Police Impersonators Fool Meta, Apple into Giving Up Personal Data

The United States has 18,000 police jurisdictions. When law enforcement officers in any one of these U.S. jurisdictions want to view the activity of an American’s social media account or a phone number associated with it, they should – as the Fourth Amendment requires – obtain a warrant or subpoena from a court and submit it to a social media platform.
 
Unless it’s a matter of life and death.
 
Current practice allows for “emergency data requests,” often cases in which someone has been kidnapped or in which violence is believed to be imminent. When such a request is made by U.S. law enforcement or by any of tens of thousands of foreign agencies, social media companies usually comply immediately, no warrant required.
 
This is a good faith workaround, which functions well provided everyone acts in good faith. Bloomberg reports that Meta, Apple, VoIP provider Discord, and other platforms have responded to data requests that were forged by hackers, who compromised email domains of police systems to make emergency requests for private data, including home addresses. The hackers forged the signatures of real law enforcement officials. When that wasn’t possible, they made up fictional officers.
 
Bloomberg reports that Apple received 1,162 emergency requests from 29 countries over six months in 2020. Apple provided data in response in 93 percent of those requests. Meta received 21,700 emergency requests in the first six months of 2021 from around the world. Meta provided data in response to 77 percent of those requests.
 
“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” Allison Nixon, chief research officer at cyber firm Unit 221B told Bloomberg. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”
 
Investigators believe this recent raft of forged emergency data requests is the handiwork of misfits, possible juveniles. In the hands of experienced criminals, or malevolent state actors, such trickery could endanger lives and threaten national security. There is no common program among companies to evaluate such requests.
 
It strikes us that developing a seamless and adaptable software verification program for companies to evaluate law enforcement data requests might be a worthwhile (and perhaps lucrative) project for some startup.