Companies make it too easy for thieves to impersonate police and steal data(eff.org)
eff.org
Companies make it too easy for thieves to impersonate police and steal data
https://www.eff.org/deeplinks/2024/01/companies-make-it-too-easy-thieves-impersonate-police-and-steal-our-data
21 comments
In a lot of places, you just bribe the police and do it officially.
Governments could make these requests a lot easier to verify. Companies shouldn't be in the position of having to guess at who is a real government official.
Governments could make these requests a lot easier to verify. Companies shouldn't be in the position of having to guess at who is a real government official.
The solution is to minimize data in company's possession, which includes minimizing collection and retension. Otherwise, even if you close this loophole, another will appear. Your data is an asset with value and people will seek it out.
Carefully checking every request costs money. Giving away data to unauthorized parties pretending to have such authorization costs nothing. Follow the incentives.
Receiving a fine for failing in due diligence to protect personal information definitely costs money.
Fines are never high enough to align incentives
Maybe in does in the EU or California.
The people nominally responsible for issuing fines also have their own incentives.
Whether that's the case or not, it is orthogonal to the point being made.
No? I think it's quite relevant.
The government has been entirely too slow to adopt the really simple stuff like PGP-signed email. If we had what was child's play in the 90s, most of these problems would go away. (And be replaced with different problems, like someone hacking the police's computers to get their private key, but let's imagine they can use some sort of HSM because those exist now.)
To be fair, PGP has broken usability by design. The (rarely-recognized) problem is that it's too stateful, and thus hard to reproduce.
Then set minimum standards for data requests, possibly in law, if not via the European idea of a data commissioner.
Then two things
0. Persue companies that screw up like this. I mean the SEC strikes terror into the hearts of the Boards of some of the worlds richest companies so it’s feasible
1. Fucking prosecute the actual criminals! Yea companies should put more effort in. So raise the floor so no one feels doing the right thing leaves them at a disadvantage- but also, this is very much a blame the banks for having cash in the safe during a robbery. The robbers need to be prosecuted- and the companies need to think of data like cash in transit - needs much better protection than they currently do
Then two things
0. Persue companies that screw up like this. I mean the SEC strikes terror into the hearts of the Boards of some of the worlds richest companies so it’s feasible
1. Fucking prosecute the actual criminals! Yea companies should put more effort in. So raise the floor so no one feels doing the right thing leaves them at a disadvantage- but also, this is very much a blame the banks for having cash in the safe during a robbery. The robbers need to be prosecuted- and the companies need to think of data like cash in transit - needs much better protection than they currently do
It should not be too hard to verify?
Call up the clerk of the court who issued the order, or the police department of the city, or whoever the relevant authority is, and ask them to confirm.
You don't need digital signatures or encryption to do that.
Call up the clerk of the court who issued the order, or the police department of the city, or whoever the relevant authority is, and ask them to confirm.
You don't need digital signatures or encryption to do that.
The governments require this. This is 100% the governments' fault.
There may an opportunity for a startup to authenticate law enforcement, like a specialized version of id.me.
Why are we blaming the companies because the police are easy to impersonate?
If the bank allowed anyone to impersonate you at the bank and withdraw all your money, who would you blame?
Why would I blame a bank when it's easy to impersonate me?
There are root-cause issues here when identifying a US citizen, and US law enforcement.
There are root-cause issues here when identifying a US citizen, and US law enforcement.
Very true.
The companies that gave data to criminals need to be bankrupted.
The companies that gave data to criminals need to be bankrupted.
I see this as exceptionally unlikely in most legal systems.
"Dear Court, this suit that is brought against us is going to make the next case that comes in so much harder. Next time we're going to challenge everything you as the court and law enforcement ask for and this will lead to the bad guys getting away. This could mean less funds for your next reelection. All we were doing was acting in good faith giving the legal system what it needed to be efficient".
"Dear Court, this suit that is brought against us is going to make the next case that comes in so much harder. Next time we're going to challenge everything you as the court and law enforcement ask for and this will lead to the bad guys getting away. This could mean less funds for your next reelection. All we were doing was acting in good faith giving the legal system what it needed to be efficient".
We already have the technology (PKI with smartcards) to fix this, but unless something really bad happens, there doesn't seem to be a rush to do so.
[0] From Mr Robot Season 2 Episode 9 https://www.youtube.com/watch?v=5qTSoCzp-LY