
Get the police department phone number from the town's government and not Google Maps.


And how do you identify the real government for some small town? There are many that don’t even have websites.

Contact the state government to ask? There’s a good chance nobody will be able to provide the answers you seek on short notice.


Somehow there were ways to get this done before websites existed. I do not believe that those channels for government no longer exist. If they choose to make themselves impossible to locate offline, this is on them. If all else fails, government-to-government should still be viable, and then the local government will take it from there.


I'm not sure there was ever much verifying before websites existed. Just less fraud.

Back in the NES days Tengen called the United States Copyright Office and told them they needed the technical details of the NES lockout chip to defend themselves in a copyright lawsuit. The Copyright Office faxed over the requested information. Except it was social engineering, there was no copyright lawsuit. Tengen used that proprietary information to build their own cartridges without paying the NES licence costs.


> Somehow there were ways to get this done before websites existed

Ah yeah, because fake subpoenas didn’t work before the internet existed?

> I do not believe that those channels for government no longer exist. If they choose to make themselves impossible to locate offline, this is on them.

Who says they ever existed? Back in the pre-internet days the situation was just worse.

Even the federal government can’t manage this, just look at misissuances of .gov domain names.


If you're in a community that's so small it has no online presence for their government, then chances are you already know who to call anyway.


So Google gets one of these requests and supposedly it's from a police force in a small town that has no government website. How do they know who to call to confirm?


County? State? I would argue that this should be the method anyway. Start from the lowest level of known authentic bureaucracy and then work down from there until you reach a legitimate city government representative. I don't think website is an ideal method in any case.


So your solution is to get rid of speedy emergency requests entirely?

Sounds like you’re just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.

And then you need to do this internationally. What will you do? Contact the embassy? Suddenly your authentication process could take months, which is a problem if you’re legally required to comply sooner than that.


> So your solution is to get rid of speedy emergency requests entirely?

No?

Anecdotally, from what we are reading today, a typical EDR response time is on the order of an hour. So while someone on my team is gathering the requested data, someone else is doing the verification.

> Sounds like you’re just repeating the point that authenticating these requests is impossible, as that authentication would have to happen fast.

If anything, I'm implying that if the government mandates that EDRs exist, they should have to back it up with someone to handle authentication. A phone number at the state level would do the trick.

> And then you need to do this internationally. What will you do?

First I'd have to be convinced why I should do this in every jurisdiction, why that jurisdiction would have access to customer data from other jurisdictions, etc.

Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.


> if the government mandates that EDRs exist

Q: Is government mandating this? At what level?

...and if so, why?


Well, I assumed that the only reason anybody was complying with an EDR was because there was a law mandating they do so. Otherwise, why aren't they just dropping these requests in the trash?


> the only reason anybody was complying with an EDR was because there was a law mandating they do so

Alternatively, it's possible that understaffed and overworked providers are more concerned about their company looking bad when "Missing Child X with schoolbag containing cellphone" isn't located before the next news cycle?

Doesn't due process exist for a reason? Even if that's occasionally a PITA for the authorities?


> So while someone on my team is gathering the requested data, someone else is doing the verification

The whole point is that verification will take much longer than hours.

> Sounds like you're saying the problem is that the government is mandating things and providing no rules about how it should work. That seems like such an un-government-like thing to do, they usually get weirdly specific.

The government is very specific when it comes to what is required of you. The government is not very specific when it comes to what is required of the government.


> The whole point is that verification will take much longer than hours.

How can it take longer than hours to reach the actual police department in $someSmallTown, USA?

$Deity forbid you actually happen to live in $someSmallTown and need the police in a hurry...


Research the village constables in Alaska. There are also small towns that have only part time police forces. This sort of stuff really isn't uncommon.


FWIW I lived in a village with a part-time police presence. Based on our experiences they're great for helping local kids not get run over on the walk to school (and for closing down public spaces when Covid paranoia was at its highest in early 2020). Manhunts or major crimes? Not so much.

I'm struggling to get my head around how a tiny and/or part-time police force should be the (sole?) point of contact for an emergency data request when <drum roll> they're not even there for the majority of every 24h cycle.

"Dear $TelCo, you must immediately release location data for subscriber 1-800-555-2368, it's so important and urgent we haven't got time to find a judge. Since it's almost 4pm we're going off duty now and will be at our desks from 9am tomorrow. Yours, $PartTimeForce"


$someSmallTown might not even have a police department, how are you supposed to find out if the only one that comes up on the internet is fake?


Someone wearing a uniform turns up on your doorstep with a piece of paper that they claim is a search warrant. You say you want to talk to your lawyer. They say they're in a hurry and this is really important. At this point you decide to google the name of the person who signed the warrant, you phone the number you find on the internet, "Judge" Smith answers, so you let the "officer" into your house.

Really?


Nope, but for cities to be prepared for such emergencies beforehand by completing some basics of bureaucracy by being properly authenticated, much like you expect a city fire department to have some fire trucks purchased already instead of expecting to purchase one in seconds when they need one from the dealership 1000 miles away.


Yeah, of course the federal government could legislate this problem away. Not gonna happen though.

It is literally impossible for request recipients to solve this problem.


> It is literally impossible for request recipients to solve this problem.

This I agree with. I'm trying to find the actual text of the law, I'm surprised the government isn't pretty specific about what constitutes a valid EDR, who can send them, etc. Bureaucrats love to write rules.


From the article, I couldn't see what actually compelled the need to comply with an "EDR". From what I could see, they were not actual warrants or subpoenas that legally compelled performance, they were requests. They do it out of not wanting to have bad PR in case it was real, because the consequences for a screw up are pretty much nil.

The end solution is either an authentication scheme, a $1000 rush processing fee that includes a verification process and the requirement to call it in (It is an emergency, isn't it? Emergencies do not happen often, so what is $1000 to an American organization funded by taxpayer dollars?) or E2E encryption that makes it so they can't give data.

Another thing about the $1000 fee, is you get to see the payment information about the account it comes from, and you can further require it comes from a government account which matches the requesting organization. Thanks to governments being very gung ho about their financial surveillance infrastructure being a hard requirement for almost everything now.


>So your solution is to get rid of speedy emergency requests entirely?

Who said that?


That’s the implication. A lengthy verification process makes speedy processing of requests impossible.


A fake subpoena is not a home invasion. It's not like seconds matter.


Until you get in trouble for not complying with a real one.

Worst case scenario is probably a horrible PR disaster after a child dies because you couldn’t process a real request fast enough.

And we’re not talking about seconds, but easily days or weeks.


You think this is something someone can't figure out in a matter of weeks?


[flagged]


We've banned this account for breaking the site guidelines.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.


>Sorry, but this isn’t your first comment demonstrating severe struggles with reading comprehension.

This isn't reddit, you can't talk to people like that here. I'm not engaging this further.

https://news.ycombinator.com/newsguidelines.html


Would you please stop perpetuating flamewars on HN and also please stop using HN primarily for political/ideological battle? We ban accounts that do those things because they destroy what the site is supposed to be for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


For some problems, there is no good solution.


That’s my point. The OP “riskable” claimed the opposite though.


Are the white pages a thing in the States?

I mean I want to call some entity in the US that doesn't have its number on a website, how do I do that now in a non emergency situation? Is there any reason that wouldn't work in an emergency?

This doesn't seem like an actual problem anyone has ever had.


No, except for easy-to-influence websites that scrape numbers from sketchy sources and accept user submissions without verification.

Not that the inability to confirm a phone number in a hypothetical phone book would be an excuse for noncompliance anyway.


The secretary of state for that state can provide that information.


Only in the United States. There are almost two hundred countries in the world. What if the request comes in from Kiribati?


If you give them days, weeks or perhaps months to come up with a response. Sure.

Not going to work internationally anyway.


You are being intentionally argumentative, and not in a devil's advocate, let's explore all the consequences of the topic at hand kind of way.

You are engaging in bad faith, please stop it.


That’s really not the case. What is “bad faith” about suggesting that the secretary of state probably isn’t going to rapidly solve this problem for you?

It’s not even about being a “devil’s advocate”, the balance of probabilities rests squarely on the side of this being far more difficult than many commenters here try to make it out to be.

I think it is you who is engaging in bad faith.


I’m really confused as to how this relates to what is being discussed here.


>And how do you identify the real government for some small town? There are many that don’t even have websites.

This was the question I responded to. I'm not sure how else to explain it?


We are talking about fake law enforcement requests sent to big internet companies. Do you think these bigcos have presence in McMullen, AL?


Contacting the state government should be the right choice (but it may not be in practice). In many countries, every public official has the legal duty to direct you to the relevant authority if you contact them with matters outside their duties. That's a sensible requirement, because citizens should not have to be familiar with the internal administrative structures of government agencies.


> And how do you identify the real government for some small town? There are many that don’t even have websites

(Sorry to have to ask) but are there [m]any towns in the USA without telephones?


Where do you intend to find the numbers to call?

There are towns in the US where the local government consists only of a couple of people who may only do local government work for a few hours a week.

There are towns with essentially no online presence, you could easily create your own fake local government, police and whatever you’d like.


> There are towns in the US where the local government consists only of a couple of people who may only do local government work for a few hours a week

How does anyone authenticate anything allegedly issued by such small parts of local government?

"Not very quickly" is presumably one part of the answer?


In the real world these documents are usually not authenticated, perhaps beyond trying to get a person on the phone by googling the issuing authority.

It’s actually a pretty novel idea that companies should be prepared to deal with fake court orders, etc. In theory it’s supposed to be the job of law enforcement to prevent this, but of course that is also essentially impossible.

If the federal lawmakers wanted the federal government to undertake the herculean task of making all these documents verifiable and traceable, they could of course do that. Are they likely to do so? No.

Also, there’s an important detail that is largely being ignored in this conversation: How many hours of paralegal time can we expect companies to spend verifying legal requests concerning accounts that don’t belong to paying customers?


> In the real world these documents are usually not authenticated [..]

So if a stranger in a suit were to turn up on your doorstep with a "search warrant" to search your house, issued by a court/judge/jurisdiction you'd never heard of, you'd not attempt to authenticate it?

> verifying legal requests

I'm not sure that these EDRs as described can be said to be "legal requests".

Aren't they just asking for disclosure of data without the usual legal checks and balances?


> So if a stranger in a suit were to turn up on your doorstep with a "search warrant" to search your house, issued by a court/judge/jurisdiction you'd never heard of, you'd not attempt to authenticate it?

Most people would not, no. I’ve had a search warrant served on my home once by police in civilian clothes, they handed me a piece of paper and refused to give ID even though I insisted.

What are you going to do? Physically fight them? Bad idea.

> I'm not sure that these EDRs as described can be said to be "legal requests".

The thing is that real search warrants or court orders do not provide any additional security over these EDRs when the submitting party is not acting in good faith.


> The thing is that real search warrants or court orders do not provide any additional security over these EDRs when the submitting party is not acting in good faith.

I'm not sure what you're saying there, can you expand on this? Are you saying a fake search warrant or fake court order is no more secure than a fake EDR?

My point is that the EDR system (if we can even call it a system) appears designed to avoid any and all scrutiny, verification or legal process. "We need this in a hurry, lives are on the line, we haven't got time to get a court order" doesn't exactly invite the recipient to understand that they have every right to say no.

EDRs are basically backdooring an otherwise fairly well-understood system with checks and balances.


Create a fake small town?



Fantastic story, it's hilarious that the "town" popped up on Google Maps for a bit.


So every major technology company will need to figure out the real contact details of every town government (how do you propose they will do this?) and then when they receive one of these "life or death situation, you must respond immediately" requests they are supposed to call up the town, get the number for the police department in the town (hopefully the police department isn't shared between multiple towns or this could get confusing) and then call up the police department to confirm that they are the ones who sent the request?

I guess I don't see the value the town government contact details are providing here. If you have some way of figuring out the real contact details for every town why wouldn't that same mechanism work for figuring out the real contact details of every police department?


In the United States, does <area code> 555-1212 not work anymore? It certainly seems to: https://www.businessinsider.com/555-phone-number-tv-movies-t... https://www.nationalnanpa.com/number_resource_info/555_numbe...


Yes? Tech companies don't have to do arbitrary things for whoever calls up. The court or law enforcement official has to convince you they are real and that they have a warrant.


Try refusing to comply with a real warrant because you aren’t convinced that it’s real. You will go to jail.

Turns out the government actually has no duty to convince you, locking you up tends to be convincing enough.


They'll lose their case if all they did was call you and make a demand. Expecting them to show up in person in some capacity and show you the paperwork is fully reasonable. For a while they mostly operated with letters and sometimes registered mail but that can be faked also.

Look, if you want to preserve your rights you've gotta stand up for them.


This is so deeply wrong. You will go to jail if you act like this.

> Look, if you want to preserve your rights you've gotta stand up for them.

You have absolutely no such right to refuse to comply with subpoenas, search warrants or court orders not delivered via your preferred means.

> Expecting them to show up in person in some capacity and show you the paperwork is fully reasonable

It’s not reasonable, because actual judges will not partake in such games. They will just hold you in contempt.

It might sound reasonable to a layman, but your lawyer will think you’ve gone crazy.


The only real reason you get charged with contempt is for ignoring the warrant. If you try to verify it you're not ignoring it. If you ignore something that's not a warrant they're SoL. It's my understanding these "emergency requests" have no legal basis. The ability of the state to pressgang people into service is very limited.

I'm willing to agree the law is crap and you might go to jail (briefly) anyway, but that's not an excuse for "it should work this way" which is the direction everyone seems to be taking it.


Don’t get stuck on the “emergency requests”, the people faking those are perfectly happy to fake court orders too.

> but that's not an excuse for "it should work this way" which is the direction everyone seems to be taking it.

I see many people arguing that the recipients should solve this problem by doing better verification, I don’t think that’s reasonable.

This is absolutely something that the lawmakers need to fix, but that will be a herculean task.


I'm aware they'll fake court orders too, which is your defense if you piss off the court. Sadly this is only an issue that can be solved by the recipients doing more verification. If the courts offered more verification, you still need to teach the recipients to make use of it.


Someone will sell this information. West Law / Lexis Nexis already provide a lot of this kind of thing (contact info for judges and people in various government agencies).


I wasn't able to find this information on West Law or Lexis Nexis, do you know what term they use to describe this category of information?


Try Judicial Profile.


Accurint



