For years, people have been impersonating police online in order to get companies to hand over incredibly sensitive personal information. Reporting by 404 Media recently revealed that Verizon handed over the address and phone logs of an individual to a stalker pretending to be a police officer who...

cross-posted from: https://lemmy.world/post/10984512

Full text from the Electronic Frontier Foundation (EFF) article:

Companies Make it Too Easy for Thieves to Impersonate Police and Steal Our Data

By Matthew Guariglia and Eva Galperin

~3 minutes

For years, people have been impersonating police online in order to get companies to hand over incredibly sensitive personal information. Reporting by 404 Media recently revealed that Verizon handed over the address and phone logs of an individual to a stalker pretending to be a police officer who had a PDF of a fake warrant. Worse, the imposter wasn’t particularly convincing. His request was missing a form that is required for search warrants from his state. He used the name of a police officer that did not exist in the department he claimed to be from. And he used a Proton Mail account, which any person online can use, rather than an official government email address.

Likewise, bad actors have used breached law enforcement email accounts or domain names to send fake warrants, subpoenas, or “Emergency Data Requests” (which police can send without judicial oversight to get data quickly in supposedly life or death situations). Impersonating police to get sensitive information from companies isn’t just the realm of stalkers and domestic abusers; according to Motherboard, bounty hunters and debt collectors have also used the tactic.

We have two very big entwined problems. The first is the “collect it all” business model of too many companies, which creates vast reservoirs of personal information stored in corporate data servers, ripe for police to seize and thieves to steal. The second is that too many companies fail to prevent thieves from stealing data by pretending to be police.

Companies have to make it harder for fake “officers” to get access to our sensitive data. For starters, they must do better at scrutinizing warrants, subpoenas, and emergency data requests when they come in. These requirements should be spelled out clearly in a public-facing privacy policy, and all employees who deal with data requests from law enforcement should receive training in how to adhere to these requirements and spot fraudulent requests. Fake emergency data requests raise special concerns, because real ones depend on the discretion of both companies and police—two parties with less than stellar reputations for valuing privacy.

  • @AFaithfulNihilistEnglish
    85 months ago

    What on earth is a company if not management and the processes it uses?

    In other words, If they have bad management and they lack proper processes to safeguard client data, are they not a bad company?!

    • @[email protected]English
      15 months ago

      What on earth is a company if not management and the processes it uses?

      The most important part - people.

      In other words, If they have bad management and they lack proper processes to safeguard client data, are they not a bad company?!

      A company encompasses the people who work there. Like the person on the end of the phone in the article. They are not responsible for bad management and bad processes. They are a victim in this having to deal with it.