enforcement official has to convince you they are real and that they have a warrant.
They'll lose their case if all they did was call you and make a demand. Expecting them to show up in person in some capacity and show you the paperwork is fully reasonable. For a while they mostly operated with letters and sometimes registered mail but that can be faked also.
Look, if you want to preserve your rights you've gotta stand up for them.
The only real reason you get charged with contempt is for ignoring the warrant. If you try to verify it you're not ignoring it. If you ignore something that's not a warrant they're SoL. It's my understanding these "emergency requests" have no legal basis. The ability of the state to pressgang people into service is very limited.
I'm willing to agree the law is crap and you might go to jail (briefly) anyway, but that's not an excuse for "it should work this way" which is the direction everyone seems to be taking it.
I'm aware they'll fake court orders too, which is your defense if you piss off the court. Sadly this is only an issue that can be solved by the recipients doing more verification. If the courts offered more verification, you still need to teach the recipients to make use of it.
Someone will sell this information. Westlaw / LexisNexis already provide a lot of this kind of thing (contact info for judges and people in various government agencies).